Security11 min read

SOC 2 Compliance for SaaS: How to Get Certified in 2026

SOC 2 compliance for SaaS: the engineering controls you must implement, how to choose Type 1 vs Type 2, and how to generate audit evidence automatically.

SOC 2 compliance for SaaS has moved from a nice-to-have to a hard blocker on enterprise revenue. Enterprise procurement teams now reject vendors that cannot provide a SOC 2 Type 2 report before the contract is signed — 85% of mid-market buyers and 98% of Fortune 500 companies require it. For a SaaS product with enterprise ambitions, failing a security review questionnaire at the procurement stage can kill a six-figure deal that took six months to develop.

The problem with most SOC 2 guides is that they are written by compliance automation vendors with a vested interest in making the process appear manageable. The actual work of passing a SOC 2 audit is an engineering project, not a documentation project. Before an auditor can sign off on your controls, your infrastructure must be built in a specific way, your development process must generate specific types of evidence, and your team must be able to demonstrate that controls are not just present but consistently operating. The difference between companies that fail their first SOC 2 attempt and those that pass is almost always in the engineering — not in whether they purchased the right compliance dashboard.

This guide covers what engineering teams must actually implement to pass a SOC 2 audit: the Trust Services Criteria that engineering owns, the difference between Type 1 and Type 2 and when each makes sense, the specific infrastructure and process controls auditors test, how to generate evidence automatically through your CI/CD pipeline, and how to scope your first audit without creating a year-long distraction. Belsoft's security and scalability engineering practice has helped SaaS teams structure their infrastructure for SOC 2 from day one, making the eventual audit a formality rather than a scramble.

Why SOC 2 Is Now a Hard Gate on Enterprise Revenue

The security review process at enterprise companies has professionalized significantly over the past three years. What used to be a loosely enforced questionnaire sent to vendors after contract negotiation is now a mandatory gate before a procurement request can be approved. Most enterprise security teams use a standardized vendor risk assessment process that scores vendors on data security, access controls, incident response, business continuity, and subprocessor risk. A SOC 2 Type 2 report — issued by a licensed CPA firm, covering a 6–12 month observation period — is the most widely accepted way to satisfy that review without consuming weeks of your engineering team's time answering custom questionnaires.

The math for most B2B SaaS companies is straightforward. A first-year SOC 2 Type 2 engagement costs between $50,000 and $120,000 in auditor fees, tooling, and engineering time. A single enterprise contract blocked by the absence of a SOC 2 report is usually worth several times that in annual recurring revenue. More importantly, a SOC 2 report is a one-time infrastructure investment that reuses across every subsequent enterprise deal, while the cost of answering bespoke security questionnaires compounds with every new prospect. The real question for most SaaS companies is not whether to pursue SOC 2 but how to get there without losing six months of product velocity.

The Five Trust Services Criteria: What Engineering Is Responsible For

SOC 2 is organized around five Trust Services Criteria (TSC), each of which maps to a domain of operational controls. Most SaaS companies start with Security only — formally called the Common Criteria (CC) — and add the others in later audits once the first is complete. Trying to cover all five on a first engagement multiplies complexity and almost always results in a delayed audit or a qualified opinion.

  • Security (Common Criteria — CC): the mandatory criterion for every SOC 2 report. It covers logical and physical access controls, change management, risk assessment, monitoring, and incident response. This is almost entirely an engineering concern: who can access production systems, how access is granted and revoked, how code changes flow from development to production, what is logged, and how you respond when something goes wrong. The CC contains the largest number of auditor test points and is the primary reason the first audit is predominantly an engineering project
  • Availability: covers uptime commitments and the infrastructure patterns that support them — redundancy, disaster recovery, backup and restore, and capacity planning. If your SaaS product has an uptime SLA, this criterion is directly relevant. Engineering owns the architecture decisions — multi-AZ deployments, RTO and RPO targets, tested recovery procedures — and must document them in a runbook that auditors can inspect
  • Confidentiality: covers how you identify data that must be kept confidential and the controls that enforce those restrictions. In practice this means data classification policies, encryption at rest and in transit, column-level masking for sensitive fields, and data access patterns that enforce the principle of least privilege at the application layer
  • Processing Integrity: covers whether system processing is complete, valid, accurate, timely, and authorized. This criterion is most relevant for SaaS products that process financial transactions, medical records, or other data where incorrect output creates downstream liability. Engineering controls here include input validation, error handling that surfaces anomalies, and reconciliation mechanisms that catch processing failures
  • Privacy: covers the handling of personal information throughout its lifecycle. This criterion largely maps to GDPR and CCPA requirements: data collection notices, consent management, data subject request handling, retention and deletion policies, and subprocessor disclosure. Engineering controls include automated data deletion pipelines, audit trails for data access, and data minimization patterns in your data model

