AICPA · Trust Services Criteria · Type I & Type II
FRAMEWORK · Stop treating SOC 2 like an annual fire drill. Uproot reads your real stack, maps it to the Trust Services Criteria, and proves your posture continuously.
Median time to readiness: 38 days
Big-Four and boutique auditors supported
acme-security · SOC 2 Type II · observation window 2026-01-15 → 2026-07-15 · 82% audit-ready
Trust Services Criteria · 61 controls
Security · Common Criteria · 33 controls · CC1–CC9 · 94%
Availability · 3 controls · A1.1–A1.3 · 88%
Confidentiality · 2 controls · C1.1–C1.2 · 75%
Processing Integrity · 5 controls · PI1.1–PI1.5 · 60%
Privacy · out of scope · 18 controls · P1–P8
Evidence freshness · 14m ago
Auditor invited · A-LIGN · Marcus K.
Days to report · 23
CC6.1 re-evidenced automatically: after your okta.policy change, 312 MFA states were re-pulled and re-hashed.
Trust Services Criteria · 5. Security is required. Availability, Confidentiality, Processing Integrity, and Privacy are scoped to fit.
Common Criteria controls · 33 / 61. CC1 through CC9, the same controls every SOC 2 report carries; Uproot ships them pre-mapped.
Type II observation · 3–12 months. We default to 3 months for your first Type II. Continuous evidence makes it cheap to extend.
Authority · AICPA. SSAE-18 attestation, performed by a licensed CPA firm. Not a certification.
Renewal cadence · annual. Most enterprise customers expect a current Type II report (≤ 12 months old) on request.
Security is the only required category. The rest (Availability, Confidentiality, Processing Integrity, Privacy) are opt-in.
Security
Access, change management, risk, and incident response: the Common Criteria behind every SOC 2 report.
Availability
Capacity, monitoring, and recovery: whether customers can reach the product, and what happens when they can't.
Confidentiality
Confidential customer data protected at rest, in transit, and through secure disposal.
Processing Integrity
Processing that's complete, accurate, timely, and authorized for billing, transaction, and pipeline products.
Privacy
Personal information handled per a stated privacy notice and the GAPP framework.
Take logical access, the control everyone underestimates. Here's how a single rule travels from your IdP to the auditor's PDF, without a screenshot in sight.
Restrict access to data, software, and infrastructure to authorized users; revoke it when they leave. Sounds simple. In reality it's tied to every system you've ever provisioned: IdP, MDM, code host, cloud account, every internal tool.
"Uproot PtaaS offers the perfect suite of features to ensure the highest security standards for our clients. We are impressed by their dedication to continuous testing. Their seamless integration combined with the hacker mindset and thorough manual pentesting approach, truly sets them apart."
CC6.1 · LOGICAL ACCESS
Logical and physical access controls
Last evidenced 09:14:02 UTC · 312 records · sha256 verified
The criterion
What CC6.1 actually asks for
Your real stack
What we read from your systems
Uproot points at the systems that actually enforce access, not the policy doc that describes them.
Evidence collected
Cryptographic, timestamped, immutable
Every artifact is pulled directly from the source API, hashed, and stored. No screenshots, no Slack threads, no "send me a CSV."
For the auditor
Read-only portal, no email attachments
Marcus from A-LIGN logs in to the scoped portal, expands CC6.1, and gets the proof, the population, and the sample selection, already done.
Population · 312 · Sample · 25 (auditor-selected) · Exceptions · 0
A real timeline from a real Series-B customer. Most teams move faster after the first one.
Day 0 · Mon
Connect 6 systems
OAuth or service account in your terminal. AWS, Okta, GitHub, Jamf, Rippling, Datadog: online in under an hour.
Day 1 · Tue
Auto-map controls
Uproot maps 61 SOC 2 controls against what your stack already enforces. Day-one readiness: typically 60–70%.
Day 2–14
Close real gaps
Findings are issued as tickets to the right team, with the diff. Engineering closes them; policies follow, not lead.
Day 15–38
Audit-ready
Posture is provable. Auditor is invited to a read-only portal. Type I report can be issued here, if you need one.
Day 38 → 128
Observation
3-month Type II window starts. Evidence accumulates on autopilot. You ship product; we collect proof.
Day ~145
Report delivered
Auditor issues the SOC 2 Type II. You ship it to the customer who asked. Then it just keeps running.
Spreadsheet of 61 controls maintained by hand, drifting from your stack by the day
Screenshots from the IdP, the cloud console, the MDM. Re-collected every quarter, every renewal, every prospect.
An engineer-week per month donated to compliance prep, and a panicked one before the auditor's site visit
A 90-day Type II readiness sprint that takes 9 months and consumes a quarter’s roadmap
Controls are computed from your real systems, recomputed every 15 minutes
Evidence is API-pulled, hashed, and timestamped; the auditor reads from the portal, never your inbox
Findings ship as tickets to the right team, with the resource, the diff, and the rollback path
First Type II in under five months end-to-end; renewals take a week of attention
A Type II report rests on ~1,800 evidence artifacts. Here's a partial map of what Uproot pulls, and from where.
Logical access
Okta · MFA enrollment · 312
Okta · session policy · 1
AWS · IAM role-trust · 14
GitHub · org members + SSO · 84
Rippling · offboarding cadence · 7d
Jamf · device posture · 198
Operations
Datadog · prod monitors · 218
PagerDuty · on-call rotation · 12w
Sentry · error budget · 99.94%
Statuspage · incident log · 3 / yr
AWS GuardDuty · findings · live
Change management
GitHub · PR approval trail · 14 / d
GitHub · branch protection · main
CircleCI · deploy log · live
Linear · change tickets · 132 / q
Terraform Cloud · plan diff · live
Vendor & risk
Vanta-migrate · vendor inventory · 42
Snowflake · DPA + SOC 2 · on file
Jira · risk register · 28
Rippling · BAA / NDA · 84 / 84
Stripe · PCI subprocessor · linked
Uproot is auditor-agnostic: Big Four, boutique CPA firms, and everyone between. They get a read-only portal scoped to your engagement.
CPA firms · A-LIGN · Schellman · Prescient Assurance · Sensiba · BARR Advisory · Insight Assurance · Moss Adams
Big Four · Deloitte · EY · KPMG · PwC
+ 23 more on request
No. Type I is a point-in-time attestation, useful if a customer needs proof now and you don't have an observation window yet. If you can wait for a Type II (3-month minimum), skip Type I. About 60% of our customers go straight to Type II.
Three months is the AICPA-acceptable minimum. We default to it. After your first report, most teams extend to a rolling 12-month window because continuous evidence makes it free.
SOC 2 is a US attestation report; ISO 27001 is an international certification. They share roughly 70% of their controls. Uproot maps them against the same underlying evidence; implementing one buys you most of the other.
Yes. Evidence is pulled from the source system, hashed with SHA-256, timestamped, and stored immutably. Auditors get the population, sample selection, and chain of custody: what they'd ask for anyway, only without the email back-and-forth.
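The evidence flow described for CC6.1 and in this answer (pull from the source API, hash with SHA-256, timestamp, store in an append-only chain, let the auditor sample from the full population) as an added Python example. This is not Uproot's code; the MFA record fields, the ledger layout and the seed-based sample rule are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample population: per-user MFA enrollment states in the shape an
# IdP API might return them (not real Okta output; the field names are assumed).
MFA_STATES = [
    {"user": "alice@example.com", "factor": "webauthn", "status": "ACTIVE"},
    {"user": "bob@example.com", "factor": "totp", "status": "ACTIVE"},
    {"user": "carol@example.com", "factor": None, "status": "NOT_ENROLLED"},
]

def artifact_hash(record: dict) -> str:
    """SHA-256 over canonical JSON, so a re-pull of identical state re-hashes identically."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def append_evidence(ledger: list, control: str, source: str, record: dict, ts: str = None) -> dict:
    """Append one entry that commits to the previous entry's hash (append-only chain)."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    entry = {"control": control, "source": source, "ts": ts,
             "artifact_sha256": artifact_hash(record), "prev": prev}
    entry["entry_hash"] = artifact_hash(entry)  # hash covers everything above, incl. prev
    ledger.append(entry)
    return entry

def verify_ledger(ledger: list) -> bool:
    """Recompute every link; an edited, removed or reordered entry breaks the chain."""
    prev = "0" * 64
    for entry in ledger:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev"] != prev or artifact_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def collect(control: str, source: str, records: list, ts: str = None) -> list:
    """Pull-and-hash pass over a population, producing a fresh chained ledger."""
    ledger = []
    for rec in records:
        append_evidence(ledger, control, source, rec, ts)
    return ledger

def auditor_sample(ledger: list, size: int, auditor_seed: str) -> list:
    """Reproducible, population-wide sample: rank entries by sha256(seed || entry_hash).
    The auditor supplies the seed, so neither side can steer which items are tested."""
    key = lambda e: hashlib.sha256((auditor_seed + e["entry_hash"]).encode()).hexdigest()
    return sorted(ledger, key=key)[:size]
```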
Uproot imports your existing controls, policies, evidence library, and vendor inventory overnight. Most migrations from Vanta or Drata complete in a single weekend, with cryptographic continuity.
Uproot for SOC 2 starts at $8k / year for a single entity, single framework, up to 200 employees. Auditor fees are separate and paid to the CPA firm directly, typically $15k–$35k for a first Type II. We don't take a cut.
Connect your first system in five minutes. See your real readiness by lunch. Invite the auditor when you're ready; they'll have nothing left to ask for.