<img height="1" width="1" style="display: none" alt="" src="https://px.ads.linkedin.com/collect/?pid=1098858&amp;fmt=gif">
SOC 2 evidence pack

Secure the vendor continuity proof your SOC 2 report rides on.

For a SOC 2 Type II report, your auditor tests how you manage the vendors your service runs on — a contract clause won’t cut it. Codekeeper’s SOC 2 evidence pack gives you a signed, verified continuity record for every critical dependency.

Tested vendor continuity — not a contract clause.
Your enterprise deals depend on a clean SOC 2 report, and a vendor exit plan you've never tested won't clear the CC9 requirements. You need tested evidence of vendor continuity. Codekeeper’s SOC 2 evidence pack builds on verified escrow with build tests. Not a customer yet? Bundle it with an escrow plan.
badge-soc2 SOC 2
badge-iso-27001-v2 ISO 27001
solutions_badge_dora DORA
badge-nis2 NIS2
solutions-ffiec FFIEC
One continuity record your buyers recognize across the frameworks they care about.
The old way

No amount of exit plan fine-tuning will satisfy CC9.

When the audit reaches your subservice organizations, the auditor wants to see whether your service survives one of them failing. Most teams point to a vendor exit plan that names the critical vendor and describes how they'd move off it. But without putting it to the test, you have no real proof it will help you recover when a vendor fails.

CC9.1 wants a tested plan for surviving a vendor failure, and CC9.2 wants the risk of each critical vendor assessed and managed. A filed exit plan meets neither.

THE EXIT PLAN ON FILE
Vendor exit plan PDF
Signed · 14 Mar 2024
Not tested
A documented intention — never tested against a real failure event.
photo-soc2-origin
Why we built it

Built for the control that trips up SOC 2 audits.

CC9 asks you to manage the risk each critical vendor brings, and to plan for when they fail. Proving you could rebuild their software is the strongest continuity evidence you can offer to satisfy the audit. We built the SOC 2 evidence pack so you can hand over that proof without any effort on your end.
10+
securing mission-critical and regulated software
3 500+
companies protected
ISO 27001
certified
24 hrs
to go live

What the pack proves that a contract commitment can’t.

Each capability closes a gap the contract-and-PDF approach leaves open. Together, they build the strongest continuity evidence you can bring to CC9.

A subservice-organization continuity record

We map every critical software dependency to a continuity control your auditor can read.

Verified recovery

Recovery testing confirms the deposit rebuilds, so the evidence holds up under scrutiny.

A human-signed verdict

A named analyst signs the continuity assessment, so the evidence is attributable the way auditors expect.

Type II-ready evidence

Your records stay current across the observation period instead of going stale after a single capture.

Carve-out coverage

The pack fits the carve-out method auditors default to for hosting and software subservice organizations.

CC9 mapping, point by point

Each record cites the criterion it satisfies, so nothing is left for the auditor to infer.

How it works

Get your report evidence sorted in three easy steps.

In review
AC
Acme Corp Depositor
BL
Beneficiary Ltd Beneficiary
AgreementTripartite escrow
Last deposit2 days ago
Active
NV
Northwind Depositor
FB
FinBank Beneficiary
AgreementSaaS escrow
Last depositToday

1. You connect the software dependencies in scope.

Point Codekeeper at the critical vendors and code your service runs on, so we can access the materials we need to test in the rebuild.

Deposits
3 active · last verified today
Software Resilience Certificate
Software Resilience
Certificate
Passed

2. Codekeeper verifies and records continuity.

Daily syncs keep deposits current, recovery testing confirms they rebuild, and each one gets a signed continuity record.

Certified tier seal
Codekeeper Software Resilience Certificate
ProviderAcme Cloud Ltd
TierCertified
Recovery testPassed · 14 Jun 2026
Valid to14 Jun 2027
Authorized · Codekeeper
Verified

3. You hand the pack to your auditor.

When CC9 comes up, the evidence is already assembled, current, and signed, so the control clears without a scramble.

Set up in a day. From there, the pack stays current on its own.

Book a demo

Teams that cleared CC9 without a mid-audit panic.

