
SOC 2 Compliance in 90 Days: The Engineering Team's Practical Playbook

The email usually arrives on a Friday afternoon. Your sales team just got off a call with a Fortune 500 prospect, and they're ready to sign—pending one small detail. "We'll need to see your SOC 2 report before we can move forward with procurement."

Suddenly, a compliance acronym you've been vaguely aware of becomes the most important thing standing between your company and a deal that could double your ARR. You Google "SOC 2 timeline" and see estimates ranging from 6 months to over a year. Your prospect wants to close this quarter.

Here's the reality: with focused effort and the right approach, you can achieve SOC 2 Type II readiness in 90 days. It won't be easy, and it will require commitment from leadership, engineering, and operations. But it's absolutely achievable—and this playbook will show you exactly how.

Why SOC 2 Requests Are Skyrocketing

If it feels like every enterprise prospect is asking for SOC 2, you're not imagining things. Three factors are driving this trend:

Supply chain security concerns have reached boardroom-level priority. After high-profile supply chain incidents such as the SolarWinds compromise and the mass exploitation of the MOVEit Transfer vulnerability, enterprise security teams are scrutinizing every vendor that touches their data or infrastructure. SOC 2 has become the de facto way to demonstrate you take security seriously.

Cyber insurance requirements now often mandate that vendors maintain certain compliance certifications. When your prospect's insurance policy requires them to only work with SOC 2 compliant vendors, there's no negotiating your way around it.

Procurement standardization means that even if the technical team loves your product, the procurement and legal teams have checklists. SOC 2 is increasingly a non-negotiable checkbox—not because anyone doubts your security practices, but because organizations need scalable ways to evaluate vendors.

SOC 2 Basics: What Engineers Actually Need to Know

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). Unlike prescriptive standards like PCI DSS that tell you exactly what to implement, SOC 2 is principles-based: a CPA firm evaluates whether the controls you chose achieve the criteria's objectives and issues a report, not a certificate.

Type I vs. Type II: Why Type II Matters

Type I is a point-in-time assessment. An auditor looks at your controls on a specific date and confirms they're designed appropriately. You can achieve Type I quickly, but it's increasingly seen as insufficient by sophisticated buyers.

Type II examines whether your controls operated effectively over a period of time—typically 3-12 months. This is what enterprise prospects actually want. They need assurance that you don't just have good policies on paper, but that you consistently follow them.

The 90-day timeline in this guide gets your controls designed, operating and producing evidence. The observation period your auditor examines begins once controls are actually running, not when you first implement them, so the sooner they operate consistently, the sooner that window can open.

The Five Trust Services Criteria (In Engineer Terms)

SOC 2 is organized around five Trust Services Criteria. Every report includes Security (the Common Criteria); you add whichever of the other four match the commitments you make to customers:

Security (Required): Can you protect your systems against unauthorized access? This covers network security, access controls, encryption, monitoring, and incident response. Think: Can someone who shouldn't be in your systems get in? Would you know if they did?

Availability: Can customers reliably access your service? This covers uptime commitments, disaster recovery, capacity planning, and incident management. Think: If AWS us-east-1 goes down, what happens to your customers?

Processing Integrity: Does your system process data accurately and completely? This is critical for companies handling transactions, calculations, or data transformations. Think: If a customer sends you data, does the right thing happen to it?

Confidentiality: Can you protect confidential information beyond just security controls? This covers data classification, retention policies, and secure disposal. Think: Do you know where all your customer data lives, and can you delete it when required?

Privacy: Do you handle personal information according to your privacy commitments and regulations? This overlaps with GDPR and CCPA requirements. Think: Are you doing what your privacy policy says you're doing?

For most B2B SaaS companies, Security + Availability is the right starting point. Add Confidentiality if you handle sensitive business data, and Privacy if you process significant personal information.

The 90-Day Timeline: Your Week-by-Week Playbook

This timeline assumes you're starting with reasonable engineering practices but limited formal documentation. Adjust based on your starting point.

Phase 1: Foundation (Weeks 1-2)

The first two weeks are about understanding your current state and building the foundation for everything that follows.

Week 1: Assessment and Planning

  • Day 1-2: Inventory all systems that store, process, or transmit customer data. This is your "in-scope" environment. Include production infrastructure, CI/CD systems, source control, cloud consoles, and any SaaS tools with customer data access.
  • Day 3-4: Map your current controls to SOC 2 requirements. You likely already have many controls in place—they just aren't documented. Identify gaps between what you do and what SOC 2 requires.
  • Day 5: Select an auditor and compliance automation platform. For auditors, get referrals from companies similar to yours. For automation, evaluate Vanta, Drata, Secureframe, or similar tools—they dramatically reduce the manual effort required.

Week 2: Infrastructure Hardening

Focus on the technical controls that take time to implement properly:

  • Network segmentation: Ensure production environments are isolated from development and corporate networks. If you're running on Kubernetes, add NetworkPolicy objects that default-deny pod-to-pod traffic and allow only the flows each service needs, and confirm your CNI plugin actually enforces them (CNIs without policy support ignore them silently).
  • Encryption verification: Confirm encryption at rest for every data store, including backups and snapshots, and encryption in transit for every connection, including internal service-to-service and database traffic, which is where gaps usually hide. Document the standards used (AES-256, TLS 1.2+).
  • Access control audit: Review who has access to what across cloud consoles, source control, CI/CD and production data stores. Remove access that isn't needed, enforce MFA everywhere it's available, and apply least privilege to humans and service accounts alike.

If you're using a platform like Convox, many of these controls are already configured. For example, Convox Racks deploy into private VPCs with proper network isolation by default, and all traffic is encrypted in transit automatically. You can verify your rack's security configuration:

$ convox rack params
high_availability     true
private               true
node_capacity_type    on_demand
...

Phase 2: Policy and Process Development (Weeks 3-6)

This is the phase most engineering teams underestimate. Technical controls are only half the battle—you need documented policies and evidence that you follow them.

Week 3-4: Core Policy Development

Write (or customize templates for) these essential policies:

  • Information Security Policy: Your overarching security commitment and principles
  • Access Control Policy: How you grant, review, and revoke access
  • Change Management Policy: How code and infrastructure changes are reviewed and deployed
  • Incident Response Plan: What happens when something goes wrong
  • Business Continuity/Disaster Recovery Plan: How you maintain operations during outages
  • Vendor Management Policy: How you evaluate and monitor third-party services
  • Data Classification Policy: How you categorize and handle different types of data

Don't write policies that describe an ideal future state. Write policies that describe what you actually do (or can realistically commit to doing immediately). Auditors check whether you follow your policies—a simpler policy you follow beats a comprehensive one you don't.

Week 5-6: Process Implementation

  • Implement quarterly access reviews: Schedule recurring reviews of who has access to production systems. Document each review and any access changes made.
  • Formalize change management: Ensure all production changes go through pull requests with required reviews. Your CI/CD pipeline should enforce this automatically.
  • Set up security awareness training: Every employee needs annual security training. Use a platform that provides completion certificates—auditors want evidence.
  • Document your SDLC: Write down how code goes from idea to production, including security considerations at each stage.
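The access control audit in week 2 and the quarterly access reviews above need the same evidence: a list of who can get in and with which credentials. The script below is an added example (not code from the original post or from Convox) that turns an AWS IAM credential report into review findings. It assumes you have already run `aws iam get-credential-report` and base64-decoded the CSV; the report embedded here is constructed, keeps only a subset of the real columns, and the 90-day thresholds are placeholders for whatever your Access Control Policy states.

```python
"""Quarterly access-review evidence from an AWS IAM credential report.

Added example, not code from the original post or from Convox. It parses the
CSV that `aws iam get-credential-report` returns (decode the base64 first) and
lists the users an auditor would expect you to have caught: console users
without MFA, active access keys past the rotation window, and credentials idle
past the inactivity window. The report below is constructed and keeps only the
columns the checks use.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-10T09:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T09:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-04-01T09:00:00+00:00,true,true,2024-05-15T10:00:00+00:00,2024-05-29T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T09:00:00+00:00,true,2024-05-30T08:00:00+00:00,2023-11-01T09:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2023-01-01T09:00:00+00:00,false,N/A,N/A,false,true,2023-09-01T10:00:00+00:00,2024-05-30T10:00:00+00:00,false,N/A,N/A
contractor,arn:aws:iam::123456789012:user/contractor,2023-06-01T09:00:00+00:00,true,2023-12-01T08:00:00+00:00,2023-06-01T09:00:00+00:00,true,true,2023-06-01T10:00:00+00:00,2023-12-01T10:00:00+00:00,false,N/A,N/A
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) for real reports.
AS_OF = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a report timestamp; the report uses N/A, not_supported or no_information for 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def analyze_credential_report(report_csv, as_of=AS_OF, max_key_age_days=90, max_idle_days=90):
    """Return a list of findings; each is a dict with user, check and detail."""
    findings = []

    def add(user, check, detail):
        findings.append({"user": user, "check": check, "detail": detail})

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Anyone who can sign in to the console needs MFA. The root account reports
        # password_enabled as not_supported but always has a password, so only "false" exempts.
        if row["password_enabled"] != "false" and row["mfa_active"] != "true":
            add(user, "no_mfa", "console sign-in possible without MFA")
        # Idle console passwords: a human who has not signed in for a quarter probably
        # no longer needs the access. Fall back to creation time if never used.
        if row["password_enabled"] == "true":
            last = _ts(row["password_last_used"]) or _ts(row["user_creation_time"])
            idle = (as_of - last).days
            if idle > max_idle_days:
                add(user, "password_idle", f"console password unused for {idle} days")
        # Active access keys: check rotation age and last use for each of the two key slots.
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"{slot}_last_rotated"])
            age = (as_of - rotated).days
            if age > max_key_age_days:
                add(user, "key_rotation", f"{slot} not rotated for {age} days")
            last_used = _ts(row[f"{slot}_last_used_date"]) or rotated
            idle = (as_of - last_used).days
            if idle > max_idle_days:
                add(user, "key_idle", f"{slot} unused for {idle} days")
    return findings


if __name__ == "__main__":
    for f in analyze_credential_report(SAMPLE_REPORT):
        print(f"{f['user']:<14} {f['check']:<14} {f['detail']}")
```

Attach the output to the access review ticket, record the decision for each finding (revoked, rotated, or accepted with a written justification), and run the equivalent check against source control, CI and SaaS admin exports so the review covers every in-scope system rather than only AWS.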

Your convox.yml can serve as documentation of your deployment configuration. Auditors appreciate seeing infrastructure-as-code that enforces consistent deployments:

services:
  web:
    build: .
    port: 3000
    health: /health
    scale:
      count: 2-10
      targets:
        cpu: 70
    deployment:
      minimum: 50
      maximum: 200
    environment:
      - DATABASE_URL
      - ENCRYPTION_KEY
resources:
  database:
    type: postgres
    options:
      storage: 100

This configuration demonstrates high availability (a minimum of two instances), health checks, and controlled rollouts (at least 50% of capacity stays up during a deploy), all things auditors want to see. Note that environment variables are listed by name only: their values are set outside the repository with convox env set, so secrets such as ENCRYPTION_KEY never land in source control.

Phase 3: Monitoring and Evidence Collection (Weeks 7-10)

Now that controls are in place, you need to prove they're working. This phase focuses on logging, monitoring, and evidence collection.

Week 7-8: Logging and Monitoring

  • Centralized logging: All production systems should send logs to a central location with at least 90 days of retention (SOC 2 doesn't prescribe a number; the auditor tests whatever your policy commits to, so state a figure you actually enforce). Include application logs, access logs, and security events.
  • Alerting: Set up alerts for security-relevant events: failed login attempts, privilege escalations, configuration changes, and anomalous activity.
  • Uptime monitoring: External monitoring of your application's availability. This provides evidence for availability controls and helps calculate your actual uptime percentage.
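As an added example of the alerting bullet above (not code from the original post or from Convox), here is detection logic for three of those events run over a constructed batch of CloudTrail-shaped records: a burst of failed console logins from one address, privilege escalation (attaching AdministratorAccess, or minting access keys for a different user), and a security group change that opens SSH or RDP to the internet. Field names follow CloudTrail's JSON; the events, thresholds and account identifiers are made up.

```python
"""Security alerting over CloudTrail-style events.

Added example, not from the original post or from Convox. Three detections an
auditor will ask about, run over a constructed batch of CloudTrail-shaped
records: repeated failed console logins, privilege-escalation actions, and a
firewall change exposing a management port to the world.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # placeholder; tune to your environment
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
ADMIN_POLICY_SUFFIX = ":policy/AdministratorAccess"
MANAGEMENT_PORTS = {22, 3389}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _failed_login(event_time, ip, user):
    return {"eventTime": event_time, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": {"userName": user}, "responseElements": {"ConsoleLogin": "Failure"}}


def _sg_ingress(event_time, user, port, cidr):
    return {"eventTime": event_time, "eventName": "AuthorizeSecurityGroupIngress",
            "sourceIPAddress": "10.0.1.5", "userIdentity": {"userName": user},
            "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
                 "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}}


# Constructed events: five failures from one address in four minutes, one stray typo,
# two escalation attempts by bob, a legitimate self key rotation, and two SG changes.
SAMPLE_EVENTS = [
    _failed_login(f"2024-06-01T10:0{i}:00Z", "203.0.113.7", u)
    for i, u in enumerate(["alice", "admin", "root", "bob", "deploy"])
] + [
    _failed_login("2024-06-01T10:30:00Z", "198.51.100.9", "alice"),
    {"eventTime": "2024-06-01T11:00:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"userName": "bob"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-06-01T11:01:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"userName": "bob"}, "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-06-01T11:02:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "10.0.1.9",
     "userIdentity": {"userName": "alice"}, "requestParameters": {"userName": "alice"}},
    _sg_ingress("2024-06-01T11:05:00Z", "carol", 22, "0.0.0.0/0"),
    _sg_ingress("2024-06-01T11:06:00Z", "carol", 5432, "10.0.0.0/8"),
]


def detect(events):
    """Return a list of alerts, each {"rule", "actor", "event"}."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        name = e["eventName"]
        caller = e.get("userIdentity", {}).get("userName", "unknown")
        rp = e.get("requestParameters") or {}
        if name == "ConsoleLogin" and e.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            failures[e["sourceIPAddress"]].append(_t(e["eventTime"]))
        elif name in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy") \
                and rp.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
            alerts.append({"rule": "admin_policy_attached", "actor": caller, "event": e})
        elif name == "CreateAccessKey" and rp.get("userName", caller) != caller:
            # userName is omitted when a principal creates its own key, hence the default.
            alerts.append({"rule": "access_key_for_other_user", "actor": caller, "event": e})
        elif name == "AuthorizeSecurityGroupIngress":
            for perm in rp.get("ipPermissions", {}).get("items", []):
                lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)  # absent for "all traffic"
                world = any(r.get("cidrIp") == "0.0.0.0/0" for r in perm.get("ipRanges", {}).get("items", []))
                if world and any(lo <= p <= hi for p in MANAGEMENT_PORTS):
                    alerts.append({"rule": "management_port_open_to_world", "actor": caller, "event": e})
                    break
    # Sliding window per source address: N failures within the window is a brute-force alert.
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > FAILED_LOGIN_WINDOW:
                start += 1
            if end - start + 1 >= FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "console_login_bruteforce", "actor": ip,
                               "event": {"count": end - start + 1, "first": times[start].isoformat()}})
                break
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:<32} {a['actor']}")
```

In production the same functions run over the real event stream (EventBridge, your SIEM, or a scheduled query over the log bucket) and page someone. Keep the alert records themselves: the auditor will sample them as evidence that the alerting control operated during the period.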

Convox provides built-in logging that can be forwarded to your SIEM or log aggregation platform. Configure syslog forwarding at the rack level:

$ convox rack params set syslog=tcp+tls://logs.example.com:1234

For more granular monitoring, Convox's built-in monitoring and alerting capabilities can help you track the metrics auditors care about. See the monitoring documentation for setup details.

Week 9-10: Evidence Automation

  • Connect your compliance platform: Link your cloud infrastructure, source control, HR system, and other tools to your compliance automation platform. This automatically collects evidence of control operation.
  • Screenshot and document manual processes: For controls that can't be automatically verified, establish a cadence for collecting evidence manually.
  • Test your incident response process: Run a tabletop exercise to verify your incident response plan works. Document the exercise and any improvements identified.

Phase 4: Audit Preparation (Weeks 11-13)

The final stretch is about ensuring everything is documented and ready for auditor scrutiny.

Week 11-12: Gap Remediation and Documentation

  • Review all controls: Go through your compliance platform's checklist and verify every control has evidence. Address any gaps immediately.
  • Employee acknowledgments: Ensure all employees have acknowledged relevant policies. This is easy to overlook but required.
  • Vendor inventory: Document all third-party services with access to customer data, including their security certifications.
  • Risk assessment: Conduct a formal risk assessment identifying threats, vulnerabilities, and mitigating controls.

Week 13: Readiness Assessment

  • Internal audit: Review all documentation as if you were the auditor. Are policies clear? Is evidence complete?
  • Pre-audit call: Most auditors offer a readiness check before the formal audit begins. Use this to identify any remaining issues.
  • Team preparation: Brief team members who may be interviewed by auditors on what to expect and how to respond.

Infrastructure Compliance Checklist

Use this checklist to verify your infrastructure meets SOC 2 requirements. Items marked as "Platform-provided" are automatically handled if you're using a modern PaaS like Convox.

Network Security

  • ✅ Production environment in private subnets (Platform-provided with Convox)
  • ✅ Network segmentation between environments
  • ✅ Firewall/security groups restrict unnecessary traffic
  • ✅ No direct SSH access to production servers (use bastion/VPN)
  • ✅ DDoS protection enabled

Encryption

  • ✅ TLS 1.2+ for all external connections (Platform-provided)
  • ✅ Encryption at rest for databases and storage
  • ✅ Encryption in transit for internal communication
  • ✅ SSL certificates auto-renewed (Platform-provided with Convox SSL)
  • ✅ Secrets stored in encrypted secret management (not in code)

Access Control

  • ✅ MFA required for all administrative access
  • ✅ Role-based access control implemented
  • ✅ Quarterly access reviews conducted and documented
  • ✅ Immediate access revocation process for terminated employees
  • ✅ Unique credentials for each user (no shared accounts)

Convox's RBAC functionality helps implement least-privilege access control across your team.

Logging and Monitoring

  • ✅ Centralized log aggregation with 90+ day retention
  • ✅ Audit logs for administrative actions
  • ✅ Alerting for security events
  • ✅ Uptime monitoring with historical data
  • ✅ Log integrity protection (immutable storage)
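The last item, log integrity, is usually met with immutable (object-lock/WORM) storage. As an added example, not from the original post or from Convox, the code below shows the complementary technique that CloudTrail's digest files use: an HMAC hash chain over each log batch, so that an edited, deleted or inserted record is detectable afterwards. The log lines and the key are constructed placeholders; a real key belongs in KMS or your SIEM, never beside the logs it protects.

```python
"""Tamper-evident log batches with an HMAC hash chain.

Added example, not from the original post or from Convox. Each record's tag
covers the previous tag and the record itself, so changing, dropping or
inserting anything breaks every tag from that point on. The key and the log
lines below are constructed placeholders.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key-store-the-real-one-in-kms"
GENESIS = b"\x00" * 32  # fixed starting tag for the first record of a batch

SAMPLE_LINES = [
    "2024-06-01T10:00:00Z sshd[412]: Accepted publickey for deploy from 10.0.1.5",
    "2024-06-01T10:00:07Z sudo: deploy : COMMAND=/usr/bin/systemctl restart web",
    "2024-06-01T10:02:31Z sshd[418]: Failed password for root from 203.0.113.7",
    "2024-06-01T10:02:33Z sshd[418]: Failed password for root from 203.0.113.7",
]


def seal(lines, key=KEY):
    """Return [(line, tag_hex)] where tag_i = HMAC(key, tag_{i-1} || line_i)."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed


def verify(sealed, key=KEY):
    """Return the index of the first record whose tag does not verify, or None if intact."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


def tamper_scenarios(lines=SAMPLE_LINES):
    """Seal a batch, then show where edit, delete and insert are each detected."""
    good = seal(lines)
    edited = list(good)
    edited[2] = (edited[2][0].replace("Failed", "Accepted"), edited[2][1])  # rewrite a failed login
    deleted = good[:2] + good[3:]                                            # drop the failed login
    inserted = good[:1] + [(lines[1], good[1][1])] + good[1:]               # duplicate a record
    return {"intact": verify(good), "edited": verify(edited),
            "deleted": verify(deleted), "inserted": verify(inserted)}


if __name__ == "__main__":
    print(tamper_scenarios())
```

One limit worth knowing: cutting records off the end of a batch leaves the remaining chain valid, so record the final tag out of band (in the SIEM or the batch manifest) when the batch closes, and verify against that stored value as well as the chain.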

Backup and Recovery

  • ✅ Automated daily backups
  • ✅ Backup encryption
  • ✅ Regular backup restoration testing (quarterly minimum)
  • ✅ Documented RTO and RPO objectives
  • ✅ Geographic redundancy for critical data

Change Management

  • ✅ All changes through version control
  • ✅ Required code reviews before merge
  • ✅ Automated testing in CI/CD pipeline
  • ✅ Rollback capability for deployments
  • ✅ Separation between development and production

Convox's deployment model enforces many change management controls by default. Every deployment creates a new release that can be easily rolled back if issues arise.
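The "required code reviews before merge" item is one an auditor tests by looking at the branch protection settings, not at your policy document. The check below is an added example (not code from the original post or from Convox): it evaluates the JSON returned by GitHub's branch-protection endpoint and lists the control gaps. Both responses are constructed, the field names follow the GitHub REST API, and the one-approval minimum is a placeholder for whatever your Change Management Policy requires.

```python
"""Check a GitHub branch-protection configuration against change-management controls.

Added example, not from the original post or from Convox. Evaluates the JSON
that GET /repos/{owner}/{repo}/branches/{branch}/protection returns and lists
the gaps an auditor testing "all production changes are reviewed" would flag.
The two responses below are constructed.
"""
import json

PROTECTED = json.loads("""{
  "required_status_checks": {"strict": true, "contexts": ["ci/test", "ci/sast"]},
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {"dismiss_stale_reviews": true,
                                    "require_code_owner_reviews": true,
                                    "required_approving_review_count": 1},
  "allow_force_pushes": {"enabled": false},
  "allow_deletions": {"enabled": false}
}""")

WEAK = json.loads("""{
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"dismiss_stale_reviews": false,
                                    "required_approving_review_count": 1},
  "allow_force_pushes": {"enabled": true},
  "allow_deletions": {"enabled": false}
}""")


def branch_protection_gaps(protection, min_reviews=1):
    """Return a list of human-readable control gaps; an empty list means the branch passes."""
    if protection is None:  # the API returns 404 when no protection rule exists
        return ["branch has no protection rule: direct pushes to production are possible"]
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        gaps.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < min_reviews:
            gaps.append(f"fewer than {min_reviews} approving review(s) required")
        if not reviews.get("dismiss_stale_reviews"):
            gaps.append("approvals survive new commits (dismiss_stale_reviews is off)")
    checks = protection.get("required_status_checks")
    if not checks or not (checks.get("contexts") or checks.get("checks")):
        gaps.append("no required status checks: CI can be skipped")
    elif not checks.get("strict"):
        gaps.append("branch need not be up to date before merge (strict is off)")
    if not protection.get("enforce_admins", {}).get("enabled"):
        gaps.append("administrators can bypass the rules")
    if protection.get("allow_force_pushes", {}).get("enabled"):
        gaps.append("force pushes allowed: history can be rewritten")
    if protection.get("allow_deletions", {}).get("enabled"):
        gaps.append("branch can be deleted")
    return gaps


if __name__ == "__main__":
    for name, cfg in (("main (protected)", PROTECTED), ("main (weak)", WEAK), ("release (none)", None)):
        print(name, branch_protection_gaps(cfg) or ["OK"])
```

Run it across every production repository on a schedule and keep the output as evidence. A branch with no protection rule at all is the gap that most often surprises teams, because one repository created outside the template is enough to fail the control.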

The Tooling Landscape: What You Actually Need

The compliance tool market is overwhelming. Here's what's actually required versus what's nice to have:

Required:

  • Compliance automation platform (Vanta, Drata, Secureframe): The ROI is enormous. These platforms automate evidence collection, provide policy templates, and integrate with auditors.
  • MDM (Mobile Device Management): Required if employees use company devices. Kandji, Jamf, or similar for Mac; Intune for Windows. Must enforce disk encryption and password policies.
  • Password manager: 1Password, Bitwarden, or similar. Business plan with admin controls for visibility into password hygiene.
  • Security awareness training: KnowBe4, Curricula, or similar. Provides training content and completion tracking.

Highly recommended:

  • SIEM or log aggregation: Datadog, Splunk, or similar. Required for meaningful security monitoring. Some compliance platforms include basic SIEM functionality.
  • Vulnerability scanning: Snyk, Dependabot, or similar for application dependencies. Cloud security posture tools for infrastructure.
  • Background check service: Checkr or similar for employee background checks.

Nice to have but not required for initial certification:

  • Penetration testing (recommended annually but not always required for initial audit)
  • Bug bounty program
  • Advanced threat detection platforms

Common Mistakes That Derail Audits

After helping many companies through their first SOC 2 audit, these are the mistakes we see repeatedly:

The Documentation Gap

Engineers often think: "We do this, so we're compliant." But if it's not documented, it doesn't exist to an auditor. The most common documentation gaps:

  • Security decisions made in Slack but never formalized
  • Access reviews conducted mentally but not recorded
  • Incident responses handled well but not documented
  • Vendor evaluations done informally without written assessments

Fix: Create a habit of documenting decisions in a centralized location. Your compliance platform should be your system of record.

The "We'll Fix It Before the Audit" Trap

SOC 2 Type II examines controls over time. You can't implement MFA the week before the audit and claim it's been a control. Auditors will ask for historical evidence.

Fix: Get controls operating now and collect evidence from day one. The 90-day timeline has controls running from week 3 onward, so by week 13 you hold roughly ten weeks of evidence and can agree a formal observation window with your auditor instead of waiting for one to begin.

Employee Onboarding/Offboarding Gaps

This is surprisingly often the finding that trips up companies. Common issues:

  • No documented onboarding checklist
  • Access granted informally without tickets/records
  • Terminated employee access not revoked same-day
  • Background checks not completed before access granted

Fix: Create checklists for onboarding and offboarding with required sign-offs. Automate access revocation where possible.

Ignoring Employee Devices

Your production infrastructure might be bulletproof, but if an engineer's laptop doesn't have disk encryption, that's a finding. Endpoint security is part of SOC 2.

Fix: Implement MDM on all company devices. Enforce disk encryption, automatic updates, and screen lock policies.

Underestimating Vendor Management

Every SaaS tool with access to customer data is a potential audit finding. Auditors want to see:

  • Inventory of all vendors with data access
  • Security assessment before onboarding
  • Evidence of their security certifications
  • Annual review of vendor security posture

Fix: Start your vendor inventory now. Most SaaS companies have 50-200 vendors; identifying them all takes time.

Ongoing Maintenance: What to Expect

SOC 2 isn't one-and-done. After your first report, expect ongoing requirements:

Continuous activities:

  • Access reviews (quarterly)
  • Security awareness training (annual, plus new hire)
  • Vendor security reviews (annual)
  • Policy reviews and updates (annual)
  • Risk assessment updates (annual)
  • Business continuity plan testing (annual)

Annual audit:

Each year, your auditor will examine a new observation period. The good news: subsequent audits are typically smoother because controls are already in place. Budget for 20-40 hours of engineering time for annual audits versus 100+ hours for the initial audit.

Control evolution:

As your company grows, your controls need to evolve. What worked at 20 employees won't scale to 200. Plan for periodic reviews of whether your controls still match your risk profile.

How the Right Infrastructure Accelerates Compliance

One of the biggest factors in how quickly you can achieve SOC 2 is your starting infrastructure. Companies running on well-architected platforms can move significantly faster than those building from scratch.

Convox Rack deployments provide many SOC 2 infrastructure controls out of the box:

  • Network isolation: Private VPCs with proper subnet configuration
  • Encryption in transit: Automatic TLS for all services
  • Access control: RBAC with audit logging of all administrative actions
  • High availability: Multi-AZ deployments for redundancy
  • Change management: Immutable releases with one-command rollbacks
  • Logging: Centralized logging with configurable retention

This doesn't eliminate all compliance work—you still need policies, processes, and evidence—but it dramatically reduces the infrastructure hardening phase. Instead of spending weeks configuring network security and encryption, you can focus on the documentation and process controls that typically take longer.

For teams using Convox, the rack parameters documentation shows exactly which security configurations are available, many of which map directly to SOC 2 control requirements.

Getting Started

SOC 2 compliance is a significant undertaking, but it's manageable with the right approach. The key is starting immediately—every week you delay is a week less of evidence for your observation period.

Here's your first week action plan:

  • Day 1: Inventory your in-scope systems
  • Day 2: Evaluate compliance automation platforms
  • Day 3: Request proposals from 2-3 auditors
  • Day 4: Assess your current infrastructure against the checklist above
  • Day 5: Create your project plan and assign ownership

If your current infrastructure requires significant hardening, consider whether a platform migration might actually be faster than building compliance controls from scratch. Convox provides a Getting Started Guide that can have you deployed in a compliance-ready environment within a day.

Ready to simplify your path to SOC 2? Create a free Convox account and see how a well-architected platform can accelerate your compliance journey. For enterprise deployments or questions about specific compliance requirements, reach out to our team.

You can close that enterprise deal. Let's make it happen.

Let your team focus on what matters.