SOC 2 Readiness Services for SaaS Companies — Type I and Type II

Enterprise buyers no longer accept "SOC 2 in progress" in a security questionnaire — they want a current Type II report. We take SaaS companies from zero to a clean Type II in 9–12 months: scope the Trust Services Criteria you actually need (CC1.0–CC9.0 Common Criteria plus the right combination of A1.0 Availability, C1.0 Confidentiality, PI1.0 Processing Integrity and P1.0–P8.0 Privacy), implement the controls in your IaC, IdP and ticketing stacks, wire up an evidence-automation platform, draft the policy pack, prep for Type I, and run the Type II observation window with you. AICPA-aligned, auditor-friendly, integrated with your engineering cadence. Readiness from 12,000 EUR.

SOC 2 is a market signal that compresses sales cycles. But the audit is unforgiving of cosmetic controls — the auditor will sample your change tickets, re-perform your access reviews, and ask the IdP for raw evidence. The right outcome is not a green dashboard; it is a programme where the controls happen naturally because they are embedded in the developer workflow, the on-call rotation, and the quarterly business review. We build it that way, then hand it off to an in-house compliance owner who can run it without us.

What we deliver

TSC scoping memo

Written scoping decision against the AICPA Trust Services Criteria 2017: which categories (Security mandatory; A1, C1, PI1, P1–P8 optional), which systems are in scope, which subservice organisations to carve out, and what the report's description of the system will say.

Control implementation

Actual engineering work: SSO+MFA on every system, SCIM provisioning, IaC-enforced encryption and backup, GitOps change management, centralised logging with retention, on-call rotation and incident postmortem template, vendor inventory and DPA tracking.

Policy pack

15+ policies cross-referenced to specific CC and chosen-category controls: information security, access control, change management, incident response, business continuity, vendor management, acceptable use, secure development, encryption, data classification, risk assessment, and HR security.

Automation platform integration

Vanta, Drata, Secureframe, Tugboat Logic or your incumbent — integrations tuned for low false-positive rate, evidence quality checked before the auditor sees it, and operator playbooks for the inevitable failed checks.

Auditor liaison

We run the relationship with your CPA firm: kickoff, evidence room, fieldwork questions, exception handling, management response drafting, and the negotiation around the wording of the report description and complementary user entity controls (CUECs).

Type II observation operations

For the 6–12 month observation window: monthly control owner sync, quarterly access and vendor reviews, evidence-quality monitoring, incident response on retainer, and the discipline that prevents a single control gap from killing your opinion.

Criteria, controls and standards we cover

TSC 2017 Common Criteria: CC1.0 Control Environment, CC2.0 Communication, CC3.0 Risk Assessment, CC4.0 Monitoring, CC5.0 Control Activities, CC6.0 Logical Access (incl. CC6.1 Access Provisioning), CC7.0 System Operations (incl. CC7.2 Incident Detection), CC8.0 Change Management, CC9.0 Risk Mitigation

TSC 2017 optional categories: A1.0 Availability, C1.0 Confidentiality, PI1.0 Processing Integrity, P1.0–P8.0 Privacy

Frameworks and attestation standards: COSO 2013, AICPA SSAE 18

Report mechanics: CUECs negotiation, subservice carve-out, Type I (point-in-time), Type II (6–12 month observation window)

Automation platforms: Vanta / Drata / Secureframe

Crosswalks: ISO 27001 crosswalk, HIPAA crosswalk, CSA STAR mapping

How an engagement runs

  1. Scope & gap

    Weeks 1–3: TSC scoping memo, system description draft, gap analysis against the in-scope controls, control owner assignment, automation platform selection if not already chosen.

  2. Implement

    Weeks 4–12: implement controls in IaC and IdP, integrate the automation platform, adopt the policy pack, run the first access review and vendor review, dry-run the incident response procedure.

  3. Type I or Type II kickoff

    Weeks 12–16: auditor kickoff, evidence room handover, fieldwork support, exception remediation, and the report description & CUECs negotiation. For Type II this is also the first month of the observation window.

  4. Operate the observation window

    Months 4–12: monthly control owner sync, quarterly access/vendor reviews, evidence-quality monitoring, incident response, and the final Type II auditor walkthrough & report issuance.

Engagement packages

Readiness

Four to six weeks, fixed scope. TSC scoping, gap analysis, automation platform setup, 15+ policy pack mapped to CC and chosen categories, control owner assignment, executive briefing. 12,000 EUR fixed.

Type I Prep

Eight to twelve weeks. Control implementation in code/IaC/IdP, evidence collection, auditor liaison through field work, remediation of design gaps, and management response drafting. 28,000 EUR fixed.

Type II Ongoing

Monthly retainer through the observation window. Control owner sync, quarterly access/vendor reviews, evidence-quality monitoring, incident response on retainer, auditor liaison through Type II issuance. 5,000 EUR/month.

CPA firm audit fees billed separately by the firm (typically $20k–$60k for Type II depending on scope and firm tier). We work with your incumbent CPA or introduce auditors from our network. Three-month minimum on Type II Ongoing. NDA and DPA signed before kickoff.

Why SaaS founders pick YuSMP for SOC 2

GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · AICPA-aware

Engineers, not policy consultants

We implement controls in Terraform, Okta, GitHub, PagerDuty and Datadog. The evidence comes from the systems doing the work, not from a screenshot folder a junior consultant manually refreshes once a quarter.

Auditors like working with us

We speak SSAE 18, COSO and TSC fluently and submit evidence packages structured the way the auditor's workpapers want them. Field work compresses; partner review compresses; the report ships faster.

One evidence library, many regimes

CC and ISO 27001 Annex A overlap 80%+; SOC 2 controls discharge a large chunk of HIPAA Security Rule and EU AI Act ISMS duties too. One library, many opinions.

Our own SOC 2 Type II is in progress on the same toolchain we deploy for clients — we eat our own cooking, and the playbook is battle-tested in our own audit.

Frequently asked questions

What is the difference between SOC 2 Type I and Type II, and which one do enterprise prospects actually ask for?

SOC 2 Type I attests that controls are suitably designed at a point in time. SOC 2 Type II attests that controls operated effectively over an observation period — typically 6 to 12 months (3 months is possible for first-year reports but enterprise procurement increasingly insists on 12). Most US enterprise buyers ask for a current Type II covering at minimum the Security (Common Criteria CC1.0–CC9.0) category. The pragmatic path: Type I in month 4 to unblock pipeline, then a 6-month Type II window kicking off immediately, with the report landing roughly 10 months from kickoff.

Which Trust Services Criteria do I actually need to scope in?

Security (Common Criteria CC1.0–CC9.0) is mandatory in every SOC 2 — it covers COSO 2013-aligned control environment, communication, risk assessment, monitoring, logical/physical access, system operations, change management and risk mitigation. The optional categories: A1.0 Availability (uptime and capacity — pick this if you sell SLAs), C1.0 Confidentiality (non-public data protection — common for B2B SaaS), PI1.0 Processing Integrity (transaction completeness/accuracy — common for fintech and payments), P1.0–P8.0 Privacy (notice, choice, collection, use, retention, disclosure, quality, monitoring — pick if you process consumer PII at scale). Most B2B SaaS start with Security+Availability+Confidentiality.

How much engineering work is actually required to implement SOC 2 controls?

More than vendor automation platforms suggest, less than legacy consultants quote. Real engineering work: change-management (CC8.1) means a Git branching/PR/approval workflow auditors can re-perform from commit history; logical access (CC6.1–CC6.3) means SSO with MFA on every PHI/customer-data system plus quarterly access reviews; system monitoring (CC7.1–CC7.5) means centralised logging, alerting, on-call rotation, incident postmortems; vendor management (CC9.2) means a tracked vendor inventory with security reviews. We implement the actual controls in your IaC, IdP, ticketing and monitoring stacks — automation tools observe what already exists; they do not build it.
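An added example, not code from this page or from YuSMP, of the kind of re-performance the answer above describes for CC8.1: a Python check that walks a constructed sample of merges to main and flags the exceptions an auditor looks for (no pull request, approval only by the author, approval given after the merge). The record shape and every sha, username and timestamp are assumptions standing in for what you would pull from the Git host's PR and commit APIs.

```python
# Re-perform the CC8.1 change-management control over a sample of merges.
# Records are constructed stand-ins for what the GitHub PR and commit APIs
# return: sha, author, PR number (None = direct push), approvals, merge time.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class MergeRecord:
    sha: str
    author: str
    merged_at: datetime
    pr_number: int | None = None
    approvals: list[tuple[str, datetime]] = field(default_factory=list)


def check_merge(rec: MergeRecord) -> list[str]:
    """Return the CC8.1 exceptions for one merge (empty list means clean)."""
    if rec.pr_number is None:
        return [f"{rec.sha}: direct push to main with no PR"]
    # An approval only counts when it comes from someone other than the author.
    independent = [at for who, at in rec.approvals if who != rec.author]
    if not independent:
        return [f"{rec.sha}: PR #{rec.pr_number} lacks a non-author approval"]
    # The earliest independent approval must precede the merge.
    if min(independent) > rec.merged_at:
        return [f"{rec.sha}: PR #{rec.pr_number} approved only after merge"]
    return []


def sample_exceptions(records: list[MergeRecord]) -> dict[str, list[str]]:
    """Map each sha with at least one exception to its findings."""
    return {r.sha: f for r in records if (f := check_merge(r))}


# Constructed sample: placeholder shas, usernames and timestamps.
SAMPLE = [
    MergeRecord("a1b2c3d", "alice", datetime(2024, 5, 2, 10, 0), 101,
                [("bob", datetime(2024, 5, 2, 9, 30))]),        # clean
    MergeRecord("d4e5f6a", "carol", datetime(2024, 5, 3, 15, 0), 102,
                [("carol", datetime(2024, 5, 3, 14, 55))]),     # self-approved
    MergeRecord("b7c8d9e", "dave", datetime(2024, 5, 4, 11, 0)),  # direct push
    MergeRecord("e0f1a2b", "erin", datetime(2024, 5, 5, 9, 0), 104,
                [("frank", datetime(2024, 5, 5, 9, 20))]),      # approval after merge
]

if __name__ == "__main__":
    for sha, findings in sample_exceptions(SAMPLE).items():
        print(sha, *findings)
```

Run it against the real merge list for the audit period and the non-empty result is the exception list you remediate before the auditor samples the same commits.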

How do automation platforms like Vanta, Drata or Secureframe fit in?

They are evidence collectors and policy templators, not control implementers. They integrate with AWS/GCP/Okta/GitHub etc. and pull continuous evidence (MFA on, encryption on, backups running, vulnerability scans clean), which compresses Type II observation cost dramatically. We work with whichever platform you have or recommend one based on your stack; we then build the controls the platform watches. The mistake is buying the platform first and assuming the dashboard turning green equals an audit-ready posture — it does not, because culturally-evidenced controls (access reviews, vendor reviews, change approvals, incident postmortems) live outside the platform and still need human cadence.

How long does the full path to a Type II report take, and what does it cost end to end?

Realistic timeline: 12–18 weeks of readiness work (gap analysis, control implementation, policy adoption, automation integration), then either a Type I audit (~4 weeks of auditor field work, report 2–4 weeks after) or directly into a 6-month Type II observation window. CPA firm audit fees are separate from our work and typically run $20k–$60k for Type II depending on scope and firm tier. Combining our readiness (12,000 EUR), Type I prep (28,000 EUR), Type II ongoing (5,000 EUR/month), and the CPA audit, most SaaS companies are at a clean Type II in 9–12 months from kickoff.

What does pricing look like, and what is in versus out of scope?

Three packages. Readiness is 12,000 EUR fixed (4–6 weeks): TSC scoping, control gap analysis, automation platform setup and integration tuning, policy pack (15+ policies mapped to CC and chosen categories), control owner assignment, and an executive briefing. Type I Prep is 28,000 EUR fixed (8–12 weeks): control implementation in code/IaC/IdP, evidence collection, auditor liaison through field work, and remediation of any design gaps the auditor raises. Type II Ongoing is 5,000 EUR/month: monthly control owner sync, quarterly access/vendor reviews, evidence-quality monitoring, incident response on retainer, and auditor liaison through the Type II window. CPA firm fees billed separately by the firm.

Need a credible SOC 2 timeline before your next enterprise procurement review?