SOC 2 Type II
The Trust Services Criteria attestation that has become the de-facto B2B SaaS security baseline globally.
Service organisations whose customers want assurance over Security, Availability, Confidentiality, Processing Integrity, or Privacy.
Safeguard maintains a current SOC 2 Type II report; available under NDA.
What SOC 2 actually requires.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Security (Common Criteria) is mandatory; the other four are optional and chosen by management.
Type II covers a defined audit period (typically 12 months) with operational effectiveness testing.
Designed and operating controls aligned to the COSO Internal Control framework.
Sub-service organisation reliance — either inclusive or carve-out method.
Independent licensed CPA firm performs the engagement.
Pre-mapped controls. Continuous evidence.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Common Criteria (CC1–CC9) mapped to live telemetry with control owners and testing cadence.
Pre-built crosswalks to ISO 27001, HIPAA, and PCI-DSS — one evidence base, four reports.
Auditor portal: read-only auditor access with evidence sampling and download.
Continuous control monitoring replaces evidence sprint at year-end.
Artifacts your auditor accepts.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Control matrix with testing procedure and sample population.
Auditor evidence portal — sampled artifacts retrievable by control reference.
Sub-service organisation reliance documentation.
Annual SOC 2 Type II report, exported as bridge letters at quarter boundaries.
One evidence base. Many regulators.
These frameworks share substantial control overlap with SOC 2. Customers running one assessment typically satisfy the others with the same evidence base.
ISO/IEC 27001:2022
Cross-jurisdictional
The global Information Security Management System standard, updated in 2022 with 93 Annex A controls in four themes.
PCI-DSS v4.0
Global (Payments)
The global payment-card data security standard, now in v4.0 with future-dated requirements becoming mandatory in March 2025.
HIPAA / HITECH
North America
Privacy, security, and breach notification rules for Protected Health Information (PHI) in the United States.
Ready for SOC 2?
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.