SOC 2 Compliance
The security audit standard for SaaS and cloud service providers. AICPA's Trust Services Criteria framework — available on the Ultimate plan.
The security audit standard enterprise customers require
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA (American Institute of Certified Public Accountants). It verifies that a service organization has appropriate controls in place to protect customer data across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Many enterprise customers, especially in the US, require a SOC 2 Type II report from their SaaS vendors before signing contracts. For B2B SaaS companies, having a current SOC 2 report (an attestation by an independent auditor, not a certification) is increasingly the difference between winning and losing enterprise deals.
Unlike ISO 27001, SOC 2 has no prescriptive control list: the Trust Services Criteria describe outcomes, and the auditor evaluates whether the controls you have chosen *effectively* meet them. This makes preparation more nuanced, and evidence collection more critical, because you must show not only that a control exists but that it operated as described.
SOC 2 Type I vs Type II
Type I assesses whether controls are *designed* appropriately at a point in time — faster but less credible. Type II assesses whether controls *operated effectively* over a 6–12 month period — the gold standard for enterprise customers.
Who needs SOC 2?
SaaS companies, cloud service providers, data centers, managed security providers, and any B2B software company whose customers store sensitive data on their platform. If your enterprise customers are asking for it, you need it.
How long does SOC 2 take?
Type I: 2–5 months from starting readiness work. Type II: roughly 10–17 months in total (about 3 months of preparation, a 6–12 month observation period, and 1–2 months for the audit itself). Starting with automated evidence collection significantly reduces preparation time and makes the observation period far less painful.
The five SOC 2 Trust Services Criteria
All SOC 2 reports must include Common Criteria (Security). Additional criteria are selected based on your service's commitments to customers.
Common Criteria (CC)
33 criteria. Required for all SOC 2 reports. Covers security across organization, communication, risk management, monitoring, logical access, system operations, and change management.
Availability (A)
3 criteria. The system is available for operation and use as committed or agreed. Covers uptime, performance monitoring, incident response, and disaster recovery.
Processing Integrity (PI)
5 criteria. System processing is complete, valid, accurate, timely, and authorized. Relevant for financial processing, payroll, and transaction-intensive systems.
Confidentiality (C)
2 criteria. Information designated as confidential is protected as committed or agreed. Critical for B2B platforms handling customer intellectual property or trade secrets.
Privacy (P)
18 criteria. Personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's privacy commitments and criteria.
SOC 2 compliance checklist for startups and SaaS companies
This checklist covers the most common SOC 2 Common Criteria requirements. Use it to assess your current readiness before starting a formal SOC 2 audit process.
Organization & Governance
4 items
Board of directors or equivalent oversees information security
Management establishes a structure with assigned security responsibilities
Background checks conducted for employees in security-sensitive roles
Security policies reviewed and approved annually
Communication & Information
3 items
Information security policy communicated to all employees
Security training completed by all staff annually
Security incidents reported to appropriate personnel
Risk Assessment
4 items
Risk assessment process defined and documented
Risk assessment conducted at least annually
Significant changes trigger a new risk assessment
Fraud risk considered in the risk assessment
Monitoring Activities
2 items
Security controls monitored on an ongoing basis
Internal audit or independent review conducted
Logical & Physical Access
6 items
Unique IDs assigned to all users — no shared accounts
MFA enforced for all remote access and privileged accounts
Access provisioning follows a formal approval process
Encryption used for all data transmitted over public networks
Data classified and handled according to classification policy
Malicious software controls implemented (AV, EDR)
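The auditor will not take "MFA is enforced" or "no shared accounts" on trust; they will ask for evidence pulled from the identity provider during the observation period. The following is an added example, not Unicis code, of the kind of automated check that produces that evidence for the first three Logical Access items above. The user export is constructed inline and its field names (`privileged`, `remote_access`, `mfa`, `approval_ticket`, `service_account`) are assumptions; a real Okta, Entra ID or Google Workspace export exposes equivalent attributes under different names.

```python
"""Added example (not Unicis code): evaluate a constructed identity-provider
export against three Logical Access checklist items: unique IDs with no shared
accounts, MFA on remote and privileged access, and approved provisioning."""
from dataclasses import dataclass

# Constructed sample export. Field names are assumptions; map your IdP's
# attributes onto them when adapting this.
USERS = [
    {"id": "alice@example.com", "owner": "Alice Ng", "privileged": True,
     "remote_access": True, "mfa": True, "approval_ticket": "ACC-101"},
    {"id": "bob@example.com", "owner": "Bob Li", "privileged": False,
     "remote_access": True, "mfa": False, "approval_ticket": "ACC-102"},
    {"id": "ops-shared", "owner": None, "privileged": True,
     "remote_access": False, "mfa": True, "approval_ticket": "ACC-090"},
    {"id": "svc-backup", "owner": "Platform Team", "privileged": True,
     "remote_access": False, "mfa": False, "approval_ticket": "ACC-055",
     "service_account": True},
    {"id": "carol@example.com", "owner": "Carol Diaz", "privileged": True,
     "remote_access": True, "mfa": True, "approval_ticket": None},
]


@dataclass(frozen=True)
class Finding:
    control: str   # which checklist item the finding maps to
    account: str   # the account id in the export
    detail: str    # what the auditor would see as the deficiency


def check_unique_ids(users):
    """Each id must appear once and map to a named owner. An account with no
    owner is treated as shared, because no individual can be held accountable
    for its activity in the logs."""
    findings, seen = [], set()
    for u in users:
        if u["id"] in seen:
            findings.append(Finding("unique-ids", u["id"], "duplicate account id"))
        seen.add(u["id"])
        if not u.get("owner"):
            findings.append(Finding("unique-ids", u["id"],
                                    "no named owner: treated as shared account"))
    return findings


def check_mfa(users):
    """MFA is required for remote access and for privileged accounts.
    A non-interactive service account cannot complete MFA, so it is flagged
    separately: the evidence for it is a compensating control (key rotation,
    restricted source addresses), not an MFA enrolment record."""
    findings = []
    for u in users:
        needs_mfa = u["privileged"] or u["remote_access"]
        if not needs_mfa or u["mfa"]:
            continue
        if u.get("service_account"):
            findings.append(Finding("mfa", u["id"],
                                    "privileged service account without MFA: "
                                    "document compensating control"))
        else:
            findings.append(Finding("mfa", u["id"], "MFA not enforced"))
    return findings


def check_provisioning(users):
    """Every account must trace back to an approval record, which is what the
    auditor samples to test the formal provisioning process."""
    return [Finding("provisioning", u["id"], "no approval record")
            for u in users if not u.get("approval_ticket")]


def run_checks(users):
    """Run all three checks; an empty list means the sampled export passes."""
    return check_unique_ids(users) + check_mfa(users) + check_provisioning(users)


if __name__ == "__main__":
    for f in run_checks(USERS):
        print(f"[{f.control}] {f.account}: {f.detail}")
```

Run on a schedule during the observation period and keep the dated output alongside the raw export; a clean run each month is the operating-effectiveness evidence a Type II auditor asks for, and a non-empty run is an exception you must show was remediated.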
System Operations
4 items
Vulnerability scanning conducted regularly
Security incidents identified and responded to within defined SLAs
Incident response plan documented and tested
Identified security deficiencies communicated to management
Change Management
2 items
Change management process documented and followed
Security testing conducted before production deployment
Track this checklist automatically in Unicis
Every item in this checklist is a trackable control in Unicis. Automatically link evidence, track completion status, and generate audit-ready reports. Ultimate plan includes all SOC 2 Trust Services Criteria.
What a SOC 2 Type II journey looks like in practice
Readiness
Gap analysis, policy development, control implementation, evidence collection setup.
Type I audit
Auditor reviews design effectiveness of controls at a point in time. Good for first-time SOC 2.
Observation period
Evidence collected continuously over the observation window for Type II.
Type II audit
Auditor reviews operating effectiveness of controls over the observation period.
How Unicis automates SOC 2 preparation
Unicis Atlassian Apps
Unicis Platform Modules
Who needs SOC 2?
SOC 2 is widely adopted by technology companies, cloud service providers, SaaS platforms, financial institutions, healthcare organizations, and any entity responsible for managing customer data or IT services — particularly those selling to US enterprise customers.
Multi-Framework Support
11 Compliance Frameworks Supported
From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.
Start your SOC 2 preparation with Unicis
Unicis automates evidence collection, gap analysis, and audit reporting for SOC 2. The Ultimate plan includes all Trust Services Criteria. Start with the free Community plan to build your foundation.
Record of Processing Activities
Transfer Impact Assessment
Privacy Impact Assessment
Cybersecurity Controls
Cybersecurity Risk Management
Interactive Awareness Program