A SOC 2 report is increasingly the price of doing business with serious clients. AiVigil builds the controls, runs them, and gathers the evidence continuously — so when the auditor arrives, you're ready.
SOC 2 is built on the AICPA Trust Services Criteria. Security is always in scope; the rest you add based on what you promise customers.
Security (the common criteria): access control, MFA, change management, network and endpoint security, and monitoring. This is the backbone every SOC 2 audit tests.
Availability: if you promise uptime, you need monitoring, capacity planning, tested backups and a disaster-recovery plan to back it up.
Confidentiality and Privacy: classification, encryption and access controls over confidential data, plus handling commitments where personal data is involved.
Processing Integrity: where relevant, evidence that your systems process data completely, accurately and on time.
For a Type II report, controls must demonstrably operate over an observation window — so logs, reviews and tickets must be captured continuously, not assembled afterward.
SOC 2 rarely fails on the design of controls — it fails on operating them consistently and proving it.
Policies on paper that aren't actually enforced day to day.
Joiner/mover/leaver access never reviewed, so ex-staff keep accounts.
No logs, tickets or screenshots to prove a control operated across the window.
No record of the subprocessors and tools that touch client data.
Changes pushed with no approval or record — a classic Type II finding.
Trying to reconstruct months of evidence in the weeks before the audit.
We map the right Trust Services Criteria to your commitments and show exactly where you stand.
MFA, least privilege and scheduled joiner/mover/leaver reviews — with the evidence captured automatically.
Logging, monitoring and ticketing set up so controls generate evidence across the whole observation window.
EDR, change management, network and endpoint security — run by us, not left for your team to maintain.
Written policies aligned to what actually happens, so auditors find no gap between paper and reality.
We work alongside your CPA assessor and hand over organized evidence throughout the engagement.
A plain-English self-assessment of the Trust Services Criteria controls and evidence a SOC 2 auditor will test — so you can close gaps before the observation window starts.
Our finance bundle runs the controls and captures the evidence SOC 2 demands — so accounting, advisory and finance firms can answer a client security questionnaire without flinching.
The basics
Type I assesses whether your controls are suitably designed at a point in time. Type II tests whether they actually operated effectively over a period — usually three to twelve months. Most clients ask for Type II, which is why continuous, evidenced controls matter.
No, we do not issue the report ourselves. A SOC 2 report can only be issued by a licensed CPA firm. We handle readiness: we build and run the controls, gather the evidence continuously, and support you through the audit so the assessor finds you prepared.
Scope & timing
Security (the common criteria) is always in scope. Availability, Confidentiality, Processing Integrity and Privacy are added based on what you promise customers. We help you scope the right set so the audit fits your commitments.
Getting controls in place is typically weeks; a Type II then requires an observation window during which those controls run and generate evidence. We get you ready fast and keep the evidence flowing through the window.
Book a free IT & security risk assessment — or grab the SOC 2 readiness checklist to see where you stand today.