SOC 2 Type II
The attestation US enterprise buyers ask for before they sign a contract. Type II is not a snapshot of your controls today. It is proof they ran correctly every day across 6 to 12 months. IntentGate makes that proof automatic: every gateway decision is a signed audit event, so there are no gaps for the auditor to ask about. The table below maps each Trust Services Criterion to the gateway output.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| CC6.1 — logical access controls implemented and operated | Per-call capability and policy enforcement evidence with timestamp |
| CC6.3 — authorization for access changes | Operator console with JIT elevation; every elevation in the audit chain |
| CC7.2 — system monitoring | Prometheus metrics and webhook events on configurable triggers |
| CC7.3 — incident response | The audit chain is the IR data; events are already recorded in chronological order |
| CC8.1 — change management | Policy version pinned per decision; pull request and reviewer recorded |
| Continuous evidence — operating effectiveness over the period | The audit chain is written by design, not by operator action; samples available for any date |
A control that produces evidence only when somebody remembers to take a screenshot does not pass a Type II review. The gateway emits evidence continuously, so the auditor's sample on any date in the period returns the actual record.