You need a SOC 2 report to close your first enterprise deal, satisfy a US health system's vendor requirements, or demonstrate security maturity to investors. ThreeShield delivers the readiness work — gap analysis, evidence automation via Lavawall®, control design, policy library, staff training, and auditor coordination. The CPA firm partner performs the examination and issues the attestation opinion. One contract, one price, one SOC 2 report.
US hospital systems, health insurers, and enterprise health tech buyers increasingly require SOC 2 Type II as a vendor prerequisite. ThreeShield has a specific 90-day track for health tech companies that need to satisfy HIPAA Business Associate obligations simultaneously with SOC 2.
Canadian fintech companies selling to US financial institutions face SOC 2 requirements as a condition of vendor onboarding. This engagement pairs naturally with OSFI B-13 readiness for companies serving Canadian financial institutions simultaneously.
A SOC 2 Type II report demonstrates that your managed services practice has independently verified controls. Combined with ThreeShield's MSP augmentation model, this positions your firm for contracts your competitors can't pursue.
Investors conducting technical due diligence increasingly check for SOC 2 readiness as a signal of operational maturity. A Type I report in hand during fundraising removes a common investor objection.
An attestation opinion issued by the firm that designed the controls is not credible to enterprise buyers — they understand the conflict of interest. The CPA firm's independence is what gives the report weight. ThreeShield coordinates the engagement; the CPA firm operates independently for opinion integrity.
Gap analysis against Trust Services Criteria. Lavawall® deployed. Control inventory documented. Policy gaps identified.
Missing controls designed and implemented. Policy library completed. Staff training delivered. Evidence collection begins via Lavawall®.
CPA firm engaged. Type I examination performed on control design at this point in time. Type I report issued.
Lavawall® automates evidence collection. Controls monitored continuously. ThreeShield manages any findings or exceptions.
CPA firm completes examination of operating effectiveness. SOC 2 Type II report issued. You can share with enterprise prospects immediately.
Custom control design outside the five Trust Services Criteria categories. Remediation of major architectural changes identified in assessment (quoted separately). Penetration testing (available as add-on). Ongoing post-report monitoring beyond the engagement period (available as a separate Lavawall® subscription). CPA firm fees — these are coordinated through ThreeShield as part of the total engagement price; they are not a surprise add-on.
For most US enterprise deals, Type I satisfies the initial vendor review and gets you into the conversation. Type II is typically required to close a contract with a large health system, financial institution, or federal contractor. ThreeShield recommends pursuing Type I immediately (90 days) to unblock your sales pipeline, then proceeding to Type II in parallel. Your enterprise buyer will usually accept Type I as an interim measure while Type II is in progress.
Security (CC1–CC9) is mandatory for every SOC 2 report. Availability, Confidentiality, Processing Integrity, and Privacy are optional and depend on your service commitments. ThreeShield scopes the applicable criteria during the readiness assessment based on what your service agreements and enterprise buyers actually require. Over-scoping wastes time and money; under-scoping produces a report your buyers don't accept.
Fixed-scope engagement. The quote after your scoping call covers ThreeShield's readiness work and the CPA firm's examination fees — one number, no surprises. No hourly billing. No change orders for work within scope. We'll have a quote within two business days of your scoping call.
Yes — and this is the most common combination for Canadian health tech companies. Lavawall® maps evidence to both SOC 2 and HIPAA simultaneously. Policy work overlaps significantly. ThreeShield runs the combined engagement as one project. See our HIPAA Compliance package.
ThreeShield delivers SOC 2 Type I and Type II readiness, evidence automation via Lavawall®, and remediation. The Type II opinion is issued by our licensed CPA audit partner. You get one integrated engagement, one contract, one price — the CPA firm operates independently for opinion integrity. This is the same model used by Drata and Vanta; ThreeShield simply states it plainly.
Book a scoping call. Fixed scope, fixed price, no surprise invoices. No hourly billing. No minimums. B-Corp standards.