SOC 2 is an AICPA attestation report proving your controls meet the Trust Services Criteria — the report enterprise buyers ask for before they sign.
B2B SaaS and cloud vendors whose customers trust them with data, and any startup stuck behind an enterprise security questionnaire.
The core of what SOC 2 asks you to put in place.
Type I readiness commonly runs a few months. Our productized SOC 2 in 75 Days compresses readiness, then Type II adds a three-to-twelve-month observation window.
We run SOC 2 readiness end to end — scoping the Trust Services Criteria, writing policies, implementing controls, and coordinating a vetted CPA auditor — packaged as SOC 2 in 75 Days with our partner Lorikeet Security.
See SOC 2 in 75 Days, or compare estimated SOC 2 cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.
No. SOC 2 is an attestation report issued by a licensed CPA firm against the AICPA Trust Services Criteria. There is no SOC 2 certificate; you receive a Type I or Type II report.
Type I assesses control design at a single point in time. Type II tests operating effectiveness across an observation window, usually three to twelve months.
Security, the Common Criteria, is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are added based on the commitments you make to customers.
Readiness commonly runs a few months. Our SOC 2 in 75 Days engagement compresses that, then Type II adds the observation window.
US buyers usually ask for SOC 2, while international and EU procurement often prefers ISO 27001. Many companies eventually do both from one control set.
Book a free discovery call. We will tell you whether SOC 2 fits, what it would take, and roughly what it would cost.