SOC 2 appears in roughly 60% of enterprise security questionnaires. It's the most common security certification that enterprise buyers ask about. But the questions they ask are sometimes vague, sometimes overlap with other frameworks, and sometimes require nuanced answers.
Here are the 15 most common SOC 2-related questions that appear in security questionnaires, with model answers and guidance on how to explain your certification accurately to buyers who may not understand the fine points.
1. Are You SOC 2 Compliant / Do You Have SOC 2 Certification?
The Question
Are you SOC 2 certified? Do you have a current SOC 2 report?
Model Answer
We maintain a SOC 2 Type II certification through [Auditor Name], with our most recent report covering the period [dates] and issued on [date]. The report covers the Trust Service Criteria for Security, Availability, and Processing Integrity. We can provide our SOC 2 report under NDA to customers as part of due diligence. (If you don't have SOC 2: "We are in the process of completing our initial SOC 2 Type II audit, expected completion in [month/year]" or "We maintain SOC 2 Type I certification, with a Type II audit planned for [timeline].")
Why This Answer
Buyers want to know whether you have objective third-party validation of your security program. Type II is stronger than Type I because it tests whether your controls operated effectively over an audit period rather than only whether they were designed properly at a point in time, and buyers want to know the specific Trust Service Criteria you cover. Always name your auditor and report dates; that specificity makes the claim verifiable.
2. What Is Your SOC 2 Report Type?
The Question
Do you have SOC 2 Type I or Type II? Or both?
Model Answer
We maintain a SOC 2 Type II report, which provides greater assurance than Type I. Type II covers a minimum 6-month period of operations (our current report covers 12 months), demonstrating sustained compliance and operational maturity. Type II audits evaluate both the design of our controls and their actual operating effectiveness over time.
Why This Answer
Type II is objectively stronger because it proves your controls work in practice, not just on paper. Explain the difference so buyers understand why Type II matters. If you only have Type I, commit to a Type II timeline.
3. Which Trust Service Criteria (TSCs) Does Your SOC 2 Report Cover?
The Question
Does your SOC 2 cover Security, Availability, Processing Integrity, Confidentiality, and/or Privacy (CC)?
Model Answer
Our SOC 2 Type II report covers three Trust Service Criteria: (1) Security: controls over logical and physical access; (2) Availability: controls ensuring our systems are available as committed; and (3) Processing Integrity: controls ensuring completeness and accuracy of processing. We are assessing Privacy coverage for our next audit cycle to address customer data residency and processing requirements.
Why This Answer
Different buyers care about different criteria depending on their industry and regulatory obligations. Healthcare buyers care about Security and Confidentiality. B2B SaaS buyers care about Security and Availability. Be specific about what you cover, and if you don't cover something important for your market, commit to adding it.
4. How Often Do You Undergo SOC 2 Audits? What Is Your Audit Frequency?
The Question
How often do you have SOC 2 audits? Is it annual or more frequent?
Model Answer
We conduct annual SOC 2 Type II audits covering a rolling 12-month period. Our audit timeline is [Jan-Dec / your specific cycle], with results issued by [month]. Between formal audits, we perform quarterly control assessments and monthly risk reviews to ensure sustained compliance. Additionally, we undergo [relevant industry-specific audits: HIPAA/HITRUST for healthcare, PCI-DSS for payment processing, etc.].
Why This Answer
Annual is the industry standard. Buyers want to know your audit cycle timing and want confidence that you don't just pass an audit once and then forget about controls. Mention interim reviews to show ongoing commitment.
5. Can We Obtain a Copy of Your SOC 2 Report? Can You Share Your SOC 2 Report Under NDA?
The Question
Will you provide your SOC 2 report for our security review?
Model Answer
Yes. We share our SOC 2 Type II report with prospective and existing customers under a Standard Mutual Non-Disclosure Agreement (NDA). We will provide our current report within 5 business days of receiving your signed NDA. Note that the report includes a restricted use statement limiting use to the customer's assessment of our security controls.
Why This Answer
This is a yes/no question with minor conditions. Be clear about your process (5 days, requires NDA) so there's no confusion during the negotiation phase. Mention the restricted use statement so they understand the report is confidential.
6. What Is Included in Your SOC 2 Scope? What Systems/Applications Does It Cover?
The Question
Does your SOC 2 cover your entire platform or just specific components?
Model Answer
Our SOC 2 audit covers our primary SaaS platform [Product Name], including authentication systems, data processing engines, storage infrastructure, and backup systems. Our scope includes [on-premises/cloud providers used: AWS, Azure, etc.] and our managed third-party services [list major processors]. Our SOC 2 does not cover [website, mobile app, legacy systems]—these are covered separately through [alternative assessments].
Why This Answer
Scope matters because a buyer might assume SOC 2 covers your entire company when it actually only covers your main product. Be specific about what's in and out of scope so there's no misunderstanding. If something important is out of scope, explain how you handle it.
7. What Exceptions or Non-Conformances Were Noted in Your Most Recent SOC 2 Audit?
The Question
Were there any exceptions, control deviations, or audit findings in your report?
Model Answer
Our most recent SOC 2 Type II report resulted in an unqualified opinion with zero exceptions or deviations. All tested controls operated effectively throughout the audit period. [If you had exceptions: "We identified one control deviation in [specific area] related to [root cause], which we remediated through [corrective action] by [date]. Our follow-up audit confirmed the remediation."]
Why This Answer
Zero exceptions is ideal, but real organizations sometimes have minor deviations. If you do, be transparent and explain your remediation. Buyers respect honesty and quick fixes more than zero exceptions followed by undisclosed problems.
8. Do You Use Subservice Organizations? How Do You Manage Them Under SOC 2?
The Question
Do you use third-party vendors or cloud providers? Are they SOC 2 compliant?
Model Answer
Yes, we use AWS for cloud infrastructure and [other major processors]. Under our SOC 2 audit, these are classified as subservice organizations. Our standard requirement is that subservice organizations maintain a SOC 2 Type II report. We obtain and review their SOC 2 reports annually, and we include their control environment in our risk assessment. For any subservice organization that doesn't have SOC 2 (e.g., [specific vendor]), we rely on compensating controls through [describe: third-party audits, contractual requirements, etc.].
Why This Answer
Buyers care about your entire vendor chain. Showing you actively manage subservice organization risk is key. If you use vendors without SOC 2, explain your mitigation strategy rather than hiding it.
9. Do You Perform Penetration Testing? How Frequently?
The Question
Are your systems regularly tested for vulnerabilities?
Model Answer
We conduct both internal and external penetration testing annually through [Security Firm Name]. Our testing scope includes our web application, API, and infrastructure. We also perform quarterly vulnerability scans and remediate findings within [timeframe] based on severity. Critical vulnerabilities are remediated within 24 hours, high-severity within 7 days, medium within 30 days. Our penetration test results and remediation status are documented in our SOC 2 audit.
Why This Answer
Annual penetration testing is the standard expectation. Show you do it consistently, specify the frequency of scans, and show clear remediation timelines. This demonstrates active threat management, not just reactive patching.
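The remediation timelines in the model answer only mean something if they are measured. The following Python is an added example (not from the original article or from KBPilot) that turns the stated SLAs (critical 24 hours, high 7 days, medium 30 days) into a checker over vulnerability scan findings: each finding is classified as closed within SLA, closed late, open but within SLA, or overdue, and a summary is produced of the kind an auditor would ask for. The finding record format, the sample findings and the 90-day figure for the "low" tier are assumptions; the page gives no low-severity timeline.

```python
from datetime import datetime, timedelta, timezone

# Remediation SLAs as stated in the model answer.
# The "low" tier is an assumption; the page gives no figure for it.
SLA_BY_SEVERITY = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
    "low": timedelta(days=90),  # assumed, not from the page
}


def sla_deadline(found_at, severity):
    """Return the datetime by which a finding of this severity must be fixed."""
    return found_at + SLA_BY_SEVERITY[severity.lower()]


def evaluate_findings(findings, now):
    """
    Classify each scan finding as 'closed_in_sla', 'closed_late',
    'open_in_sla' or 'overdue'.

    `findings` is an iterable of dicts with keys id, severity,
    found_at (aware datetime) and closed_at (aware datetime or None).
    """
    results = {}
    for f in findings:
        deadline = sla_deadline(f["found_at"], f["severity"])
        closed = f["closed_at"]
        if closed is not None:
            status = "closed_in_sla" if closed <= deadline else "closed_late"
        else:
            status = "open_in_sla" if now <= deadline else "overdue"
        results[f["id"]] = {"deadline": deadline, "status": status}
    return results


def sla_summary(results):
    """Count findings per status; this is what a quarterly metrics report would carry."""
    counts = {"closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "overdue": 0}
    for r in results.values():
        counts[r["status"]] += 1
    return counts


# Constructed sample findings (not real scanner output).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    # critical, found 30h ago, closed after 20h: within the 24h SLA
    {"id": "F-1", "severity": "critical",
     "found_at": NOW - timedelta(hours=30), "closed_at": NOW - timedelta(hours=10)},
    # critical, found 30h ago, still open: overdue
    {"id": "F-2", "severity": "critical",
     "found_at": NOW - timedelta(hours=30), "closed_at": None},
    # high, found 3 days ago, still open: 4 days of SLA left
    {"id": "F-3", "severity": "high",
     "found_at": NOW - timedelta(days=3), "closed_at": None},
    # medium, found 45 days ago, closed after 35 days: late against the 30-day SLA
    {"id": "F-4", "severity": "medium",
     "found_at": NOW - timedelta(days=45), "closed_at": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    res = evaluate_findings(SAMPLE_FINDINGS, NOW)
    for fid, r in res.items():
        print(fid, r["status"], "deadline", r["deadline"].isoformat())
    print(sla_summary(res))
```

Run against a real scanner export, the "overdue" and "closed_late" buckets are the evidence an auditor will sample when testing the remediation control, so it pays to keep the classification logic and the SLA table in one place that the questionnaire answer can cite.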
10. How Do You Encrypt Customer Data? What Encryption Standards Do You Use?
The Question
Do you encrypt data at rest and in transit?
Model Answer
We encrypt all customer data at rest using AES-256-CBC encryption with keys managed through AWS Key Management Service (KMS). We encrypt data in transit using TLS 1.2+ for all APIs and web connections. Encryption keys are rotated [weekly/monthly] and are isolated by customer. We maintain separate encryption keys for different data classification levels (public, internal, confidential, highly-confidential).
Why This Answer
Buyers want to know the specific encryption standards (AES-256 is industry standard), that both at-rest and in-transit encryption are covered, and that key management is properly implemented. Specificity here builds confidence.
11. What Is Your Data Retention and Deletion Policy?
The Question
How long do you keep customer data? Can we request deletion?
Model Answer
Customer data is retained for the duration of the customer's subscription plus 30 days (to allow for account recovery). Upon request or account termination, customer data is deleted within 10 business days. Backups containing deleted data are overwritten within 90 days through our standard backup rotation cycle. Log data is retained for 90 days to support security monitoring and troubleshooting. Deletion is performed cryptographically (key destruction) on our primary systems and through degaussing/physical destruction on backup media.
Why This Answer
Customers are increasingly concerned about data retention and deletion, particularly for GDPR compliance. Be specific about timelines and deletion methods. Common baselines are 30 days for active data and 90 days for backups.
12. What Is Your Incident Response Process? How Quickly Do You Notify Customers of Breaches?
The Question
What happens if there's a security breach?
Model Answer
We maintain a formal Incident Response Plan that is tested quarterly. Upon detection of a confirmed security incident, we notify customers within 24 hours. Our incident response process includes: (1) Detection and triage, (2) Containment and mitigation, (3) Investigation and root cause analysis, (4) Customer notification with details of exposure, (5) Remediation and recovery, (6) Post-incident review. We also notify law enforcement and regulators as required. Our security team is on-call 24/7 for incident response.
Why This Answer
24-hour notification is the expected standard (though some regulations require faster). Showing a formal process, testing, and on-call coverage demonstrates maturity. Being specific about steps shows you've thought through incident response, not just reacting.
13. Do You Have Business Continuity and Disaster Recovery Plans? What Is Your RTO and RPO?
The Question
How quickly can you recover if there's an outage or disaster?
Model Answer
We maintain a Business Continuity Plan with a Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour. Our infrastructure is deployed across multiple AWS availability zones with automatic failover. We perform quarterly disaster recovery testing to validate our recovery procedures. We maintain off-site backups with encryption and store backups in a geographically separate region from our primary infrastructure. Our SLA commits to [99.9%/99.95%] uptime.
Why This Answer
RTO and RPO are specific metrics buyers want. Typical targets are 4 hours RTO, 1 hour RPO for most SaaS. The key is testing—untested disaster recovery plans don't work. Mention testing frequency to show this isn't theoretical.
14. How Do You Manage Access to Customer Data? What Controls Do You Have Around Administrator Access?
The Question
Who can access customer data and how do you prevent unauthorized access?
Model Answer
We implement least-privilege access controls: employees only have access to systems and data required for their role. All access is authenticated via single sign-on (SSO) with multi-factor authentication (MFA). Admin access is further restricted to named individuals with business justification, approved by management. All access is logged and monitored. We perform annual access reviews to validate that access rights remain appropriate. Customer data access by support staff is audited—we maintain logs of every access to customer data, and access requires approval and is performed within a secure session. We also disable unused accounts within 30 days of role change.
Why This Answer
This is a critical control. Show least-privilege, MFA for all, logging of access, and regular reviews. Buyers want confidence that only authorized people can access their data, and you have controls to detect unauthorized access.
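An access review is the control most questionnaires probe hardest, and it is easy to automate the first pass. The following Python is an added example (not code from the original article or from KBPilot) that applies three of the rules in the model answer to a list of account records: MFA on every account, no entitlements beyond the least-privilege baseline for the account's role once the 30-day window after a role change has passed, and no admin entitlement without a recorded management approval. The record format, the role-to-entitlement baseline, the entitlement names and the sample accounts are all assumptions.

```python
from datetime import date

# Rules taken from the model answer; the data shapes below are assumptions.
MAX_DAYS_AFTER_ROLE_CHANGE = 30  # leftover rights must be removed within 30 days

# Assumed least-privilege baseline: which entitlements each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "support": {"support-console"},
    "engineer": {"support-console", "deploy"},
    "sre": {"deploy", "prod-admin"},
}
ADMIN_ENTITLEMENT = "prod-admin"  # assumed name of the privileged entitlement


def review_account(acct, today):
    """Return a list of review findings for one account (empty list means clean)."""
    findings = []

    # Rule 1: MFA for everyone, no exceptions.
    if not acct["mfa_enabled"]:
        findings.append("no_mfa")

    # Rule 2: entitlements must match the role; leftovers from a previous
    # role are tolerated only inside the 30-day grace window.
    allowed = ROLE_ENTITLEMENTS[acct["role"]]
    excess = sorted(set(acct["entitlements"]) - allowed)
    if excess:
        days_since_change = (today - acct["role_changed_on"]).days
        label = ("stale_entitlements:" if days_since_change > MAX_DAYS_AFTER_ROLE_CHANGE
                 else "excess_within_grace:")
        findings.append(label + ",".join(excess))

    # Rule 3: admin access needs a named, approved business justification.
    if ADMIN_ENTITLEMENT in acct["entitlements"] and not acct.get("admin_approval"):
        findings.append("admin_without_approval")

    return findings


def run_access_review(accounts, today):
    """Review every account; returns {user: [findings]}."""
    return {a["user"]: review_account(a, today) for a in accounts}


# Constructed sample accounts (not real directory data).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # clean: rights match role, MFA on, admin access approved via a (constructed) ticket id
    {"user": "alice", "role": "sre", "entitlements": ["deploy", "prod-admin"],
     "mfa_enabled": True, "role_changed_on": date(2023, 1, 10), "admin_approval": "CHG-0001"},
    # moved from engineer to support 92 days ago but still holds "deploy"
    {"user": "bob", "role": "support", "entitlements": ["support-console", "deploy"],
     "mfa_enabled": True, "role_changed_on": date(2024, 3, 1), "admin_approval": None},
    # role changed 12 days ago, no MFA, holds unapproved admin access
    {"user": "carol", "role": "engineer",
     "entitlements": ["support-console", "deploy", "prod-admin"],
     "mfa_enabled": False, "role_changed_on": date(2024, 5, 20), "admin_approval": None},
]

if __name__ == "__main__":
    for user, findings in run_access_review(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, findings or "ok")
```

The output of a run like this is the artifact the annual access review produces; keeping the dated results alongside the sign-off of each risk owner gives the auditor both the control's design (the rules) and its operation (the findings and what was done about them).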
15. Do You Conduct Annual Risk Assessments? How Do You Manage Identified Risks?
The Question
How do you identify and manage security risks?
Model Answer
We conduct comprehensive annual risk assessments that include threat analysis, vulnerability assessment, and control effectiveness review. Our CISO leads the annual risk assessment process with input from all departments. Identified risks are scored by likelihood and impact using a standard risk matrix, and we develop mitigation plans for all high and medium risks. Risk owners are assigned accountability for remediation with specific timelines. We review risk status quarterly and track metrics such as mean time to remediate and percentage of high-risk items resolved. Our risk assessment is integrated with our SOC 2 audit scope.
Why This Answer
Showing a formal, documented, ongoing risk management process demonstrates maturity. Annual is the minimum; quarterly reviews show you're serious. Tracking metrics shows accountability.
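To make the risk-scoring and metrics sentences in the model answer concrete, here is an added Python example (not from the original article or from KBPilot) that scores a small risk register on a 5x5 likelihood-by-impact matrix, marks which risks need a mitigation plan (high and medium, as the answer states), and computes the two quarterly metrics named there: mean time to remediate and the percentage of high-risk items resolved. It also lists risks whose plan is past its due date. The band thresholds (high at a score of 15 or more, medium at 8 or more), the register fields and the sample entries are assumptions; the page says "a standard risk matrix" without giving its numbers.

```python
from datetime import date

# 5x5 matrix: likelihood and impact each scored 1..5, score = product.
# Band thresholds are an assumption; the page does not give them.
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


def risk_band(likelihood, impact):
    """Map a likelihood/impact pair to a band of 'high', 'medium' or 'low'."""
    score = likelihood * impact
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def requires_mitigation_plan(band):
    """Per the model answer, high and medium risks get a mitigation plan."""
    return band in ("high", "medium")


def score_register(register):
    """Attach score, band and plan_required to every register entry."""
    scored = []
    for r in register:
        band = risk_band(r["likelihood"], r["impact"])
        scored.append({**r,
                       "score": r["likelihood"] * r["impact"],
                       "band": band,
                       "plan_required": requires_mitigation_plan(band)})
    return scored


def quarterly_metrics(scored, as_of):
    """Compute the metrics the model answer names, plus overdue mitigation plans."""
    high = [r for r in scored if r["band"] == "high"]
    resolved_high = [r for r in high if r["resolved_on"] is not None]
    pct_high_resolved = 100.0 * len(resolved_high) / len(high) if high else 100.0

    resolved = [r for r in scored if r["resolved_on"] is not None]
    mttr_days = (sum((r["resolved_on"] - r["identified_on"]).days for r in resolved)
                 / len(resolved)) if resolved else None

    overdue = [r["id"] for r in scored
               if r["plan_required"] and r["resolved_on"] is None and r["due_on"] < as_of]
    return {"pct_high_resolved": pct_high_resolved,
            "mttr_days": mttr_days,
            "overdue": overdue}


# Constructed sample register (not a real organisation's risks).
AS_OF = date(2024, 6, 30)
SAMPLE_REGISTER = [
    {"id": "R-1", "title": "Unpatched edge appliance", "likelihood": 4, "impact": 5,
     "owner": "it-ops", "identified_on": date(2024, 1, 15),
     "due_on": date(2024, 3, 15), "resolved_on": date(2024, 3, 1)},
    {"id": "R-2", "title": "No MFA on legacy VPN", "likelihood": 3, "impact": 5,
     "owner": "security", "identified_on": date(2024, 2, 1),
     "due_on": date(2024, 5, 1), "resolved_on": None},
    {"id": "R-3", "title": "Backup restore untested", "likelihood": 2, "impact": 4,
     "owner": "sre", "identified_on": date(2024, 3, 10),
     "due_on": date(2024, 9, 10), "resolved_on": None},
    {"id": "R-4", "title": "Stale vendor contract", "likelihood": 1, "impact": 2,
     "owner": "legal", "identified_on": date(2024, 4, 1),
     "due_on": date(2025, 4, 1), "resolved_on": date(2024, 4, 20)},
]

if __name__ == "__main__":
    scored = score_register(SAMPLE_REGISTER)
    for r in scored:
        print(r["id"], r["score"], r["band"], "plan" if r["plan_required"] else "")
    print(quarterly_metrics(scored, AS_OF))
```

With the sample register, R-1 and R-2 land in the high band, R-3 in medium and R-4 in low; only R-2 has a plan past its due date, so the quarterly review would show 50% of high risks resolved and a mean time to remediate of 32.5 days across the two closed items.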
Final Note
These 15 questions cover 80% of SOC 2-related questionnaire items. Document your answers to these thoroughly, get them reviewed by your CISO and legal team, and reuse them consistently. The more detailed and specific you are, the faster your customers will move through their security review and the more confidence they'll have in your security program.
Systematize your SOC 2 answers with a security KB
KBPilot helps you document, organize, and automatically deploy consistent SOC 2 answers.