SOC 2 Type 1 vs Type 2: Which to Pursue and When

The distinction between Type 1 and Type 2 is categorical, not a spectrum. A Type 1 report is a point-in-time assessment: an auditor reviews your system description and the design of your controls on a single date and attests that your controls are appropriately designed to meet the relevant Trust Services Criteria. A Type 2 report covers a 3–12 month observation period and attests that your controls operated effectively throughout that window — meaning the auditor tests whether the controls actually ran as designed, not just whether they existed on audit day.

Enterprise buyers overwhelmingly require Type 2. A Type 1 demonstrates intent; a Type 2 demonstrates history. Most enterprise procurement teams are trained to recognize the difference and will accept a Type 1 only as a bridge document while a Type 2 is in progress. For a SaaS startup with no existing compliance history, the practical approach is to begin building toward Type 2 from the start — choosing the observation period start date once your controls are stable, then scheduling the audit after the observation window closes. Targeting Type 1 first as an intermediate step makes sense only if a specific enterprise deal requires proof of compliance within a timeframe that does not allow for a Type 2 observation period.

The Engineering Controls Checklist: What Auditors Actually Test

Auditors for the Common Criteria test a specific set of controls, and the evidence they require is generated almost entirely by your infrastructure and development process. Integrating these controls with your DevSecOps and CI/CD pipeline is the most efficient way to generate evidence continuously rather than scrambling to reconstruct it at audit time. The following controls are the ones that require the most engineering effort and are most commonly cited as gaps in first-time SOC 2 preparation.

  • Multi-factor authentication on all production access: MFA must be enforced at the identity provider level — not optional, but enforced by policy — for every user account with access to cloud infrastructure consoles, code repositories, CI/CD systems, and customer data. Auditors test this by attempting to identify accounts without MFA enforcement, so enforced-by-policy configurations are required, not just user-enabled settings
  • Role-based access control with least privilege: every production access right must be tied to a documented business role. Engineers should not have unrestricted production database access by default; support staff should not have infrastructure console access. Auditors pull your IAM policy configuration and test whether access rights match documented roles. Quarterly access reviews — documented with timestamps showing who reviewed what and what changed — are a separate control requirement under the CC
  • Centralized audit logging with tamper-evident storage: all production system access, infrastructure changes, and data access events must be logged to a centralized sink that production engineers cannot modify. AWS CloudTrail, GCP Cloud Audit Logs, or equivalent must be enabled in all regions where customer data is processed. Log retention must meet or exceed the observation period of your audit — for a 12-month Type 2, that means at least 12 months of logs available and searchable
  • Vulnerability management with documented remediation timelines: automated vulnerability scanning must run on a defined cadence — at minimum weekly for infrastructure and on every build for dependencies — and findings above a defined severity threshold must have documented remediation timelines. Critical vulnerabilities must be tracked to closure with evidence showing the date discovered, the person assigned, and the date remediated. The scanning tool's output, not just a policy document, is what auditors examine
  • Formal change management for production deployments: code changes to production must pass through a review process with at least one reviewer who is not the author. Pull request approvals in your version control system serve as evidence — auditors sample a set of production deployments and verify that each had a corresponding approved pull request. Deployments that bypass the PR process must be logged as exceptions and reviewed after the fact
  • Incident response plan with documented exercises: auditors require both a documented incident response plan and evidence that the plan has been tested. A tabletop exercise — a structured walk-through of a hypothetical incident scenario with documented attendance and outcomes — is the most common form of testing evidence. The plan must define severity levels, on-call escalation paths, communication templates, and post-mortem requirements
  • Encryption in transit and at rest: TLS 1.2 minimum (TLS 1.3 preferred) must be enforced on all customer-facing endpoints. Data at rest must be encrypted using platform-managed or customer-managed keys with documented key rotation policies. Database encryption, object storage encryption, and secrets storage in a dedicated secrets manager — not plaintext environment variables or hardcoded config files — are all testable controls that auditors verify through infrastructure configuration inspection

Generating SOC 2 Evidence Automatically Through Your CI/CD Pipeline

The single largest factor in whether a SOC 2 audit is straightforward or painful is whether evidence generation is automated and continuous versus manual and retrospective. An audit that requires your engineering team to spend three weeks pulling logs, writing policy documents, and reconstructing deployment history is a recurring engineering tax on every audit cycle. Structuring your CI/CD pipeline and infrastructure to generate evidence as a byproduct of normal operations eliminates most of that cost.

