---
title: "What SOC2 requirements should a VoIP platform vendor meet?"
topic: "Security & Compliance"
updated: 2026-05-09
canonical: https://acrobits.net/resources/knowledge-base/soc2-requirements-voip-platform-vendor/
summary: "A VoIP platform vendor should hold a current SOC 2 Type II report — an independent CPA attestation covering at minimum the Security trust criterion and ideally Availability as well. The report should be less than 12 months old, cover the production systems processing your subscribers' traffic, and be accompanied by a signed Data Processing Agreement. Ask for the sub-processor list, pen test history, and the auditor's opinion letter to check for exceptions."
---

# What SOC2 requirements should a VoIP platform vendor meet?

> A VoIP platform vendor should hold a current SOC 2 Type II report — an independent CPA attestation covering at minimum the Security trust criterion and ideally Availability as well. The report should be less than 12 months old, cover the production systems processing your subscribers' traffic, and be accompanied by a signed Data Processing Agreement. Ask for the sub-processor list, pen test history, and the auditor's opinion letter to check for exceptions.

When evaluating a white-label VoIP or UCaaS platform vendor, you should require a current **[SOC 2 Type II report](/voip-glossary/soc-2-for-voip-vendors/)** — an independent CPA attestation confirming that the vendor's security and operational controls were in place and functioning over a sustained audit period (typically 6–12 months). SOC 2 is not a certification a vendor self-issues; it is an opinion from an accredited auditor. A Type I report only tests that controls exist at a point in time; a Type II report proves they work in practice.

## The five Trust Services Criteria — what matters for VoIP

SOC 2 reports are scoped to one or more of five Trust Services Criteria (TSCs). Security is mandatory; the others are optional. For a VoIP platform vendor, operators should require coverage of at least:

  - **Security (CC)** — mandatory baseline. Covers logical access controls, encryption in transit and at rest, change management, incident response, and vendor risk management. For VoIP, verify this includes SIP signaling protection and credential handling.

  - **Availability (A)** — critical for real-time communications. Covers uptime commitments, network monitoring, disaster recovery, and business continuity. Ask for the audit period's SLA attainment and documented failover procedures.

  - **Confidentiality (C)** — relevant where the vendor stores call records, voicemails, or subscriber PII. Verify encryption at rest and data retention terms.

  - **Privacy (P)** — if the vendor's platform processes subscriber personal data (names, phone numbers, location for E.911), Privacy criteria ensure GDPR- and CCPA-aligned controls. Relevant for operators serving healthcare or regulated industries.

  - **Processing Integrity (PI)** — lower priority for voice-only deployments; more relevant if the vendor processes billing data or routing decisions on your behalf.

## What to ask any VoIP platform vendor

Put the following on your vendor security checklist before signing a white-label agreement or master services agreement:

  - **Report type and date** — Is it Type II? When does the audit period end? A report more than 12 months old is stale. Request a bridge letter if the current audit is in progress.

  - **Scope** — Which systems are in scope? The report must cover the infrastructure that will process your subscribers' traffic (e.g., push notification infrastructure, SIP proxy, provisioning portal). Confirm the scope statement explicitly includes the services you are licensing.

  - **Trust Criteria covered** — Security alone is table-stakes. For a VoIP platform, push for Security + Availability at minimum.

  - **Sub-processor list** — Which third-party cloud providers, CDNs, or push notification gateways (e.g., APNs, FCM) does the vendor rely on? Are those sub-processors themselves SOC 2 audited? Request the full sub-processor list and confirm a change-notification commitment.

  - **Exceptions and qualifications** — Read the auditor's opinion. A qualified or adverse opinion is a red flag. Note any exceptions — controls that failed during the audit period — and ask how they were remediated.

  - **Pen test recency** — A SOC 2 report is not a penetration test. Request a summary of the most recent third-party pen test (ideally within 12 months) and any critical findings.

  - **Incident history** — Ask for a summary of material security incidents during the last audit period and how they were handled. This is often in the system description section of the report.

  - **Data Processing Agreement (DPA)** — Confirm the vendor will sign a DPA that defines processing purpose, data categories, breach notification timelines (72 hours is standard for GDPR), retention/deletion terms, and audit rights.

## Table-stakes vs. differentiators

**Table-stakes (required for enterprise operators):**

  - SOC 2 Type II report with Security criteria, current within 12 months, covering the production environment

  - Willingness to share the report under NDA

  - A signed DPA

  - Documented incident response and change management processes

**Differentiators (signal operational maturity):**

  - Availability and Confidentiality criteria included

  - Annual pen testing by a named third party

  - ISO 27001 certification alongside SOC 2 (common for vendors with EU operations)

  - Continuous compliance monitoring (not just point-in-time)

  - Sub-processor list published or promptly disclosed

  - HIPAA Business Associate Agreement (BAA) available for healthcare deployments

Cloud Softphone by Acrobits supports [HIPAA-](/resources/knowledge-base/is-there-a-hipaa-compliant-voip-app-for-healthcare/) and GDPR-compliant configurations — for current SOC 2 audit status, contact [sales@cloudsoftphone.com](mailto:sales@cloudsoftphone.com) or request the security documentation package directly.

{
  "@context": "https://schema.org",
  "@type": "FAQPage",
  "mainEntity": [
    {
      "@type": "Question",
      "name": "What SOC2 requirements should a VoIP platform vendor meet?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "A VoIP platform vendor should hold a current SOC 2 Type II report — an independent CPA attestation covering at minimum the Security trust criterion and ideally Availability as well. The report should be less than 12 months old, cover the production systems processing your subscribers' traffic, and be accompanied by a signed Data Processing Agreement. Ask for the sub-processor list, pen test history, and the auditor's opinion letter to check for exceptions."
      }
    },
    {
      "@type": "Question",
      "name": "What is the difference between SOC 2 Type I and Type II for a VoIP vendor?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "A SOC 2 Type I report tests that security controls existed at a single point in time. A Type II report tests that those controls operated effectively over an audit period, typically 6–12 months. For vendor procurement, require Type II — Type I is considered transitional and does not prove ongoing operational discipline."
      }
    },
    {
      "@type": "Question",
      "name": "Which SOC 2 Trust Services Criteria should a VoIP platform vendor cover?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "At minimum: Security (mandatory in every SOC 2 audit) and Availability (critical for real-time voice services). If the vendor stores call records or subscriber PII, also require Confidentiality. For regulated verticals such as healthcare, request Privacy criteria coverage and a HIPAA BAA."
      }
    }
  ]
}
