Compliance evidence
SOC 2 — domain & certificate controls
For US SaaS companies selling to enterprises, SOC 2 is the most common compliance ask for B2B software.
Authority: AICPA (American Institute of Certified Public Accountants)
What SOC 2 actually requires
SOC 2 applies to any service organization handling customer data. Type I attests that controls are designed appropriately at a point in time; Type II attests that controls operated effectively over 3-12 months. The Trust Services Criteria cover Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Cryptographic identity — TLS certificates on systems that handle customer data — falls under the Security criterion.
Full name: SOC 2 (System and Organization Controls 2).
Controls that touch certificates and domains
These are the 4 controls most directly affected by TLS certificate and domain lifecycle. CertRadar produces evidence bundles mapped to each.
| Control | Title | How CertRadar helps |
|---|---|---|
| CC6.1 | Logical and Physical Access | Evidence that access to systems handling customer data is protected by TLS, with current certificate inventory. |
| CC6.6 | Boundary Protection | Direct fit: boundary protection includes valid, unexpired TLS certificates on all public-facing endpoints. |
| CC6.7 | Transmission of Data | Evidence that data in transit is encrypted using current, trusted certificates. |
| CC7.2 | Monitoring for Anomalies | Ongoing monitoring of certificate expiry, issuer changes, and chain health with documented alert thresholds. |
What the evidence pack contains
CertRadar’s one-click export for SOC 2 includes:
- Complete domain and certificate inventory with discovery date and ownership attribution
- Per-certificate: issuer, valid_from, valid_to, SANs, chain depth, fingerprint
- Exception log: every expiry alert raised, who was notified, when it was resolved
- Control mapping: artifacts indexed to CC6.1 / CC6.6 / CC6.7 / CC7.2
- Cryptographic manifest hash (tamper-evident evidence bundle)
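One way a tamper-evident manifest hash over such a bundle can work, as an added example that is not CertRadar's code or export format. The file names, record layout and SHA-256-over-canonical-JSON scheme are assumptions, and the sample records are constructed.

```python
import hashlib
import json

# Constructed sample artifacts (not real CertRadar output); the per-certificate
# field names follow the evidence-pack list, everything else is assumed.
ARTIFACTS = {
    "inventory.json": [
        {"domain": "app.example.com", "issuer": "Example CA R1",
         "valid_from": "2025-01-10T00:00:00Z", "valid_to": "2025-04-10T00:00:00Z",
         "sans": ["app.example.com"], "chain_depth": 3,
         "fingerprint": "sha256:PLACEHOLDER"},
    ],
    "exceptions.json": [
        {"alert": "expiry<30d", "domain": "app.example.com",
         "notified": "secops@example.com", "resolved": "2025-03-20T09:00:00Z"},
    ],
    "control_map.json": {"CC6.1": ["inventory.json"], "CC6.6": ["inventory.json"],
                         "CC6.7": ["inventory.json"], "CC7.2": ["exceptions.json"]},
}

def canonical(obj) -> bytes:
    """Deterministic JSON encoding so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def build_manifest(artifacts: dict) -> dict:
    """Hash each artifact, then hash the table of name -> digest entries."""
    entries = {name: hashlib.sha256(canonical(body)).hexdigest()
               for name, body in artifacts.items()}
    return {"entries": entries,
            "manifest_sha256": hashlib.sha256(canonical(entries)).hexdigest()}

def verify(artifacts: dict, manifest: dict) -> list:
    """Return the names of artifacts that are missing, added, or altered."""
    current = build_manifest(artifacts)["entries"]
    recorded = manifest["entries"]
    problems = sorted(n for n in set(current) | set(recorded)
                      if current.get(n) != recorded.get(n))
    # A rewritten entries table is caught by the top-level hash.
    if hashlib.sha256(canonical(recorded)).hexdigest() != manifest["manifest_sha256"]:
        problems.append("<manifest>")
    return problems

if __name__ == "__main__":
    m = build_manifest(ARTIFACTS)
    print(m["manifest_sha256"], verify(ARTIFACTS, m))
```

The manifest hash only gives tamper evidence if the auditor obtains it through a channel separate from the bundle, or if it is signed; a hash stored next to the files can be recomputed by whoever alters them.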
Ship the SOC 2 evidence your auditor asks for.
CertRadar gives security, IT, and compliance teams a complete inventory of every domain and cert your company owns — plus a one-click evidence pack mapped to SOC 2 controls. Beta in weeks. Early members get a lifetime Pro discount.