SOC 2 is a security attestation issued by a licensed CPA firm confirming that a service organization's controls meet the AICPA Trust Services Criteria. Canadian SaaS and B2B companies pursue it because enterprise buyers require a SOC 2 report before signing vendor contracts. A Type I report attests to control design at a point in time; a Type II attests to operational effectiveness over 3–12 months of observation. First-time costs in Canada run $45,000–$130,000 CAD depending on scope and report type. Security is the only mandatory criterion; Availability, Processing Integrity, Confidentiality, and Privacy are selected based on your customers' requirements.
What Is SOC 2 and Why Do Canadian SaaS Companies Need It
SOC 2 stands for System and Organization Controls 2. It is an attestation standard published by the American Institute of Certified Public Accountants (AICPA) that evaluates the security, availability, processing integrity, confidentiality, and privacy practices of service organizations — companies whose products process, store, or transmit data on behalf of their customers.
In Canada, SOC 2 is not a statutory requirement under any federal or provincial law. What makes it unavoidable for B2B SaaS companies is the procurement process of their customers. Enterprise buyers in financial services, healthcare, legal, and government sectors routinely distribute vendor security questionnaires during onboarding — and a SOC 2 Type II report has become the only accepted answer at many large organizations. Without one, deals stall or collapse at the security review stage, sometimes months into a sales cycle.
According to Vanta's State of Trust report, over 75% of enterprise buyers cited a security attestation requirement in vendor onboarding. Canadian SaaS companies selling into the US market face the same scrutiny. A CPA Canada survey noted that Canadian tech companies pursuing US enterprise expansion ranked SOC 2 alongside PCI-DSS as the most-requested third-party assurance document. The pattern is consistent: you build the product, you land the initial conversation, and then security review kills the deal because you cannot produce a signed SOC 2 report.
The standard also has indirect operational benefits. Going through a SOC 2 engagement forces an organization to document its control environment, assign ownership, and build repeatable security processes. Companies that complete SOC 2 typically respond faster to security incidents, maintain cleaner vendor management programs, and find subsequent compliance programs — ISO 27001, FedRAMP, ITSG-33 for federal contracts — significantly less painful because the evidence library already exists and controls are already operating.
In 2026, three clusters of Canadian companies are actively pursuing SOC 2: early-stage SaaS companies that have just landed their first enterprise prospect asking for it in procurement; growth-stage companies expanding from Canada into the US market; and managed service providers responding to customer security questionnaires from financial institutions and healthcare organizations. If your company is in any of these categories, this guide covers the full path from decision to signed report.
SOC 2 Type I vs Type II: Choosing the Right Report
The distinction between Type I and Type II is the most consequential decision in your SOC 2 program. Both report types evaluate the same Trust Services Criteria and use the same CPA auditor, but they differ fundamentally in what they attest to — and enterprise buyers know the difference.
A SOC 2 Type I report attests that your controls are suitably designed as of a specific point in time — say, December 31, 2025. The auditor reviews your policies, procedures, and system descriptions, and forms an opinion on whether the controls you have in place are designed to meet the relevant Trust Services Criteria. The observation window is a single day. Type I is faster (4–6 months from kickoff) and roughly 40% cheaper than Type II. Some companies use it as an interim measure to unblock a deal while they build toward Type II. It is increasingly insufficient on its own — most buyers now require Type II, and security teams at sophisticated buyers treat a Type I-only posture as a yellow flag.
A SOC 2 Type II report attests that controls were suitably designed and operated effectively over a defined observation period, typically 3, 6, or 12 months. The auditor tests whether controls ran as designed throughout that entire window — reviewing access logs, change management records, incident response tickets, vendor review records, backup test results, and more. Because it demonstrates sustained operation rather than a single-day snapshot, it is the report enterprise buyers require and actually trust.
The practical path for most Canadian startups: if you have 12 months before a deal deadline, go straight to Type II with a 6-month observation window — one audit fee, one report, the right report. If you have an immediate deal requiring something in the next 4 months, obtain Type I first, use it to unblock the deal, and produce Type II at month 12–14. This two-report path adds roughly $12,000–$20,000 CAD in additional auditor fees but protects revenue that cannot wait 14 months.
One nuance specific to Canada: SOC 2 reports issued under Canadian standards fall under CSAE 3000 (Canadian Standard on Assurance Engagements), performed by CPA Canada member firms. US-based AICPA member firms can also audit Canadian companies and issue reports under AT-C 205 — common when a US enterprise buyer has a preferred Big Four auditor they recognize. Both are valid; check which format your target buyers expect before selecting an auditor.
The Five Trust Services Criteria Explained
SOC 2 is organized around five Trust Services Criteria (TSC). Only Security is mandatory. The others are selected based on what matters to your customers and the service commitments in your contracts.
1. Security (Common Criteria, CC1–CC9) — Mandatory
The Security criterion covers 60+ control points across nine categories: control environment (CC1), communication and information (CC2), risk assessment (CC3), monitoring of controls (CC4), control activities (CC5), logical and physical access (CC6, the largest category), system operations (CC7), change management (CC8), and risk mitigation (CC9). This is the backbone of every SOC 2 report. Every other optional criterion layers on top of it. CC6 (logical access) and CC8 (change management) are where most first-time engagements surface gaps.
2. Availability (A1)
Covers whether the system is available for operation and use as committed or agreed. Evidence includes uptime SLAs, infrastructure monitoring configuration, incident response records, and disaster recovery and failover documentation. B2B SaaS vendors with uptime guarantees written into their MSAs almost always include Availability. It also creates a natural mandate to formalize your DR program — see our business data backup and disaster recovery guide for what auditors expect.
3. Processing Integrity (PI1)
Addresses whether system processing is complete, valid, accurate, timely, and authorized. Most relevant to financial processing platforms, payroll SaaS, and e-commerce back-ends where a calculation error has direct dollar consequences. Canadian fintech companies, payroll vendors (like those building in Toronto's growing fintech corridor), and billing platforms are the primary candidates. If your product transforms or computes customer data with financial consequences, expect enterprise customers in financial services to require this criterion.
4. Confidentiality (C1)
Covers how information designated as confidential is protected across its lifecycle — collection, use, retention, and disposal. Evidence includes data classification policies, encryption standards (at-rest and in-transit), NDA tracking for third parties, and data destruction certificates. This criterion is popular because it directly maps to the data protection clauses in enterprise vendor agreements and addresses the question buyers most frequently ask: "How do you protect our data once we give it to you?"
5. Privacy (P1–P8)
Maps closely to privacy regulations including PIPEDA, Quebec Law 25, and PHIPA. Covers notice, consent, collection limitation, use and retention, access, disclosure, quality, and monitoring. The Privacy criterion has eight sub-criteria and generates more audit evidence than any other optional criterion. Canadian companies that handle personal data for regulated-industry customers often include it — and doing so creates meaningful overlap with PIPEDA and Law 25 obligations, reducing the effort of running both programs simultaneously.
The most common scope for Canadian B2B SaaS vendors in 2026 is Security + Availability + Confidentiality. Adding Privacy is worth the investment if your product handles personal data and your buyers are in healthcare, financial services, or legal sectors. Processing Integrity is only added when explicitly required by a customer or when computation accuracy is your core product promise.
Who Performs SOC 2 Audits in Canada
SOC 2 reports are issued exclusively by licensed CPA firms — not by security consultants, not by ISO certification bodies, and not by internal audit teams. This is a hard independence requirement of both the AICPA standard and its Canadian equivalent under CSAE 3000.
In Canada, the following types of firms perform SOC 2 engagements:
- Big Four and mid-market Canadian CPA firms — Deloitte, KPMG, PwC, EY, and mid-tier firms like MNP, BDO, and Grant Thornton all have dedicated assurance practices. Auditor fees typically range $28,000–$60,000 CAD per engagement. Engaged primarily by larger companies or those with US enterprise buyers who recognize the firm's name in the report signature.
- Boutique IT audit CPA firms — Smaller firms specializing in technology attestation. Fee ranges: $15,000–$28,000 CAD for Type I; $22,000–$42,000 CAD for Type II. Often the right choice for early-stage SaaS because they move faster, are more flexible on observation window scoping, and have less overhead in their process.
- US-based AICPA firms auditing Canadian clients — Common when a US enterprise customer stipulates a preferred auditor, or when the company is US-headquartered with Canadian operations. The report is issued under AT-C 205 rather than CSAE 3000 but is accepted by both Canadian and US buyers.
A critical distinction: the auditor (the CPA firm that signs the opinion) is separate from a readiness consultant (who helps implement controls and collect evidence before the audit). Many Canadian companies work with a managed IT services provider or compliance consultant to close gaps and implement tooling, then engage a CPA firm for the formal audit. This split reduces total cost because readiness consultants bill at lower rates than auditors — and it moves the expensive auditor hours to the final phase where controls are already operating.
One firm cannot play both roles. The CPA auditing firm must be independent of the firm that helped you implement controls. This independence requirement applies regardless of firm size — boutique or Big Four, the separation is mandatory and enforced by the AICPA and CPA Canada attestation standards.
The SOC 2 Audit Roadmap: A 12-Month Timeline
This is the standard path from decision to a signed Type II report. Timelines compress or expand based on your current control maturity and the observation period you choose. Most Canadian companies with no prior compliance program should budget 12–16 months for their first Type II.
- Month 1: Scope definition and gap assessment (2–4 weeks)
Decide which Trust Services Criteria to include. Engage a readiness consultant or senior internal resource to run a structured gap assessment against all applicable AICPA control objectives. Document your current control environment and identify every gap — a first-time engagement typically produces 40–90 findings.
- Month 1–2: Auditor selection and engagement letter
Issue RFPs to two or three CPA firms with SOC 2 practices. Evaluate their proposed observation window length, sampling methodology, timeline, and references from similar Canadian SaaS engagements. Sign an engagement letter that specifies scope, criteria, observation period start date, and deliverables.
- Months 2–4: Control remediation
Implement the fixes identified in the gap assessment. Common work: formal security policies written and signed off by leadership, centralized log management deployed and archiving configured, access review cadence established, multi-factor authentication enforced sitewide, vulnerability scanning tooling onboarded, vendor register built. See our small business cybersecurity guide for practical implementation steps on MFA, endpoint protection, and logging. This phase is the largest driver of both cost and timeline.
- Month 4: Observation window opens
Once all material gaps are remediated and controls are operating, the Type II observation clock starts. Minimum observation period: 3 months (accepted by most auditors but viewed skeptically by sophisticated buyers). Recommended: 6 months, which produces a more persuasive report and is the industry standard for Canadian enterprise sales cycles. The window should not open until controls are genuinely running — opening early and capturing a gap creates exceptions in your final report.
- Months 4–10: Continuous evidence collection
Throughout the observation window, collect and organize evidence: access review records (must be quarterly), change management tickets, incident log entries, backup test results, vulnerability scan outputs and remediation tracking, security training completion reports, penetration test report, vendor review documentation. A compliance automation platform (Drata, Vanta, Sprinto) integrates with AWS, Azure, GCP, GitHub, Okta, and your ticketing system to auto-collect a large fraction of this evidence, reducing manual effort by 40–60%.
- Months 10–11: Auditor fieldwork
The CPA firm pulls samples from your evidence library, interviews control owners, and tests controls against each criterion. Fieldwork for a mid-size SaaS company typically takes 3–6 weeks. Expect detailed questions on 20–40 specific control areas and requests for 10–25 samples per major control category.
- Month 11–12: Draft report review
The auditor issues a draft report. Review the system description for accuracy and completeness, and review any exceptions noted. Exceptions are common on first engagements — a testing exception means a sample the auditor pulled showed a control did not operate as described. You can provide management's response, but you cannot remove the exception retroactively.
- Month 12: Final report issued
The CPA firm signs and delivers the final SOC 2 Type II report. The report is your confidential property — shared under NDA with customers and prospects who request it as part of vendor due diligence. Most reports are relied upon for 12 months before re-attestation is required. Budget for the annual cycle from day one.
If you need a Type I report to unblock an immediate deal, the auditor can issue it against your current control design at month 4 before the observation window matures, then issue Type II at month 12. This adds $12,000–$18,000 CAD but can protect a deal that cannot wait a full year.
SOC 2 Costs in Canada: Full CA$ Breakdown for 2026
Total SOC 2 cost depends on your security maturity before starting, the number of Trust Criteria in scope, and your observation period length. The figures below reflect typical Canadian market rates in 2026. All currency is Canadian dollars (CAD).
| Cost Component | Type I (CA$) | Type II (CA$) | Notes |
|---|---|---|---|
| Gap / readiness assessment | $8,000–$15,000 | $8,000–$15,000 | One-time; shared across both types |
| Control remediation (consulting) | $10,000–$25,000 | $10,000–$25,000 | Varies widely by maturity |
| Penetration test (recommended) | $15,000–$28,000 | $15,000–$28,000 | Required by most enterprise buyers |
| Compliance automation platform | $8,000–$18,000/yr | $8,000–$18,000/yr | Drata, Vanta, Sprinto; optional but reduces staff hours 40–60% |
| CPA auditor fee | $15,000–$28,000 | $25,000–$45,000 | Mid-tier Canadian firm; Big Four adds 30–50% |
| Typical total (first-time, 3 criteria) | $45,000–$80,000 | $70,000–$130,000 | Excluding internal staff hours |
| Annual re-attestation (year 2+) | $12,000–$20,000 | $20,000–$40,000 | Drops 30–50% vs first year as evidence library matures |
The largest hidden cost is internal staff time. A 15–50 person engineering and IT team will spend an estimated 400–900 hours on a first-time SOC 2 engagement — documenting procedures, responding to auditor evidence requests, implementing tooling, running quarterly access reviews, coordinating the penetration test, and building the vendor register. At a fully-loaded cost of $120–$180 CAD per hour, that is $48,000–$162,000 in equivalent internal cost on top of all out-of-pocket fees.
Compliance automation platforms reduce internal burden by 40–60% by auto-collecting evidence from your cloud infrastructure, source control, identity provider, and ticketing system. The $8,000–$18,000 CAD annual platform cost pays back in hours saved during fieldwork alone for most companies with 10+ engineers.
Gap Assessment and Readiness: Before You Book an Auditor
Booking an auditor before completing a readiness assessment is the single most expensive mistake Canadian companies make in their SOC 2 journey. Auditors charge $200–$400 CAD per hour, and hours spent identifying gaps during fieldwork cost four to six times what a readiness consultant would charge to fix those same gaps in advance.
A gap assessment maps your current practices against all applicable Trust Services Criteria control points and produces two deliverables: a gap register listing every control objective you do not currently meet, and a remediation roadmap with priorities, owners, and effort estimates. For a 20–100 person SaaS company, expect a gap assessment to take 2–4 weeks and cost $8,000–$15,000 CAD externally, or 3–6 weeks if run internally with proper assessment templates from the AICPA.
Common findings in first-time Canadian SaaS gap assessments:
- No formal security policies — acceptable use, incident response, change management, and data classification either do not exist or exist on a forgotten Google Doc that has never been reviewed or acknowledged by staff
- Access reviews never happen — production system access is granted at onboarding and never audited; departures sometimes leave orphaned accounts active for weeks
- No centralized log management — CloudTrail, Azure Monitor, or GCP Audit Logs are enabled in some environments but not archived, not reviewed, and not retained beyond the cloud provider's default window
- Informal vendor management — no vendor register, no formal due diligence for critical subprocessors (AWS, Twilio, Stripe, SendGrid), no process for reviewing their security posture annually
- Background checks incomplete — required for all personnel with privileged access to production systems; often skipped for contractors or early hires
- Vulnerability management absent — scans run ad-hoc if at all; no remediation SLAs; no tracking of findings over time
- DR and backup testing undocumented — backups run nightly but restoration has never been tested end-to-end and the result has never been documented. See our business data backup guide for what a documented restoration test looks like.
Most of these gaps take 4–12 weeks to close with focused effort. The organizational side effect of fixing them — policy documentation, access governance, vendor risk management — makes your business more resilient regardless of SOC 2, which is why the audit has become a preferred forcing function for security maturity at fast-growing Canadian SaaS companies.
Set your observation window start date only after all material gaps are closed. The observation period should capture your controls operating as designed — not your team scrambling to implement them. A control gap that falls inside the observation window becomes an exception in the Type II report that every buyer who reads the report will ask about.
Evidence Collection: What Auditors Actually Test During Fieldwork
The fieldwork phase of a SOC 2 Type II audit is evidence-intensive. Auditors do not take management's assertion that controls operated — they pull samples from your records and test each one. Understanding what they actually request lets you collect evidence efficiently throughout the observation window rather than scrambling at fieldwork time.
Evidence auditors typically request across the Security Common Criteria:
- Access control (CC6): User provisioning and deprovisioning tickets (10–25 samples from the observation period), quarterly access review records for all production systems, privileged access lists, MFA configuration screenshots, SSO and directory service configuration
- Change management (CC8): Code commit logs, pull request approval records, deployment pipeline configuration showing peer review gates, change ticket samples demonstrating approval before production deployment
- Incident management (CC7): Full incident log covering the observation period, post-mortem documents for significant events, SLA compliance tracking
- Vendor management (CC9): Vendor register, security questionnaires or SOC 2 reports for all critical subprocessors, vendor contract data processing clauses, annual vendor review records
- Risk assessment (CC3): Annual risk register, risk treatment decisions with management sign-off, evidence that risk assessments informed control design
- Monitoring (CC4, CC7): Log retention configuration screenshots, alert rule exports, evidence of alert review cadence during the observation window
- Security training (CC1): Training platform completion reports covering all employees during the observation period, signed policy acknowledgement records
- Vulnerability management (CC7): Scan reports from throughout the observation period, remediation tracking by severity with SLA compliance evidence
- Penetration test (CC7): Signed penetration test report from an independent third-party firm, evidence of remediation for all critical and high findings
The most common area where evidence falls short is access reviews. Companies run them once just before fieldwork closes, but cannot produce records showing they occurred quarterly throughout the observation window. The fix is straightforward: put access reviews on a recurring calendar at the observation window start and store every output in a timestamped shared folder your auditor can access.
Log retention is the second most common weak point. AWS CloudTrail and Azure Monitor default to 90-day retention — a 6-month observation window loses the first 3 months of logs if you do not configure long-term archiving before the window opens. Configure your log archive to S3, Azure Blob, or a SIEM on Day 1 of the observation period. This is also sound business data backup practice independent of SOC 2 — an unretained log is a log you cannot use to investigate an incident.
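The two evidence gaps just described (access reviews that do not cover every quarter of the window, and audit logs that have aged out of the provider's rolling default retention before fieldwork) can be checked before the window opens. The Python script below is an added example, not code from the original article or from any compliance platform; it assumes a 90-day rolling default retention, and all dates, system names and review records in it are constructed sample data.

```python
"""Pre-fieldwork evidence coverage check for a SOC 2 Type II observation window.

Added example, not from the original article. Checks (1) that every in-scope
system has an access review filed in every quarter of the window and (2) how
many days of logs at the window start will already be unretrievable at fieldwork.
All dates, system names and review records below are constructed sample data.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessReview:
    system: str         # in-scope production system that was reviewed
    completed_on: date  # date the signed review output was filed


def add_months(d: date, n: int) -> date:
    """Shift d forward by n calendar months, clamping the day to month length."""
    years, month_index = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def quarters(window_start: date, window_end: date) -> List[Tuple[date, date]]:
    """Split the observation window into consecutive three-month blocks.
    A trailing partial block is kept so no part of the window is ignored."""
    blocks = []
    q_start = window_start
    while q_start <= window_end:
        q_end = min(add_months(q_start, 3) - timedelta(days=1), window_end)
        blocks.append((q_start, q_end))
        q_start = q_end + timedelta(days=1)
    return blocks


def access_review_gaps(reviews: Iterable[AccessReview], systems: Iterable[str],
                       window_start: date, window_end: date) -> List[Tuple[str, date, date]]:
    """Return (system, quarter_start, quarter_end) for each quarter in which a
    system has no filed access review. Empty list == CC6 evidence is complete."""
    reviews = list(reviews)
    gaps = []
    for system in systems:
        for q_start, q_end in quarters(window_start, window_end):
            covered = any(r.system == system and q_start <= r.completed_on <= q_end
                          for r in reviews)
            if not covered:
                gaps.append((system, q_start, q_end))
    return gaps


def log_coverage_gap_days(window_start: date, window_end: date, fieldwork_date: date,
                          archive_started_on: Optional[date] = None,
                          default_retention_days: int = 90) -> int:
    """Days at the start of the window whose audit logs will no longer be
    retrievable when the auditor samples them at fieldwork.

    Assumes logs are available from the long-term archive start date onward, and
    from the provider's rolling default retention (90 days here) before fieldwork.
    """
    earliest_rolling = fieldwork_date - timedelta(days=default_retention_days)
    earliest_available = earliest_rolling
    if archive_started_on is not None:
        earliest_available = min(archive_started_on, earliest_rolling)
    if earliest_available <= window_start:
        return 0
    # Clip to the window so a missing archive never over-counts past window_end.
    cutoff = min(earliest_available, window_end + timedelta(days=1))
    return (cutoff - window_start).days


def readiness_summary(reviews, systems, window_start, window_end, fieldwork_date,
                      archive_started_on=None) -> dict:
    """Combine both checks into one go/no-go result for the observation window."""
    review_gaps = access_review_gaps(reviews, systems, window_start, window_end)
    log_gap = log_coverage_gap_days(window_start, window_end, fieldwork_date,
                                    archive_started_on)
    return {
        "access_review_gaps": review_gaps,
        "log_gap_days": log_gap,
        "ready": not review_gaps and log_gap == 0,
    }


# Constructed sample: a 6-month window, two in-scope systems, archiving switched
# on one month into the window, and one system reviewed only in the second quarter.
WINDOW_START, WINDOW_END = date(2025, 4, 1), date(2025, 9, 30)
FIELDWORK_DATE = date(2025, 10, 15)
ARCHIVE_STARTED_ON = date(2025, 5, 1)
SYSTEMS = ["prod-postgres", "aws-console"]
SAMPLE_REVIEWS = [
    AccessReview("prod-postgres", date(2025, 5, 10)),
    AccessReview("prod-postgres", date(2025, 8, 20)),
    AccessReview("aws-console", date(2025, 9, 25)),
]

if __name__ == "__main__":
    result = readiness_summary(SAMPLE_REVIEWS, SYSTEMS, WINDOW_START, WINDOW_END,
                               FIELDWORK_DATE, ARCHIVE_STARTED_ON)
    for system, q_start, q_end in result["access_review_gaps"]:
        print(f"missing access review: {system} {q_start}..{q_end}")
    print(f"log days lost before fieldwork: {result['log_gap_days']}")
    print("ready to open window" if result["ready"] else "NOT ready: fix gaps first")
```

With the sample data the script reports one missing quarterly review for aws-console and 30 days of logs lost at the window start; with no archive at all the same 6-month window loses 107 days, which is the "first 3 months" case described above.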
SOC 2 vs ISO 27001: Which Framework Fits Your Canadian Company
The SOC 2 versus ISO 27001 question comes up for every Canadian B2B SaaS company that has customers or prospects in both North America and Europe. The two frameworks share significant control overlap but serve different audiences and produce different outputs. Here is a direct comparison across the dimensions that matter.
| Dimension | SOC 2 | ISO 27001 |
|---|---|---|
| Standard body | AICPA (US-based) | ISO/IEC (international) |
| Output | Attestation report (CPA-signed) | Certificate (accredited certification body) |
| Auditor requirement | Licensed CPA firm only | Accredited ISO certification body (e.g., BSI, Bureau Veritas) |
| Who requires it | US / Canadian enterprise buyers, SaaS procurement | European buyers, gov supply chains, EU tenders |
| Scope | Specific in-scope system or service | Organization's full information security management system (ISMS) |
| Timeline from zero (Canada) | 9–18 months (Type II) | 6–12 months to certificate |
| First-time cost (CA$) | $70,000–$130,000 | $25,000–$65,000 |
| Renewal cycle | Annual re-attestation | Annual surveillance audits + 3-year recertification |
| PIPEDA / Law 25 overlap | ~60–70% (with Privacy criterion included) | ~50% base; ISO 27701 extension adds ~70% |
| Best for | B2B SaaS selling to North American enterprise | EU markets, government supply chains, dual-certification strategy |
The standard advice for Canadian B2B SaaS companies in 2026: start with SOC 2 because it is what deals demand. Add ISO 27001 when you are winning EU business or government contracts that specifically require it. The two frameworks share roughly 70% of their control evidence, so completing SOC 2 first makes ISO 27001 substantially faster and cheaper — estimate 30–40% reduction in ISO 27001 implementation effort when you already have a mature SOC 2 program. See also our Canadian compliance frameworks matrix for a full picture of how all major frameworks interlock.
How SOC 2 Aligns with PIPEDA, Quebec Law 25, and PHIPA
Canadian companies pursuing SOC 2 frequently ask whether the program simultaneously satisfies their PIPEDA or Quebec Law 25 obligations. The short answer: partially, if you include the Privacy criterion — but not completely, and the gaps are meaningful.
PIPEDA alignment: PIPEDA's 10 Fair Information Principles map closely to SOC 2's Privacy sub-criteria P1 through P8. A Privacy criterion scope that covers all eight sub-criteria generates evidence directly relevant to PIPEDA Articles 4.7 (safeguards), 4.1 (accountability), 4.4 (limiting collection), 4.5 (limiting use, disclosure, and retention), and others. Where PIPEDA diverges from SOC 2: mandatory breach notification requirements (report to the OPC and affected individuals for breaches that pose significant harm) are not attested to under SOC 2. You need a documented breach response procedure and notification workflow independent of your SOC 2 program. Reference: priv.gc.ca for current PIPEDA breach notification guidance.
Quebec Law 25 alignment: Law 25 (An Act to modernize legislative provisions respecting the protection of personal information, in force since 2022 with full obligations by September 2023) requires a named privacy officer, mandatory privacy impact assessments for new projects involving personal information, explicit consent frameworks, enhanced individual rights (portability, right to be forgotten), and breach notification within 72 hours to the Commission d'accès à l'information. SOC 2 does not require a PIA program or portability mechanism — these are Law 25-specific governance obligations that fall outside the AICPA Trust Services Criteria. The technical safeguards required by Law 25 (access controls, encryption, retention limits) do overlap substantially with SOC 2 Security and Privacy controls. See our Quebec Law 25 compliance guide for the full obligation checklist.
PHIPA (Ontario) alignment: The Personal Health Information Protection Act applies to health information custodians and their technology agents in Ontario. SOC 2 is not a PHIPA compliance program, but a SOC 2 Type II report covering Security, Confidentiality, and Privacy provides strong independent assurance for health-tech vendors. Ontario hospitals and clinics increasingly accept a current SOC 2 Type II report alongside a completed PHIPA agent agreement in lieu of demanding a full independent PHIPA security review — saving vendors $20,000–$40,000 CAD in duplicated audit effort.
Federal government (ITSG-33): The Canadian Centre for Cyber Security's ITSG-33 guidance governs IT security for federal government systems and their vendors. SOC 2 is not a substitute for federal Security Assessment and Authorization (SA&A), but a current SOC 2 Type II report from a respected CPA firm substantially reduces the scope and cost of SA&A fieldwork by providing pre-existing independent assurance on your control environment. Reference: cyber.gc.ca/en/guidance/it-security-risk-management-itsg-33.
Seven Common Mistakes Canadian Companies Make During SOC 2
Most of the cost overruns and timeline extensions in first-time SOC 2 engagements trace back to a handful of avoidable mistakes. These are the ones that consistently show up across Canadian SaaS companies going through the process for the first time.
- Starting the observation window before controls are ready. Opening the clock before gaps are remediated means your Type II report will contain exceptions. Exceptions persist in the report for 12 months and require a management response that every buyer who reads the report will notice and ask about. The fix costs nothing — wait until controls are actually running.
- Underestimating the impact of scope additions late in the engagement. Adding a Trust Criterion after the engagement letter is signed adds 20–30% to auditor hours and resets portions of evidence collection. Decide scope before signing, and accept that the answer might change after you see what your enterprise prospects actually require.
- Not documenting DR and backup tests before the observation window opens. Auditors pull backup test records as samples. If you have never run a documented restoration test, this becomes an exception. Test your backup restoration — including RTO measurement — before the observation window starts and store the written result.
- Omitting critical subprocessors from vendor management. AWS, Twilio, Stripe, Cloudflare, and other critical third parties must be in your vendor register with annual review evidence. Auditors will request their SOC 2 reports or equivalent and verify you have reviewed them. Missing subprocessors are one of the most common exceptions on first-time engagements.
- Treating SOC 2 as a one-time project rather than a recurring program. Re-attestation is required every 12 months. Companies that sprint to their first report and let controls lapse scramble the next year and pay full remediation costs again. Build quarterly access reviews, monthly vulnerability scans, and annual penetration tests into your operational calendar from day one.
- Selecting a readiness consultant who also wants to be the auditor. Independence is non-negotiable under CSAE 3000. The firm that helps you implement and test controls cannot be the firm that attests to them. Plan your vendor selection with this separation in mind from the start.
- Failing to configure long-term log archiving before the observation window opens. Cloud default log retention is 90 days on most platforms. A 6-month observation window requires 6 months of retained logs. Configure S3 archiving, Azure Blob, or a SIEM retention policy before Day 1 of the observation period — not when the auditor asks at fieldwork.
Case Study: How a Toronto HR-Tech SaaS Achieved SOC 2 Type II in 14 Months
The following composite is drawn from patterns common across Canadian B2B SaaS SOC 2 engagements. All identifying details are generalized.
The company: A Toronto-based HR-tech SaaS with 38 employees processing payroll and benefits data for 200+ Canadian mid-market clients. Revenue at engagement start: $4.2M ARR. Target market: financial services and professional services firms across Ontario and British Columbia.
The trigger: A Vancouver-based financial services firm representing $580,000 ARR stalled in procurement when its information security team required a SOC 2 Type II report and an annual penetration test before countersigning the MSA. The deal had been in legal review for 11 weeks when security review issued the requirement. Three other enterprise prospects in the pipeline were also holding pending a SOC 2 report.
Gap assessment findings (selected): No formal incident response plan existed beyond a shared Notion page. Production system access was never reviewed — 4 former employees still had read access to the production database. No centralized SIEM. Background checks had not been run for 9 of 14 engineers with production privileges. AWS CloudTrail was enabled but not archived beyond 90 days. Backup restoration had never been tested end-to-end.
Remediation: Engaged a compliance readiness consultant for 14 weeks to close all critical and high-priority gaps. Deployed Vanta as the automation platform, integrated with AWS, GitHub, Okta, and Jira, with automated access review workflows and evidence collection. Engaged a Toronto-based security firm for a penetration test covering the web application and cloud infrastructure (cost: $21,500 CAD). Completed all critical gap remediation and opened the observation window at Month 4.
The audit: Engaged a mid-tier Canadian CPA firm (not Big Four) for a 6-month observation period Type II audit at $34,000 CAD. Observation window: Months 4–10. Fieldwork Month 11, draft report Month 12, final signed report Month 13. Scope: Security + Availability + Confidentiality.
Result: SOC 2 Type II report issued at Month 13 with zero exceptions. The Vancouver deal closed at Month 14 — 14 months after the security requirement was first raised. Total out-of-pocket cost: $86,000 CAD excluding internal staff hours (estimated at 680 hours across the security, engineering, and legal team). Three additional enterprise prospects who had been on hold converted within 90 days of the report being made available under NDA. The total incremental ARR unlocked within 6 months of report issuance exceeded $1.4M — a 16× return on the compliance investment within one year.
As a secondary benefit, the company used its SOC 2 evidence library (the common criteria and Confidentiality controls, since Privacy was not in scope) as the foundation for a Quebec Law 25 compliance program serving its Montreal-area clients; roughly 65% of Law 25's technical safeguard requirements were already covered by controls in place. What would have been a separate $25,000 CAD compliance engagement cost roughly $8,000 CAD in incremental work because the evidence already existed.
SOC 2 Readiness Checklist for Canadian SaaS Companies
Use this checklist before opening your Type II observation window. Every unchecked item is a potential audit exception. Items marked with an asterisk generate the most questions from enterprise buyers reading your report.
- ☐ Security policies written, dated, reviewed by leadership, and distributed to all staff: acceptable use, incident response, change management, data classification, remote work security, and vendor management
- ☐ All employees completed security awareness training within the past 12 months — completion records retained in a platform (not just email confirmations)
- ☐ Background checks completed for all personnel with privileged access to production systems, including contractors and long-tenured staff who were never formally screened
- ☐ Formal user provisioning and deprovisioning procedure in place — a ticket or workflow exists for every access grant and every termination; no orphaned accounts from departures *
- ☐ Quarterly access reviews scheduled and first completed — records with reviewer name, date, and access decisions stored and retrievable *
- ☐ Multi-factor authentication enforced on all production systems, cloud consoles, and corporate applications; SSO configured where available
- ☐ Centralized log management deployed — CloudTrail / Azure Monitor / GCP Audit Logs archiving to long-term storage (S3, Azure Blob, or SIEM) with minimum 12-month retention *
- ☐ Vulnerability scanning running on at minimum a monthly cadence — results tracked against remediation SLAs (critical: ≤30 days; high: ≤60 days; medium: ≤90 days)
- ☐ Penetration test completed within the past 12 months by an independent third-party firm — written report available; all critical and high findings remediated with evidence *
- ☐ Backup restoration tested end-to-end — written record of test date, scope, RTO achieved, any issues found, and sign-off by an owner
- ☐ Disaster recovery plan documented — tabletop exercise completed and recorded
- ☐ Vendor register current — all critical subprocessors listed; their SOC 2 reports or equivalent assurance documents collected and annual review recorded *
- ☐ Risk register in place — reviewed by leadership at least annually; treatment decisions for top risks documented
- ☐ Change management process enforced — all production deployments go through a version-controlled pipeline with mandatory peer review and approval before merge
- ☐ Incident log maintained throughout the observation period — all security and availability incidents tracked with detection time, response actions, and resolution
- ☐ CPA auditor engaged — engagement letter signed, observation window start date confirmed, evidence repository access provisioned
- ☐ Compliance automation platform configured (strongly recommended) — automated evidence collection running and verified before observation window opens
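An access review only produces evidence if it reconciles what the identity provider says against what HR says. The Python below is an added example, not code from the original page or from any platform it names. It joins a constructed HR roster CSV to a constructed SSO user export and emits the findings an auditor samples for: accounts still active after a termination date (the gap the case study found), accounts with no roster owner, users without MFA, and accounts idle beyond a threshold. The column names, the `PRIVILEGED_GROUPS` set, and the 90-day idle threshold are assumptions; map them to your own exports.

```python
"""Added example: reconcile an IdP user export against the HR roster to find
what a quarterly access review must catch. Both CSVs below are constructed
samples for this example, not data from any real tenant."""
import csv
import io
from datetime import date
from typing import Optional

# Constructed HR roster as an HRIS export might look (column names assumed).
HR_ROSTER_CSV = """employee_id,email,status,termination_date
E001,alice@example.com,active,
E002,bob@example.com,terminated,2024-11-30
E003,carol@example.com,active,
E004,dan@example.com,terminated,2025-02-14
"""

# Constructed SSO/IdP user export (column names assumed; groups ';'-separated).
IDP_USERS_CSV = """username,email,groups,mfa_enrolled,last_login
alice,alice@example.com,engineering;prod-db-read,true,2025-03-01
bob,bob@example.com,engineering;prod-db-read,true,2024-12-02
carol,carol@example.com,finance,false,2025-02-20
dan,dan@example.com,engineering,false,2025-02-10
svc-backup,svc-backup@example.com,prod-db-read,false,2025-03-02
"""

# Groups that confer production access (assumed names).
PRIVILEGED_GROUPS = {"prod-db-read", "prod-admin"}


def parse_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def reconcile(hr_csv: str, idp_csv: str, as_of: date,
              idle_days: int = 90) -> list:
    """Return one finding dict per problem found in the IdP export.

    Finding types:
      active_after_termination  account still exists past HR's termination date
      no_roster_owner           no HR record matches the account's email
                                (service accounts need a named owner)
      mfa_not_enrolled          MFA missing; 'privileged' says what to fix first
      idle_account              no login within idle_days, or never logged in
    """
    roster = {row["email"].lower(): row for row in parse_csv(hr_csv)}
    findings = []
    for user in parse_csv(idp_csv):
        name = user["username"]
        groups = set(filter(None, user["groups"].split(";")))
        privileged = bool(groups & PRIVILEGED_GROUPS)
        last_login = _parse_date(user["last_login"])
        person = roster.get(user["email"].lower())

        if person is None:
            findings.append({"user": name, "finding": "no_roster_owner",
                             "privileged": privileged})
        elif person["status"].lower() == "terminated":
            term = _parse_date(person["termination_date"]) or as_of
            findings.append({"user": name, "finding": "active_after_termination",
                             "privileged": privileged,
                             "days_open": (as_of - term).days,
                             "login_after_termination": bool(last_login and last_login > term)})

        if user["mfa_enrolled"].strip().lower() != "true":
            findings.append({"user": name, "finding": "mfa_not_enrolled",
                             "privileged": privileged})

        idle = (as_of - last_login).days if last_login else None
        if idle is None or idle > idle_days:
            findings.append({"user": name, "finding": "idle_account",
                             "privileged": privileged, "days_idle": idle})

    # Privileged findings first: those are the ones the auditor samples.
    findings.sort(key=lambda f: (not f["privileged"], f["user"]))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER_CSV, IDP_USERS_CSV, as_of=date(2025, 3, 15)):
        print(finding)
```

Run as a script to print the findings; with a reviewer name, date, and decision appended to each row, the output is the access review record the checklist asks for. The `days_open` value on a terminated user is what the auditor turns into an exception, so the deprovisioning ticket should close that gap on the termination date itself, not at the next quarterly review.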
SOC 2 Compliance in Canada — Common Questions Answered
Do Canadian companies need SOC 2 compliance?
SOC 2 is not a Canadian law — it is an attestation enterprise buyers require before purchasing B2B SaaS or managed services. If your prospects or customers ask for a SOC 2 report in security questionnaires or vendor onboarding, you effectively need it to close deals. It is most frequently required in financial services, healthcare, legal, and government procurement. Companies selling exclusively to small businesses or consumers rarely need it.
What is the difference between SOC 2 Type I and Type II?
A SOC 2 Type I report attests that your controls are suitably designed as of a single point in time. A Type II report attests that those controls operated effectively over a defined observation period of 3–12 months. Enterprise buyers almost always require Type II because it demonstrates sustained operation rather than a snapshot. Type I is sometimes used as an interim report while the Type II observation window runs.
How much does SOC 2 compliance cost in Canada?
First-time SOC 2 Type I costs approximately $45,000–$80,000 CAD all-in (gap assessment, remediation consulting, penetration test, tooling, and auditor fee). Type II costs $70,000–$130,000 CAD. Annual re-attestation runs $20,000–$40,000 CAD after the first year — costs fall 30–50% as your evidence library matures. The biggest variable is how much remediation work is needed before you can open the observation window.
How long does a SOC 2 audit take in Canada?
From decision to Type I report: 4–6 months. From decision to Type II report: 9–18 months, depending on your current security maturity and the observation period you choose. A company with a mature IT controls environment can complete a 3-month observation window and receive their Type II report in approximately 9–11 months. A company starting from scratch should budget 14–18 months for a 6-month observation window.
Which Trust Services Criteria are required in a SOC 2 audit?
Security (Common Criteria CC1–CC9) is mandatory in every SOC 2 engagement. The remaining four — Availability, Processing Integrity, Confidentiality, and Privacy — are optional and selected based on your customers' requirements and your service commitments. Most Canadian B2B SaaS companies include Security + Availability + Confidentiality. Adding Privacy generates the most additional evidence but also creates the most meaningful alignment with PIPEDA and Law 25 obligations.
Can a Canadian CPA firm issue a SOC 2 report?
Yes. In Canada, SOC 2 reports are issued under CSAE 3000 (Canadian Standard on Assurance Engagements) by CPA Canada member firms with attestation practices. US-based AICPA member firms can also audit Canadian companies and issue reports under AT-C 205, which is common when a US enterprise buyer specifies a preferred auditor. Whichever you choose, the attesting firm must be independent of you and cannot be the firm that designed or implemented your controls.
How does SOC 2 relate to Quebec Law 25 and PIPEDA?
SOC 2's Privacy criterion (P1–P8) maps closely to PIPEDA and Quebec Law 25 technical safeguard requirements. Completing SOC 2 with the Privacy criterion generates evidence covering roughly 60–70% of Law 25 technical obligations. However, Law 25 also requires a named person in charge of personal information, privacy impact assessments for new systems involving personal information, and individual rights mechanisms (portability, cessation of dissemination) that fall largely outside SOC 2 scope and must be addressed separately.
Should a Canadian company choose SOC 2 or ISO 27001?
Choose SOC 2 when your primary buyers are North American enterprise SaaS customers — they almost universally require a SOC 2 report rather than an ISO certificate. Choose ISO 27001 (or pursue both) when selling to European markets, government supply chains, or when procurement specifically requires a certifiable management system. The two frameworks share roughly 70% of control evidence; completing SOC 2 first reduces ISO 27001 implementation effort by 30–40%.
Get a free SOC 2 readiness assessment
Tell us about your company and current security posture. We will return a gap summary and a recommended path to Type II — no commitment, no invoice, reply within one business day.