  • Require PR approvals as a branch protection rule, not a convention: enforced branch protection on your main and production branches means that merged PRs without approvals are technically impossible, and the enforcement is visible in your repository settings. This is stronger evidence than a policy document stating that reviews are required — auditors can see the enforcement configuration, not just the policy
  • Integrate SAST and dependency scanning into every build: tools like Semgrep, Trivy, or Snyk running as required CI steps create a timestamped record of security checks on every code change. If the check fails, the build fails — creating evidence that findings are not being ignored. Export scan results to a retention-compliant storage location so auditors can review historical scan output across the entire observation period
  • Log infrastructure changes through infrastructure-as-code: all production infrastructure changes that go through Terraform, Pulumi, or CDK runs in CI create an automatic audit trail tied to a PR and an approval. Ad-hoc console changes that bypass IaC — the most common source of undocumented infrastructure drift — should be detected by a drift detection job and alerted on. This closes the most common gap auditors find in change management evidence
  • Automate access review evidence: quarterly access reviews are a required control, but generating the review evidence manually — exporting IAM reports, cross-referencing them with HRIS data — is time-consuming and error-prone. Connecting your identity provider and HR system to a compliance automation tool creates access review reports automatically, with an approval workflow that generates the documented evidence the auditor needs without engineering involvement

Compliance Automation Tools: What They Do and What They Do Not

Compliance automation platforms — Vanta, Drata, Secureframe, Sprinto, and several others — have become the standard approach for SaaS companies pursuing SOC 2. They connect to your cloud provider, code repositories, identity provider, and HR system via API integrations and continuously collect evidence against each control. They also provide a policy library, a vendor risk management module, and an auditor collaboration portal. Organizations using these platforms typically reduce audit preparation time by 60–70% compared to manual approaches, and most qualified auditors now accept their output directly.

The critical caveat is that these tools collect evidence for controls that exist — they do not implement controls that do not. If MFA is not enforced in your identity provider, the compliance platform will flag it as a failing control, not fix it. If you do not have centralized logging, the integration has nothing to connect to. Purchasing a compliance automation tool before your engineering team has implemented the underlying controls is one of the most common ways SaaS companies waste money on their first SOC 2 engagement. The correct sequence is to implement the controls first, then connect a compliance platform to collect evidence from them.

How to Scope Your First SOC 2 Audit Without Boiling the Ocean

Audit scope determines how much of your infrastructure, how many of your services, and how many of your vendors fall within the auditor's review. Scoping too broadly on a first audit multiplies complexity, extends timelines, and increases cost without proportional benefit to buyers who want a focused and clean report. The following principles guide a minimal-viable scope for a cloud-native SaaS company pursuing its first SOC 2 Type 2.

  • Security criterion only: do not attempt to add Availability, Confidentiality, or other criteria on the first audit unless a specific customer contract demands it. Security covers the controls that buyers care most about, and a clean Security-only Type 2 satisfies the majority of enterprise procurement reviews. Add criteria in subsequent audit cycles once the Security controls are stable and the evidence collection process is mature
  • Define a tight system boundary: the system description in a SOC 2 report defines exactly what infrastructure, services, and processes are in scope. A cloud-native SaaS on AWS should list specific services — the production VPC, specific RDS instances, EKS clusters serving customer traffic, the identity provider — and explicitly exclude internal tooling, development environments, and corporate infrastructure that does not touch customer data. Every service in scope is a service the auditor tests controls on
  • Audit your subprocessors before the auditor does: every third-party service that processes or stores customer data on your behalf is a subprocessor that must be listed in your system description and reviewed for their own security posture. For a typical SaaS product this includes the cloud provider, managed database services, email delivery, error tracking, analytics, and payment processing. Collect SOC 2 reports or security questionnaire responses from all subprocessors before your observation period starts — missing subprocessor documentation is one of the most common causes of first-audit delays
  • Start the observation period when controls are stable, not when you sign the audit contract: the observation period begins when your controls are fully implemented and generating evidence consistently. If you start the period while controls are still being rolled out, the auditor's evidence sample will include gaps that produce exceptions in the report. Spend 4–8 weeks implementing and stabilizing controls before formally starting the observation period — this planning phase is when a compliance automation platform earns its cost by showing you exactly which controls are passing and which are still failing before the clock starts

Frequently Asked Questions

What is the difference between SOC 2 Type 1 and Type 2?

