
SOC 2 compliance.

SOC 2 Type II is the dominant attestation for B2B SaaS. We handle the penetration testing and technical control evidence your auditor expects under CC6 (logical access), CC7 (system operations), and CC8 (change management).


SOC 2 scope.

SOC 2 reports cover the Trust Services Criteria your business commits to (always Security; optionally Availability, Processing Integrity, Confidentiality, Privacy). Penetration testing is the most common technical evidence requested under CC7.1 (system monitoring) and CC7.2 (vulnerability mitigation). We’ve mapped our engagements to the AICPA Trust Services Criteria explicitly.

Trust Services Criteria we cover.

  • CC6.1 Logical access controls — tested via authentication and authorization findings
  • CC6.6 System boundary protection — external pen test evidence
  • CC6.7 Data in transit — TLS configuration analysis
  • CC6.8 Malicious code prevention — tested via payload delivery attempts
  • CC7.1 System monitoring — detection gap assessment
  • CC7.2 Vulnerability and incident management — pen test report + retest
  • CC8.1 Change management — pre/post-release testing

Auditor-ready deliverables.

  • Executive summary mapped to relevant TSCs
  • Full technical report with findings, severity, and remediation status
  • Customer-facing letter of attestation suitable for sharing with prospects
  • Retest evidence within 30 days
  • SOC 2 audit-ready evidence file structure

Compatible auditors.

Our reports have been accepted by major SOC 2 auditors including A-LIGN, Schellman, Sensiba San Filippo, BDO, and Drata-assisted compliance teams. We’ll happily liaise with your auditor pre-engagement to confirm coverage.

Make your auditor happy

Book a SOC 2 scoping call.

Free 30-minute call. Customer-facing letter of attestation included with every engagement.