Compliance · Vancouver, BC
SOC 2 Readiness for Vancouver SaaS and Technology Companies
Hexafusion runs SOC 2 readiness and ongoing compliance programs for BC SaaS, technology, and B2B service companies. Control design, evidence-collection tooling, walkthrough preparation, and coordination with your audit firm so the first report is on schedule and the renewal is not a fire drill.
Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). The methodology here comes from running readiness programs and supporting auditor walkthroughs for BC SaaS clients from seed-stage through Series B.
Why SOC 2 matters for Vancouver SaaS
SOC 2 has become the default security questionnaire short-circuit for enterprise B2B sales. Buyers ask for a SOC 2 Type 2 report instead of running their own due-diligence questionnaire. For Vancouver SaaS companies selling to mid-market and enterprise in the US and Canada, the practical reality in 2026 is that:
- Enterprise procurement teams routinely block contracts without SOC 2 Type 2.
- Series A and B investors expect SOC 2 readiness on the due-diligence checklist.
- Cyber insurance underwriters treat a current SOC 2 report as evidence of control maturity, which can improve terms and pricing.
- Channel partner programs (AWS Marketplace, Azure Marketplace, Google Cloud) increasingly require SOC 2 for tiered listings.
Not having SOC 2 is increasingly a deal-blocker, not a nice-to-have. The more common pain, though, is doing it badly: extending the audit window, failing the first review, and repeating evidence work every quarter.
Type 1 vs Type 2: pick the right starting point
SOC 2 Type 1
Point-in-time assessment of control design. Auditor reviews policies, procedures, and configurations on a single date and confirms they are suitably designed. Typical timeline: 2-4 months from readiness kickoff to report. Useful as a stepping stone or as a sales-cycle accelerant while you build the operating record for Type 2. Most enterprise buyers eventually want Type 2.
SOC 2 Type 2
Audit of design AND operating effectiveness across a defined period (3-12 months). Auditor samples evidence from across the audit window to verify the controls actually ran. Type 2 is the report enterprise procurement teams want. Renewal is annual with a rolling audit window. Total elapsed time for a cold-start first Type 2: 9-15 months.
Our recommended path for most BC SaaS companies: Type 1 in months 3-4 (enough to unblock enterprise deals already in flight), then move directly into the Type 2 audit window with the same controls.
The Trust Services Criteria explained
SOC 2 evaluates controls against the Trust Services Criteria (TSC) published by the AICPA. Five categories, one mandatory (Security), four optional:
| Criteria | Mandatory? | Covers |
|---|---|---|
| Security | Yes (Common Criteria) | Protection against unauthorised access, including the broad control families: organisation, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, risk mitigation. |
| Availability | Optional | System available for operation and use. Uptime SLAs, capacity monitoring, business continuity. Almost always added for SaaS. |
| Processing Integrity | Optional | Processing is complete, valid, accurate, timely, and authorised. Often added for fintech, healthcare, or any platform where data integrity is a primary value proposition. |
| Confidentiality | Optional | Information designated as confidential is protected. Added when customer contracts include confidentiality obligations beyond personal information. |
| Privacy | Optional | Personal information collection, use, retention, disclosure, and disposal. Rarely added to the SOC 2 scope; the underlying obligations come from PIPEDA, GDPR, or CCPA, and we typically address them through a dedicated PIPEDA program rather than an additional TSC category. |
The 9 Common Criteria control families
The Security TSC (mandatory) breaks into 9 Common Criteria control families. Every SOC 2 readiness program covers all 9.
CC1. Control environment
Governance, board oversight, organisational structure, accountability, ethics policy, hiring and termination procedures.
CC2. Communication and information
Internal and external communication of security objectives, policies, and obligations. Customer-facing security commitments documented.
CC3. Risk assessment
Documented risk identification, evaluation, and treatment process. Annual review minimum, more often if material change.
CC4. Monitoring activities
Ongoing monitoring of controls, internal audits, deficiency tracking. Evidence of corrective action.
CC5. Control activities
Selecting and deploying the controls that address the risks identified in CC3, including general IT controls and the policies and procedures that put them into operation. The "we actually do the things" family.
CC6. Logical and physical access
Identity and access management, multi-factor authentication, privileged access management, physical premises security, media disposal.
CC7. System operations
Vulnerability management, patching, monitoring, incident response, recovery, threat detection.
CC8. Change management
Code changes, infrastructure changes, configuration changes all flow through documented approvals. Production change records retained.
CC9. Risk mitigation
Business continuity, disaster recovery, vendor management, insurance coverage of residual risk.
How we run a SOC 2 readiness engagement
- Scoping (week 1). Decide on Type 1 vs Type 2 path, decide which optional TSCs to include, define the system boundary (which product, which environments), pick the audit firm.
- Gap assessment (weeks 2-3). Map current state against the TSC and Common Criteria. Identify policy gaps, technical control gaps, evidence collection gaps. Written report with priority ranking.
- Tooling setup (weeks 3-4). Implement a GRC platform (Vanta, Drata, Secureframe, Sprinto) if not already in place. Connect cloud providers, identity provider, MDM, ticketing, code repo. Continuous evidence collection starts.
