System and Organization Controls (SOC) 2 reports are independent third-party examination reports that demonstrate how an organization achieves key compliance controls and objectives.
SOC 2 reports are based on the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) existing Trust Services Criteria (TSC). The purpose of the report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
Atlassian undergoes rigorous independent third-party SOC 2 audits conducted by a reputable certified public accountant (CPA) firm to certify individual products on a regular basis. The audit firm evaluates whether Atlassian’s compliance controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
Both SOC 2 and SOC 3 reports are attestation examinations that are conducted in accordance with the SSAE 18 standard, specifically sections AT-C 105 and 205, governed by the AICPA. The main difference is SOC 2 is a restricted use report and SOC 3 is a public-facing report.