Framework — SOC 2

Trust, demonstrated continuously

SOC 2 is the trust standard for SaaS. Sudory collects evidence continuously against Trust Service Criteria — so your Type II report is built from real operational data, not an annual scramble.

Trust Service Criteria

Five categories of trust

SOC 2 evaluates controls across five Trust Service Criteria. Security is mandatory. The others are optional — but customers increasingly expect all five.

CC

Security (Common Criteria)

The foundation of every SOC 2 report. Logical and physical access controls, system operations, change management, and risk mitigation. Required for all SOC 2 engagements.

DNS/TLS scanning, CIS benchmarks, access control checks via Google Workspace and Slack integrations.

A

Availability

Systems are available for operation and use as committed. Monitoring, incident response, disaster recovery, and business continuity controls.

Continuous uptime monitoring via DNS and HTTP checks. Certificate expiry tracking. Infrastructure configuration via CIS benchmarks.

PI

Processing integrity

System processing is complete, valid, accurate, timely, and authorised. Data validation, error handling, and output reconciliation.

The compliance ledger provides an immutable record of all processing. Balance policies detect anomalies. Flow policies enforce processing order.

C

Confidentiality

Information designated as confidential is protected as committed. Encryption, access restrictions, and data classification controls.

TLS configuration scanning, DNSSEC verification, encryption-at-rest checks via CIS benchmarks. Vendor data region tracking.

P

Privacy

Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments. Overlaps significantly with GDPR.

Vendor sub-processor chains, DPA availability, data processing regions, DPF participation — the privacy supply chain mapped.

Key controls

Where Sudory scans map to SOC 2

Common Criteria controls that Sudory's scanning engine produces evidence for — from access control to vendor risk management.

CC6.1

Logical access security

Restrict logical access to information assets. Sudory's CIS benchmarks check MFA enforcement, admin privileges, OAuth grants, and SSO configuration across your platforms.

CC6.6

System boundaries

Restrict access at system boundaries. Sudory scans firewall headers, CORS policies, CSP directives, and network configuration to verify boundary controls.

CC7.1

Monitoring for anomalies

Detect anomalies in processing. Sudory's policy engine detects configuration drift, expired certificates, and degraded security posture — automatically.

CC9.2

Vendor risk management

Assess and manage risks from vendors. Sudory's vendor directory provides SOC 2 certification status, sub-processor chains, and continuous security posture monitoring.

Terminology

SOC 2 vocabulary

Type I vs Type II, Trust Service Criteria, Common Criteria, CUECs — these terms define what your SOC 2 engagement covers and what evidence you need.

SOC 2 Type I

Point-in-time assessment. Evaluates whether controls are designed appropriately as of a specific date. Faster to obtain, but less valuable than Type II.

SOC 2 Type II

Period-of-time assessment. Evaluates whether controls operated effectively over a period (usually 6–12 months). The standard customers and auditors expect.

Trust Service Criteria (TSC)

The five categories of controls: security (required), availability, processing integrity, confidentiality, and privacy. You choose which apply to your engagement.

Common Criteria (CC)

The security controls required for every SOC 2 report. Nine categories covering logical access, system operations, change management, and risk assessment.

Complementary User Entity Controls (CUECs)

Controls your customers must implement for your service to work securely. Documented in your SOC 2 report — your vendor directory profile should reference them.

Subservice organisations

Third-party vendors your service depends on — hosting providers, payment processors, CDNs. SOC 2 requires you to disclose them. Sudory calls them sub-processors.

How Sudory helps

From scans to SOC 2 evidence

SOC 2 Type II demands continuous evidence. Sudory's scanning engine and compliance ledger produce it automatically — mapped to Trust Service Criteria and ready for your auditor.

Continuous evidence collection

SOC 2 Type II requires evidence over time, not point-in-time snapshots. Sudory's compliance ledger collects timestamped evidence continuously — every scan, every check, every finding.

Vendor SOC 2 tracking

CC9.2 requires vendor risk management. Sudory's vendor directory tracks SOC 2 certification status for 1,500+ vendors. Know which of your vendors are certified — and which aren't.

Subservice organisation mapping

SOC 2 requires disclosure of subservice organisations. Sudory's sub-processor chains map your vendor dependencies — the data auditors need for the report.

CIS benchmark evidence

CIS benchmark results map to Common Criteria controls. Access control checks → CC6.1. Configuration management → CC8.1. Monitoring → CC7.1. One scan, multiple trust criteria.

Policy enforcement

SOC 2 requires that policies exist and are enforced. Sudory's policy-as-code engine defines and enforces policies — balance, freshness, flow, role, separation, and temporal.

Audit preparation

Export evidence packages for your auditor. Point-in-time snapshots for Type I, continuous evidence trails for Type II. No more spreadsheet scrambles before the audit window.

For MSPs

SOC 2 readiness as a service

Your SaaS clients need SOC 2 to close enterprise deals. Deliver continuous evidence collection and audit preparation as a managed service.

SOC 2 readiness across clients

The enterprise deals your clients are chasing hinge on SOC 2. Sudory provides the continuous evidence collection; you deliver the audit preparation expertise.

Vendor risk for CC9.2

Every client needs vendor risk management. Sudory's directory tracks SOC 2 certification across their vendor stack — one search covers all clients' vendors.

Type II evidence as a service

Type II requires months of evidence. Sudory collects it continuously from day one. By the time the audit window opens, the evidence is already there.

Start collecting Type II evidence today

The sooner you start, the more evidence you have when the audit window opens. Connect your platforms, scan continuously, and let the compliance ledger build your evidence trail.