BastionSec
Attestation · AICPA SOC 2

SOC 2: what your US enterprise clients require. We get you attestation-ready.

Readiness, mapping to the Trust Services Criteria, evidence collection and coordination with the CPA who signs the report. We don't sign it, and that's exactly what makes it valid.

  • The report is signed by an independent CPA, not by us.
  • SOC 2 is an AICPA attestation, not a certification.
  • Type II requires an observation period (typically 3-12 months).

Who SOC 2 is for

The right document for the right market: the US.

SaaS with a US client

A US enterprise client sent you a security questionnaire or a 'SOC 2 required' contract clause.


Selling into the US

You realised SOC 2 is the trust passport there, and you want to unblock the conversations.

What SOC 2 is

The right document, not the wrong one

You want the right document for the right market (the US), without doing the wrong thing: ISO 27001 carries more weight in the EU, and a SOC 2 report does not replace it there.

What SOC 2 is (and why it's an attestation, not a certification)

SOC 2 is an attestation report issued by a licensed US CPA firm under the AICPA attestation standards (SSAE 18, AT-C section 205). It assesses a service organisation's controls against the Trust Services Criteria (TSC): Security (the Common Criteria, always in scope) plus, optionally, Availability, Processing Integrity, Confidentiality and Privacy.

We call it an attestation because that's the technical truth, and because anyone who calls it a 'certification' gets caught instantly by your client's CISO.

Want to understand what it is and the difference between Type I and Type II first? Read the SOC 2 guide on our standard page.

Type I or Type II?

The difference drives the timeline. It often makes sense to start with a Type I to unblock quickly, then aim for Type II. We tell you which one you actually need, and when, after a first conversation.

Type I

Assesses whether controls are suitably designed and in place as of a specific date. Faster, but a weaker signal: it says nothing about whether the controls actually operated.

Type II

Assesses the operating effectiveness of controls over an observation period (typically 3-12 months): the CPA tests samples from that window and reports any exceptions. This is what enterprise clients actually ask for.

Who does what: us and the CPA

We don't sign the SOC 2 report: an independent CPA does. That separation is what gives the attestation its value with your clients.

Us (BastionSec)

Readiness assessment, mapping controls to the TSC, defining controls, collecting and organising evidence (AI-accelerated, expert-validated), exam preparation.

CPA (independent third party)

Conducts the attestation examination and signs the SOC 2 report.

What you get along the way

  • Readiness assessment and selection of relevant TSC (Security + optional).
  • Mapping controls ↔ Trust Services Criteria.
  • Implementing/tuning the missing controls.
  • Collecting and organising evidence (AI-accelerated, expert-validated).
  • Coordinating with the CPA who runs the exam and signs the report.
  • Cyclical report refresh: a SOC 2 report covers a fixed period, so clients expect a new one each year, and the controls and evidence have to keep running in between.

How long it really takes

  1. Readiness: depends on your starting point

     Getting controls and evidence in place before the exam.

  2. Type I: exam at a specific date

     The exam happens once the design of controls is ready (point-in-time).

  3. Type II: observation period of 3-12 months

     Controls must actually operate throughout the period before the CPA can issue the report.

Anyone promising 'SOC 2 in 3 months' without distinguishing Type I/II is only telling you the readiness part. We tell you the whole story.

What it costs

For SOC 2, pricing is on request: it depends on the TSC in scope, Type I vs Type II and your readiness. We give you an indicative range after a first conversation, transparently.

The CPA who signs the report has a separate fee from our readiness work: we explain that clearly. See the pricing page.

Does SOC 2 work in Europe?

SOC 2 is the language of the US. In the EU, clients usually ask for ISO 27001 and care about GDPR. If you sell on both sides of the ocean, a combined strategy often makes sense: we design it so you don't pay twice for the same work.

ISO 27001 for the EU

In the EU it's the common language of security. We combine the paths without duplicating work.


EU Compliance

GDPR and, where needed, NIS2/DORA for those selling or operating in Italy/the EU.


Frequently asked

Is SOC 2 a certification?

No: it's an attestation issued by a CPA under AICPA standards. There's no 'SOC 2 certificate'. Calling it a certification is the mistake that costs you credibility with a technical buyer.

Do I need Type I or Type II?

It depends on what your client asks for and how much time you have. Type I unblocks faster (it covers control design at a point in time); Type II is the stronger signal but needs an observation period in which the controls actually operate. Often you start with a Type I and move to a Type II once the observation period has run.

How long is the Type II observation period?

Typically 3-12 months: the window during which controls must actually operate before the CPA issues the report. It can't be compressed to zero: anyone claiming otherwise isn't talking about a Type II.

Who signs the report?

An independent US CPA, not us. We get you ready and coordinate the exam; the signature of an independent third party is what makes the report valid.

Does SOC 2 work in the EU?

It's built for the US market. In the EU, clients usually ask for ISO 27001 and care about GDPR. If you sell into both, we help you combine the paths without duplicating work.

Do you use AI for evidence? Is it reliable for the CPA?

AI speeds up collecting and organising evidence; an expert validates everything before it reaches the CPA. The CPA tests the underlying artefacts (configurations, logs, tickets, access reviews), so the evidence has to be real and verifiable: that is its only value.

Which Trust Services Criteria do I need?

Security is mandatory; the others (Availability, Processing Integrity, Confidentiality, Privacy) are added based on what you promise clients. After a first conversation we set the right scope, without inflating it.

Do you guarantee the attestation?

No: the outcome depends on an independent CPA's examination. We get you ready and maximise your chances, but a guarantee would undermine the very independence that gives the report its value.

Go deeper

What SOC 2 is

The guide to the standard: AICPA attestation, Trust Services Criteria, Type I vs Type II.


ISO 27001

The certification your EU clients ask for: comparison and a combined EU/US strategy.


Our method

The facilitator model and our readiness approach, from initial assessment to maintenance.


Deal stuck on SOC 2? Let's unblock it.

Tell us your need: we figure out whether you need Type I or Type II and how long it really takes.