Compliance Framework

The certification every enterprise buyer requires from their technology vendors.

SOC 2 is the AICPA’s framework for technology companies that handle customer data. We guide you from your first gap assessment to your certified Type 1 or Type 2 report — and stay through every annual renewal cycle after.

Timeline

10–12 weeks (Type 1) · 6–12 months (Type 2)

What you get

SOC 2 Type 1 or Type 2 certified report

Assigned to

Senior advisor — not a junior

First pass rate

98% of clients pass their audit

Pricing

Fixed fee — agreed upfront

What is it

What is SOC 2?

SOC 2 is a voluntary compliance standard developed by the American Institute of Certified Public Accountants (AICPA). It defines criteria for how technology organisations manage and protect customer data across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

A SOC 2 certification is issued by an independent, AICPA-accredited CPA firm following a formal audit of your security controls. It provides your customers — particularly enterprise buyers — with independent, third-party confirmation that your organisation’s security programme is real, documented, and operating effectively. It is not self-certified. It cannot be purchased. It must be earned through an audit.

For technology companies selling to enterprise customers, SOC 2 has become effectively mandatory. Enterprise procurement, legal, and security teams require it before signing software contracts, adding vendors to their approved supplier lists, or processing sensitive data through third-party platforms. Without it, deals stall. With it, you remove the most common non-price obstacle in enterprise sales.

Why Clients Choose Us

The five Trust Services Criteria a SOC 2 audit can cover.

Security is the only mandatory Trust Services Criterion. The remaining four are included based on the commitments you make to your customers and what your enterprise buyers require. We scope the correct criteria for your specific customer base — not a generic selection.

Security — Common Criteria CC1 through CC9

The Security criterion covers the entire lifecycle of your information security programme: risk management, logical access controls, change management, system operations, and monitoring. Every SOC 2 engagement includes Security. It is assessed across nine control categories and is the area where most companies have the most gaps before their first engagement.

Availability

The Availability criterion applies to companies that have made uptime commitments to their customers — SLAs, uptime guarantees, or business continuity requirements written into contracts. It covers your monitoring infrastructure, incident management procedures, disaster recovery capabilities, and documented recovery time objectives. Required for most SaaS platforms with enterprise SLAs.

Confidentiality

The Confidentiality criterion applies to companies that handle information their customers designate as confidential — legal documents, financial data, HR records, intellectual property, or other sensitive business information. It covers data classification, encryption in transit and at rest, access controls for confidential data, and disposal procedures. Required for legal tech, HR tech, financial platforms, and similar categories.

Processing Integrity

The Processing Integrity criterion applies to companies where the accuracy and completeness of data processing is central to the customer relationship — payment processors, financial calculation engines, healthcare data processors, or any platform where incorrect processing has direct financial or clinical consequences. It covers input validation, processing accuracy, and output completeness.

Not sure which Trust Services Criteria your buyers require?

Different enterprise buyers have different requirements. Security is always required. Availability, Confidentiality, Processing Integrity, and Privacy depend on what your product does and what you have committed to your customers. We will tell you exactly which criteria your target market requires — at no cost.

Our Process

From gap assessment to SOC 2 certified — in a straight line.

Weeks 1–2
Gap Assessment & Scoping

We audit your existing security controls, policies, vendor relationships, and infrastructure against the SOC 2 Trust Services Criteria. We confirm your scope — the systems and services your SOC 2 report will cover — and deliver a detailed gap report with every finding classified by severity and a prioritised remediation roadmap with realistic timelines. This happens before any implementation work begins.

Weeks 3–8
Control Implementation

We work alongside your engineering and operations teams to build every control required for your SOC 2 scope. We write the policies, configure the technical controls, build the evidence collection workflows, and guide your team through implementation — so compliance work gets done without pulling your team off their primary responsibilities. We work around your sprint cycles and operational schedules.

Weeks 9–10
Readiness Testing

Before your formal audit begins, we conduct a full pre-audit assessment using the same procedures your auditor will use. We test every control for both design adequacy and operating effectiveness. Every gap found at this stage is closed before the auditor arrives. This is why 98% of our clients pass on the first attempt.

Audit Period
Audit Support

We manage the auditor relationship through the formal audit — from kick-off through fieldwork through report issuance. We triage auditor requests, review evidence before it is submitted, respond to findings on your behalf, and make sure your team is never blindsided by a question no one prepared you for.

