Enterprise

SOC 2 Type II at Ciao

Independent audit evidence for your security review — reports available under NDA, with the platform controls behind them demonstrable live.

SOC 2 Type II is an independent audit of a vendor's controls operating over a period of time, not a point-in-time snapshot. Ciao makes SOC 2 Type II reports available under NDA, so security reviewers read the auditor's actual findings and scope rather than a marketing summary. Unlike badge-wall attestations, the report itself is the authoritative statement of what was audited and how the controls performed.

Best forSecurity reviewers reading audit evidenceVendor risk scoringCompliance mapping

Published 2026-07-03 · Last updated 2026-07-03

Why Type II is the report worth reading

A SOC 2 Type I report describes controls as designed on a single day. A Type II report tests whether those controls actually operated over an audit period — which is the question your risk assessment is really asking. For a platform that generates, tests and deploys production software, operating effectiveness matters more than design intent: a change-management control that exists on paper but is skipped under deadline pressure is precisely what Type II auditing is built to surface.

Ciao provides SOC 2 Type II reports under NDA. The NDA step is standard for this document class and works in your favor: it means you receive the full report — scope, auditor testing, results — rather than a public summary trimmed for marketing.

There is a procedural benefit worth naming, too. Because the report is a standard artifact, your team can review Ciao with the same rubric it uses for any processor: no special AI exception, no bespoke assessment framework — the same document class, the same scoring, the same evidence bar.

What the report gives your reviewers

  • Independent evidence — The report is produced by an independent auditor, so your scoring does not rest on vendor self-assessment.
  • An explicit scope statement — The report states which systems, criteria and period were audited. Read this section first — it is the authoritative answer to 'what does your SOC 2 actually cover?'.
  • Control descriptions and test results — For each control, the auditor's testing and results are recorded, which lets your team weigh evidence instead of accepting a pass/fail badge.
  • A basis for questionnaire answers — Ciao's security questionnaire responses are grounded in the report and the security pack, so written answers can be checked against audited evidence.

How the audited controls relate to the platform you will evaluate

The control families a SOC 2 review examines are visible in the product itself. Identity and access: SSO via SAML and OIDC, optional MFA and role-based access control. Change management: Guardrails detects risky changes, applies plain-English policies, records human review and leaves an audit trail behind every merge. Monitoring and operations: QA runs smoke gates before publish and production checks after, while Doctor — a read-only AI SRE — probes the live application, DNS and CDN.

This mapping is context, not a substitute for the report. The report itself is the authoritative statement of audit scope and results; treat any webpage summary, including this one, as an index to the real document.

Use the mapping the way you would use a site map: it tells reviewers where to look in the product when a control description in the report feels abstract. Reading the report with the product open turns audit language into observable behavior, which is the fastest route to justified confidence.

How to request the report

  1. 1. Contact the enterprise team

    Use the contact page and state that your security review needs the SOC 2 Type II report. A named contact takes it from there.

  2. 2. Sign the NDA

    A standard step for this document class. Confirm at this point who on your side may read the report, so distribution is settled before delivery.

  3. 3. Receive and review

    Read scope first, then the auditor's testing and results. Send questions back through your contact — auditor-language questions are expected, not an imposition.

  4. 4. Pair it with a live look

    Ask to see the controls the report describes operating in the product: a governed merge with recorded human review, the append-only audit trail, security findings confirmed against a live app.

What reviewers typically check, and where to verify it

Reviewers typically checkWhere it lives at CiaoHow to verify
Access managementSSO via SAML and OIDC, optional MFA, RBACReport under NDA; identity walkthrough
Change managementGuardrails policies, recorded human review, audit trail behind every mergeReport under NDA; live governed-merge demo
System monitoringQA production checks; Doctor probing the live app, DNS and CDNReport under NDA; live demonstration
Data handlingNo training on customer code; zero-retention model contractsDPA and contract terms
Audit evidenceAppend-only trail across prompts, merges, deploys, admin actionsSample reconstruction during evaluation

Beyond the report

A Type II report covers its audit period; your risk does not stop at the period's end date. Two things bridge the gap. First, the security pack — available on request via the contact page — documents current architecture and data handling. Second, the controls themselves are part of the product, so an evaluation can watch them operate today rather than relying only on how they operated during the audited window.

If your vendor-risk process re-scores annually, the annual loop here is straightforward: request the current report, compare the scope statement against last year's, and re-run the live checks your team recorded during the first evaluation. Reviews get cheaper each cycle because the evidence trail is already established.

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?

Type I assesses whether controls are suitably designed at a point in time. Type II tests whether they operated effectively over a period. Ciao provides Type II reports under NDA, which is the stronger evidence for vendor risk decisions.

Which trust services criteria are in scope?

The report's scope section is the authoritative answer, and it is exactly why the full report is shared under NDA rather than summarized publicly. Request the report and read the scope statement before scoring.

Can we distribute the report to our internal audit and legal teams?

Distribution is governed by the NDA's terms. Name the teams who need access when you request the report so the scope of distribution is agreed up front.

How current is the report we would receive?

You receive the current report, and its cover states the audit period it covers. If your review has recency requirements, state them when requesting — you will get a direct answer about the period rather than a vague assurance.

Is a bridge letter available for the gap after the audit period?

Raise it when you request the report. Gap-coverage questions are a normal part of the review, and the enterprise team will tell you what is available for the current period rather than leaving it ambiguous.

Related pages

Get the security pack.

SOC 2 Type II Reports Under NDA | Ciao