System and Organization Controls 2
An attestation report, defined by the AICPA, in which an independent auditor evaluates a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Type I covers control design at a point in time, while Type II tests operating effectiveness over months. It has become the default security due-diligence artifact that SaaS vendors hand to enterprise customers.