SOC 2 · Type I & II

SOC 2 reports your customers actually trust.

Move from spreadsheet readiness to a live, mapped control library with continuous evidence and audit-defensible packages — without slowing engineering down.

  • All 61 TSC criteria and 200+ points of focus, mapped
  • 40+ integration sources
  • Big 4 and boutique auditor compatible

Trust Services Criteria

The five categories, one operating model

Toggle the categories your customers ask for. Each criterion ships with starter controls, evidence templates, and integration mappings.

  • CC · Common Criteria (Security, required in every report) · 33 criteria
  • A · Availability · 3 criteria
  • C · Confidentiality · 2 criteria
  • PI · Processing Integrity · 5 criteria
  • P · Privacy · 18 criteria

Why programs stall

Four failure modes we see every quarter

01

Drift between narrative and reality

Control descriptions stay frozen while engineering ships weekly. Auditors find gaps no one in security knew existed.

02

Evidence scattered across tools

Screenshots in tickets, exports in drives, attestations in email. Reproducing a single sample takes half a day.

03

Auditor sample requests cascade

A single PBC item triggers four engineering pages. Velocity collapses for the duration of fieldwork.

04

Leadership distrusts the dashboard

Compliance shows green while security alerts fire. The board stops believing the report before fieldwork starts.

Operating workflow

From kickoff to defensible report

The same four phases run every period — automation, not heroics.

  1. Phase 01 · Day 1–7

    Map TSC into a live control library

    Import the 2017 Trust Services Criteria, assign owners, set evidence frequency, and tag each control with the systems it depends on.

  2. Phase 02 · Day 7–21

    Wire continuous evidence collectors

    AWS, GitHub, Okta, Jamf, and your SIEM push posture every 24h. Manual attestations only fill the gaps integrations cannot reach.

  3. Phase 03 · Ongoing

    Reconcile contradictions weekly

    When telemetry disagrees with a passing control — say, a failed access review while CC6.1 reports green — a task opens automatically.

  4. Phase 04 · Period close

    Freeze the audit package

    Lock evidence at the period end. Export hash-stamped bundles your CPA can ingest without sending us a single follow-up.

Live evidence engine

Posture moves the moment the system does

Every integration writes to the same evidence ledger. Controls inherit status from telemetry, not from the last screenshot someone uploaded.

  • Hash-stamped artifacts with chain of custody
  • Drift detection on every framework cycle
  • Sample selection auditors can reproduce
  • Period freeze without losing live data
Continuous evidence · last 24h · auto-collected
  • AWS Config · CC6.1 · IAM password policy enforces 12+ char minimum
  • GitHub · CC8.1 · Branch protection on main: 2 reviewers required
  • Okta · CC6.3 · 3 dormant accounts pending deactivation
  • Jamf · CC6.7 · 98.4% endpoint disk encryption coverage
  • Datadog · CC7.2 · Alerting on 100% of critical service health checks
  • Linear · CC8.1 · 1 emergency change missing post-deploy review
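As an added illustration of the mechanics behind Phase 03 (reconcile contradictions) and the evidence ledger and period freeze described above, the Python sketch below is not BNB Infinite GRC code and assumes no product API. It shows a control inheriting "fail" from any failing telemetry record, a task opening when a manual attestation says "pass" while telemetry for the same control says "fail", and a period freeze that hash-stamps each record and chains the hashes so an auditor can re-verify the bundle offline. The `Evidence` record, the `manual` flag and the SHA-256 chaining scheme are assumptions; the ledger contents are constructed to mirror the panel above.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Evidence:
    """One ledger record. 'manual' marks a human attestation rather than telemetry (assumed schema)."""
    source: str
    control: str
    finding: str
    passed: bool
    collected_at: str  # ISO-8601 UTC timestamp
    manual: bool = False


# Constructed sample ledger: the "last 24h" panel above plus one manual attestation for CC6.3.
SAMPLE_LEDGER = [
    Evidence("AWS Config", "CC6.1", "IAM password policy enforces 12+ char minimum", True, "2024-05-01T02:00:00Z"),
    Evidence("GitHub", "CC8.1", "Branch protection on main: 2 reviewers required", True, "2024-05-01T02:05:00Z"),
    Evidence("Okta", "CC6.3", "3 dormant accounts pending deactivation", False, "2024-05-01T02:10:00Z"),
    Evidence("Jamf", "CC6.7", "98.4% endpoint disk encryption coverage", False, "2024-05-01T02:15:00Z"),
    Evidence("Datadog", "CC7.2", "Alerting on 100% of critical service health checks", True, "2024-05-01T02:20:00Z"),
    Evidence("Linear", "CC8.1", "1 emergency change missing post-deploy review", False, "2024-05-01T02:25:00Z"),
    Evidence("Access review owner", "CC6.3", "Q2 access review signed off, no exceptions", True,
             "2024-04-30T17:00:00Z", manual=True),
]


def control_status(ledger):
    """A control is 'pass' only if every record for it passed; one failing record fails the control."""
    status = {}
    for rec in ledger:
        prev = status.get(rec.control, "pass")
        status[rec.control] = "pass" if rec.passed and prev == "pass" else "fail"
    return status


def contradictions(ledger):
    """Open a reconciliation task when a manual 'pass' attestation disagrees with failing telemetry."""
    telemetry_fail = {r.control: r for r in ledger if not r.manual and not r.passed}
    tasks = []
    for rec in ledger:
        if rec.manual and rec.passed and rec.control in telemetry_fail:
            t = telemetry_fail[rec.control]
            tasks.append({"control": rec.control, "attestation": rec.finding,
                          "telemetry": f"{t.source}: {t.finding}", "action": "reconcile"})
    return tasks


def _record_hash(rec):
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes the same way.
    canonical = json.dumps(asdict(rec), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def freeze_period(ledger, period):
    """Hash-stamp each record and chain the hashes; editing or dropping any record changes the head."""
    prev = hashlib.sha256(period.encode()).hexdigest()  # genesis value tied to the period label
    entries = []
    for seq, rec in enumerate(sorted(ledger, key=lambda r: (r.collected_at, r.source))):
        rh = _record_hash(rec)
        prev = hashlib.sha256((prev + rh).encode()).hexdigest()
        entries.append({"seq": seq, "source": rec.source, "control": rec.control,
                        "record_sha256": rh, "chain_sha256": prev})
    return {"period": period, "entries": entries, "head_sha256": prev,
            "control_status": control_status(ledger)}


def verify_bundle(manifest, ledger):
    """Auditor-side check: rebuild the chain from the supplied records and compare with the frozen head."""
    rebuilt = freeze_period(ledger, manifest["period"])
    return rebuilt["head_sha256"] == manifest["head_sha256"] and rebuilt["entries"] == manifest["entries"]


if __name__ == "__main__":
    print(control_status(SAMPLE_LEDGER))
    print(contradictions(SAMPLE_LEDGER))
    bundle = freeze_period(SAMPLE_LEDGER, "2024-Q2")
    print(bundle["head_sha256"], verify_bundle(bundle, SAMPLE_LEDGER))
```

On the sample ledger CC8.1 fails because the Linear record fails even though the GitHub record passes, and CC6.3 opens a task because the signed-off access review contradicts Okta's dormant-account finding. The chain is built over records sorted by collection time, so a bundle re-verifies regardless of the order the auditor receives the files in, but any altered or missing record produces a different head.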

Path to attestation

Predictable stages, deliverables at every step

Stage 1

Gap assessment

2–4 weeks
  • Control inventory
  • Evidence baseline
  • Owner assignments
Stage 2

Remediation

4–10 weeks
  • Policy publication
  • Integration coverage
  • Process documentation
Stage 3

Type I attestation

2 weeks fieldwork
  • Point-in-time report
  • Auditor walkthrough
  • Customer-facing summary
Stage 4

Type II observation

3–12 month window
  • Continuous evidence
  • Sample populations
  • Exception register

“We finished Type II fieldwork in nine days. The package walked itself — our auditor opened the export and never asked us to reproduce a single sample.”

VP Security, Series C SaaS · 380 employees

FAQ

What teams ask before kickoff

How long does a SOC 2 program typically take?

Customers using BNB Infinite GRC reach Type I in 8–14 weeks. The Type II observation window then runs 3–12 months depending on your scope.

Can we reuse this work for ISO 27001 or HIPAA?

Yes. Controls are stored once and mapped to multiple frameworks. Most customers reuse 60–80% of SOC 2 evidence for ISO 27001.

What about our existing auditor?

We are auditor-agnostic. Export packages match the format your CPA firm requests, and we have walkthrough partners at Big 4 and boutique firms.

Do you support the Trust Services categories beyond Security?

All five categories are supported (Security, Availability, Confidentiality, Processing Integrity, Privacy). Toggle scope per audit period.

See SOC 2 readiness in your environment

Walk through TSC mapping, integrations, and ownership models with a solutions engineer.