Back

Getting SOC 2 Done: Lessons from Sandstone's First Audit

JP Zimmer

JP Zimmer

July 15, 2026

JP Zimmer is on the operations team at Sandstone, where he focuses on the systems and infrastructure.

Security, data protection, and compliance are hard at any company. Add AI to the equation, and they get harder, especially when the data you're handling includes sensitive legal information, confidential business communications, and the institutional knowledge of your customers' legal departments. At Sandstone, security wasn't an afterthought — it was a founding consideration, baked in before we had a product to protect. While there's no shortage of AI compliance frameworks to navigate (SOC, ISO, GDPR, the EU AI Act), the one that comes up most in enterprise conversations is SOC. So that's where I'll focus.

A Brief History

The SOC frameworks we know today trace back to the 1970s, when the American Institute of Certified Public Accountants (AICPA) released the Statement on Auditing Standards (SAS) 1 — a foundational document defining the role and responsibilities of an independent auditor. For the next two decades, SAS frameworks stayed focused on a company's internal financial controls. That changed in 1992 with SAS 70, the first framework to address information security and how companies handle data.

The modern era of SOC reporting began in 2010, when the AICPA released the Statement on Standards for Attestation Engagement (SSAE 16). Under SSAE 16, the three reports most people reference today — SOC 1, SOC 2, and SOC 3 — were formally established. The last major update came in 2017 with SSAE 18, which simplified and refined the standards into what we work with now.

The Three SOC Frameworks

There are three main frameworks, each designed for a different context.

SOC 1 centers on internal controls over financial reporting. It matters most for companies that directly touch their customers' financial statements.

SOC 2 is the one most relevant for technology and AI companies. It evaluates the strength of your cloud and data center security controls, measured against the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. For a company handling sensitive legal data on behalf of corporate legal departments and in-house teams — contract terms, negotiation positions, regulatory exposure — it's the framework that signals you've done the work.

SOC 3 is essentially a public-facing summary of your SOC 2 report just with less detail and broader distribution. Useful for prospects who want a high-level read on your security posture without the full report.

Type 1 vs. Type 2

Within SOC 2, there are two types of assessments worth distinguishing.

Type 1 evaluates whether your security controls are properly designed at a single point in time. It's a snapshot, useful for getting on the board early and demonstrating intent.

Type 2 is more rigorous. It evaluates whether those controls are actually operating effectively over a sustained period — typically around three months for a first audit, with longer observation windows expected as your company matures. Enterprise customers almost always want Type 2, because it proves continuous compliance rather than a one-time check. It's also the foundation of enterprise trust: customers aren't just buying your product; they're trusting you with their data.

TRDL: Both matter. Type 1 gets you moving. Type 2 is what closes deals.

How We Did It

In the early days of Sandstone, we knew SOC 2 would be one of our biggest GTM hurdles. It's consistently one of the top deal-breakers for early-stage companies pursuing enterprise contracts — and beyond the commercial necessity, handling sensitive legal data carries a real obligation. A data breach in an in-house legal environment isn't just a technical incident; it can expose confidential business information, compromise negotiation positions, and erode the trust that in-house teams depend on to do their jobs. Our CTO, Liam Germain, and I set out to complete both Type 1 and Type 2 within a matter of months, without cutting corners.

Getting organized first. The first real decision was choosing a compliance platform. The options range from spreadsheets and shared drives to AI-enabled systems, and the efficiency differences are significant. We chose Vanta based on prior experience, and it was the right call. A good compliance platform does two things well: it gives you a clear picture of exactly which controls and evidence are required, and it provides continuous monitoring to keep you compliant long after the audit closes.

Evidence collection is where the real work is. Once our foundation was in place, we started on evidence collection and control implementation — easily the most time-consuming part of the process. Integrations and automated monitoring help, but there's no avoiding the setup work. One of our biggest early challenges wasn't producing the right information; it was knowing where to find it. We used Vanta's readiness assessment tools to identify any gaps and remediate them before the audit officially began.

The Audit

I'll focus on our Type 2 audit since it's significantly more involved.

Our Type 2 kicked off immediately at the close of our Type 1 and ran for a three-month observation period (3-6 months is typical for a first audit while later audits are typically 12 months to ensure continuous compliance). Throughout that window, auditors continuously review the controls and monitor systems. This is where continuous monitoring pays off — a lot of that work can happen automatically in the background.

Near the end of the audit, it's common to receive requests for additional evidence on controls that weren't fully satisfied or simply needed more context. We found this the most demanding phase: several weeks of back-and-forth, tracking down evidence, and submitting it to the auditing team. This is normal for a first audit. Both sides are learning — the auditors are getting familiar with your company and its nuances, and you're figuring out what types of evidence actually satisfy a given control.

One thing I'd emphasize: the relationship with your auditors matters more than most people expect. We spent hours on calls to ensure both sides had a clear, shared understanding of the requirements. Treat it as a collaborative process. The first audit is a learning experience for everyone involved, and the more openly you communicate, the faster it moves.

Once all evidence is submitted and every follow-up is resolved, the auditors draft your report — typically around a month from when you provide your final piece of evidence. A full Type 2 report often runs 50+ pages. After both sides have reviewed and signed off, you receive your SOC 2 certification and a report you can share directly with customers.

What We'd Tell Anyone Starting This Process

SOC 2 is one of the more demanding operational milestones for an early-stage company. It's also entirely manageable with the right preparation. A few things we'd do the same way again:

Invest in a compliance platform early. It's the foundation everything else is built on. The difference between a spreadsheet-based approach and a proper platform isn't marginal — it's structural.

Start your readiness assessment well before you begin the audit. Every gap you find and fix before the observation period begins is one less piece of back-and-forth during it.

Build a relationship with your auditors from day one. They're not adversaries. The more aligned you are on expectations, the smoother the whole process goes.

Plan for the first audit to take longer than you think. Budget time for the back-and-forth at the end. It's normal, and it won't be as intense the second time around.

Getting SOC 2 certified is worth it, not just because enterprise customers require it, but because the process of building toward it forces you to take data protection seriously in ways that matter. We're glad we did it early and didn't cut corners.

What This Means for Sandstone's Customers

The reason we pursued SOC 2 wasn't only to unblock enterprise deals — it was to be worthy of handling the data our customers trust us with. In-house legal teams and legal operations leaders work with some of the most sensitive information in any organization: contract terms, negotiation positions, M&A communications, regulatory exposure. That data deserves rigorous protection.

A few commitments worth stating directly: Sandstone never uses customer data to train AI models. We maintain zero data retention agreements with our underlying AI providers, meaning your data isn't persisted or shared beyond what's required to deliver the product. All data is encrypted in transit and at rest. And our SOC 2 Type II certification means an independent third party has verified that these controls aren't just stated — they're operating.

Data privacy for in-house legal teams isn't a checkbox. It's a core part of sound information governance — and the baseline for earning a seat in the work. We took it seriously from day one because that's what this category demands.