- Policy buildout (weeks 4-8). Information security policy, access control policy, change management policy, incident response plan, business continuity plan, vendor management policy, acceptable use policy. All written, ratified, communicated to staff.
- Technical remediation (weeks 4-12). Close technical gaps in priority order: MFA, EDR, vulnerability scanning, log aggregation, encrypted backups, segregated environments, code review enforcement.
- Walkthrough preparation (weeks 10-14). Dry runs of the auditor's likely walkthrough questions. Evidence packages prepared in the GRC platform's structure. Sample-testing readiness.
- Type 1 audit (weeks 12-16) or Type 2 audit window starts. Coordinate with the audit firm. Respond to evidence requests. Walkthroughs. Type 1 report issued in week 16-18. Type 2 audit window runs for the next 3-12 months.
- Ongoing program management. Continuous evidence collection, quarterly internal audits, annual policy review, vendor reviews, annual renewal audit.
SOC 2 controls we implement directly
Many SOC 2 controls are IT-and-security work that we deliver as the managed service provider. Cluster pages cover each area in depth:
Multi-factor authentication
CC6 requires logical access controls that restrict access to authorised users; in practice auditors expect MFA on all workforce and privileged access. We deploy Entra ID, Okta, or Google Workspace MFA with phishing-resistant factors (FIDO2 security keys or passkeys) for administrators and production access.
EDR and MDR
CC7 requires threat detection and incident response. EDR on every endpoint, 24/7 SOC coverage on Enterprise plans.
Vulnerability management
CC7 vulnerability identification, prioritisation, and remediation. Monthly external scans plus internal scans, tracked in ticketing.
Awareness training
CC1 and CC2 require security training. Annual training plus monthly phishing simulation with documented completion.
Backup and DR
CC9 risk mitigation, with recovery also tested under CC7 and the Availability criteria where included. Immutable backups, tested restores, documented RTO and RPO.
Logging and monitoring
CC7 system operations (monitoring components for anomalies) and CC4 monitoring of the controls themselves. Centralised log aggregation, defined retention, alerting on anomalous patterns, and evidence that alerts were triaged.
GRC platforms we support
Vanta
Widest provider integration footprint. Common choice for AWS-heavy SaaS. Good auditor familiarity.
Drata
Strong automation around evidence collection and policy management. Popular at later-stage SaaS.
Secureframe
Strong onboarding experience and good fit for first-time SOC 2 teams. Good multi-framework support (SOC 2 + ISO 27001 + HIPAA).
Sprinto
Price-competitive for smaller teams. Solid automated evidence collection across the common cloud providers.
Common SOC 2 readiness failure modes
- Buying the GRC platform first. Tooling without policies and procedures produces a polished dashboard with no underlying program. The auditor sees through it.
- Writing policies the team will not follow. Boilerplate policies imported from a template fail Type 2 the moment the auditor samples evidence and finds the team did not actually do what the policy says.
- Skipping risk assessment. CC3 is a foundational control. A meaningful risk register that is reviewed annually is non-negotiable. We deliver a working one, not a template.
- Treating Type 1 as the destination. Type 1 opens some doors, but enterprise buyers are increasingly asking for Type 2. The audit window for the first Type 2 starts the day after Type 1 closes. Plan accordingly.
- Not engaging the audit firm early. Different audit firms emphasise different sample sizes and evidence preferences. We coordinate firm selection up front and build the readiness program to that firm's known preferences.
- Vendor management as an afterthought. Every cloud, SaaS, and outsourced provider needs a security review and a written commitment. The auditor asks for the register. Building this from scratch during the audit window is expensive.
FAQ
What is SOC 2 and who issues it?
An attestation report on a service organisation's controls, issued by a licensed CPA firm under AICPA standards. No certificate or registration. Only the report.
What is Type 1 vs Type 2?
Type 1 is point-in-time design assessment. Type 2 is design plus operating effectiveness across a 3-12 month audit window. Enterprise buyers want Type 2.
How long does a SOC 2 take?
Readiness 3-6 months, audit window 3-12 months for Type 2, audit fieldwork 4-8 weeks, report issuance shortly after. Total elapsed for a cold-start first Type 2: 9-15 months.
What are the Trust Services Criteria?
Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy. Most BC SaaS Type 2 reports include Security + Availability + Confidentiality.
What does a SOC 2 cost?
Audit fees CA$20-70k depending on scope and stage. Readiness work varies based on starting maturity. GRC tooling CA$10-25k annually but cuts evidence work dramatically.
Do we need Vanta, Drata, or similar?
Not strictly required but strongly recommended for rolling Type 2. We are platform-agnostic and have implemented Vanta, Drata, Secureframe, and Sprinto for clients.
Does Hexafusion perform the audit?
No. SOC 2 audits must be issued by a licensed CPA firm. We do readiness, control design, evidence systems, ongoing management, and audit-firm coordination. We can introduce you to several SOC 2 audit firms we have worked with.
Book a SOC 2 readiness call
30-minute call to scope your SOC 2 path, recommend a GRC platform, and identify the audit firm match for your stage. Free.
Related compliance topics
Part of our broader compliance coverage for Vancouver and BC businesses.
