SOC 2 Type II is an attestation report issued by a CPA firm based on the AICPA Trust Services Criteria (Security mandatory; Availability, Confidentiality, Processing Integrity, Privacy optional). Type II demonstrates operating effectiveness of controls over a period of time (typically 3-12 months). It's the most-requested security attestation for SaaS vendors selling to enterprise.