They made the decision. They built their resilience. They have peace of mind. You can too.
icon-google
icon-g2
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”
testimonial-circle-j

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”
testimonial-circle-r

Ross Kilshaw

I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!
testimonial-circle-t

Thiago Mendes

Airbus partner logo in muted style
Bayer partner logo in muted style
EU Parliament partner logo in muted style
General Motors partner logo in muted style
Intuit partner logo in muted style
Nestle partner logo in muted style
Pepsico partner logo in muted style
Pfizer partner logo in muted style
Framework mapping

Prep your evidence once, reuse it across every framework.

If you build your SOC 2 CC9 evidence the right way, the same record also covers the vendor-continuity demands in the other frameworks you're subject to.
badge-soc2
SOC 2 — CC9 Vendor continuity evidence for the subservice organizations.
badge-iso-27001-v2
ISO 27001 — A.5.30 ICT readiness for business continuity.
solutions-dora
DORA — Art. 28 / Arts. 24–25 Tested exit strategy for critical ICT providers.
badge-nis2
NIS2 — Art. 21(2)(c) Backup, disaster recovery, and continuity for in-scope entities.
solutions-ffiec
FFIEC — NIST CSF 2.0 Evidence mapped to the Recover function.
What's at stake

Clear CC9 on the first look, or wait for the next audit cycle.

Without it

  • The auditor raises a CC9 finding, sending it into remediation and a re-test.
  • Additional audit fees as you're forced to run the control again.
  • The enterprise deals waiting on the SOC 2 report stall.
2–4 months added to your report timeline when a CC9 exception forces you into remediation

With the evidence pack

  • Your continuity evidence is signed, verified, and already in the packet.
  • CC9 clears on the first review — your report ships on schedule.
  • One record also covers your ISO 27001, DORA, FFIEC, and NIS2 vendor-risk requirements.
Sample pack

Check the evidence yourself before you sign up.

We’ll send a redacted sample of exactly what your auditor receives: a subservice-organization continuity record and a CC9 mapping sheet. The quickest way to judge whether the evidence holds up.
Recovery test · summary
Article 28 mapping
Certified tier seal
Codekeeper Software Resilience Certificate
ProviderAcme Cloud Ltd
TierCertified
Recovery testPassed · 14 Jun 2026
Valid to14 Jun 2027
Authorized · Codekeeper
Verified
Get your SOC 2 evidence pack

We’ll email your redacted sample — a continuity record and CC9 mapping sheet.

One unmanaged vendor shouldn’t cost you the deal.

Enterprise buyers won’t sign until your SOC 2 report is clean. CC9 is where an unproven vendor can hold that report up. Get your continuity evidence assembled and signed now, so the control clears and the deals waiting on your report can close.

Frequently asked questions

What is a SOC 2 subservice organization?
A subservice organization is a third party, like a hosting provider or critical software vendor, whose controls form part of the system your SOC 2 report covers.
How does software escrow support SOC 2 vendor management?
Software escrow supports SOC 2 vendor management by giving you a verified, recoverable copy of a critical vendor's software, so you can show continuity is tested rather than assumed when CC9 is examined.
How often does the SOC 2 recovery test need to be redone?
The recovery test needs redoing on a recurring schedule, because a SOC 2 Type II report covers an observation period, not a single day, and your audit comes round again each cycle. A test only proves continuity as of the day it ran, so one capture won't carry a whole period, and last year's result won't answer this year's audit. Codekeeper reruns the build-and-run test on a schedule that keeps the evidence current across your observation window and ready for the next report.
How is the SOC 2 evidence pack different from collecting a vendor's SOC 2 report?
The SOC 2 evidence pack differs because a vendor's report tells you they had controls, while the pack proves you can keep running if that vendor fails — the continuity their report doesn't cover.
Which regulations does the SOC 2 evidence pack cover?
The SOC 2 evidence pack covers SOC 2 (CC9) primarily. The same continuity record also maps to ISO 27001 A.5.30, DORA Article 28 and Articles 24–25, the NIS2 business-continuity measure (Article 21(2)(c)), and FFIEC recovery expectations under NIST CSF 2.0.
Does the SOC 2 evidence pack work for SOC 2 Type II?
Yes, the SOC 2 evidence pack works for Type II. A Type II report tests your controls over a period of months, not a single day, so your vendor-continuity evidence has to hold for the whole window. The pack keeps dated recovery records across that period, so the evidence stands for the full report.