Sign in to my dashboard Create an account

Service Organization Controls (SOC) 2 Reports

Table Of Contents

Share this page

November 2023

An independent third-party auditor has affirmed that NetApp in-scope cloud and managed services have achieved SOC 2 Type I and Type II reports based on applicable Trust Services criteria.

About SOC 2 Reports

In alignment with the International Standard on Assurance Engagements (ISAE No. 3402), the American Institute of Certified Public Accountants (AICPA) developed the Service Organization Controls (SOC) suite of services with three types of reports: SOC 1, SOC 2, and SOC 3. The SOC 2 report is intended to provide information about a service organization’s system relevant to selected AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, or privacy). It enables report users to assess and address potential risks related to their relationship with that organization. It also offers assurance to service organizations and users that system controls reasonably protect the confidentiality and privacy of user information processed by the system.

A SOC 2 report  reflects a service auditor's attestation (opinion) regarding a service organization’s description of its system and the suitability of the design of its controls with respect to applicable Trust Services Criteria. A SOC 2 examination results in a report that provides a useful and standard way of understanding an organization’s oversight, corporate governance, supply chain management, and risk management processes. 

There are two types of SOC 2 examinations and related reports:

  • A Type I report is a service auditor’s "point in time" opinion of whether a service organization's description accurately represents its system design and implementation, and whether its controls are suitably designed to meet service commitments and system requirements.
  • A Type II report addresses the operational effectiveness of controls over a specified review period in addition to the system description and suitability of control design.

NetApp in-scope services

An independent certified public accountant firm and services auditor examined the following NetApp cloud and managed services and affirmed that they have achieved SOC 2 reports based on the applicable Trust Services Criteria.

  • Amazon FSx for NetApp ONTAP
  • Astra Service
  • Azure NetApp Files
  • BlueXP (formerly known as Cloud Manager Platform)—App Template, Backup for Kubernetes, Cloud Backup, Cloud Data Sense, Cloud Manager, Cloud Sync, and Cloud Tiering
  • CloudCheckr
  • Cloud Insights
  • Cloud Volumes Service for AWS
  • Cloud Volumes Services for GCP
  • Instaclustr
  • NetApp Managed Services in the Americas
  • SaaS Backup
  • Spot
  • Spot PC
  • Virtual Desktop Service and Virtual Desktop Managed Service (VDS & VDMS)

Audits, reports, and certificates

NetApp products and services are audited regularly against the SOC 2 (AT Section 101) standard by an independent third-party auditor.

Login is required to access the NetApp SOC 2 reports listed below. 

These SOC 2 reports are stored as indicated: 

Frequently asked questions

Why is NetApp audited as a service provider?

NetApp is audited as a service provider because we provide information and data services, both internally within our corporate information services and externally through services to our customers. NetApp therefore pursues audit certifications as evidence that these services follow processes designed to protect information in accordance with common industry standards.

Back To Top
Drift chat loading