soc2.zip legal · Last updated

Privacy Policy

This policy covers the soc2.zip product specifically: the intake form, payment flow, document preparation, and email delivery. It is in addition to, not in place of, the SOC2Auditors.org Privacy Policy.

Where this policy and the directory privacy policy conflict on soc2zip-specific data, this policy controls for that data.

TL;DR
  • We collect: your email, company info, form answers, optional supporting documents you email us, payment details (via Stripe), and basic technical info.
  • We use: contracted service providers for document processing, payment, database storage, hosting, and email delivery.
  • We share: only as needed to provide the product, comply with law, or protect the service. We do not sell your data.
  • You can: access, correct, or delete your data at any time by emailing hello@soc2auditors.org.

1. What we collect

You give us

  • Identity and contact: name, work email, company name, role
  • Company shape: headcount, industry, funding stage, location
  • Form answers: your responses to the intake topics covering your stack, security posture, deadlines, budget, and current state
  • Supporting documents (optional): if you choose to email us an org chart, vendor list, architecture sketch, or other documents to improve your package, we'll use them for generation only. We encourage you to redact personal names before sending.
  • Payment info: processed by Stripe. We receive a transaction record (amount, last 4 digits of card, card brand, billing ZIP). We do not see, store, or have access to your full card number.

We collect automatically

  • IP address, user-agent string, browser language
  • Timestamps for form-start, form-complete, payment, package-delivered
  • Pages viewed (basic analytics, no cross-site tracking)
  • Cookies used to maintain your form session

We do not use third-party advertising trackers on the soc2zip pages.

We do not collect

  • Government IDs, SSNs, biometric data
  • Personal information about your customers, employees, or vendors beyond what you choose to include in your form answers or email us
  • Health information, financial account numbers, or any data that would invoke HIPAA, GLBA, or similar specialized regimes

If your business handles such data and you email us documents containing it, please redact first.

2. How we use what we collect

  1. Prepare your package. Form answers and any supporting documents you email us pass through our document-processing workflow to produce your draft policies, evidence index, CAIQ Lite, and auditor introductions.
  2. Deliver your package. We email your package to you as an attachment.
  3. Provide support. Respond to questions, fix issues, process refunds.
  4. Match auditors. The matcher returns three auditor candidates inside your package. Your identity is not shared with those firms unless you explicitly opt in by contacting them directly.
  5. Improve our templates and quality checks. We hash and de-identify submissions for our regression-test set. We do not use your inputs to train third-party models.
  6. Bill you and pay our taxes. Standard accounting use.
  7. Detect fraud and abuse. IP and user-agent help us spot duplicate submissions and payment fraud.
  8. Communicate. Transactional emails (delivery, refund, support): always. Marketing emails: only if you opted in at checkout, and you can unsubscribe any time.

3. Automated processing

We use automated document-processing tools, including generative AI, to turn your inputs into a draft package for human review.

  • Your form answers and any supporting document contents may be sent to a contracted processing provider solely to prepare your package.
  • We use business-grade provider terms that restrict use of API inputs and do not permit your inputs to be used to train public models.
  • A human reviews the package before delivery, but you remain responsible for confirming every statement against your actual controls.
  • Our regression-test set uses hashed, de-identified versions only.

If you do not want your inputs processed by a contracted generative-AI provider, do not purchase soc2zip.

4. Sharing: who sees what

Subprocessors

Provider (purpose): what they see

  • Document-processing provider (draft preparation): form answers and supporting document contents while preparing your package
  • Stripe (payment processing): email, name, billing address, card data
  • Neon (database): form answers, customer records (encrypted at rest)
  • Plunk (transactional email): email address, send timestamps, your customer record
  • Cloudflare Pages / Workers (hosting): request metadata (IP, user-agent), routed data

Auditors

The auditor introductions in your package include three matched firms. We do not share your identity with those firms unless and until you reply to the email or otherwise contact them.

Legal compulsion, fraud, sale of business

We may share your data when required by valid legal process, to prevent fraud, or in connection with a sale of the business. In a sale scenario, we'll notify you by email at least 30 days before the transfer and let you delete your data first.

We do not sell your data

Period. No exceptions.

5. Your rights

You can ask us to access, correct, delete, or port your data. If you are in the EU, UK, or California, additional rights under GDPR, UK GDPR, or CCPA apply. We honor those rights for all customers, regardless of location.

To exercise any of these: email hello@soc2auditors.org from the email address you used at checkout. We respond within 30 days; usually within 5 business days.

6. International transfers

soc2zip operates from the United States. Our subprocessors are primarily in the US. If you are in the EU or UK, your data is transferred to the US. We rely on the EU-US Data Privacy Framework (where the relevant subprocessor is certified) and on Standard Contractual Clauses for those that are not.

7. Security

See Document Retention Policy under "Security posture." Short version: encrypted at rest, encrypted in transit, MFA on production systems. If we discover a security incident affecting your data, we will notify you by email within 72 hours of confirming the incident.

8. Children

soc2zip is a B2B product for businesses. We do not knowingly collect data from anyone under 18.

9. Changes

We may update this Privacy Policy. The version that applies to your purchase is the one in effect on the date you paid. Material changes will be emailed to active customers at least 30 days before they take effect.

10. Contact

Privacy questions / data requests: hello@soc2auditors.org

Operating entity: soc2.zip, operated by the team behind soc2auditors.org, United States