Most early-stage SaaS companies treat SOC 2 as something they will deal with later — when a customer demands it. By then, they are paying a consulting firm $40,000 to retrofit compliance onto a system that was never designed for it. The same compliance posture, built in from the start, costs a fraction of that.
SOC 2 is an attestation framework, not a prescriptive standard. The American Institute of CPAs (AICPA) Trust Services Criteria define what you need to achieve, not how. This flexibility is a feature — you can satisfy the criteria in ways that fit your architecture — but it also means there is no cookbook. This guide is the cookbook.
The Five Trust Services Criteria
SOC 2 audits can cover up to five criteria: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory for any SOC 2 report. Most SaaS companies pursuing their first SOC 2 add Availability and Confidentiality. Processing Integrity is relevant for data processing services. Privacy (based on AICPA GAPP) is complex and usually deferred to a second audit cycle.
| Criterion | What It Covers | Typical Evidence | Priority |
|---|---|---|---|
| Security (CC) | Logical and physical access controls, risk assessment, monitoring | Access logs, vulnerability scans, pen test reports | Required |
| Availability (A) | System uptime, performance, disaster recovery | Uptime metrics, DR test results, incident logs | Common add-on |
| Confidentiality (C) | Protection of confidential information | Data classification, encryption evidence, NDA records | Common add-on |
| Processing Integrity (PI) | Complete, accurate, timely processing | Processing logs, error rate metrics, reconciliation records | Situational |
| Privacy (P) | Personal information collection and use | Privacy notices, consent records, retention schedules | Usually deferred |
Infrastructure Controls That Need Day-One Architecture
Some SOC 2 controls are easy to retrofit. Documenting a policy takes an afternoon. Others require architectural decisions that are expensive to change after the fact. Know which is which before you start building.
- Encryption at rest: Every data store that holds customer data must be encrypted. Design this into your storage layer from the start. Retrofitting encryption onto an existing unencrypted database requires migration.
- Encryption in transit: All inter-service communication must use TLS 1.2+. Design your service mesh or API gateway with TLS termination from the start.
- Access logging: Every access to customer data must be logged with who, what, and when. This requires your data access layer to emit structured audit events. Retrofitting this into an ORM or query layer is painful.
- Principle of least privilege: IAM roles with minimal permissions. If you start with overly permissive roles, scoping them down later will break things.
- Multi-factor authentication: Required for all production access. Design your access management to enforce MFA — do not make it optional.
- Data segregation: Customer data must be logically or physically separated per tenant. Multi-tenant architectures that mix data are expensive to remediate.
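As an added example (not code from the original article), a tenant-scoped data access layer in Python that implements the access-logging and data-segregation items above: every customer-data read emits a structured who/what/when/outcome event, a cross-tenant read is refused but still logged, and the events are hash-chained so an altered or deleted entry is detectable. The record store, tenant ids and actor names are constructed sample data.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample store (record id -> owning tenant, payload); not real data.
RECORDS = {
    "rec-1": ("tenant-a", {"email": "alice@example.com"}),
    "rec-2": ("tenant-b", {"email": "bob@example.com"}),
}


class AuditLog:
    """Append-only audit trail; each entry carries the SHA-256 of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        event = dict(fields, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        body = json.dumps(event, sort_keys=True)
        event["hash"] = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append(event)

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if body["prev"] != prev or entry["hash"] != digest:
                return False
            prev = entry["hash"]
        return True


class CustomerRepository:
    """Data access layer scoped to one tenant; every read is logged, allowed or not."""
    def __init__(self, audit, tenant_id, actor):
        self.audit, self.tenant_id, self.actor = audit, tenant_id, actor

    def get_record(self, record_id):
        owner, payload = RECORDS.get(record_id, (None, None))
        allowed = owner == self.tenant_id
        # Who (actor), what (action + resource), when (ts), and the outcome.
        self.audit.append(actor=self.actor, action="read", resource=record_id,
                          tenant=self.tenant_id, outcome="allowed" if allowed else "denied")
        if not allowed:
            raise PermissionError(f"{record_id} is not in tenant {self.tenant_id}")
        return payload
```

Ship `AuditLog.entries` as JSON lines to the centralized log store; the `prev`/`hash` fields let a reviewer re-run `verify()` over the exported file during the audit period.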
Processes That Need to Be Running Before the Audit Period
Evidence collection for SOC 2 Type II requires showing consistent execution of controls over time, typically 6-12 months. Processes that need to be running before your audit period starts include:
- Vulnerability management: regular scanning and documented remediation.
- Security incident response: a documented process with evidence of execution.
- Access reviews: quarterly review and certification of who has access to what.
- Change management: evidence that code changes were reviewed and approved.
- Vendor risk management: documented assessment of your critical vendors.
The auditor will ask for evidence from across the audit period, not just from the date of the audit. A vulnerability scan run the week before the audit covers nothing. A vulnerability scan run monthly for twelve months with documented remediation of findings is the evidence the auditor needs.
Day-One SOC 2 Implementation Roadmap
Tools like Vanta, Drata, Secureframe, or Tugboat Logic automate evidence collection, monitor cloud configurations, and track control gaps. At $10-20K/year, they pay for themselves in audit prep time savings alone. Start this on day one — they begin collecting evidence immediately.
SOC 2 auditors want to see that your infrastructure configuration is version-controlled, reviewed, and consistently applied. Terraform or Pulumi with a code review process satisfies this. Ad-hoc console changes that cannot be audited do not.
All production logs — application, infrastructure, access — must flow to a centralized, tamper-evident log store. AWS CloudTrail, GCP Audit Logs, or Azure Monitor are the starting point. Add application-level audit events for all customer data access.
SOC 2 requires documented policies and procedures. Write them as you implement the controls, not retrospectively. A 2-page access control policy written while you set up IAM is far more accurate than a policy written from memory six months later.
At three months, run a gap assessment against the criteria you are pursuing. Use your GRC tool's gap report or hire a security consultant for a half-day assessment. Identify what is not in place, and prioritize. You still have time to close gaps before the audit period evidence matters.
CPA firms that perform SOC 2 audits vary significantly in price, speed, and expertise. Get three quotes. Evaluate their experience with your tech stack and company stage. Boutique firms that specialize in SaaS often move faster and cost less than Big Four.
Type I vs Type II: The Practical Difference
SOC 2 Type I attests that controls are suitably designed at a point in time. Type II attests that controls operated effectively over a period (typically 6-12 months). Most enterprise customers require Type II. Type I is a stepping stone — useful to show progress to prospects while you accumulate Type II evidence. Do not let vendors or consultants sell you on Type I as a destination.
“Every month you delay implementing compliance controls is a month you cannot use as SOC 2 evidence. Time is the one thing money cannot replace in this process.”