A subservice-organization continuity record
We map every critical software dependency to a continuity control your auditor can read.
For a SOC 2 Type II report, your auditor tests how you manage the vendors your service runs on — a contract clause won’t cut it. Codekeeper’s SOC 2 evidence pack gives you a signed, verified continuity record for every critical dependency.
CC9.1 wants a tested plan for surviving a vendor failure, and CC9.2 wants the risk of each critical vendor assessed and managed. A filed exit plan meets neither.
We map every critical software dependency to a continuity control your auditor can read.
Recovery testing confirms the deposit rebuilds, so the evidence holds up under scrutiny.
A named analyst signs the continuity assessment, so the evidence is attributable the way auditors expect.
Your records stay current across the observation period instead of going stale after a single capture.
The pack fits the carve-out method auditors default to for hosting and software subservice organizations.
Each record cites the criterion it satisfies, so nothing is left for the auditor to infer.
Point Codekeeper at the critical vendors and code your service runs on, so we can access the materials we need to test in the rebuild.
Daily syncs keep deposits current, recovery testing confirms they rebuild, and each one gets a signed continuity record.
When CC9 comes up, the evidence is already assembled, current, and signed, so the control clears without a scramble.
Set up in a day. From there, the pack stays current on its own.
Book a demoJordan Adler
Ross Kilshaw
Thiago Mendes
We’ll email your redacted sample — a continuity record and CC9 mapping sheet.