# Achieve SOC 2 password compliance with Bitwarden Companies that provide services to other organizations and are seeking to boost their information security stance often complete a Service Organization Control 2 (SOC 2) audit, with a growing focus on meeting SOC 2 [password requirements](https://bitwarden.com/it-it/resources/the-state-of-password-security/). The SOC 2 certification process includes demonstrating adequate system access controls to ensure that sensitive data remains protected and secured at all times. SOC 2 reports are often requested by customers and business partners of outsourced solution providers, underscoring the importance of SOC 2 compliance. Many companies seeking SOC 2 compliance leverage solutions such as a SOC 2-compliant [password manager](https://bitwarden.com/it-it/blog/picking-the-right-password-for-your-password-manager/) to help meet requirements. > Check out the [Resource Center](https://bitwarden.com/it-it/resources/) for more guides on how to achieve compliance with other security standards. ## Table of Contents [A summary of SOC 2 trust services criteria](https://bitwarden.com/it-it/resources/achieve-soc-2-password-compliance-with-bitwarden/#a-summary-of-soc-2-trust-services-criteria/) [Overview of the SOC 2 certification process](https://bitwarden.com/it-it/resources/achieve-soc-2-password-compliance-with-bitwarden/#overview-of-the-soc-2-certification-process/) [The Security Principle: SOC 2 security controls and password requirements](https://bitwarden.com/it-it/resources/achieve-soc-2-password-compliance-with-bitwarden/#the-security-principle-soc-2-security-controls-and-password-requirements/) [Explore Bitwarden to support SOC 2 compliance and password requirements](https://bitwarden.com/it-it/resources/achieve-soc-2-password-compliance-with-bitwarden/#explore-bitwarden-to-support-soc-2-compliance-and-password-requirements/) ## A summary of SOC 2 trust services criteria SOC 2 reports are relevant to service organizations and pertain to the controls concerning aspects like security and privacy. The [American Institute of Certified Public Accountants](https://www.aicpa-cima.com/feed) (AICPA) introduced the [Service Organization Control or SOC 2 report](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2) to help evaluate service companies – i.e., financial firms, healthcare providers, cloud service providers, and SaaS providers – and their ability to maintain strong controls “relevant to security, availability, and processing integrity of the systems … to process users’ data and the confidentiality and privacy of the information processed by these systems.”  SOC 2 includes two types of reports: - Type 1: Reports on a company’s system description and the suitability of the design of its controls. - Type 2: Reports on a company’s system description and the suitability *and* operational effectiveness of its controls. During SOC 2 audits, a service organization's controls are evaluated to ensure compliance with the security framework. Both SOC 2 report types detail how companies process data, but SOC 2 Type 2 more deeply describes data security controls in place, including [credential management](https://bitwarden.com/it-it/blog/credential-management-in-the-enterprise/). Both report types are restricted to certain entities (e.g., customers or auditors). However, companies may also produce a publicly available SOC 3 report, which summarizes some of the data security criteria found in the SOC 2 report. [Check out the Bitwarden SOC 3 Report](https://assets.ctfassets.net/7rncvj1f8mw7/34OTRi66eNWAqiuM5xKXeN/f42d204c04bb43361a67f4ae7edaffef/bitwarden-2021-soc-3-report.pdf). ## Overview of the SOC 2 certification process Companies seeking SOC 2 certification must pass an audit conducted by an accredited AICPA representative. The five Trust Services Criteria form the fundamental components of the SOC 2 compliance framework, including Security, Availability, Processing Integrity, Confidentiality, and Privacy. First developed in 2017, and last updated in late 2022 to “reflect an environment of ever-changing technologies, threats, and vulnerabilities … changing legal and regulatory requirements and related cultural expectations regarding privacy,” and “addressing data management, particularly when related to confidentiality,” the criteria is as follows: - **Security** - Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, data integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to achieve its objectives. - **Availability** - Information and systems are available for operation and used to meet the entity’s objectives. - **Processing integrity** - System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. - **Confidentiality** - Information designated as confidential is protected to meet the entity’s objectives. - **Privacy** - Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives. Internal controls play a crucial role in ensuring compliance with the Trust Services Criteria during audits. Companies only have to comply with the principles that apply to them. For example, the Availability Principle typically applies to companies providing customers with colocation, data center, SaaS-based services, or hosting services. ## You might also like: [The benefits of password managers for finance companies](https://bitwarden.com/it-it/blog/the-benefits-of-password-managers-for-finance-companies/) ## The Security Principle: SOC 2 security controls and password requirements The Security Principle applies to most companies seeking SOC 2 compliance, focusing on protecting customer data. The bulk of the Security Principle requirements exist under section [CC6 of the Trust Services Criteria](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), which also details SOC 2 password requirements. The following sections demonstrate how a password manager can support many key requirements. SOC 2 controls are significant in mitigating data breaches and protecting sensitive information. #### Infrastructure credentials management to protect customer data > “The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.” - CC6.1 (Pg. 34-35) Companies must demonstrate how they manage credentials for infrastructure and software, including removing access once it’s no longer needed or required. With a password manager, administrators can easily automate access, assign roles, and restrict users to read-only access for system credentials. [Granular access control](https://bitwarden.com/it-it/help/user-types-access-control/#granular-access-control/) allows