Free Assessment · 4 Minutes

Are you SOC 2 Type II audit-ready?
Find out in 4 minutes.

12 questions mapped to AICPA Trust Services Criteria. Get an instant gap report with remediation guidance — free, no signup required.

All 5 AICPA Trust Services Criteria
PDF gap report delivered instantly
Built for RIAs, legal firms, family offices

Ready to assess your SOC 2 readiness?

This assessment covers 12 controls across all five AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Answer 12 questions about your controls
Get your readiness score and top gaps instantly
Receive a PDF gap report by email within seconds
Question 1 of 12
🔒 Security · CC6.1

Do you enforce MFA and least-privilege access controls for all systems holding customer data?

Covers role-based access control (RBAC), multi-factor authentication, and documented provisioning/deprovisioning procedures.

Question 2 of 12
🔒 Security · CC6.7

Is customer data encrypted at rest (AES-256) and in transit (TLS 1.2+)?

Covers database and object storage encryption at rest, TLS enforcement on all endpoints, and documented key management including rotation schedules.

Question 3 of 12
🔒 Security · CC7.1

Do you run formal vulnerability scans and at least annual penetration tests?

Covers automated vulnerability scanning, SLA-bound patching (critical: 24–72h), and third-party penetration testing with documented remediation tracking.

Question 4 of 12
📡 Availability · A1.1

Do you have continuous uptime monitoring with documented SLAs and incident response runbooks?

Covers synthetic monitoring, alerting, documented SLA commitments, and incident escalation procedures with defined RTO/RPO targets.

Question 5 of 12
📡 Availability · A1.2

Have you documented, tested, and validated a disaster recovery and business continuity plan?

Covers backup strategy (3-2-1 rule), documented failover procedures, RTO/RPO targets, and at least annual DR drill with recorded outcomes.

Question 6 of 12
⚙️ Processing Integrity · PI1.1

Do you validate and sanitize all system inputs with audit trails for processing errors?

Covers server-side input validation with schema enforcement, error logging with correlation IDs, and periodic review of error patterns.

Question 7 of 12
⚙️ Processing Integrity · PI1.2

Do you have automated error detection, alerting, and logging for all data processing failures?

Covers structured logging integrated with alerting on error rate thresholds, SLAs for error investigation, and documented error classification/escalation.

Question 8 of 12
🔐 Confidentiality · C1.1

Do you classify data by sensitivity level with access controls mapped to each classification?

Covers a documented data classification policy (e.g., Public / Internal / Confidential / Restricted) with access controls, encryption requirements, and handling procedures per tier.

Question 9 of 12
🔐 Confidentiality · C1.2

Are all employees, contractors, and vendors required to execute NDAs before accessing customer data?

Covers signed NDAs as part of onboarding, a maintained executed-NDA registry, and quarterly coverage reviews.

Question 10 of 12
🔐 Confidentiality · C1.3

Is customer data logically or physically segregated between tenants?

Covers row-level security or schema-per-tenant isolation in all data stores, with periodic access reviews confirming no cross-tenant exposure.

Question 11 of 12
🛡️ Privacy · P1.1

Do you collect documented affirmative consent for personal data collection with defined retention periods?

Covers consent management covering collection purpose, retention period, and third-party sharing disclosures — with a consent audit log and withdrawal process.

Question 12 of 12
🛡️ Privacy · P6.1

Do you have documented processes to handle data subject requests (access, deletion, portability) within 30 days?

Covers a data subject request (DSR) intake and fulfillment process for access, deletion, correction, and portability — with SLA tracking and periodic dry-runs.

One last step

Where should we send your gap report?

Your personalized SOC 2 gap report — with AICPA TSC-by-TSC remediation guidance — will be emailed to you instantly.


Sturna's compliance agents auto-document SOC 2 controls

RIAs, legal firms, and family offices use Sturna to close SOC 2 gaps and generate auditor-ready evidence packages — in 30 days.

Start a Pilot — $2,500 →


Frequently Asked Questions

What is SOC 2 Type II?

SOC 2 is an attestation framework from the AICPA for reporting on a service organization's controls over security, availability, processing integrity, confidentiality, and privacy. A Type II report evaluates both the design and the operating effectiveness of those controls over an observation period (typically 6–12 months). A Type I report, by contrast, assesses only whether the controls were suitably designed at a single point in time.

What are the AICPA Trust Services Criteria?

The Trust Services Criteria (TSC) are the five categories the AICPA uses to evaluate a service organization's controls: Security (the Common Criteria, CC, which are required in every SOC 2 report), Availability (A), Processing Integrity (PI), Confidentiality (C), and Privacy (P). This assessment evaluates all five for the broadest readiness picture.

How long does SOC 2 Type II audit preparation take?

Most organizations need 3–6 months to remediate gaps and build up the evidence base the audit requires; the Type II observation period that follows is typically 6–12 months. Starting with a readiness assessment to identify gaps is the recommended first step, since it lets you prioritize remediation before engaging a CPA firm.

Which industries require SOC 2 Type II?

SOC 2 is most commonly required of SaaS and cloud service providers, financial services firms and RIAs (institutional clients routinely ask for it), legal technology, healthcare technology, and any sector where enterprise buyers run vendor security reviews. Enterprise procurement increasingly treats a SOC 2 Type II report as a vendor qualification condition.

How is this assessment scored?

Each of the 12 controls is scored: Yes = 1 point, Partial = 0.5 points, No or Don't Know = 0 points. Your readiness percentage is (total points / 12) × 100. Audit-Ready: 85% and above. Gaps Identified: 60–84%. Significant Work Required: below 60%.

Do I need all five Trust Services Categories in scope?

Security (CC) is the only mandatory category. Most enterprise buyers, however, now expect Availability, Confidentiality, and Privacy to be in scope as well, especially for SaaS, financial services, and healthcare-adjacent technology. This assessment evaluates all five to give you the broadest picture.

What does the PDF gap report include?

Your personalized PDF includes: your overall readiness score, per-category scores, gap-by-gap remediation guidance with AICPA TSC primary-source citations, and a recommended 90-day audit preparation timeline. It's generated instantly from your answers and emailed to you.

What's the difference between SOC 2 Type I and Type II?

SOC 2 Type I assesses whether controls are suitably designed at a single point in time. SOC 2 Type II assesses whether those controls operated effectively over an observation period (typically 6–12 months). Enterprise buyers require Type II because it demonstrates sustained effectiveness, not just design intent.