SOC 2 · Type I & Type II

Pass the security review that's holding up your enterprise deal

SOC 2 is the report your enterprise buyers ask for before they'll sign. Arclight takes you from zero to a clean report — scoping the right controls, writing your policies, standing up the evidence, and managing your auditor — led start to finish by one senior expert.

The basics

What SOC 2 actually is

SOC 2 is not a certification — it's an independent attestation report issued by a licensed CPA firm. It examines how your company protects customer data against a set of criteria developed by the AICPA. For most B2B SaaS companies in North America, it's the single most-requested proof of security in enterprise procurement.

Type I

Attests that your controls are designed correctly as of a specific date. Faster to obtain — a useful proof point to hand a prospect while your Type II window runs.

Type II

Attests that your controls operated effectively over a period of time, usually 3–12 months. This is what enterprise buyers almost always want to see.

Scope

The five Trust Services Criteria

Every SOC 2 report covers Security (the required baseline). You choose which of the other four to include based on what your customers and contracts demand — Arclight helps you scope this so you're not paying to audit criteria no one asked for.

Security

Required. Protection against unauthorized access.

Availability

Systems are available for operation as committed.

Processing Integrity

Processing is complete, valid, accurate, and timely.

Confidentiality

Confidential information is protected as committed.

Privacy

Personal information is handled per your privacy notice.

The engagement

How Arclight gets you there

You work directly with a senior GRC practitioner — no junior handoffs, no project-manager telephone game. A focused gap assessment is built into onboarding.

01

Scope & gap assessment

We define the right criteria and system boundary, then assess your current state against every applicable control and hand you a prioritized remediation plan.

02

Build the program

We write your policies, stand up the missing controls, and wire evidence collection into whatever platform you use — Vanta, Drata, Secureframe, or none.

03

Manage the audit

We select and manage the CPA auditor, handle evidence requests, and fix issues before they become findings — through to a clean report.

Questions

SOC 2 FAQ

What is SOC 2?

SOC 2 is an independent attestation report, issued by a licensed CPA firm, that examines how a service organization protects customer data across five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It's the de facto trust standard for B2B SaaS in North America.

What's the difference between Type I and Type II?

A Type I report attests that your controls are suitably designed as of a single date. A Type II report attests that those controls operated effectively over a period of time, usually three to twelve months. Enterprise buyers almost always want Type II; Type I is a useful interim proof point while your observation window runs.

How long does SOC 2 take?

Readiness typically takes 6 to 10 weeks to close gaps and stand up controls. A Type I can be issued shortly after. A Type II then requires an observation window, commonly 3 to 6 months, before the auditor can issue the report.

How much does it cost?

Arclight manages SOC 2 under the Arc Model with published flat pricing from $2,000/mo, and a standalone full-scope gap assessment starts at $5,500. The independent CPA audit fee is separate and paid directly to the audit firm. See the Services page for all pricing.

Do I need Vanta or Drata for SOC 2?

No. A compliance platform helps automate evidence collection and monitoring, but it doesn't scope your controls, write your policies, or represent you to your auditor. Arclight works with whatever you use, or with none, and closes the gaps a platform only surfaces.

Other frameworks

SOC 2 is the North American standard, but your buyers may ask for something else. Arclight runs these under one roof.

Ready to close the deal?

Book a free 30-minute call. We'll tell you exactly what your SOC 2 scope should be, how long it'll take, and what it costs — no sales team, no pressure.

Book a Free SOC 2 Call