Soc2Done
Fixed price, fixed scope, stated timeline.
The done-for-you SOC 2 service. Our engineers implement your controls and collect the evidence. An independent US CPA firm performs and signs your audit. One fixed price. Weeks, not quarters — and under four hours of your team's time.
Audits signed by a peer-reviewed, Washington-based CPA firm · Delivered by the team operating 300+ production servers
Compliance platforms sell you software — then the work is still yours.
Soc2Done is the other way around: one fixed price, audit included, and the hours are ours — not yours. You approve decisions; we do everything else.
Founding pricing — locked for our first ten clients
Every tier includes the CPA audit fee. No platform seats, no per-employee pricing, no renewal creep.
Scope, systems, timeline. The last meeting you're required to attend.
Policies written, controls implemented, monitoring wired into your cloud, evidence collecting itself.
A peer-reviewed US CPA firm examines the evidence and performs the attestation. We never audit our own work.
Monitoring and evidence upkeep continue, so next year's report is a renewal — not a project.
Your team's total time across the whole engagement: under four hours.
Fixed price, fixed scope, stated timeline.
Controls, evidence, remediation — done for you by the team that runs 300+ production servers.
Peer-reviewed, Washington-based. Performs and signs the attestation.
The separation is the point: the firm that prepares you is never the firm that attests you. That independence is what makes the report credible to your customer's security team.
Yes. The attestation is performed by an independent, peer-reviewed US CPA firm — the same class of firm behind reports from any major platform. We prepare you; they examine and sign. We are structurally unable to audit our own work, which is exactly what keeps your report credible.
Under four hours across the entire engagement: one kickoff call, a few asynchronous approvals, and a readout. Everything else — policies, controls, evidence, auditor coordination — is done by our engineers.
Type I typically lands in 4–6 weeks from kickoff. Type II requires an observation window and lands in 10–12 weeks. If there’s a deal blocked on it, say so on the kickoff call — we sequence for the deal.
Yes — we’re platform-agnostic. We’ll operate the tool you already pay for, or migrate you off it if it isn’t earning its subscription. The work is what you’re buying, not the software.
The control library we build for your SOC 2 maps onto other frameworks — most of the work carries over. When the next requirement arrives, it’s an extension, not a fresh project.
There's a deal waiting on this. Send us the questionnaire, and go back to building.