Hael
FRAMEWORK

SOC 2

The AICPA trust-services audit (TSP 100) enterprise buyers ask for first. Not an AI law — but the report that unlocks enterprise deals, now extended to how you govern AI.

Coverage updated 2 min ago
Coverage · SOC 2
Framework coverage
84%
Coverage
5 Trust Services Criteria
Obligations mapped
+4% wk
6
Files on record
Live · synced 2 min ago · 7-day trend
Recent activity
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring plan v1 · Draft
THE OBLIGATION

The report enterprise procurement asks for before anything else.

SOC 2 is an independent audit against the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality and Privacy. It is the proof enterprise buyers demand before signing, delivered as a Type I or Type II report.

As buyers extend due diligence to AI, the System Description and control evidence increasingly need to cover how AI systems are governed — not just the surrounding infrastructure.

At a glance
Applies to: SaaS and service organisations selling to enterprises
Your likely role: Service organisation under audit
Key deadline: Voluntary — expected by enterprise buyers
Penalty exposure: No penalty; absence stalls or kills enterprise deals
ARTEFACTS

The files this framework actually requires.

SOC 2 needs a System Description and control evidence. Hael generates the AI-governance portions and keeps them current.

Files · Evidence pack
PDF · System Description · v3 · updated 2 min ago · Approved
PDF · Control Matrix — TSC · v2 · updated 14 May · Approved
PDF · AI Governance Control Evidence · v2 · updated 11 May · Approved
PDF · Risk Assessment · v2 · updated 04 May · Approved
PDF · Vendor & Subprocessor Register · v1 · updated 02 May · Draft
PDF · Access & Change Logs · v1 · updated 28 Apr · Approved

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

A checklist lists the controls you owe. Hael generates the System Description and the AI-governance evidence behind them.

Typical GRC tool
System Description · upload required
Control Matrix — TSC · upload required
AI Governance Control Evidence · upload required
Risk Assessment · upload required
Vendor & Subprocessor Register · upload required
Access & Change Logs · upload required

Tracks the gap. You still author every document.

Hael
System Description · v3 · Generated 2 min ago
Control Matrix — TSC · v2 · Generated · Approved
AI Governance Control Evidence · v2 · Generated · Approved
Risk Assessment · v2 · Generated · Approved
Vendor & Subprocessor Register · v1 · Generated · Draft
Access & Change Logs · v1 · Generated · Approved

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for SOC 2.

01 DISCOVER

Find the systems in SOC 2 scope, including embedded third-party AI.

Inventory · 14 systems
Credit scoring engine · high
HR screening bot · high
Salesforce Einstein · limited
02 CLASSIFY

Assess each against SOC 2's risk tiers and obligations.

Risk tier
Prohib. · High · Limited · Min.
Role: Provider · Art. 9 · 11 · 14
03 PRODUCE

Generate the SOC 2 records, versioned and current.

Generated files
Annex IV v4 · Approved
FRIA v2 · Approved
Monitoring v1 · Draft
COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Coverage Map (Obligation → Control): 5 obligations · 4 controls · 84% covered
Columns: System Desc. · Control Matrix · Evidence · Risk Assessment
Rows: Security · Availability · Processing Integrity · Confidentiality · Privacy
Security · System Desc. · v3 · sealed
MAPPING

Clause by clause.

Obligation | What it requires | Hael control / file | Status
Security | Common Criteria controls | Control Matrix | Approved
Processing Integrity | Complete, accurate processing | AI Governance Control Evidence | Approved
Confidentiality | Protection of sensitive data | System Description | Approved
Privacy | Personal information handling | Risk Assessment | In progress
REUSE

Author once. Satisfy many.

The System Description and control evidence behind a SOC 2 report overlap with ISO 42001's management system and feed directly into your buyer-facing Trust Center — answer due diligence once.

→ shared evidence: ISO/IEC 42001 · NIST AI RMF · GDPR
Trust & Security
SOC 2 Type II · ISO/IEC 27001 · EU & US data residency · SSO / SCIM · Encryption in transit & at rest · Audit logging

On record before the deal stalls, not scrambled during diligence.

Hael generates the System Description and AI-governance control evidence the SOC 2 audit needs.