33CC1–CC9
Security
Common criteria — required for every report
RequiredFramework · AICPA · TSC 2017 + 2022
SOC 2 — operated, not just attested.
Trust Services Criteria mapped to the controls you actually run, with evidence streaming from the integrations engineering already trusts. Walk into Type I or Type II with the package built.
Trusted by teams shipping to enterprise buyers
- NorthLogic
- Faro Cloud
- Helix.io
- Stratus
- Beacon AI
69TSC criteria across S/A/C/PI/P
8 wkMedian time to Type I
0Auditor reproduction asks*
40+Native evidence integrations
* across 12-month rolling cohort, 23 customers
Trust Services Criteria · 2017 + 2022
Five categories. Pick the scope your customers ask for.
Security is required. The remaining four toggle on per audit period.
7A1.1–A1.3
Availability
Performance and uptime commitments
6C1.1–C1.2
Confidentiality
Information designated as confidential
5PI1.1–PI1.5
Processing Integrity
Processing is complete, valid, accurate
18P1–P8
Privacy
Personal information lifecycle
Common Criteria · COSO-aligned
Nine principle groups, mapped to your operating model
Each CC group maps to specific platform modules — no orphan controls, no ambiguous ownership.
Control environment
Tone at the top, ethics, board oversight
Communication & info
Internal and external information flows
Risk assessment
Identification, analysis, response
Monitoring activities
Ongoing and separate evaluations
Control activities
Policies and procedures executed
Logical access
Provisioning, deprovisioning, MFA
System operations
Detection, response, change tracking
Change management
Authorize, develop, test, deploy
Risk mitigation
Vendor management, BIA, insurance
Type I vs Type II
Two reports. One control library. No duplicated work.
| Dimension | Type I | Type II |
|---|---|---|
| Period | Point in time | 3–12 month observation |
| Effort | 8–14 weeks | Continuous + 2-week fieldwork |
| Customer signal | Foundational trust | Operating excellence |
| Auditor sample | Configuration snapshot | Sampled population over period |
| Renewal | Optional | Annual |
Evidence engine
Four lanes, continuously fed
Each lane streams from integrations, populates the control matrix, and freezes at period-end.
Identity
4- IAM access reviews
- MFA enrollment
- Privileged session logs
- JML attestations
Change
4- Branch protection
- PR review requirements
- Change advisory minutes
- Emergency change log
Operations
4- Backup test results
- Incident response drills
- Capacity reviews
- Service-health postmortems
Vendor
4- Tier-1 SOC 2 reports
- Subprocessor list
- Renewal due diligence
- Critical-vendor BIA
From kickoff to report
Eight weeks to Type I when continuous evidence is on day one
Skip the 12-week paper-chase. Onboard, integrate, run dry-fieldwork, lock the package.
- Week 1–2Onboarding + scoping
- Week 3–5Integration + drift cleanup
- Week 6–7Walkthrough rehearsal
- Week 8Auditor fieldwork
8weeks
FAQ
Pre-kickoff questions
Type I or Type II first?
Most SaaS teams start with Type I to establish design effectiveness, then run a Type II observation window of 3, 6, or 12 months.
Which TSC categories should we pick?
Security is required. Availability and Confidentiality are common for SaaS. Privacy adds significant scope — only include if your customer questionnaire requires it.
Do you map to AICPA 2017 TSC?
Yes. We ship the full 2017 TSC plus the 2022 Privacy revisions. Custom additions and points of focus are supported.
Can we run SOC 2 alongside ISO 27001?
60–80% of evidence overlaps. Maintain one control library, map to both frameworks, and freeze separate audit packages.
See SOC 2 in your tenant
Map TSC, owners, and evidence — once. Reuse across audit periods, customer reviews, and adjacent frameworks.