Ongoing
Annual Renewal & Monitoring

SOC 2 certification is not a one-time event. Your Type 2 report covers a 12-month observation period, and enterprise buyers expect to see a new report every year. We stay engaged through every renewal cycle — monitoring controls, updating evidence, and ensuring your programme keeps pace with your product's growth.

Type Comparison

SOC 2 Type 1 vs. Type 2 — which report do you actually need?

Both SOC 2 Type 1 and Type 2 reports are issued by independent CPA firms. The difference is what they attest to — and how long the audit process takes.

SOC 2 Type 1 — point-in-time attestation

A Type 1 report attests that your security controls were suitably designed as of a specific date. It does not test whether those controls worked over time — only that they existed and were designed correctly at a point in time. Type 1 reports are typically issued 10–12 weeks after an engagement begins. They are accepted by most enterprise buyers as a first certification and are the right starting point for companies that need a report quickly for a specific deal.

SOC 2 Type 2 — operational effectiveness over time

A Type 2 report covers a 6–12 month observation period during which your controls are tested for operational effectiveness — not just design. Type 2 is the gold standard. It tells your customers that your security controls actually worked, consistently, over a meaningful period of time. Most enterprise buyers, and virtually all financial institutions and healthcare organisations, require Type 2 for a mature vendor relationship.

Our recommendation for most companies: begin a Type 1 engagement immediately and start your Type 2 observation period at the same time. You receive your Type 1 report in 10–12 weeks to close near-term deals, and your Type 2 report roughly 6–9 months later. Same advisory team. Same controls. No duplicated work.

FAQs

Common questions about our consultations.

If your question is not here, just email us — we will give you a straight answer.

What is SOC 2?

SOC 2 is a compliance standard developed by the AICPA that specifies how technology organisations should manage and protect customer data. It is based on five Trust Services Criteria. A SOC 2 certification is issued by an independent CPA firm following a formal audit — it cannot be self-certified. For technology companies selling to enterprise buyers, SOC 2 has become effectively mandatory before contracts are signed.

How long does SOC 2 certification take?

SOC 2 Type 1 certification typically takes 10–12 weeks from engagement kick-off to report issuance. SOC 2 Type 2 requires an additional 6–12 month observation period after your controls are implemented. Most companies run Type 1 and begin their Type 2 observation period simultaneously — receiving their Type 1 report in 10–12 weeks and their Type 2 report roughly 6–9 months later.

What is the difference between SOC 2 Type 1 and Type 2?

SOC 2 Type 1 attests that your security controls were suitably designed at a specific point in time. SOC 2 Type 2 covers a 6–12 month observation period and tests whether your controls operated effectively over time. Enterprise buyers prefer Type 2. For most companies, we recommend starting a Type 1 engagement immediately while beginning the Type 2 observation period simultaneously.

How much does SOC 2 cost?

SOC 2 costs have two components: advisory fees and independent audit fees. Audit fees from your CPA firm typically range from $8,000 to $25,000 depending on scope and firm. Advisory fees depend on the size and complexity of your environment. At SOC 2 Advisory, all engagements are fixed-fee — your total investment is agreed upfront before any work begins, with no hourly billing and no scope creep charges.

Do I need SOC 2 or ISO 27001?

SOC 2 is the primary standard required by North American enterprise buyers. ISO 27001 is required by European, Middle Eastern, and many Asia-Pacific enterprise buyers. If you are selling primarily in the US, start with SOC 2. For companies with international ambitions, most build SOC 2 first and layer ISO 27001 on top using shared controls — avoiding the duplicated effort of running them sequentially.

Get Started

Start your SOC 2 programme with a team that stays.

Book a free 30-minute consultation. A senior compliance advisor will give you an honest assessment of your current state, the right scope for your situation, and a realistic timeline and budget — before you commit to anything.

Related Services

The natural next steps after your gap assessment.

Advisory Service

SOC 2 Readiness Assessment

After remediation, confirm you are genuinely ready before your auditor arrives. Our readiness assessment runs the same tests your auditor will run.

Advisory Service

SOC 2 Audit Support

We stay with you through the formal audit — managing auditor requests, reviewing evidence, and handling every question until your report is issued.

Knowledge

SOC 2 for SaaS Companies

Built specifically for cloud-native SaaS companies selling to enterprise buyers. Cloud infrastructure scoping, IaC-native controls, and evidence workflows that do not pull your engineers off product.