SOC 2 Type 1 is a point-in-time report attesting that your controls are designed appropriately as of a specific date. SOC 2 Type 2 covers a 3–12 month observation period and attests that your controls operated effectively throughout that window. Enterprise buyers overwhelmingly require Type 2 because it demonstrates that controls actually run consistently, not just that they were in place on audit day. A Type 1 may be accepted as a temporary substitute while a Type 2 is in progress.

How long does SOC 2 take for a SaaS startup?

A realistic timeline for a first SOC 2 Type 2 engagement is 9–14 months end to end: 4–8 weeks to implement and stabilize engineering controls, a 6-month observation period (the minimum most auditors accept for a first engagement), and 4–8 weeks for auditor fieldwork and report issuance. Teams with significant infrastructure gaps — no centralized logging, no automated vulnerability scanning, no enforced PR reviews — should budget 12–16 months to allow time for engineering remediation before the observation period begins.

What controls does engineering need to implement for SOC 2?

For the Security criterion, engineering must implement: enforced MFA on all production system access; role-based access control with documented roles and quarterly access reviews; centralized audit logging with tamper-evident retention covering the full observation period; automated vulnerability scanning with tracked remediation timelines; enforced PR review gates for all production deployments; a tested incident response plan; and encryption at rest and in transit across all services. These controls generate the evidence auditors sample during the observation period.

How much does SOC 2 certification cost?

Total first-year cost for a SaaS startup pursuing SOC 2 Type 2 typically ranges from $50,000 to $120,000, covering auditor fees ($15,000–$40,000), compliance automation tooling ($15,000–$30,000 annually), and engineering time implementing and documenting controls. Companies that start with a well-structured DevSecOps infrastructure spend toward the lower end; teams retrofitting security controls onto an existing system spend toward the higher end. SOC 2 Type 1 as a standalone engagement costs $12,000–$40,000 and takes 3–6 months total.

Does SOC 2 require penetration testing?

Penetration testing is not explicitly required by the SOC 2 Trust Services Criteria, but it is a control that auditors commonly expect to see documented under the risk assessment and vulnerability management criteria of the Common Criteria. Most enterprise buyers also request penetration test reports in their security questionnaires, independent of the SOC 2 report itself. An annual external penetration test with documented findings and remediation evidence is the practical standard for a SaaS company undergoing SOC 2. Some auditors accept automated vulnerability scanning programs as sufficient for smaller-scope systems, but a penetration test produces the stronger evidence.

How Belsoft Helps SaaS Companies Get SOC 2 Ready

SOC 2 is an engineering problem before it is a compliance problem. The teams that get through their first audit without significant rework are the ones that built their infrastructure with auditability in mind from the start — enforced access controls, automated evidence pipelines, and a development process that generates a natural audit trail. For teams that did not start that way, the first SOC 2 engagement is an opportunity to retrofit the right foundation, but it requires honest assessment of the current state and a structured remediation plan. Belsoft's security and scalability engineering team works with SaaS companies at both stages: building security controls into greenfield products and helping existing teams close the gaps that block their first audit. Our SaaS product engineering practice designs for SOC 2 readiness from the architecture phase, so compliance is a byproduct of sound engineering rather than a separate project.

If your engineering team is preparing for a first SOC 2 audit, planning a second-cycle expansion to additional Trust Services Criteria, or trying to understand which infrastructure changes will have the highest impact on your compliance posture, book a technical review with our team — we cover the controls gap, the evidence pipeline, and the audit scope in the same conversation.

SOC 2 is not a security certification — it is proof that your security program runs consistently. The controls are the easy part. The evidence that they operated is the work.

Written by

Belsoft Team

Ready to build?

Let's talk about your project.

30 minutes. No pitch. We map your requirements and tell you honestly what it will take.

Book a Strategy Call
logo

Enterprise software engineering SaaS, AI, cloud, and security for companies that need more than an agency.

Copyright Ⓒ 2026 BelSoft. All Rights Reserved.

social-media-1social-media-2social-media-3social-media-4