Book a Scoping Call
SaaS companies come to us when SOC 2 starts blocking deals.
For Teams Where Compliance Is a Condition of Doing Business
Most compliance consultants point you at a GRC platform, drop in templated policies, and call it done. The platform passes the audit but the program collapses on the first enterprise security questionnaire. We build the program first.
Pick the entry point that matches where you are. Most clients move between them as their program matures. A GRC platform is optional in Operate and ABO.
A standalone gap assessment of your current state against the SOC 2 Trust Services Criteria. Roadmap, defensible scope statement, and an honest read on whether you are three months or nine months from audit-ready. Useful as a third-party opinion before committing to implementation.
The fixed-scope, fixed-price implementation. 8 to 12 weeks. Working security program, control matrix, custom policies, GRC platform configured if you want one, evidence walkthroughs, and a readiness report. By the end, your team can operate the program without us.
Continuous program management between audit cycles. Weekly cadence calls, evidence collection, vendor reviews, security training, internal audit, and external audit management. Operate is what gets you from Type I to Type II without the program decaying.
Assess + Build + Operate. Annual fixed price that bundles the Build, ongoing Operate work, audit management, and (where applicable) GRC platform license and pen test. One number on the budget line, one accountable team running the whole program.
Every Build follows the same proven process. Each phase produces concrete artifacts you can hand to an auditor, an enterprise customer, or your board.
SOC 2 Trust Services Criteria gap assessment scoped to your actual stack. Defensible scope statement, current control inventory, and a prioritized roadmap with timelines.
20+ custom policies written for your team and your stack. Control matrix mapping every Trust Services Criterion to a specific control, owner, and evidence source.
Certified implementation of Vanta, Drata, Scrut, Secureframe, or Sprinto. We can resell licenses or work with one you already own. Optional in Operate and ABO.
Operationalize controls in a way that fits your existing engineering cadence. Set up evidence collection so auditors see a real, running program.
We manage the pen test from scoping through remediation with a qualified Canadian or US firm. Vulnerability management running on a defined cadence.
We are the main point of contact between you and the auditor. We organize evidence, defend your scope, and walk the auditor through your control narrative. Most engagements come back from audit with no findings.
Before we talk, see exactly where your SOC 2 program stands. Our free scorecard maps your current state across 6 control domains, gives you a maturity score out of 100, and emails a detailed report with prioritized next steps. No sales pitch, just an honest read.
Take the SOC 2 Scorecard
SOC 2 is a US framework, but Canadian companies face overlapping obligations the average US consultancy does not understand. We do.
If you have taken IRAP money, your SOC 2 work may be eligible for reimbursement. We help you document it correctly.
SOC 2 is not your only obligation. We design controls that cover Canadian privacy requirements at the same time.
Canadian customers ask about data residency in the same breath as SOC 2. Your scope and architecture should answer both.
If you operate in Quebec or support French-speaking customers, we can deliver policies in both languages.
We do not publish fixed prices because every engagement scopes differently. Here are the typical ranges from competent consultants in this market, so you can budget honestly before any conversation.
| Engagement Type | SMB Range | Enterprise Range |
|---|---|---|
| Assess (gap assessment) | A few thousand to $15,000+ | Custom |
| Build (8–12 wk implementation) | From $20,000 | $75,000+ |
| Operate (ongoing subscription) | Monthly, scoped to program | Custom |
| ABO (Assess + Build + Operate) | From $45,000 / year | Custom |
A GRC platform typically runs $5,000 to $25,000 per year for SMBs. The audit itself, from a reputable firm, runs $10,000 to $40,000 for Type I or Type II. Total first-year SOC 2 cost for most Canadian SMBs lands between $40,000 and $85,000.
Tell us about your stack and your timeline. We will respond within one business day with a fixed-price scoping call slot. No sales pitch, no obligation, no automated drip sequence.
Expect three cost buckets. Implementation consulting from competent providers typically runs from around $20,000 for an SMB single-framework engagement up to $75,000+ for enterprise scope. A GRC platform runs $5,000 to $25,000 per year for most SMBs. The audit itself, from a reputable firm, runs $10,000 to $40,000 for Type I or Type II. Total first-year cost for most Canadian SMBs lands between $40,000 and $85,000.
Type I is typically 3 to 6 months from kickoff to report. Type II requires an observation window, usually 3 to 12 months, after the Type I or after your controls are operating. A well-run 8 to 12 week engagement gets you audit-ready; the audit timeline depends on the firm and the type.
Yes. We act as the main point of contact between you and the auditor. We are the liaison through the entire engagement: we handle auditor communication, organize and submit evidence, defend your scope when it gets challenged, push back when an evidence request is overreaching, and walk the auditor through your control narrative. The audit firm is independent by design, but you are not on your own in the room. Most of our engagements come back from audit with no findings.
Yes, if your goal is a defensible program. The platform automates evidence collection; it does not design controls, define scope, or argue with auditors on your behalf. Companies that go platform-only often end up with a report that passes but does not hold up under enterprise procurement review.
We are based in Ottawa and most of our clients are Canadian, but we work across North America. US companies pick us for transparent pricing, no retainer lock-in, and on-prem and hybrid infrastructure experience that most US-only consultancies do not have.
You own the program. We hand off everything: policies, control matrix, runbooks, evidence walkthroughs, and auditor communication templates. Many clients run the program themselves from there. Others move into Operate so they have continuous program management between audit cycles, or step up to ABO for an annual fixed-price bundle.
Yes. We are certified GRC platform implementers for Vanta, Drata, Scrut, Secureframe, and Sprinto. We can resell licenses or work with one you already own. We will recommend the platform that fits your stack, not the one with the highest commission. A GRC platform is also optional in our Operate and ABO subscriptions if you prefer to run the program on policies and runbooks.
Fixed price. Senior consultants. A clear path from where you are to a SOC 2 report your enterprise customers will accept. Working across Canada and the US.