AICPA SOC 2 · Trust Services Criteria
Framework Landing Page

SOC 2 readiness — without the chaos of DIY compliance.

We guide SaaS companies and technology service providers through SOC 2 Type I and Type II — from evidence collection to auditor liaison — so you can close enterprise deals faster.

Type I Timeline: 8–12 wk
Type II Observation Period: 6–12 mo
Reports Supported: Type I & II

Five criteria. One report that enterprise buyers trust.

SOC 2 evaluates your controls against five Trust Services Criteria. Security (CC) is mandatory; the other four are included based on your product and your customers' requirements.

Security (CC): Mandatory. Protection of system resources from unauthorised access.
Availability (A): System accessible and operable as committed or agreed.
Processing Integrity (PI): System processing is complete, valid, accurate and timely.
Confidentiality (C): Information designated confidential is protected accordingly.
Privacy (P): Personal information collected, used, retained and disclosed per privacy commitments.

Type I or Type II — we'll help you choose the right starting point.

SOC 2 Type I (point-in-time)
Confirms your controls are designed appropriately at a specific date. Fastest path to a reportable audit — ideal for early-stage companies needing to unblock deals quickly.
- 8–12 weeks to report
- Lower cost than Type II
- Good for initial enterprise sales qualification
- Natural stepping stone to Type II

From kickoff to clean report — a structured readiness programme.

Weeks 1–2: Scoping & Readiness Assessment
Define your SOC 2 scope (systems, services, criteria). Conduct a readiness assessment identifying gaps between your current controls and TSC requirements. Produce a prioritised remediation backlog.

Weeks 3–6: Control Implementation & Policy Development
Implement missing controls across people, process, and technology. Develop policies, procedures, and control documentation. Set up continuous monitoring and evidence collection tooling.

Weeks 7–8: Evidence Collection & Auditor Selection
Collect, organise, and package audit evidence. Select and engage a qualified CPA firm for the SOC 2 audit. We manage the auditor relationship and handle their requests throughout.

Ongoing: Observation Period Support (Type II)
Monthly check-ins, continuous evidence collection, control monitoring, and exception management throughout the Type II observation period — so you arrive at the audit with clean evidence.

Audit: Audit Liaison & Report Delivery
We attend fieldwork alongside your team, manage auditor queries in real time, and handle any findings. Final SOC 2 report delivered — ready to share with customers and prospects.

SOC 2 questions, answered directly.

Who needs a SOC 2 report?

Any technology company storing, processing, or transmitting customer data that sells to enterprise buyers. If your sales team is losing deals because prospects ask for security documentation you can't provide, SOC 2 is almost certainly the answer.

Can an African company get a SOC 2 report?

Yes. SOC 2 is not US-exclusive — it's an AICPA framework that can be applied globally. Many East African SaaS companies pursue SOC 2 specifically to sell into US and European enterprise markets. We've supported East African companies through the full process.

Do we need to use a specific auditor?

SOC 2 audits must be performed by a licensed CPA firm. We are not the auditor — we are your readiness and advisory partner. We help you select an appropriate CPA firm (including firms that audit remote-first companies globally) and manage the relationship throughout.

How much does SOC 2 cost in total?

Total cost has two components: SecureZaidi's readiness programme fee (fixed, based on scope) plus the CPA firm's audit fee (typically $15,000–$40,000 USD for Type II depending on scope). We help you scope efficiently to minimise unnecessary cost without compromising the report's credibility.

Can SOC 2 and ISO 27001 be pursued together?

Yes — there is roughly 60–70% overlap between ISO 27001 controls and the SOC 2 Security (CC) criteria. We frequently run combined programmes for companies targeting both, which significantly reduces duplicated effort. Many enterprise-grade organisations hold both an ISO 27001 certificate and a SOC 2 report.

Ready to unblock your enterprise sales with SOC 2?

Book a 15-minute scoping call. We'll tell you exactly what's involved, how long it takes, and what it costs — no guesswork.

15 min · Free · No sales pitch