System and Organization Controls (SOC) Reports

Independent third-party audit reports on internal controls of a cloud service provider

Frequently asked questions about SOC reports

Frequently asked questions about SOC reports

  • What is an SOC report?

    An SOC report is an independent audit issued by a third-party audit institution based on relevant guidelines developed by the American Institute of Certified Public Accountants (AICPA) for the systems and internal controls of outsourced service providers.


    SOC reports are classified as SOC 1 (including Type I and Type II), SOC 2 (including Type I and Type II), or SOC 3.


    • An SOC 1 report is intended to examine the controls related to financial reporting processes and is usually used by cloud customers and their independent auditors. SOC Type II reports provide more opinions on operational effectiveness than Type I reports to achieve related control objectives.


    • An SOC 2 report focuses on the internal operations and compliance of an organization, including controls related to security, availability, process integrity, confidentiality, and privacy. An SOC Type I report demonstrates the design rationality of internal controls within the organization, and SOC Type II reports reflects the effectiveness of the implementation of the measures during the reporting period.


    • An SOC 3 report is a summary version based on the SOC 2 Type II report and is available to the public.



    Huawei Cloud has earned SOC 1 Type II, SOC 2 Type II, and SOC 3 certification. Huawei Cloud is the first cloud service provider in the world to meet the SOC 2 requirements for controls related to security, availability, process integrity, confidentiality, and privacy. This certifies that information security controls adopted by Huawei Cloud meet strictest requirements of the internationally recognized standards and also certifies our abilities to provide you with world-class security and privacy protection.


    Huawei Cloud periodically invites third-party organizations to review its information security management systems to ensure that the ever-evolving Huawei Cloud environment and services are always protected by industry-leading information security management capabilities.

  • Which data centers are covered by the Huawei Cloud SOC reports?

    The SOC reports for Huawei Cloud cover 30+ data centers in Chinese Mainland, Hong Kong (China), Thailand, Mexico, Singapore, South Africa, Chile, and Brazil. You can download the Huawei Cloud SOC audit reports from Compliance Certificates.

  • Which Huawei Cloud services are covered by SOC reports?

    The SOC reports certification covers over 150 Huawei Cloud services including, but not limited to, Advanced Anti-DDoS (AAD), Web Application Firewall (WAF), Data Encryption Workshop (DEW), and Database Security Service (DBSS). You can download Huawei Cloud's SOC reports from Compliance Certificates.


    If you would like to learn more about our products, please contact us.


  • How long is an SOC report valid?

    SOC reports are issued based on independent audits and demonstrate the rationality and effectiveness of internal controls of an organization for a certain period of time in the past. So SOC reports do not expire.


    Huawei Cloud invites third-party auditors to perform SOC audits twice a year. They will issue two SOC reports. You can request SOC reports to learn how well Huawei Cloud controls meet audit requirements. The first audit starts on April 1 of the previous year and ends on March 31 of the current year, and the SOC report is released at the beginning of June. The second audit starts on October 1 of the previous year and ends on September 30 of the current year, and the report is released at the beginning of December of the current year.


    Huawei Cloud will periodically issue an SOC Continued Operations Letter to demonstrate that Huawei Cloud will continue to maintain the system and control environment described in the latest SOC 1 and SOC 2 reports and continue to implement the same controls.You can download SOC reports and SOC Continued Operations Letters in Compliance Center.