Compliance Framework

SOC 2 Compliance

SOC 2 is an AICPA attestation report proving your controls meet the Trust Services Criteria — the report enterprise buyers ask for before they sign.

Talk to us about SOC 2 SOC 2 in 75 Days

SOC 2 for Canadian startups · SOC 2 cost in CAD

Who needs SOC 2

B2B SaaS and cloud vendors whose customers trust them with data, and any startup stuck behind an enterprise security questionnaire.

Key SOC 2 requirements

The core of what SOC 2 asks you to put in place.

  • Security (the mandatory Common Criteria): access control, change management, and risk assessment
  • Availability: monitoring, capacity, backup and recovery
  • Confidentiality: data classification, encryption, retention and disposal
  • Processing Integrity: complete, accurate, and authorized processing
  • Privacy: notice, choice, and handling of personal information
  • Continuous evidence collection across the observation window

Typical timeline

Type I readiness commonly runs a few months. Our productized SOC 2 in 75 Days compresses readiness, then Type II adds a three-to-twelve-month observation window.

How we help with SOC 2

We run SOC 2 readiness end to end — scoping the Trust Services Criteria, writing policies, implementing controls, and coordinating a vetted CPA auditor — packaged as SOC 2 in 75 Days with our partner Lorikeet Security.

See SOC 2 in 75 Days, or compare estimated SOC 2 cost in CAD. Based in Toronto and led by a published CVE researcher, we deliver across Canada and the US with our partner Lorikeet Security.

Start the SOC 2 evidence collection →

SOC 2 questions

Is SOC 2 a certification?

No. SOC 2 is an attestation report issued by a licensed CPA firm against the AICPA Trust Services Criteria. There is no SOC 2 certificate; you receive a Type I or Type II report.

What is the difference between Type I and Type II?

Type I assesses control design at a single point in time. Type II tests operating effectiveness across an observation window, usually three to twelve months.

Which Trust Services Criteria do we need?

Security, the Common Criteria, is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are added based on the commitments you make to customers.

How long does SOC 2 take?

Readiness commonly runs a few months. Our SOC 2 in 75 Days engagement compresses that, then Type II adds the observation window.

Do we need SOC 2 or ISO 27001?

US buyers usually ask for SOC 2, while international and EU procurement often prefers ISO 27001. Many companies eventually do both from one control set.

Move on SOC 2 with a team that has done it

Book a free discovery call. We will tell you whether SOC 2 fits, what it would take, and roughly what it would cost.

Book a call Contact us