SOC 2 Type II
Your SOC 2 report, 4–6 weeks from now.
SOC 2 is the trust report your enterprise customers ask for. We design the controls around your existing stack, automate evidence collection on AWS / Azure / GCP, draft every required policy, and walk you straight into your auditor's portal — all inside our platform.
What you get
Everything in your SOC 2 program
Built specifically for service organizations and SaaS.
- Trust Services Criteria mapped to your specific tech stack (Security required, plus Availability / Confidentiality / Processing Integrity / Privacy as needed)
- Continuous control monitoring — automated tests run hourly across cloud, code, identity, and device tooling
- Auditor-ready evidence collected and tagged automatically (no more screenshot scavenger hunts)
- All required policies drafted and version-controlled (Information Security, Acceptable Use, Incident Response, Change Management, BCP/DR, Vendor Management)
- Quarterly access reviews + vendor inventory + risk assessment workflows
- Direct intros to vetted, fixed-fee SOC 2 auditors (we have working relationships)
- In-platform auditor portal — your auditor reviews evidence directly, no email back-and-forth
- Type I report in ~6 weeks, Type II observation period (3–12 months) starts immediately after
Pricing
Fixed price. No annual contract.
Setup gets you to the report. The retainer keeps you compliant. Cancel any time.
One-time, fixed-fee
- Full SOC 2 program build
- Auditor introductions and prep
- 4–6 weeks to audit-ready
Cancel any time
- Continuous control monitoring
- Quarterly access reviews + risk refresh
- Drift remediation by our team
- Annual re-audit support included
Audit fees paid directly to your auditor (not marked up). We negotiate fixed-fee quotes from our auditor network.
Stack frameworks, save money
Reuse your SOC 2 work across other frameworks
Most controls overlap. Your second framework costs a fraction of the first.
SOC 2 questions, answered
We target ~6 weeks to Type I and start your Type II observation period the same week. Type II requires a 3–12 month observation period (you choose); enterprises typically expect 6 months. We've shipped Type I in as little as 4 weeks for greenfield SaaS on a clean cloud setup.
Type I attests that your controls are designed and in place at a specific point in time. Type II attests they actually operated effectively over a window (3–12 months). Most enterprise customers ask for Type II. If you need to move fast for a specific deal, start with Type I and run Type II in parallel.
Vanta and Drata sell you software and you do the work. We're a managed service — we wire your cloud accounts, write your policies, run your access reviews, and front-line your auditor. You own all the evidence and can switch providers any time; nothing is locked into a SaaS we control.
The audit is a separate fee paid to your auditor (we don't mark it up). Expect $12K–$25K for a Type I and $20K–$40K for a Type II from a reputable mid-market firm — we negotiate fixed-fee quotes from our auditor network so you know the number up front.
Yes — that's what the monthly retainer covers. Continuous control tests, evidence refresh, quarterly access reviews, vendor re-assessments, policy updates, and drift remediation. You stay audit-ready year-round, not just before the next audit.
You own all the evidence, policies, and tooling — they live in your cloud accounts and your repo, not ours. Cancel any time and walk away with everything. We hand you a transition packet and your next provider (or in-house team) picks up where we left off.
Ready to ship your SOC 2?
Tell us your timeline. We'll scope the work, give you a fixed price, and start this week.