SOC 2 Type II — Done Right.

US enterprise buyers require it. We implement the controls, generate the evidence, and support your audit.

SOC 2 is becoming the entry ticket to US enterprise sales

Every US enterprise procurement checklist asks for SOC 2 Type II. It is no longer a differentiator — it is a requirement. If you cannot produce a report, the deal does not move forward.

Type I alone is no longer sufficient for serious buyers. A Type I report says your controls were designed appropriately at a point in time. A Type II report says they actually worked over months. Enterprise procurement teams know the difference.

The Trust Service Criteria are broader than most people expect — Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each category carries dozens of control requirements and corresponding evidence obligations.

Most companies underestimate the evidence generation burden. Controls are the easy part. Proving they ran consistently over 6–12 months is where most teams struggle without dedicated infrastructure.

Key facts

  • Observation period: 6–12 months (Type II)
  • With Veratlas: Controls live in 90 days — observation starts immediately
  • Supported criteria: Security (CC), Availability (A), Confidentiality (C)
  • Auditor: Your choice — we prepare all the evidence

The pathway

Three steps to your SOC 2 report.

01

Assess

Security Assessment

Maps your current state against the Trust Service Criteria. We identify gaps in CC6 (logical access), CC7 (system operations), CC8 (change management), and the remaining Common Criteria — then produce a prioritised remediation roadmap.

€2,500 — credited in full to the Sprint if you proceed.

02

Build

90-Day Accelerator

We implement all technical controls across the Common Criteria: MFA, MDM, SIEM, access reviews, change management procedures, and incident response. At the end of 90 days you have a fully operational control environment and an evidence pack ready for the start of your observation period.

Fixed €28,000. No surprises.

03

Run

The Compliance Engine™

Continuous evidence generation across the entire observation period. Automated evidence collection, quarterly access reviews, four vendor assessments per quarter, and annual audit support. Your auditor gets a clean, organised evidence pack — and you get a SOC 2 Type II report.

From €120/user/month.

SOC 2 Coverage

We cover the criteria that matter most.

Common Criteria (CC) — Security

  • CC6 — Logical and physical access controls
  • CC7 — System operations monitoring
  • CC8 — Change management
  • CC9 — Risk mitigation
  • CC1 — Control environment and governance
  • CC2 — Communication and information
  • CC3 — Risk assessment
  • CC4 — Monitoring activities
  • CC5 — Control activities

Additional Criteria

  • Availability (A1) — System availability and backup
  • Confidentiality (C1) — Data classification and protection
  • Incident response — Documented, tested, and evidenced
  • Vendor management — Four assessments per quarter
  • Access reviews — Quarterly, with documented outcomes
  • Change advisory process — Tracked and approved
  • Vulnerability management — Scheduled scanning and remediation

FAQ

Common questions.

Type I is a point-in-time assessment of whether your controls are designed appropriately. Type II tests whether those controls actually operated effectively over a period of time — typically 6–12 months. US enterprise buyers increasingly require Type II. A Type I report may help you advance an early conversation, but it will not satisfy a mature procurement team.
Most auditors accept a minimum 6-month observation period for Type II. Some enterprise buyers require 12 months. We recommend starting the observation period as soon as controls are live — which is day 91 with our Sprint. The sooner you start the clock, the sooner you have a report to show buyers.
We will advise on CPA firms accredited for SOC 2 audits that fit your size and budget. SOC 2 audits must be conducted by a licensed CPA firm — we help you identify the right one and prepare everything they need. We do not take referral fees.
Yes, and there is significant overlap between the two frameworks. The 90-Day Accelerator produces a control environment and evidence pack that supports both. Pursuing them in parallel is the most efficient path if your customer base spans both Europe and the US. Book a Fit Call and we will map out the most efficient path for your specific situation.

Start the observation period in 90 days.

Tell us about your target enterprise customers and your current timeline. We will tell you exactly what it takes to get your SOC 2 Type II report in hand.
