FAQ

Common questions, answered honestly.

What exactly is the Commitment Review?
You upload your SOC 2 report; we extract every commitment your organization made in it — what was promised, the stated cadence, and what demonstrating it at audit time implies — and mirror it back in plain language, organized by business function. AI does the extraction; a practitioner verifies it before delivery. It lands in your soc2doc console the same day, and we email you when it is ready. It's free.
Is soc2doc just the free review, or a platform?
The free Commitment Review is the way in. The product is a SOC 2 compliance console where you track every control you committed to, attach evidence — first-class and many-to-many with controls — an assessor verifies the record with an auditable sign-off, and an audit-readiness view flags stale or missing evidence before your audit date. All of that is available on the One Plan. See the platform.
Is my report safe with you?
A mutual NDA is executed before upload is even enabled — you get a copy by email with the acceptance timestamp. Your authorization for machine and human analysis is logged separately. The report is encrypted in transit and at rest, and access is restricted to the assessors working your review. The NDA text is public at /nda.
Will you tell me what's wrong with my program?
No. The review mirrors your commitments — it doesn't judge whether your organization lives up to them. Gap analysis requires assessing the actual organization (interviews, evidence, process), which is a paid engagement, not a document read. We're explicit about this so the free review never pretends to be assurance.
Who reads my report?
The automated extraction pipeline, then the vetted assessor — the same practitioner who verifies customer evidence in the console — before it reaches you. Assessors work under written confidentiality obligations, reviews are anonymized where possible, and access is need-to-work only.
What happens to my report afterward?
Free reviews are retained, anonymized, and used to improve the service — that's in the authorization you give at upload, in plain words. You can request deletion at any time at no cost. If you want guaranteed secure deletion immediately after delivery, with a signed certificate for your own vendor-risk records, that's the $99 option on the pricing page.
How is this different from Vanta, Drata, or Sprinto?
Those platforms automate evidence collection — screenshots and config checks. soc2doc reads your issued SOC 2, tracks the controls you committed to, and holds your evidence in a compliance console you log into between audits. Keep those tools for evidence collection and run soc2doc alongside for the control-and-evidence layer — or run soc2doc on its own if you're earlier in the process. Full breakdown on works with your stack.
Can I use this alongside my existing compliance platform?
Yes — that's the normal setup. Clients keep Vanta or Drata for evidence collection and use soc2doc for strategy, policy, and oversight. Complementary by design.
Do you perform the audit itself?
No, and we never will. SOC 2 audits must be performed by an independent CPA firm. We prepare you, help you select the right auditor, and participate in auditor calls. The audit report comes from your auditor; independence stays intact.
What if we haven't started SOC 2 at all?
Then you don't have a report to upload yet — start with the One Plan, which covers templates, weekly Strategy Hours, and the 90-day project plan. Once your first report is issued, the Commitment Review is how you keep it honest.
Who are the assessors?
Security practitioners — CISOs and security leaders who have built and run programs themselves — reviewing anonymized extractions matched to their expertise. If that's you, apply to the network.
Can I cancel anytime?
Yes. 30 days written notice, no long-term contracts, no setup fees. The free review carries no obligation at all.

Review my SOC 2 — free