Yury Pukhov, CEO, YuSMP Group · SaaS engineering, compliance programs and enterprise procurement readiness since 2014

Type I vs Type II — what enterprise buyers require in 2026

SOC 2 comes in two flavours, and the difference matters more in 2026 than it did even two years ago. A Type I report is a point-in-time attestation: on the date the auditor looked, your controls were designed appropriately. A Type II report attests that those controls also operated effectively over a defined window — typically six or twelve months.

In 2026 the procurement playbook at almost every Fortune 1000 and most Series C+ SaaS buyers reads like this:

  • Below $25k ACV: a Type I plus a security questionnaire is often acceptable.
  • $25k–$250k ACV: Type II with at least a six-month window is the floor. Type I will get you a "come back when you have Type II".
  • Above $250k ACV or any regulated buyer (financial services, healthcare, federal): Type II covering the prior twelve months, increasingly ISO 27001 alongside it, and a penetration test report from a named firm.

Type I has one honest use case in 2026: bridging. You can ship a Type I in 4–6 weeks once readiness is done, hand it to a buyer to unblock the contract, and ship Type II at the end of the next observation window. Spend the Type I budget only if you have a specific buyer waiting on it. Otherwise skip it and go directly to a six-month Type II — your second-year renewal will fall on a cleaner cadence and you avoid duplicate auditor fees.

For founders selling primarily into the European Union, SOC 2 is often paired with — or replaced by — ISO 27001 and a GDPR posture. We cover the EU-side mechanics in our GDPR for US founders selling to the EU article, and the AI-specific add-ons in EU AI Act compliance.

Trust Services Criteria — which to choose

SOC 2 is scoped via the five Trust Services Criteria (TSC), defined by the AICPA. Only one is mandatory; the other four are opt-in and each adds real audit cost. The right choice depends on what your contracts promise.

| Criterion | Required? | When to include | Cost impact |
|---|---|---|---|
| Security (Common Criteria) | Always | Mandatory in every engagement | Baseline |
| Availability | Optional | You sell an uptime SLA or a status-page commitment | +10–15% |
| Confidentiality | Optional | You handle customer business data under NDA (most B2B SaaS qualifies) | +10–15% |
| Processing Integrity | Optional | Calculation accuracy is central to the product: fintech, payroll, billing, analytics | +15–20% |
| Privacy | Optional | You collect PII directly from end-users and want to demonstrate it beyond GDPR/CCPA | +30–50% |

The pragmatic stack for a Series A/B B2B SaaS startup in 2026 is Security + Availability + Confidentiality. That covers the questionnaire questions you actually face, signals an SLA commitment, and keeps the audit fee in the $20k–$35k band. Add Processing Integrity only if a regulator or a top-three buyer asks for it explicitly. Skip Privacy on year one — GDPR and CCPA carry more procurement weight in 2026, and the controls overlap heavily.

Scope: in-scope systems and sub-service carve-outs

Scoping is where most SOC 2 programs leak time. The scope is the production system delivering the service to customers — not your marketing site, not your internal HR Notion, not your dogfood test cluster. Decide what is in scope by asking: "Does this system process or store customer data, or is it part of the production path that does?" If yes, in scope. If no, out.

For a typical SaaS startup, in-scope systems look like:

  • The production AWS / GCP / Azure account hosting the app, including all compute, storage, databases, queues, and secrets managers.
  • The source control system holding the production codebase (GitHub, GitLab, Bitbucket) and its branch protections.
  • The CI/CD pipeline that ships to production (GitHub Actions, CircleCI, Buildkite, Argo).
  • The identity provider used by employees to access production (Okta, Google Workspace, Microsoft Entra ID).
  • The monitoring and logging stack (CloudWatch, Datadog, Grafana, Splunk, Wiz, Sentry).
  • The ticketing and change-management system (Linear, Jira, GitHub Issues) — because that is where you produce evidence of approvals.
  • The MDM solution managing employee laptops that touch production credentials (Jamf, Kandji, Intune).

Out of scope: the marketing WordPress, the sales CRM, the support portal (unless it processes customer data), and pre-production sandbox environments that have no customer data and no shared credentials with prod.

Sub-service organisations — the carve-out method

Almost every SaaS startup runs on third parties: AWS for compute, Stripe for payments, Auth0 for identity, Twilio for messaging, Datadog for monitoring. The carve-out method tells the auditor: "These vendors have their own SOC 2 / ISO 27001 reports. Trust those, don't re-audit them through me."

This is the right answer in 99% of cases. The mechanic:

  1. List sub-service organisations in your SOC 2 system description.
  2. Collect their current SOC 2 Type II / ISO 27001 reports each year (AWS Artifact, Stripe trust portal, Auth0 trust center, etc.).
  3. Implement the complementary user entity controls (CUECs) that each vendor's report tells you to. These are the things you must do — they cannot. Examples: enable MFA on the AWS root account, never store the root account key in code, rotate Stripe restricted keys every 90 days, configure Auth0 brute-force protection, encrypt customer-managed S3 buckets with SSE-KMS.
  4. Maintain evidence that each CUEC is enforced. A compliance automation platform automates most of this collection.

[Image: Engineering team reviewing data residency and compliance scope on a shared whiteboard]
Scoping the SOC 2 system description — what counts, what carves out — is a 2-hour engineering conversation, not a security-team afterthought.

Control families with concrete examples

The Common Criteria break down into nine families (CC1 through CC9). Most engineering teams care about five of them in concrete daily work. Below is what each looks like in a 2026 SaaS startup — not the policy language, the actual mechanics.

Access management

  • SSO everywhere. Okta or Google Workspace as the single identity source. SCIM provisioning where the SaaS supports it. No shared service accounts logging in with passwords.
  • MFA enforced on every production-adjacent system. Hardware keys (YubiKey, Titan) for admins; TOTP minimum for everyone else. SMS-only MFA is a finding in 2026.
  • RBAC with least privilege. AWS IAM groups, not inline policies. GitHub teams, not individual collaborators. Annual access reviews recorded in the ticket system — quarterly for prod-tier roles.
  • Off-boarding within one business day. Documented checklist covering Okta, AWS, GitHub, Slack, Notion, Linear, Datadog, Sentry, and every other tenant. Most failed audits start here.
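The off-boarding bullet above and finding #1 under "Common audit findings" are the same control seen from two sides: a leaver must be absent from every tenant, not just the IdP. The reconciliation below is an added example (not the article's or any platform's code) that compares a constructed HR termination list against constructed per-tenant user exports; the tenant names follow the list above, the people and addresses are fictional, and the SLA is simplified to calendar days.

```python
"""Reconcile an HR termination list against per-tenant active-user exports to
catch the "terminated employee still active somewhere" finding. Added example
with constructed data; tenants mirror the checklist above, people are fictional."""
from datetime import date


def canonical(email: str) -> str:
    """Normalise an address so Alice.Smith@Example.com and the plus-alias
    alice.smith+datadog@example.com both compare equal to alice.smith@example.com.
    Standalone tenants are exactly where such aliases accumulate."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


# Constructed: HR list of leavers with termination dates
TERMINATED = {
    "alice.smith@example.com": date(2026, 3, 14),
    "dan.ortiz@example.com": date(2026, 4, 2),
}

# Constructed: active-user export from each tenant's admin console
TENANT_EXPORTS = {
    "okta": ["bob.lee@example.com", "carol.ng@example.com"],
    "aws-iam": ["bob.lee@example.com", "carol.ng@example.com"],
    "github": ["bob.lee@example.com", "Alice.Smith@Example.com"],
    "datadog": ["carol.ng@example.com", "alice.smith+datadog@example.com"],
    "sentry": ["dan.ortiz@example.com", "bob.lee@example.com"],
}


def lingering_accounts(terminated, exports, today):
    """Return {tenant: [(email, days_since_termination), ...]} for every
    terminated person still present in a tenant's active-user export."""
    leavers = {canonical(e): d for e, d in terminated.items()}
    findings = {}
    for tenant, users in exports.items():
        hits = []
        for user in users:
            c = canonical(user)
            if c in leavers:
                hits.append((c, (today - leavers[c]).days))
        if hits:
            findings[tenant] = sorted(hits)
    return findings


def exceeds_sla(findings, sla_days=1):
    """Tenants where a leaver has outlived the off-boarding SLA (assumed: one
    calendar day, approximating the page's one business day)."""
    return sorted(t for t, hits in findings.items()
                  if any(days > sla_days for _, days in hits))
```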

Change management

  • Every production change goes through a pull request. No direct commits to main; protected branches.
  • At least one independent reviewer. Required PR approval before merge; CODEOWNERS for sensitive paths.
  • Automated test gate. CI must pass on the PR before merge. Test failures cannot be bypassed without a documented exception.
  • Production deploys traceable to a PR and a ticket. Deploy logs link to Git SHA; commit messages reference Linear/Jira IDs.
  • Emergency change procedure documented and rarely used. Auditors check that "emergency" is not your default mode.
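The first four bullets above are exactly what a compliance platform turns into a control test against the repository's branch protection settings. The checker below is an added example (not the article's code and not any platform's implementation); the sample payload is constructed to follow the shape of GitHub's branch protection REST response, and the failure strings are this example's own wording.

```python
"""Evaluate a branch-protection payload against the change-management controls
listed above. Added example; SAMPLE_PROTECTION is constructed in the shape of
GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection response."""

# Constructed sample: reviews and CI are enforced, but admins may bypass the rules.
SAMPLE_PROTECTION = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "require_code_owner_reviews": True,
        "dismiss_stale_reviews": True,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def check_branch_protection(protection: dict) -> list[str]:
    """Return the list of control failures; an empty list means the control passes.
    Missing keys are treated as 'not enforced', which is how an unprotected
    branch (an empty payload) should read."""
    failures = []
    reviews = protection.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < 1:
        failures.append("no independent PR approval required before merge")
    if not reviews.get("require_code_owner_reviews"):
        failures.append("CODEOWNERS review not required for sensitive paths")
    checks = protection.get("required_status_checks") or {}
    if not checks.get("contexts"):
        failures.append("no CI status check gates the merge")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        failures.append("admins can bypass protection (undocumented exception path)")
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        failures.append("force pushes to the protected branch are allowed")
    if (protection.get("allow_deletions") or {}).get("enabled"):
        failures.append("the protected branch can be deleted")
    return failures
```

Run this on a schedule and file the non-empty results as drift: the admin-bypass case above is the one that quietly turns "emergency" into the default mode.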

Monitoring and detection

  • Centralised logs. CloudWatch + Datadog or Splunk; logs retained 365+ days; access to logs themselves logged.
  • Alerting on security events. Failed-login spikes, IAM policy changes, KMS key changes, security-group changes, root-account use.
  • CSPM / CNAPP coverage. Wiz, Orca, Lacework, or Prowler running continuously against the cloud account. Findings triaged within a documented SLA.
  • Endpoint detection. CrowdStrike, SentinelOne, or Jamf Protect on every laptop with prod access.
  • Vulnerability management. Dependabot / Renovate plus Snyk or GitHub Advanced Security; SLA for criticals (typically 30 days) is the control that's tested, not the scanner choice.
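The "Alerting on security events" bullet above lists the events; what the auditor samples is the rule that fires on them. Below is an added example (not the article's code and not any vendor's detection content) that runs those rules over constructed CloudTrail-shaped records: the eventSource/eventName strings are real CloudTrail values for the AWS APIs named, while the account id, user names, threshold and window are placeholders chosen for this illustration.

```python
"""Detection rules for the monitoring bullets above, run over constructed
CloudTrail-shaped records. Added example; the account id, user names and the
failed-login threshold/window are placeholders, not values from the page."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail eventSource/eventName values; illustrative, not an exhaustive list.
WATCHED = {
    "iam.amazonaws.com": {"PutUserPolicy", "PutRolePolicy", "AttachUserPolicy",
                          "AttachRolePolicy", "CreatePolicyVersion", "CreateAccessKey"},
    "kms.amazonaws.com": {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy"},
    "ec2.amazonaws.com": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                          "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress"},
}
FAILED_LOGIN_THRESHOLD = 5                   # assumed tuning values
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

def ev(time, source, name, identity, **extra):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": identity, **extra}

SAMPLE_EVENTS = [
    ev("2026-05-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin",
       {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
       responseElements={"ConsoleLogin": "Success"}),
    ev("2026-05-01T09:05:00Z", "iam.amazonaws.com", "AttachUserPolicy",
       {"type": "IAMUser", "userName": "alice"}),
    ev("2026-05-01T09:06:00Z", "ec2.amazonaws.com", "DescribeInstances",  # benign read
       {"type": "IAMUser", "userName": "alice"}),
    ev("2026-05-01T10:00:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion",
       {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/deploy/ci"}),
] + [  # five failed console logins by one user inside ten minutes
    ev(f"2026-05-01T09:3{i}:00Z", "signin.amazonaws.com", "ConsoleLogin",
       {"type": "IAMUser", "userName": "bob"}, responseElements={"ConsoleLogin": "Failure"})
    for i in range(5)
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect(events):
    """Return one alert string per rule hit, in event-time order."""
    alerts, failures = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        ident = e.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        if ident.get("type") == "Root":                      # any root-account activity
            alerts.append(f"ROOT_USE {e['eventName']} at {e['eventTime']}")
        if e["eventName"] in WATCHED.get(e.get("eventSource"), ()):
            alerts.append(f"CONFIG_CHANGE {e['eventSource']} {e['eventName']} by {who}")
        if (e["eventName"] == "ConsoleLogin"
                and e.get("responseElements", {}).get("ConsoleLogin") == "Failure"):
            window = failures[who]
            window.append(_ts(e))
            while window[-1] - window[0] > FAILED_LOGIN_WINDOW:  # slide the window
                window.pop(0)
            if len(window) == FAILED_LOGIN_THRESHOLD:        # fire when threshold is reached
                alerts.append(f"FAILED_LOGIN_SPIKE {who}: {len(window)} failures in 10 min")
    return alerts
```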

Incident response

  • Written IR plan with severity ladder, on-call rotation, communication template, and customer-notification thresholds.
  • At least one tabletop exercise per year with minutes filed.
  • Post-mortem on every customer-visible incident with action items tracked to closure.
  • Forensics and breach-notification path documented — even if you've never used it, the auditor will ask.

Vendor management

  • Vendor inventory. A living list of every sub-processor and SaaS that touches customer data. The compliance platforms keep this for you if connected.
  • Risk tier per vendor (low/medium/high) based on data sensitivity and integration depth.
  • SOC 2 / ISO 27001 report collected annually for tier-medium-and-up vendors.
  • DPA / BAA signed where required. If you sell into healthcare you also need HIPAA-grade BAAs on top.

Compliance automation platforms compared

You can run a SOC 2 program on spreadsheets. We did, in 2018. In 2026 nobody should — the cost of a compliance automation platform is recovered in roughly 80 hours of evidence-collection time saved over an observation window.

The four platforms that actually compete in 2026:

| Platform | 2026 price (startup tier) | Strengths | Weaknesses |
|---|---|---|---|
| Vanta | $18k–$30k/yr | Largest integration catalog (300+), most polished UI, mature trust center feature, biggest auditor network | Most expensive; lock-in via custom controls |
| Drata | $15k–$28k/yr | Sharpest evidence collection automation, strong continuous-monitoring views, deep AWS/GCP/Azure coverage | Less mature on the policy-template side; vendor management lighter than Vanta |
| Secureframe | $12k–$22k/yr | Best price/feature ratio for first-time SOC 2; good built-in auditor marketplace | Fewer integrations than Vanta/Drata; reporting feels older |
| Sprinto | $8k–$18k/yr | Cheapest at the startup tier; strong in APAC; quick onboarding | Smaller auditor network in the US; UI density takes getting used to |

What all four do well: continuously pull evidence from AWS / GCP / Azure / GitHub / Okta / Jamf / Datadog / Linear and similar; map that evidence to control tests; flag drift when a control fails; ship policy templates; provide an auditor portal at audit time.

What none of them do: write your secure SDLC, perform threat modelling, fix findings, actually do the off-boarding, run the tabletop. Budget one part-time owner inside engineering — usually CTO, head of platform, or a senior DevOps engineer — to drive the program. Outsourcing the owner role to the platform vendor is the single most common reason a first audit fails or slips.

Observation window — 3, 6, or 12 months?

The minimum any reputable auditor will accept is three months, and several Big Four firms will not go below six. The defaults we recommend:

  • Three months: only if a specific enterprise buyer has accepted it in writing. Brittle, and almost guaranteed to require an immediate second engagement.
  • Six months: the standard first Type II. Long enough for auditors to sample evidence convincingly, short enough that program fatigue does not set in.
  • Twelve months: the default from year two onward, because it matches the report validity period and the renewal cadence buyers expect.

Practical sequencing for a startup with no prior compliance: 8–12 weeks of readiness work, then a Type I (optional) to unblock immediate buyers, then a 6-month observation window for Type II. Total time from "decide to do SOC 2" to "Type II report in hand": 9–12 months.

Auditor selection and cost

Only a licensed CPA firm can issue a SOC 2 report. The field in 2026 sorts into three tiers:

| Tier | Examples | Typical fee (year 1) | When to pick them |
|---|---|---|---|
| Big Four | Deloitte, EY, KPMG, PwC | $40k–$60k+ | Buyer explicitly requires a "Big Four signature"; uncommon outside Fortune 100 and regulated sectors |
| National CPA firms | BDO, Schellman, A-LIGN, Coalfire, Moss Adams | $25k–$40k | You want a recognised brand and a deep team without Big Four pricing |
| CPA boutiques | Insight Assurance, Prescient, Johanson, Sensiba, Linford, Risk3sixty | $15k–$25k | First Type II, startup budget, no specific buyer demand |

Pick the smallest tier your buyers will accept. We have not yet seen a buyer reject a Schellman, A-LIGN, or Insight Assurance report in 2026. We have seen buyers reject reports from auditors no one has heard of — verify the firm has a public client list and at least 100 SOC 2 reports issued.

Hidden costs beyond the auditor fee: a penetration test from a named firm (Cobalt, NetSPI, Bishop Fox: $8k–$25k), the compliance platform ($12k–$30k/yr), engineering time (0.3–0.6 FTE over the window), and remediation of findings during the audit (usually 40–80 engineering hours). Realistic year-one all-in for a Series A/B SaaS startup: $50k–$120k.

Common audit findings to avoid

Across the SOC 2 engagements we have observed, four findings appear on roughly 70% of first-year reports. Each one is preventable with discipline, not engineering.

  1. Terminated employee still active in at least one system. Off-boarding covered Okta and AWS but not the standalone Datadog tenant created two years ago, or the Postman team, or the Sentry org. Fix: maintain a deprovisioning checklist that lists every tenant by name; review it monthly; have HR sign off when an employee leaves.
  2. Production change with no corresponding ticket. A hotfix went out as a direct commit, or a manual database migration ran without a PR. Fix: enforce protected branches; enforce that every deploy log references a PR; have a documented (and rarely used) emergency procedure.
  3. Untested disaster recovery. The runbook exists but no one has actually restored from backup in the observation window. Fix: schedule a quarterly restore-from-backup drill, file the minutes, even if the drill takes 30 minutes.
  4. Vendor review skipped. A new sub-processor was added mid-window with no risk assessment and no SOC 2 collected. Fix: gate every "Add integration" decision behind a 15-minute vendor intake form in your compliance platform.

[Image: Engineering and security leads doing a tabletop incident-response exercise]
One tabletop exercise per year with minutes filed is enough to satisfy the IR criterion — and far more useful than a 40-page incident-response policy nobody reads.

Continuous compliance after the report

The day the Type II report is issued, the next observation window starts. There is no break. Evidence freshness degrades immediately; controls drift as the engineering team ships features; new vendors get added; people leave and join. Three habits keep the program healthy:

  1. Monthly drift review. 30 minutes in the compliance platform looking at any failing checks. Almost always trivial — an MFA reset that was rolled back, a Datadog user not in SSO, an expired SOC 2 report from a sub-processor.
  2. Quarterly internal mini-audit. Sample five controls at random, pretend you are the auditor, collect evidence. If you can't, fix the gap before the real auditor finds it.
  3. Annual program review. Re-scope as the product changes — new TSCs, new sub-service organisations, new business lines.

SOC 2 also overlaps with adjacent frameworks you may need: ISO 27001 (more common in Europe), HIPAA (US healthcare — see our HIPAA software development checklist), GDPR (EU data residency and rights — see GDPR for US founders), and the new EU AI Act obligations for AI-augmented SaaS (see EU AI Act compliance). Roughly 70% of controls overlap, so once SOC 2 is healthy adding a second framework is incremental, not duplicative.

FAQ

Do enterprise buyers in 2026 still accept SOC 2 Type I?

Rarely, and only as a stop-gap. In 2026 mid-market and enterprise procurement teams treat Type I as evidence that you intend to be compliant, not that you are. A Type I unlocks a security questionnaire conversation; a Type II unlocks the contract. If your buyer is regulated (financial services, healthcare, public sector), expect them to refuse Type I outright and ask for Type II covering at least the prior six months.

Which Trust Services Criteria should a SaaS startup choose?

Security (the Common Criteria) is mandatory in every SOC 2 engagement. For a typical multi-tenant SaaS, add Availability if you sell an uptime SLA, and Confidentiality if you process customer business data under NDA. Add Processing Integrity only when accuracy guarantees are central to the product (fintech calculations, payroll, billing). Privacy is rarely worth it on the first engagement — GDPR or CCPA usually does more for buyers and Privacy adds 30–50% audit cost.

How long does the SOC 2 Type II observation window need to be?

The minimum that auditors will accept is three months and almost every Big Four firm refuses anything under six. The pragmatic default for a first Type II is six months. Stretch to twelve only if a strategic enterprise buyer explicitly demands it or you intend to skip Type I and go directly to Type II for renewal cadence.

What does SOC 2 Type II actually cost in 2026?

For a Series A/B SaaS startup, expect $15,000–$25,000 for the auditor fee at a reputable CPA boutique, $25,000–$40,000 at a national firm, and $40,000–$60,000+ at Big Four. Add $12,000–$30,000/year for a compliance automation platform (Vanta, Drata, Secureframe, Sprinto), plus 0.3–0.6 FTE of engineering and security operations time over the observation window. Total first-year all-in: $50,000–$120,000.

Does Vanta, Drata or Secureframe actually replace a security engineer?

No. They replace the spreadsheet that tracks evidence and the consultant that copy-pastes policy templates. The platforms continuously collect evidence from AWS, GCP, Azure, GitHub, Okta, Jamf and similar sources, map it to control tests, and flag drift. They do not write your secure SDLC, perform threat modelling, or fix findings. Plan on one part-time owner inside engineering for the first year — usually the CTO or a senior DevOps engineer.

Can sub-service organisations like AWS, Stripe and Auth0 be carved out?

Yes — and they almost always should be. The carve-out method removes the sub-service organisation's controls from your scope and points the auditor at their own SOC 2 / ISO 27001 reports. The complementary user entity controls (CUECs) that AWS, Stripe and Auth0 publish do still apply to you — you must implement them (for example, enabling MFA on the AWS root account, rotating Stripe restricted keys) and have evidence the auditor can sample.

What are the most common SOC 2 Type II audit findings?

Four reliably appear on first-year audits: (1) terminated employees still active in at least one system because off-boarding did not cover every SaaS tenant, (2) production changes deployed without a corresponding ticket or PR approval, (3) a disaster recovery or backup-restore test that was scheduled but never executed, (4) vendor reviews skipped or missing security questionnaires for sub-processors. All four are preventable with discipline and a 30-minute monthly review.

What happens after the report — is SOC 2 a one-off?

No. SOC 2 Type II reports are valid for twelve months from the issue date, and enterprise buyers expect annual renewal with no gap. The "continuous compliance" problem is that evidence freshness degrades, controls drift as the engineering team ships features, and the next observation window starts the day after the prior report's coverage period ends. Treat SOC 2 as an annual cadence with quarterly internal mini-audits and a compliance automation platform watching for drift.

Last updated 27 May 2026. Auditor fees, platform pricing and procurement norms reflect rate cards and field observations as of May 2026.