The SOC (Service Organization Controls) 2 is a security standard aimed at Service Organizations. It breaks the goals for secure operations into five categories, called trust principles:

  1. Security
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

Service Organizations may be assessed against one or more of the trust principles.

Akamai's SOC 2 report covers the Security and Availability trust principles.

There is no certificate of compliance. Instead, qualified third-party assessors produce a compliance report for the assessed organization that discusses the organization's system description, scope, control descriptions for meeting the common criteria, evidence, and the suitability of the organization's descriptions and evidence. Reports come in one of two formats:

  • Type 1: Assesses evidence from a single point in time, showing that if the controls operate as intended, the assessed organization would meet its goals; and
  • Type 2: Assesses evidence across a longer span of time, typically 6 months to 1 year, showing that the assessed organization consistently meets its goals.

Our SOC 2 report covers the Enhanced TLS services on our Secure CDN (i.e., ESSL) and the applications running on it (e.g., Kona), the same scope as for PCI DSS, as well as the Prolexic products and critical platform infrastructure such as the Authgate, KMI, Auditserver, Sentry, Forcefield and metadata systems.

Ernst & Young (EY) completed Akamai’s 2017 SOC 2 Type 2 report which contains the following four sections:
  • Auditor's Report
  • Akamai Management Assertion
  • Description of Akamai’s Covered Systems relevant to Security & Availability
  • Description of Common Criteria, Controls, Tests, and Results of Tests

After completing their audit, EY concluded with the following unqualified opinion of our security controls:

In our opinion, in all material respects, based on the description criteria and the applicable trust services criteria:
  1. The Description fairly presents Akamai’s Covered Systems that were designed and implemented throughout the period January 1, 2017 to September 30, 2017.
  2. The controls stated in the Description were suitably designed to provide reasonable assurance that the applicable trust services criteria would be met if the controls operated effectively and user entities applied the controls assumed in the design of Akamai’s controls throughout the period of January 1, 2017 to September 30, 2017.
  3. The controls operated effectively to provide reasonable assurance that the applicable trust service criteria were met throughout the period January 1, 2017 to September 30, 2017, if the user entity controls assumed in the design of Akamai’s controls operated effectively throughout the period January 1, 2017 to September 30, 2017.

This document is available to customers and partners subject to nondisclosure agreements (NDAs) with Akamai. Contact your account team for more information.

Please note that Akamai does not undergo a SOC 1 assessment (an audit focused on financial controls). Because Akamai is a U.S. publicly traded company, we are bound by Sarbanes-Oxley and other regulations to make our financial well-being publicly available. Customers and prospects may access our annual financial statements and 10-Ks on our Investor Relations website.