How it works

From an uploaded report to a tracked SOC 2 program.

The whole process, including the parts most tools gloss over: who sees your report, what the review contains, what it deliberately leaves out, and what the compliance console does after delivery.

Watch it end to end

The whole workflow, in about half a minute.

A real console: commitments mirrored to their source, evidence attached, each control verified by an assessor, and the count climbing toward audit-ready.

Walkthrough: commitments mirrored to source, evidence attached, controls verified by an assessor, audit-readiness tracked — all in the soc2doc console.
STEP 1 / NDA & UPLOAD

Protected before it leaves your hands

You sign a mutual NDA and give explicit permission for analysis by our systems and our experts. Then — and only then — the upload is enabled.

STEP 2 / EXTRACTION

AI reads it. Experts verify it.

We pull out every commitment, frequency, third-party dependency, and inherited control. The same vetted assessors who verify customer evidence in the console check your extraction before it ships.

STEP 3 / YOUR REVIEW

See your year in your console

Your Commitment Review lands in your soc2doc console — everything you promised, how often, and what demonstrating it will take. You get an email the moment it is ready. No framework jargon, no audit codes.

The deliverable

What's in your Commitment Review — and what isn't.

IN · EVERY COMMITMENT

What you promised, in plain language.

Every commitment in your report, organized by business function — governance, access, vendors, operations — with no framework IDs and no control numbers.

IN · EVERY CADENCE

How often, and what it implies.

The stated frequency of each commitment, what demonstrating it at audit time will involve, and a “who owns this today?” prompt for each one.

OUT · GAP ANALYSIS

We don't score you.

The review mirrors what your report says — it doesn't judge whether your organization lives up to it. Gaps require assessing the organization, which is an engagement, not a free tool.

OUT · CHECKLISTS

No DIY templates attached.

A checklist would teach you to guess. The review shows you the actual size of the year your report committed you to — then you decide who runs it.

After the review: your compliance console

Track every commitment you made, year-round.

The free Commitment Review is the way in. The paid One Plan gives you a login to the compliance console — built for teams running SOC 2 between audits, not just preparing for one.

PHASE 3 · CONTROLS

Red, yellow, green — every control you committed to.

The console loads your committed controls and lets you track status across the year. In place, drifting, or under review — the state is visible at a glance, not buried in a spreadsheet.

PHASE 3 · EVIDENCE

Evidence is first-class, not an afterthought.

Attach supporting evidence directly to controls. One piece of evidence can satisfy many controls — the many-to-many relationship is built in, so you don't duplicate uploads or lose the link between proof and commitment.

PHASE 3 · VERIFICATION

An assessor signs off — on the record.

A vetted practitioner reviews your evidence and control record in the console and signs off with their real identity. The sign-off is auditable — a timestamped, attributable record, not an invisible back-office pass.

PHASE 6 · READINESS

Audit-readiness before your auditor asks.

The audit-readiness view flags controls with stale or missing evidence against your next audit date. The output is presentable in an exec update — not a raw data dump.

Confidentiality

Who sees your report.

Three parties, in this order, and nobody else: the automated extraction pipeline, the vetted assessor — the same practitioner who verifies customer evidence in the console — and you. The mutual NDA is executed before upload is enabled, your consent to machine and human analysis is logged separately with a timestamp, and the report is encrypted in transit and at rest. Deletion on request — or guaranteed with a certificate via the $99 secure-deletion option.

After the review

Then the real question: who runs the year?

Most teams find 30–60 commitments they can't name an owner for. When that happens, the path is a free urgent compliance call with Vikas, then — if you want the help — year-round management on the One Plan. The One Plan includes a login to the compliance console, where you track your committed controls, hold evidence, and see audit-readiness between audits. Or your team takes the list and runs it alone. The review is yours either way.

Review my SOC 2 — free Book the urgent compliance callSee pricing