Xeviora Quarterly · Issue No. 12
SOC 2 Audit Prep · Featured Tool

SOC 2 Audit Prep AI — Gap Analysis, Evidence Checklist & Policy Templates

Walk into your SOC 2 audit knowing exactly where you stand.

Editor's note

Tell us about your company, your target Trust Service Criteria, and the controls you already have. The tool maps everything to the SOC 2 framework, surfaces the gaps an auditor will flag, and drafts an evidence-collection checklist and starter policies — turning weeks of prep into an afternoon.

Tagged

SOC 2 audit prep·SOC 2 compliance·SOC 2 gap analysis·SOC 2 readiness assessment

§ Section I

How to use SOC 2 Audit Prep

Three movements
01

Describe your company and what data it handles

Tell the tool what your product does, where it runs (for example AWS or GCP), who your customers are, and what customer data you store or process. The more concrete the description, the more specific the gap analysis.

02

Pick your scope and report type

Security (the Common Criteria) is always in scope. Add Availability, Confidentiality, Processing Integrity, or Privacy only if your customers actually need them. Choose Type I (control design at a point in time) or Type II (operating effectiveness over a period).

03

Review your readiness report

You get a readiness score, a prioritized control-gap table mapped to real AICPA criteria, an evidence checklist with owners, and starter policy templates you can copy or download. Use it to plan remediation before you engage an audit firm.

§ Section II

Who it's for

Readership · 4 cohorts
No. 01

SaaS founders

Get a clear, prioritized picture of what stands between you and your first SOC 2 report before you spend money on an audit firm or a compliance platform.

No. 02

Security and GRC leads

Turn a pile of existing controls into a mapped gap analysis and evidence checklist with owners, so you can hand work to the right teams and track readiness over time.

No. 03

CTOs and engineering leaders

Understand which technical controls — access reviews, change management, logging, vulnerability management — need to be in place and documented before an enterprise deal stalls on a security review.

No. 04

Compliance consultants

Produce a fast, structured first-pass readiness assessment for a client, then refine it with your own judgment instead of starting from a blank page.

§ Section III

Frequently asked

6 entries
Q.01 Does this replace a real SOC 2 audit?
A.01

No. Only a licensed CPA firm can issue a SOC 2 report. This tool is a readiness assessment: it maps your current controls to the Trust Service Criteria, shows you where the gaps are, and helps you collect evidence before the audit. It is the prep work, not the attestation.

Q.02 What is the difference between Type I and Type II?
A.02

A Type I report evaluates whether your controls are designed appropriately at a single point in time. A Type II report evaluates whether those controls actually operated effectively across an observation window, usually three to twelve months. Type II requires evidence collected throughout the period, which is why it carries more weight with enterprise buyers.

Q.03 Which Trust Service Criteria should I select?
A.03

Security (the Common Criteria, CC1 through CC9) is mandatory for every SOC 2 report. The other four are optional: choose Availability if you have uptime SLAs, Confidentiality if you handle proprietary data, Processing Integrity if data accuracy is critical, and Privacy if you process personal data. Over-scoping adds cost without adding value, so only include what your customers ask for.

Q.04 How much does it cost to run?
A.04

Each report costs 10 credits. You can run it as often as you like — for example, an initial baseline, then again after each round of remediation to watch your readiness score improve.

Q.05 How long are my reports kept?
A.05

Completed reports are stored for 30 days on paid plans and 7 days on the free plan. You can download the full report as JSON, and copy or download each policy template as Markdown to keep a permanent copy.

Q.06 Are the control references and policies accurate?
A.06

The tool uses the real AICPA Trust Service Criteria and Common Criteria references (CC1–CC9, A1, C1, PI1, P1–P8). The policy templates are genuine starter documents you should tailor to your actual environment. Treat the output as expert guidance to review with your security team and auditor, not as a finished compliance program.

— Fin —

Set in Fraunces & Plex