administrators to hide credentials to prevent copying passwords, [TOTP](https://bitwarden.com/it-it/help/authenticator-keys/) seeds, or [custom fields](https://bitwarden.com/it-it/learning/using-custom-fields/). An accredited CPA evaluates an organization's controls' design and operating effectiveness during a SOC 2 audit to ensure they align with the required standards for safeguarding sensitive data. Companies must encrypt their data and protect [encryption](https://bitwarden.com/it-it/help/what-encryption-is-used/) keys at all times. With a 100% [end-to-end zero-knowledge encrypted password manager](https://bitwarden.com/it-it/blog/end-to-end-encryption-and-zero-knowledge/) using AES 256-bit encryption, companies protect their credentials and sensitive information that can be shared amongst employees, such as financial documents. Additionally, PBKDF2 SHA-256 strengthens encryption key protection by limiting key retrieval to only the user logging in with their [master password](https://bitwarden.com/it-it/help/master-password/). #### Onboarding and succession > “Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.” - CC6.2 (Pg. 36) Companies must show how they register and authenticate new users, including levels of access. With a password manager, administrators can link their directory service ([LDAP](https://bitwarden.com/it-it/help/ldap-directory/)) to streamline [user onboarding and succession](https://bitwarden.com/it-it/blog/password-management-directory-connector/). Users and groups in your company LDAP sync with your password manager’s Organization, replicating the same structure. Better yet, whenever a new user is added to the LDAP, they are also created in the password manager–and vice versa, they are removed when de-provisioned from the LDAP. Companies must authorize access to protected assets. A password manager with [Single Sign On](https://bitwarden.com/it-it/blog/configure-bitwarden-sso/) allows your existing [Identity](https://bitwarden.com/it-it/resources/charting-the-identity-and-access-management-landscape/) Provider to offer authentication for password manager users. Administrators can set password policies requiring users to log in through the Single Sign-On method to access credentials. #### Granular access control > “The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.” - CC6.3 (pg. 36) Companies must demonstrate role-based access controls (RBAC). With a password manager, administrators can set [user types](https://bitwarden.com/it-it/help/user-types-access-control/) and create custom roles to assign granular control and user permissions for components of the password manager. Role-based access controls can be configured for functions such as who can manage users, access event logs, or import/export data. Wondering how else to boost your company's security? Check out [Bitwarden Secrets Manager](https://bitwarden.com/it-it/products/secrets-manager/) to secure your developer secrets. ## Explore Bitwarden to support SOC 2 compliance and password requirements Adding a password manager, such as Bitwarden, can demonstrate the commitment of service providers to protect customer data and SOC 2 auditors. Bitwarden offers enterprise-grade security, conducts regular third-party security audits, and [complies](https://bitwarden.com/it-it/compliance/) with major privacy and security standards, including SOC 2.  Bitwarden supports service organizations in meeting SOC 2 compliance requirements by ensuring effective controls are in place for safeguarding data. Take advantage of an [all-access free Enterprise trial](https://bitwarden.com/it-it/pricing/business/) to see how Bitwarden can help service providers prepare for a SOC 2 security audit and meet SOC 2 password requirements. ## Read more: [How to choose the best enterprise password manager for your business](https://bitwarden.com/it-it/blog/choose-the-best-enterprise-password-manager/) ## Ottieni subito una sicurezza per le password potente e affidabile. Scegli il tuo piano. ## Personale ### Hai appena iniziato? *Ottieni una gestione di base delle password oggi stesso. Sempre gratis.* [Crea un account gratuito](https://bitwarden.com/go/start-free/) --- ### Premium **$1.65** *al mese* *Con fatturazione annuale a 19,80 USD* Scopri le funzionalità premium - Autenticatore integrato - Allegati file - Accesso di emergenza - Blocco del phishing - Report di sicurezza e altro Condividi gli elementi della cassaforte con un altro utente [Crea un account Premium](https://bitwarden.com/go/start-premium/) --- ### Famiglie **$3.99** *al mese* *Fino a 6 utenti, con fatturazione annuale a 47,88 USD* Proteggi gli accessi della tua famiglia - 6 account premium - Condivisione illimitata - Raccolte illimitate - Spazio di archiviazione dell’organizzazione Condividi gli elementi della cassaforte tra sei persone [Inizia la prova gratuita per Famiglie](https://bitwarden.com/go/start-families-trial/) --- Prezzi indicati in USD e basati su un abbonamento annuale. Tasse escluse. ## Business ### Teams *Per team e aziende in crescita che devono muoversi rapidamente.* **$4** *al mese / per utente, con fatturazione annuale* **Nessun compromesso** Tutte le funzionalità Premium, più funzionalità avanzate come: - Condividi le credenziali in modo sicuro - Controlla le attività con i log eventi - Sincronizza la directory esistente - Automatizza il provisioning con SCIM [Avvia la prova gratuita](https://bitwarden.com/go/start-teams-trial/) --- ### Enterprise *Per aziende che necessitano di protezione e controllo avanzati.* **$6** *al mese / per utente, con fatturazione annuale* **Massima protezione** Tutte le funzionalità Premium e Teams, più funzionalità di livello enterprise come: - Controllo granulare degli accessi - Integrazione SSO senza password - Recupero account semplificato - Flessibilità di self-hosting - Mitigazione dei rischi con Access Intelligence [novità] - Piano Families gratuito per tutti gli utenti [Avvia la prova gratuita](https://bitwarden.com/go/start-enterprise-trial/) --- ### Parla con il team vendite *Per le grandi organizzazioni, parla con un esperto di un piano su misura e scopri come Bitwarden può:* *al mese* - Ridurre il rischio di cybersecurity - Aumentare la produttività - Integrarsi perfettamente Bitwarden si adatta ad aziende di qualsiasi dimensione per portare la sicurezza delle password nella tua organizzazione [Parla con il team vendite](https://bitwarden.com/talk-to-sales) --- Prezzi indicati in USD e basati su un abbonamento annuale. Tasse escluse.