SOC 2 · For Indian SaaS · Updated June 2026

Complete guide to SOC 2 for Indian SaaS

SOC 2 — the attestation report US enterprise customers require. Type 1 vs Type 2, Trust Services Criteria, the audit process, critical controls, common findings, choosing an auditor, and India-specific considerations.

Type 1 / 2
Two report types
6–12 mo
Type 2 period
9 CC
Common Criteria
CPA
Auditor type

01SOC 2 in 60 seconds

SOC 2 (Service Organization Controls 2) is the report most US enterprise customers ask Indian SaaS vendors to produce before signing. It is not a regulation or a certification — it is an attestation by an independent auditor (CPA firm) that your controls operate effectively.

  • Created by AICPA (American Institute of Certified Public Accountants)
  • Performed by CPA firms (auditors must be licensed CPAs)
  • Two types: Type 1 (point in time) and Type 2 (over a period)
  • Two main report variants: SOC 2 Type 1 and Type 2; SOC 3 is a public summary
  • Scoped against five Trust Services Criteria — at least Security; you choose to add Availability, Confidentiality, Processing Integrity, Privacy
  • Most enterprise customers ask for SOC 2 Type 2 covering at minimum Security + Availability

02Type 1 vs Type 2

Type 1Type 2
Point-in-time snapshotOver a period (typically 6 or 12 months)
Attests controls are designed appropriatelyAttests controls operated effectively over time
2–3 months to obtain8–12 months minimum (preparation + observation + audit)
Lower assurance; some customers won't acceptThe standard expectation in enterprise sales

Practical pattern: most teams do Type 1 once (to unblock initial sales), then Type 2 on the next 12-month cycle.

03Trust Services Criteria

  • Security (Common Criteria) — required for every SOC 2; covers logical/physical access, change management, risk management, etc. ~100 sub-criteria
  • Availability — system availability for operation per commitments. Common addition for SaaS
  • Confidentiality — protection of confidential information. Common when handling customer secrets
  • Processing Integrity — system processing complete, valid, accurate, timely. Common for financial / data-processing SaaS
  • Privacy — collection, use, retention, disposal of personal information. Less common; many use GDPR/DPDP for privacy instead

Most Indian SaaS targeting US enterprises: Security + Availability. Add Confidentiality if storing significant customer data.

04The 9 Common Criteria categories

  1. CC1: Control Environment — governance, ethics, oversight
  2. CC2: Communication and Information
  3. CC3: Risk Assessment
  4. CC4: Monitoring Activities
  5. CC5: Control Activities
  6. CC6: Logical and Physical Access Controls
  7. CC7: System Operations
  8. CC8: Change Management
  9. CC9: Risk Mitigation

Each has multiple sub-criteria. Modern SaaS-focused control frameworks (Vanta, Drata, SecureFrame templates) implement the standard set; customisation is at the margins.

05The audit process

Pre-audit (months 1–6)

  1. Choose auditor and tooling (in-house vs platform like Vanta/Drata/SecureFrame)
  2. Define scope — services, systems, locations, criteria
  3. Implement controls; collect evidence
  4. Run readiness assessment with auditor or independent consultant
  5. Address gaps

Observation period — Type 2 only (6 months minimum)

Controls must operate consistently over the period. Auditors will sample evidence from this window. Evidence collected during the observation period is what matters; pre-period evidence is moot.

Audit fieldwork (4–8 weeks)

  1. Auditor requests evidence (typically 200–400 items)
  2. Walk-throughs of major controls
  3. Interviews with control owners
  4. Sampling and testing
  5. Findings discussion

Report issuance (2–4 weeks after fieldwork)

  • Auditor opinion: Unqualified (clean), Qualified (some exceptions), Adverse (controls not effective), Disclaimer (couldn't form opinion)
  • Description of system + controls
  • Description of tests performed and results
  • Management's response to any exceptions

06What enterprise customers do with the report

  • Procurement / Vendor Risk reads the auditor opinion + executive summary
  • Security team reviews exceptions and complementary user entity controls (CUECs — controls the customer must implement)
  • Legal reviews scope and any disclaimers
  • The report is shared under NDA — customers don't redistribute, generally
  • Refreshed annually; expired SOC 2 reports get flagged in vendor risk reviews

07Critical controls

  • Background checks on employees with system access (CC1.4)
  • Onboarding/offboarding with documented access provisioning and revocation
  • Least-privilege access reviews quarterly, evidenced
  • MFA on all admin and external-facing systems
  • Vulnerability management with SLA-tracked remediation
  • Patch management with documented schedule + exceptions
  • Change management with reviews/approvals before production deploy
  • Incident response with documented procedure + evidence of recent incidents handled
  • Encryption at rest and in transit (with documented standards)
  • Backup and recovery tested at least annually
  • Vendor risk management with assessments of critical vendors
  • Logging and monitoring with documented log review
  • Disaster recovery testing

08Common findings on first SOC 2

  • Access review evidence missing for certain quarters
  • Change tickets without documented testing for emergency changes
  • Background check evidence missing for some legacy employees
  • Vulnerability remediation past SLA without documented exception
  • Vendor risk assessments missing or out-of-date
None of these are catastrophic but they will appear as exceptions in the auditor opinion if not remediated before fieldwork ends.

09Choosing an auditor

  • Big 4 (PwC, EY, Deloitte, KPMG) — high-trust to enterprise customers, expensive, slow, less flexible
  • Mid-tier (BDO, Grant Thornton, Crowe) — credible, more affordable, often more responsive
  • SOC-focused boutiques (BARR, A-LIGN, Schellman, Insight Assurance) — specialise in SaaS SOC 2; familiar with SaaS controls; often the right pick for tech companies
Cost benchmark: ₹15–30 lakh for first Type 2 with a SOC-focused boutique; ₹30–60 lakh for Big 4. Annual recurring approximately 60–80% of initial cost.

10Compliance platforms

Vanta, Drata, SecureFrame, Sprinto (India-built) automate evidence collection, vendor management, and control monitoring. Pros: dramatic time savings; consistent evidence; integration with cloud, HR, and ticketing systems. Cons: $20–50K USD per year; lock-in. Worth it for any team pursuing SOC 2 + ISO 27001 + multiple frameworks.

11SOC 2 + ISO 27001 — the dual play

Once SOC 2 is established, adding ISO 27001 is significantly easier — most controls overlap. Sequence:

  1. Year 1: SOC 2 Type 1 → Type 2
  2. Year 2: Add ISO 27001 (extends SOC 2 with risk assessment, ISMS framework, statement of applicability)
  3. Year 3+: Maintain both with shared evidence collection

12India-specific considerations

  • Background checks must comply with Indian labour law — limited criminal history scope
  • Data residency may be a customer concern; document where data lives
  • DPDP compliance now expected alongside SOC 2 for Indian operations
  • Time zone — auditor working hours may misalign; plan for asynchronous evidence delivery

From first SOC 2 to enterprise-ready

A 30-minute consultation. We scope your SOC 2 (Type 1 or 2), map the critical-control gaps, choose the right audit framework, and give you a 90-day plan to get observation-period-ready.