Modular SOC 2 compliance software with AI-assisted evidence linking, guided audit walkthroughs, and Bring-Your-Own LLM keys. All five Trust Services Criteria, audit-ready reports, no all-or-nothing platform tax.
From scoping the TSC categories to passing the Type II report, every phase has the bricks it needs and none it doesn't.
Security (required Common Criteria CC1–CC9) plus Availability, Confidentiality, Processing Integrity, and Privacy as scope-selectable add-ons. Each criterion has guided implementation tasks, evidence templates, and 5-level maturity scoring.
Type I (point-in-time design) and Type II (continuous evidence over 6–12 months) handled in the same brick. Get the design right, then keep the evidence flowing for the audit window without switching tools or re-implementing controls.
Drop in a policy, a screenshot from your IDP, an access review export, a meeting note — the AI Coach maps each artifact to the SOC 2 criteria it actually evidences and flags where you're thin. Cuts the manual evidence wrangling that traditionally consumes 60% of a Type II project.
Connect your OpenAI, Anthropic, Azure OpenAI, or local model. SOC 2 evidence is processed under your provider relationship, your data isolation rules, your billing. Per-tenant isolation, EU-resident hosting available.
One-click export of the System Description, the control matrix mapped to each TSC criterion, evidence with citations, exception logs, and management responses — formatted for direct submission to your SOC 2 auditor. Skip the late-night formatting before the kickoff.
Type II is a 6–12 month evidence-collection marathon. BrickGRC tracks control maturity continuously, schedules evidence refresh cycles, and flags drift before the auditor does. The Type II report stays a paperwork checkpoint, not a fire drill.
SOC 2 (System and Organization Controls 2) is a voluntary attestation, not a certification, issued by an independent auditor (a CPA firm) under the AICPA's Trust Services Criteria. Unlike ISO 27001, SOC 2 doesn't certify; it attests. The deliverable is a SOC 2 report — a document the auditor produces describing your controls and the auditor's findings — that you share under NDA with prospects and customers.
SOC 2 reports come in two types. Type I attests to the design of your controls at a single point in time — "you have these controls and they're well-designed". Type II attests to operating effectiveness over a defined audit window (typically 6 or 12 months) — "you have these controls and they actually work". Type II is the standard buyers expect from production-grade vendors.
The criteria are organized into five categories under the AICPA Trust Services Framework: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
You always include Security; the other four are scope decisions based on what your buyers ask for. Most B2B SaaS startups start with Security only and add Availability when uptime SLAs become a sales topic.
Companies pursue SOC 2 for one main reason: enterprise procurement requires it. "Do you have a SOC 2 Type II?" is the second-most-common security questionnaire item after "Do you have ISO 27001?" — and answering "yes, here's the report" closes deals that would otherwise stall in security review for months. BrickGRC was built modularly so frameworks can stack; SOC 2 alongside ISO 27001 is the standard EU-and-US-targeting startup combination.
Yes. The SOC 2 brick covers Security (the required category) plus Availability, Confidentiality, Processing Integrity, and Privacy. You select which TSC categories are in scope; the brick walks you through each Common Criterion (CC) and the additional criteria for the optional categories.
Both. Type I is a point-in-time design assessment; Type II is the continuous-evidence assessment over 6–12 months. The brick handles both — start with Type I to get the design controls in place, then switch to continuous evidence collection for Type II without changing tools.
The audit window is the standard SOC 2 period of 6 or 12 months. The work to get audit-ready (Type I-equivalent) typically takes 6–10 weeks with BrickGRC, depending on the security controls you already have in place.
Yes. On Professional and Enterprise plans, you can connect your own OpenAI, Anthropic, Azure OpenAI, or local model. Your evidence is processed under your provider relationship — never shared between tenants.
Yes. The platform exports the System Description, control matrix mapped to each TSC criterion, evidence with citations, exception logs, and management responses — formatted for direct submission to the SOC 2 auditor.
Depends on your buyers. SOC 2 is the de facto standard for North American enterprise procurement. ISO 27001 is more common globally and especially in Europe. If you're selling to both, do them in parallel — most controls overlap meaningfully. See our ISO 27001 page for the companion brick.
Pick the SOC 2 brick, scope your TSC categories, and let the AI Coach handle the evidence collection. Audit-ready in weeks, not months.