SOC 2 compliance software

Prepare for SOC 2 Type I and Type II across the Trust Services Criteria — controls, continuous evidence, and an auditor-ready review workflow in one workspace.

Starter is free · Professional $890/mo · see pricing

What SOC 2 requires

SOC 2 (TSC 2017, revised 2022) reports on controls relevant to the Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security category (the Common Criteria) is mandatory; the rest are optional. A Type I report assesses design at a point in time; a Type II report evaluates operating effectiveness over a period, which makes continuous evidence and a clear review trail essential.

Choose your Trust Services Criteria — and your report type

Not every SOC 2 needs every criterion. SentinelPanda starts you on the Security Common Criteria that every report requires, then lets you add Availability, Processing Integrity, Confidentiality, or Privacy based on the commitments you make to customers. The same controls support both a Type I (design at a point in time) and a Type II (operating effectiveness over a 3–12 month window), so you can start with Type I and grow into Type II without re-platforming. Unlike a prescriptive standard, SOC 2 has no fixed control count — the AICPA defines the Trust Services Criteria and you define the controls that meet them; SentinelPanda ships a 57-control starter set you tailor to your environment.

Continuous evidence is what makes Type II survivable

Type II is won or lost on whether your controls actually operated for the whole period. SentinelPanda’s connectors pull configuration, identity, and vulnerability evidence from AWS, Okta, CrowdStrike, GitHub and more on a schedule, attaching each artifact to the control and timestamp it proves. When the audit arrives, the Auditor Review export hands your CPA firm the workflow history and outcome for every control — no scramble to reconstruct a year of screenshots.

How SentinelPanda helps

01. 57-control starter set mapped to the Trust Services Criteria — SOC 2 controls are entity-defined, so tailor freely
02. Supports both Type I (design) and Type II (operating effectiveness)
03. Continuous evidence connectors (AWS, Okta, CrowdStrike, GitHub and more)
04. Auditor Review export — workflow history and outcome per control
05. Three-role workflow with an HMAC-signed audit log
06. Cross-framework mapping to ISO 27001 and NIST CSF

SOC 2 — frequently asked questions

Does SentinelPanda support SOC 2 Type II?

Yes — its continuous evidence collection and append-only workflow history are built for demonstrating operating effectiveness over a period, which is what Type II requires.

What’s the difference between Type I and Type II here?

Type I assesses control design at a point in time; Type II assesses operating effectiveness over a window. The same control library and evidence support both, so you can start with Type I and progress to Type II.

Which Trust Services Criteria are covered?

The mandatory Security (Common Criteria) set plus optional Availability, Processing Integrity, Confidentiality, and Privacy criteria.

Can our external auditor use it?

Yes — the Auditor Review export gives your CPA firm per-control status, evidence, and the full workflow history they need to test, without a separate handoff.

Start your SOC 2 program today.