Skip to main content
The process is intentionally narrow and explicit: NDA first, upload second, machine extraction third, practitioner verification before delivery.

The three steps

1

NDA and upload

You accept a mutual NDA and authorize machine and human analysis. Only then is upload enabled. The NDA text is public at soc2doc.ai/nda.
2

Extraction, then verification

The extraction pipeline reads the report for commitments, cadences, third-party dependencies, and inherited controls. A practitioner then checks the output before it is sent to you.
3

Your review

Your Commitment Review is delivered by email: what the report says you committed to, how often the work recurs, and what ownership questions it raises.

What the review is - and is not

In: commitments and cadences

The promises stated in the report, the frequencies attached to them, and ownership prompts written for operators rather than auditors.

Out: scoring and templates

The review does not do gap analysis and does not attach a generic checklist. It mirrors the report; it does not grade the organization.

Then what

Many teams use the review to find which commitments lack a clear owner. From there, you can book a compliance call, move into year-round management on the One Plan, or take the list back to your own team. The review is yours either way. See after the review.

Review my SOC 2 - free

Start with your issued SOC 2 report.