Skip to main content
Your issued SOC 2 report already names the organizations your system depends on: the CPA firm that performed the audit, the cloud provider that hosts production, an identity provider, a subservice organization carved out of scope. The console reads that language and turns it into a map you review, instead of a list you build by hand. This is a console capability, part of ongoing management on the One Plan. It is separate from the free Commitment Review, which mirrors commitments only.

What gets mapped

Providers and what they supply

Each organization your report names, and the specific product or service it provides - hosting, identity, monitoring, the audit itself.

How it relates to your system

Whether the relationship is stated as hosting, storing, processing, or supporting your system, and the control-reliance posture your report describes - inherited, carved out, monitored, or reference only.

Suggestions, not facts

Nothing in the map becomes official on its own. Every provider, offering, and relationship starts as a suggestion, anchored to the exact sentence and page it came from. You confirm what’s accurate or dismiss what isn’t - the console never promotes a suggestion to confirmed on your behalf.
If your report is silent about a relationship, the console leaves it out. It does not infer a vendor from context, and it does not fill gaps with a generic list of “common” providers.

Why this instead of a spreadsheet

A flat vendor list answers “who do we work with.” It doesn’t answer “which of these does our SOC 2 report actually describe, and how.” The map exists so that question has a citable answer - one you can point an auditor to, not one you have to reconstruct from memory before the next audit period.

Review my SOC 2 - free

Start with the free review. The third-party map is part of ongoing management afterward.