AICPA SSAE 18 / SOC 2 TSC · 23 QUESTIONS · FREE TEMPLATE

SOC 2 Subservice Organization Questionnaire — what your customer's auditor needs

Your customer is a SaaS company, and they listed you as a subservice organisation in their SOC 2 system description. Now their auditor (Deloitte / EY / PwC / KPMG / a CPA boutique) is sending you a questionnaire to support the SSAE 18 examination, specifically the complementary subservice organisation controls (CSOCs) that your customer's report assumes you operate.

Total questions: 23
Categories: 6
Typical timeline: 5–7 business days (auditor windows are tight)
Effort: 8–15 hours
Who requests it:
  • Your customer's external SOC 2 auditor
  • Your customer's compliance team building a vendor evidence binder
Who fills it out:
  • Security / GRC, with engineering input on availability and processing-integrity (PI) controls
  • Often the CISO and Head of Customer Success co-sign

The questionnaire — every question, inline

1. Security (Common Criteria)

6 questions
TSC CC1–CC9: governance, communication, risk assessment, monitoring, logical access, change management, operations.
  1.1 Most recent SOC 2 Type II report: audit period, audit firm, and opinion (unqualified / qualified). If there is a gap between the report's period end and today, provide a bridge letter covering it. [Critical]
  1.2 List any qualifications, exceptions, or carve-outs in the latest SOC 2 and the remediation status of each. [Critical]
  1.3 Logical access: describe provisioning, quarterly access reviews, and the termination workflow for production access. [Critical]
  1.4 Change management: describe approvals, segregation of duties, and emergency-change controls. [High]
  1.5 Vulnerability management: scanning frequency, patch SLAs by severity, and evidence of remediation. [High]
  1.6 Risk assessment: frequency, methodology, and how identified risks map to mitigating or compensating controls. [Medium]

2. Availability

4 questions
Uptime, monitoring, capacity, DR.
  2.1 Published uptime SLA and current trailing-12-month actual availability per region. [Critical]
  2.2 RTO and RPO commitments, plus the date and result of the most recent DR test. [High]
  2.3 Capacity-planning process and how customers are notified of degraded performance. [Medium]
  2.4 24/7 monitoring and on-call structure: internal SOC, MSSP, or hybrid? [High]

3. Confidentiality

4 questions
Encryption, data classification, retention.
  3.1 Encryption at rest and in transit: algorithms, key length, KMS provider, rotation cadence. [Critical]
  3.2 Data classification scheme and corresponding handling controls. [High]
  3.3 Customer data retention defaults and termination-deletion SLA (production + backups). [Critical]
  3.4 Non-disclosure obligations for workforce: sample NDA terms. [Medium]

4. Processing Integrity

3 questions
Completeness, accuracy, validity of processing.
  4.1 How do you detect and reconcile incomplete or duplicate processing of customer transactions? [High]
  4.2 Describe input-validation, business-rule, and reconciliation controls in the critical processing path. [High]
  4.3 How are processing errors surfaced to customers? Provide a sample error notification. [Medium]

5. Privacy (if in scope)

4 questions
Notice, choice and consent, collection, use and retention, access, disclosure, quality, monitoring and enforcement.
  5.1 Public privacy notice URL, last review date, and the legal review log. [Critical]
  5.2 How are data subject rights (access, deletion, portability) handled: process, owner, SLA? [High]
  5.3 Cross-border transfer mechanisms (SCCs, BCRs, adequacy decisions) and the countries involved. [High]
  5.4 Privacy-incident response procedure and notification triggers. [Critical]

6. Complementary Controls (CSOCs and CUECs)

2 questions
Two lists the auditor needs to reconcile: the complementary subservice organisation controls (CSOCs) that your customer's system description assumes you operate, and the complementary user entity controls (CUECs) that your customers must operate themselves for the combined system to work.
  6.1 Confirm the CSOCs your customer's system description attributes to you, and provide the list of CUECs your customers are expected to perform (e.g. manage their own users, configure SSO, monitor their own usage). [Critical]
  6.2 How do you communicate changes to CUECs and to the controls you operate on customers' behalf (release notes, in-product banner, email)? [High]


Want this pre-filled with YOUR controls?

Run a free SOC 2 / AICPA TSC audit. ComplianceIQ uses your audit responses and generated policies to populate an answer pack you can paste into any SIG, CAIQ, or custom enterprise questionnaire — in minutes, not days.


FAQ

What's the difference between a subservice organisation and a vendor?
A subservice organisation operates controls that your customer relies on for their own control assertions in their SOC 2 (e.g. AWS is a subservice organisation for your customer). A vendor is anyone you buy from. Subservice status carries a higher evidence burden, because your customer's auditor must either test your controls or rely on your own SOC 2 report.
Inclusive vs carve-out method — which is better for me?
Under the carve-out method your controls are excluded from the customer's report and the customer's auditor relies on your independent SOC 2; under the inclusive method your controls are described and tested inside the customer's report, which requires your direct cooperation with their auditor. Carve-out is far more common and lower friction: provide your SOC 2 plus a bridge letter and you're usually done.
What if our SOC 2 doesn't cover all 5 TSC?
Most B2B SaaS reports cover only Security, Availability, and Confidentiality. If a customer needs Privacy or Processing Integrity coverage and your report doesn't include it, expect a much longer custom questionnaire, because their auditor has no report to rely on for those criteria.

Related free policy templates

  • SOC 2 Access Control Policy
  • SOC 2 Incident Response Plan

What happens when these answers are wrong

Uber: $148M settlement. Paid hackers $100K to hide a 57M-record breach for over a year.

More questionnaires

  • SaaS Vendor
  • Cloud Provider
  • HIPAA BA Assessment
  • GDPR Art. 28
  • PCI DSS SP