Everything we hand a client at engagement start so the conversation is about evidence and gaps, not template-hunting.
Twenty-three policies, tailored to how a SaaS company actually operates rather than to a generic template.
74 controls mapped to the five Trust Services Criteria.
What the auditor will ask for; what to hand them.
Week-by-week plan with owners, artifacts, and exit criteria.
The difference between passing SOC 2 and being genuinely better-run is whether the policies match the operating reality. The kit is built for the latter.
Word + Markdown. Each policy lists which control(s) it satisfies and the evidence to collect.
Spreadsheet: each control mapped to its Trust Services Criterion, owner role, evidence list, and refresh cadence.
Pre-built mapping into both platforms, so you don't spend a week wiring the controls up after you buy.
Detailed week-by-week PDF: who does what, what gets produced, what the exit criteria are.
The exact shape of artifacts that go to your auditor in week 12. Reduces fieldwork friction by 30–40%.
If something isn’t answered here, ask in your intro email — we keep this list short on purpose.
It gets you ready. The audit itself is performed by a licensed CPA firm, not by us. If you want a guided path, our SOC 2 service (under Cybersecurity) handles the process end to end; this kit is the do-it-yourself version.
The same kit covers Type II. A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over an observation window, typically 3 to 12 months, during which controls must run and produce evidence (a Type I is optional, not a prerequisite). The kit includes the monitoring and refresh cadences you'll need to sustain that window.
Vanta provides the automation; the kit provides the policy and evidence shape. They're complementary, and the kit includes a Vanta-specific mapping so you don't do that translation work yourself.
The kit is SOC 2 focused. ISO 27001 overlaps with SOC 2 by roughly 70%, and we include a notes appendix covering that overlap. HIPAA and FedRAMP carry substantial additional requirements that the kit does not cover.
We do bespoke kits, too. Send a paragraph about the problem and we’ll come back inside 48 hours.