COMPLIANCE, SOC 2
SOC 2: the buyer-ready attestation.
SOC 2 is the AICPA attestation report on a service organisation's controls, assessed against the Trust Services Criteria. It is the de facto standard for SaaS, fintech and any technology vendor selling to US enterprises, and is increasingly demanded by Australian AFSL holders and APRA-regulated entities. BaseHost builds and runs the technical controls (access, change, monitoring, logging) that a SOC 2 auditor expects to see. We work alongside a US-based audit partner who issues your Type I or Type II report.
TRUST SERVICES CRITERIA
Five categories. Pick what's in scope.
REQUIRED
Security (Common Criteria)
The baseline, and always in scope. The common criteria apply to every engagement: information and systems are protected against unauthorised access, unauthorised disclosure and damage.
OPTIONAL
Availability
System availability for operation and use as committed. Usually in scope for SaaS vendors with uptime SLAs.
OPTIONAL
Processing Integrity
System processing is complete, valid, accurate, timely and authorised. Important for transactional systems.
OPTIONAL
Confidentiality
Information designated as confidential is protected. Useful where contracts require confidentiality categorisation.
OPTIONAL
Privacy
Personal information is collected, used, retained, disclosed and disposed of in conformity with commitments and criteria.
RECOMMENDED
Most common scope
SaaS vendors usually start with Security + Availability + Confidentiality. We help you scope deliberately, because each additional TSC adds real audit cost.
TYPE I vs TYPE II
Pick your starting point
TYPE I
Point-in-time
Controls were suitably designed and implemented as of a specific date. Faster to obtain: most clients can produce a Type I within 12-16 weeks of engagement.
Use when: you need an attestation quickly to unblock a sale, or as an interim while working toward Type II.
TYPE II, the gold standard
Operating effectively over a period
Controls operated effectively throughout an observation period, typically 6-12 months. Significantly more credible, and most enterprise procurement specifies Type II.
Use when: enterprise sales require it (most do), or when you want the credibility that point-in-time can't deliver.
HOW WE SUPPORT SOC 2
SOC 2 readiness focused on the controls auditors actually test.
Type I and Type II preparation against the Trust Services Criteria your business actually uses (Security, plus whichever of Availability, Confidentiality, Privacy and Processing Integrity apply). Control design, evidence pipelines (Halo, Vanta-style continuous monitoring, AWS Config, log aggregation), policy uplift and direct liaison with the audit firm. We concentrate the work on the controls a customer or auditor will actually exercise, not on every criterion in the abstract.
A SOC 2 report is a sales tool. We help build one that holds up to real customer scrutiny, not just the audit fieldwork. Year two and year three are easier because the evidence pipeline runs as part of day-to-day operations rather than as a one-off project, so the auditor walks through the same controls every year without surprises.
SCOPE OF SERVICE
What BaseHost owns. What we don’t.
Your auditor decides whether you meet the Trust Services Criteria. We build and run the technology that lets them say yes.
What BaseHost owns
- Implement and operate access, change, logging, monitoring and incident-response controls aligned to the TSC you’re scoped against.
- Provide the evidence pipeline an auditor will sample: system descriptions, control narratives, automated artefact collection.
- Sit alongside your auditor (US-based partner available) through readiness, the Type I window and the Type II observation period.
- Keep controls operating consistently across the observation period, not just at the start.
What we don’t
- Issue your Type I or Type II report.
- Act as your CPA firm or sign the auditor’s opinion.
- Write your policies, board minutes or vendor-management documentation.
- Define your service description or commit on your behalf to customer-facing controls.
Working toward SOC 2? Or already attested and looking for ongoing support?
Book a 30-minute call to discuss scope, timing, audit firm and the realistic engagement model. We will send a written proposal within five business days.