If you sell software to other businesses, sooner or later a prospect’s security team will ask for your SOC 2 report. For many startups that request is the first real forcing function to get a compliance program in place. This guide explains what SOC 2 is, what’s involved, and how long it really takes — without the jargon.

What is SOC 2?

SOC 2 is an attestation report produced by a licensed CPA firm. It describes the controls your company has in place to protect customer data, and — for a Type II report — provides the auditor’s opinion on whether those controls actually operated effectively over a period of time.

It is not a certification you pass or fail. It’s a report an independent auditor writes about your environment against a defined set of criteria, called the Trust Services Criteria. Your prospects read that report (usually under NDA) to decide whether they trust you with their data.

Type I vs. Type II

There are two flavors, and the difference matters:

  • Type I describes your controls at a single point in time. It answers: are the right controls designed and in place today? It’s faster to get and useful as a first milestone.
  • Type II covers a period — typically 3 to 12 months — and tests whether those controls operated effectively the whole time. It’s the report most enterprise buyers actually want.

A common path is to get a Type I first to unblock a deal, then run a Type II observation window and produce the stronger report a few months later. Many companies skip straight to a Type II with a short (e.g. 3-month) window.

The five Trust Services Criteria

SOC 2 is organized around five categories. Only Security (also called the “common criteria”) is required; the others are added to scope based on the commitments you make to your customers.

  • Security — protection against unauthorized access. Always in scope.
  • Availability — the system is available for operation as agreed (think uptime commitments).
  • Confidentiality — information designated confidential is protected.
  • Processing integrity — processing is complete, valid, accurate, and timely.
  • Privacy — personal information is handled in line with your privacy notice.

Most first-time startups scope Security only, sometimes adding Availability and Confidentiality. Adding criteria adds controls and evidence, so scope deliberately.

What controls do you actually need?

At a high level, auditors want to see that you manage access, protect data, monitor your systems, respond to incidents, manage vendors, and govern the whole thing with policies and reviews. In practice that looks like:

  • Access control: unique accounts, least privilege, MFA, and periodic access reviews.
  • Change management: code review, testing, and controlled deploys.
  • Encryption in transit and at rest.
  • Logging, monitoring, and alerting.
  • Vulnerability management and patching.
  • Backups and a tested recovery plan.
  • Vendor/third-party risk management.
  • Written, approved policies and evidence they’re followed.
  • A risk assessment and a living risk register.

The good news: most of these overlap heavily with ISO 27001, so the work you do for SOC 2 gets you most of the way to other frameworks too.

A realistic timeline

For a small team starting from scratch, a reasonable first-report timeline looks like:

  1. Weeks 1–3 — Scope and gap analysis. Decide which criteria are in scope, pick your framework model, and assess where you stand against the required controls.
  2. Weeks 3–8 — Remediate. Implement missing controls, write and approve policies, turn on MFA and logging, run your first access review.
  3. Weeks 6–10 — Pick an auditor and, for Type II, define your observation window.
  4. Observation window (Type II). Operate your controls and collect evidence continuously — 3 to 12 months.
  5. Fieldwork and report. The auditor tests your evidence and writes the report.

The remediation phase is where most of the effort is. Tooling that maps controls to criteria and collects evidence continuously is what turns a scramble into a routine.

How Keel helps

Keel gives you a SOC 2 control set pre-mapped to the Trust Services Criteria, one-click starter controls, policy templates you can approve and export, access reviews that produce audit evidence automatically, and a readiness view so you always know how close you are. Because everything sits on one crosswalked graph, the same controls also move you toward ISO 27001, HIPAA, and more.

Ready to see where you stand? Start free and map your posture against SOC 2 in minutes.