What gets mapped
Providers and what they supply
Each organization your report names, and the specific product or service it
provides - hosting, identity, monitoring, the audit itself.
How it relates to your system
Whether the relationship is stated as hosting, storing, processing, or
supporting your system, and the control-reliance posture your report
describes - inherited, carved out, monitored, or reference only.
Suggestions, not facts
Nothing in the map becomes official on its own. Every provider, offering, and
relationship starts as a suggestion, anchored to the exact sentence and page it
came from. You confirm what’s accurate or dismiss what isn’t - the console never
promotes a suggestion to confirmed on your behalf.
Why this instead of a spreadsheet
A flat vendor list answers “who do we work with.” It doesn’t answer “which of these does our SOC 2 report actually describe, and how.” The map exists so that question has a citable answer - one you can point an auditor to, not one you have to reconstruct from memory before the next audit period.Review my SOC 2 - free
Start with the free review. The third-party map is part of ongoing management afterward.