MongoDB Atlas and Atlas For Government provide features that can help you design architectures that support your organization's System and Organization Controls (SOC) 2 Type II objectives across the Trust Services Criteria, including Security, Availability, Processing Integrity, Confidentiality, and Privacy.
If you are an enterprise architect responsible for high-level governance, security, and compliance decisions, use this page to understand how MongoDB Atlas capabilities support your SOC 2 Type II program. This page does not provide legal advice and does not replace your own governance, risk, and compliance (GRC) processes.
Important
For information about MongoDB's attestation reports, contracts, and legal commitments, see:
SOC 2 Type II
SOC 2 Type II evaluates the design and operating effectiveness of a service organization's controls.
The assessment is structured around the Trust Services Criteria (TSC):
Security
Availability
Processing Integrity
Confidentiality
Privacy
Using MongoDB Atlas or Atlas For Government does not, by itself, make your organization SOC 2 Type II compliant. Instead, MongoDB Atlas provides platform capabilities that you can incorporate into a broader control framework that spans your applications, processes, and people.
SOC 2 Type II Reports
For up-to-date details on MongoDB's SOC 2 Type II posture, including the current report period and scope, you should use the MongoDB Trust Center resources, not this page. MongoDB Atlas (Commercial environment) and Atlas For Government each have their own SOC 2 Type II report that covers the specific controls and configurations relevant to each environment.
To request the current SOC 2 Type II report:
Existing customers: Request from the MongoDB Customer Trust Portal.
Prospective customers: Contact the MongoDB Sales team.
To receive a SOC 2 Type II report, you must either be a current customer of MongoDB or enter into an NDA with us.
Choosing MongoDB Atlas or Atlas For Government
MongoDB Atlas is available in two main managed environments, each covered by its own SOC 2 Type II report.
MongoDB Atlas (Commercial Environment)
Fully managed multi-cloud developer data platform for a broad range of commercial workloads.
Covered by the MongoDB Atlas SOC 2 Type II report.
May be appropriate when:
You do not require a FedRAMP-authorized environment.
Your data residency and regulatory requirements can be satisfied with the commercial MongoDB Atlas regions and controls.
You want to standardize on a single global MongoDB Atlas footprint across business units.
Most links and examples in the Atlas Architecture Center, including this page, focus on commercial MongoDB Atlas configurations.
Atlas For Government
A separate, isolated MongoDB Atlas environment deployed and managed specifically for U.S. public sector and related regulated workloads.
Covered by a dedicated SOC 2 Type II report and additional public-sector compliance frameworks.
Typically appropriate for organizations with:
U.S. government hosting, connectivity, or personnel screening requirements.
FedRAMP or similar framework requirements in addition to SOC 2 Type II.
Policy or regulation that requires a segregated environment for government workloads.
For configuration guidance that is specific to Atlas For Government, see the Atlas For Government documentation.
Relevant MongoDB Atlas Features
This section highlights MongoDB Atlas features that can support each Trust Services Criterion and points you to detailed Atlas Architecture Center guidance. It does not prescribe a complete control set. Organizations can evaluate how to map these capabilities into their own SOC 2 Type II control descriptions and test procedures.
Security (Access Control and Network Security)
Concept: The system is protected against unauthorized access, both physical and logical.
The following relevant MongoDB Atlas guidance and features apply:
Identity and authentication
Guidance for Atlas Authentication covers:
MongoDB Atlas UI authentication
Database authentication
MongoDB Atlas Administration API authentication
Federated authentication (SSO)
AWS IAM role authentication
Multi-factor authentication (MFA)
X.509 client certificates
SCRAM password authentication
Secrets management
Authorization and least privilege
Guidance for Atlas Authorization covers:
Role-based access control (RBAC)
Built-in roles and custom roles
Just-in-time access for time-bound database users
Network security and isolation
Guidance for Atlas Network Security covers:
Mandatory TLS/SSL encryption
IP access lists
Private endpoints (AWS PrivateLink, Azure Private Link, GCP Private Service Connect)
VPC/VNet peering and network isolation patterns
When you document Security controls for SOC 2 Type II, you can reference how these capabilities enforce strong authentication, authorization, and network boundaries for MongoDB Atlas control plane and data plane access.
Confidentiality and Privacy (Data Protection and Encryption)
Concept: Information designated as confidential is protected, and personal information is collected, used, retained, disclosed, and destroyed in accordance with privacy commitments.
The following relevant MongoDB Atlas guidance and features apply:
Encryption in transit, at rest, and in use
Guidance for Atlas Data Encryption covers:
Encryption in transit (TLS)
Encryption at rest using cloud provider disk encryption (AES-256)
Encryption at rest with customer key management (BYOK/CMK via KMS)
Encryption in use via Queryable Encryption and Client-Side Field Level Encryption (CSFLE)
Backups and retention
Guidance for Atlas Backups covers:
Snapshot and backup retention configurations
Continuous cloud backups
Backup compliance policies (for write-once-read-many-style retention and protection against deletion)
In your SOC 2 Type II control descriptions, you can map these capabilities to controls that address confidentiality of data at rest and in transit, cryptographic key management, backup protection, and data lifecycle management aligned with your own retention and privacy policies.
Availability (High Availability, Disaster Recovery, and Backups)
Concept: The system is available for operation and use as committed or agreed.
The following relevant MongoDB Atlas guidance and features apply:
High availability architecture
Guidance for Atlas High Availability covers:
Replica set architectures and automatic failover
Cluster sizing and deployment patterns to meet availability targets
Disaster recovery and RTO/RPO
Guidance for Atlas Disaster Recovery covers:
Defining and validating Recovery Time Objective (RTO)
Defining and validating Recovery Point Objective (RPO)
DR patterns using regional redundancy and backup-based recovery
Backups and snapshot distribution
Guidance for Atlas Backups covers:
Scheduled cloud backups and continuous backups
Multi-region snapshot distribution and restore strategies
Scalability and capacity
Guidance for Atlas Scalability covers:
Vertical and horizontal scaling (sharding and tier changes)
Auto-scaling of compute and storage
Data tiering and archival strategies
Deployment-paradigm-aware recommendations
For SOC 2 Type II Availability controls, organizations can combine MongoDB Atlas configuration (for example, multi-region architectures, backup policies, maintenance windows) with their own incident response and DR runbooks.
Processing Integrity (Auditing, Monitoring, and Logging)
Concept: System processing is complete, accurate, timely, and authorized.
The following relevant MongoDB Atlas guidance and features apply:
Database auditing
Guidance for Atlas Auditing covers:
Enabling database auditing on M10+ clusters
Creating and refining audit filters
Recommended audit events (e.g., authentication, privilege changes, schema changes)
Logging and access to audit data
Guidance for Atlas Logging covers:
Downloading and streaming MongoDB logs and audit logs
Programmatic export of logs (for example, to S3 or SIEM platforms)
Integration points for additional analysis
Monitoring and alerts
Guidance for Atlas Monitoring and Alerts covers:
Key metrics and dashboards (performance, resource utilization, replication)
Recommended alert configurations
Integration with external monitoring and incident management tools
Automation examples for alert policies
In a SOC 2 Type II context, these capabilities typically support controls around:
Monitoring correctness and timeliness of processing.
Detecting and investigating anomalous activity.
Enforcing change control and segregation of duties through audit evidence.
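As an added illustration of the audit filter and audit-evidence points above (this is example code written for this page, not MongoDB's own tooling or Atlas functionality), the following script builds an audit filter document for the three recommended event classes (authentication, privilege changes, schema changes) and runs the same classification over a few constructed audit-log lines to produce a summary a reviewer could attach as control evidence. The event type names and the `result` codes follow the MongoDB audit log format; the sample lines, the IP addresses, the user names, and the failed-login threshold of three are constructed assumptions.

```python
"""Added example for this page (not MongoDB's code): build an audit filter for
the recommended SOC 2 event classes and summarize constructed audit-log lines.

Assumptions: event names are MongoDB audit log 'atype' values; 'result' 0 is
success and 18 is authentication failure, as in the MongoDB audit log format.
The sample log lines and the failure threshold are constructed for the demo.
"""
import json
from collections import Counter

# Control area -> MongoDB audit 'atype' values that evidence it.
AUDIT_EVENT_CLASSES = {
    "authentication": ["authenticate"],
    "privilege_changes": [
        "createUser", "dropUser", "grantRolesToUser", "revokeRolesFromUser",
        "createRole", "updateRole", "dropRole",
    ],
    "schema_changes": [
        "createCollection", "dropCollection", "createIndex", "dropIndex",
        "createDatabase", "dropDatabase",
    ],
}

AUTH_FAILED = 18  # MongoDB 'result' code for a failed authentication attempt

# Constructed sample audit-log lines (same field layout as a MongoDB audit log).
SAMPLE_AUDIT_LINES = [
    '{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:00Z"},"remote":{"ip":"203.0.113.5","port":50000},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:02Z"},"remote":{"ip":"203.0.113.5","port":50001},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-01-01T10:00:04Z"},"remote":{"ip":"203.0.113.5","port":50002},"users":[],"roles":[],"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
    '{"atype":"authenticate","ts":{"$date":"2024-01-01T10:01:00Z"},"remote":{"ip":"198.51.100.7","port":50100},"users":[],"roles":[],"param":{"user":"dbadmin","db":"admin","mechanism":"SCRAM-SHA-256"},"result":0}',
    '{"atype":"createUser","ts":{"$date":"2024-01-01T10:02:00Z"},"remote":{"ip":"198.51.100.7","port":50100},"users":[{"user":"dbadmin","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"report","db":"admin","roles":[{"role":"read","db":"sales"}]},"result":0}',
    '{"atype":"grantRolesToUser","ts":{"$date":"2024-01-01T10:03:00Z"},"remote":{"ip":"198.51.100.7","port":50100},"users":[{"user":"dbadmin","db":"admin"}],"roles":[{"role":"userAdminAnyDatabase","db":"admin"}],"param":{"user":"report","db":"admin","roles":[{"role":"readWrite","db":"sales"}]},"result":0}',
    '{"atype":"createIndex","ts":{"$date":"2024-01-01T10:04:00Z"},"remote":{"ip":"198.51.100.7","port":50100},"users":[{"user":"dbadmin","db":"admin"}],"roles":[],"param":{"ns":"sales.orders","indexName":"customer_1","indexSpec":{"customer":1}},"result":0}',
    '{"atype":"authCheck","ts":{"$date":"2024-01-01T10:05:00Z"},"remote":{"ip":"198.51.100.7","port":50100},"users":[{"user":"dbadmin","db":"admin"}],"roles":[],"param":{"command":"find","ns":"sales.orders"},"result":0}',
]


def build_audit_filter(classes=AUDIT_EVENT_CLASSES):
    """Return the audit filter document (MongoDB filter syntax) that keeps only
    the recommended event types; this is the shape used for an audit filter."""
    atypes = sorted({a for group in classes.values() for a in group})
    return {"atype": {"$in": atypes}}


def matches_filter(event, audit_filter):
    """Apply a {"atype": {"$in": [...]}} filter to one parsed event locally."""
    return event.get("atype") in audit_filter["atype"]["$in"]


def classify(event, classes=AUDIT_EVENT_CLASSES):
    """Return the control area an event evidences, or None if unclassified."""
    for name, atypes in classes.items():
        if event.get("atype") in atypes:
            return name
    return None


def summarize_audit_log(lines, failure_threshold=3):
    """Parse JSON audit lines, count events per control area, list privilege
    changes with their actor, and flag source IPs at or above the threshold
    of failed authentications."""
    counts = Counter()
    failures_by_ip = Counter()
    privilege_events = []
    audit_filter = build_audit_filter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if not matches_filter(event, audit_filter):
            continue  # the audit filter would not have recorded this event
        area = classify(event)
        counts[area] += 1
        if area == "authentication" and event.get("result") == AUTH_FAILED:
            failures_by_ip[event["remote"]["ip"]] += 1
        if area == "privilege_changes":
            actor = ",".join(u["user"] for u in event.get("users", [])) or "<none>"
            privilege_events.append((event["atype"], actor, event["param"].get("user", "")))
    flagged = sorted(ip for ip, n in failures_by_ip.items() if n >= failure_threshold)
    return {"counts": dict(counts), "flagged_ips": flagged,
            "privilege_events": privilege_events}


if __name__ == "__main__":
    print(json.dumps(build_audit_filter(), indent=2))
    print(json.dumps(summarize_audit_log(SAMPLE_AUDIT_LINES), indent=2))
```

The filter document is what you would refine as the page suggests; the summary shows the evidence it yields (who changed privileges for whom, and which source IP accumulated failed logins), which is the kind of artifact a segregation-of-duties or anomalous-activity control would cite.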