Are you actually allowed to put that SOC 2 logo on your website?
Most companies displaying the AICPA SOC logo on their landing page or Trust Center never registered for it. Here's what the rules actually say and what changed recently.
Open ten Trust Centers. Count the AICPA SOC logos.
Now ask yourself how many of those companies actually registered with the AICPA before slapping the trademark on their site.
The honest answer: probably very few.
There’s a quiet assumption running through the GRC industry that getting a SOC 2 report comes with a free pass to use the logo. It doesn’t. The report is one thing. The trademark is another. And the AICPA has been very specific about what you have to do to use it.
What the AICPA terms actually require
Three rules, none of them optional:
- You have to register. Formal registration with the AICPA. Acceptance of their terms and conditions. Not a checkbox in your Trust Center vendor’s UI.
- No qualified opinions. If your SOC 2 report came back with a modified opinion, the logo is off the table.
- The logo expires. If you haven’t received a new SOC 2 report within 12 months of your last one, take it down.
Most service organizations know rule one exists. Plenty of them ignore it anyway, because nobody’s been knocking on doors. That may be about to change.
What changed on April 22
The AICPA quietly restructured the SOC logo system. Before, there were two logos: one for CPA firms doing the examinations, one for service organizations that had received a SOC 1, SOC 2, or SOC 3 report.
Now there are three:
| Logo | Who can use it |
|---|---|
| SOC Logo for CPAs | Licensed CPAs (or CPA firms) that perform SOC 1, SOC 2, or SOC 3 examinations |
| AICPA SOC for Service Organizations Logo | Any service org with at least one SOC 1, SOC 2, or SOC 3 report from a licensed CPA (or non-U.S. equivalent) |
| AICPA SOC 2 Logo for Service Organizations | Service orgs specifically with a SOC 2 report — a brand-new SOC 2-specific mark with “SOC 2” baked into the design |
If you have a SOC 2 report, you can use either of the two service organization logos. Pick one.
The new registration form is the real signal
The interesting part isn’t the third logo. It’s what the AICPA now asks for when you register.
The new form requires:
- The name of the CPA who signed your SOC report
- That CPA’s license number
- The date of the report
The AICPA hasn’t said what they’re going to do with this data. The most likely answer: cross-check it. Look for reports being issued by individuals or firms without the proper licensing. Catch the rubber stampers.
That’s a meaningful shift. Up until now, the SOC logo program has been a soft trademark with soft enforcement. Collecting CPA license numbers at registration turns it into something the AICPA can actually audit.
The new CPA terms are doing real work
Buried in the new SOC Logo for CPAs terms and conditions is this:
“You further acknowledge that the SOC services and related reports that bear the Logo were performed in accordance with the relevant AICPA attestation standards and other professional standards… You, therefore, agree that any services or report you provide under the SOC Logo for CPAs will be at a level of quality commensurate with that of goods and services provided by AICPA prior to your use of the SOC Logo for CPAs.”
Translation: if you’re a CPA using the logo, you’re contractually attesting that your work meets AICPA quality standards. That language gives the AICPA a lever they didn’t have before.
The thing the AICPA should fix next
Most CPA firms don’t put the SOC Logo for CPAs on the reports they issue, and they’re not required to.
That’s backwards.
If the AICPA actually wants to use the logos as a quality enforcement mechanism, make it a requirement that CPAs display the SOC Logo for CPAs on every SOC report they issue. That’s the document the customer reads. That’s the artifact that gets handed to the buyer’s security team. Anchor the trademark to the report itself, not just the marketing collateral.
What to do this week
If you have a SOC 2 report and you’re displaying the AICPA logo:
- Confirm you’re registered. If you’re not, register now. The new form is the only path forward.
- Check your opinion. Qualified? Take the logo down until you have a clean report.
- Check the date. More than 12 months since your last report? Take the logo down until the next one lands.
- Pick the right logo. The new SOC 2-specific mark is available if your report is SOC 2.
- Audit your Trust Center. If the logo got there automatically, find out who put it there and on what authority.
The SOC logo isn’t a participation trophy. It’s a trademark with terms attached. Treat it that way before someone makes you.
Want to display the official SOC logo? The form is available in the AICPA CIMA resource library (you need to create a free account first).