SOC 2 and your PDF tools

SOC 2 reports tell you what controls a vendor has. PDF tool choice is part of your own SOC 2 picture.

Your customers ask for your SOC 2 Type II report. Your auditor asks for your vendors' SOC 2 reports. Among those vendors: every tool that touches customer data — including the PDF editor your team uses for contracts.

SOC 2 in brief

SOC 2 is an attestation report by an independent auditor confirming a service organisation's controls over Security, Availability, Confidentiality, Processing Integrity and Privacy (the five Trust Services Criteria).

Type I is a snapshot of control design at a point in time. Type II covers a period (usually 6-12 months) and reports on whether the controls operated throughout it. Type II is what customers usually want.

When PDF tools are in scope

If your PDF tool processes customer data on your behalf, it's in scope for vendor review under your SOC 2. You should:

- Review their SOC 2 report (if they have one).
- Verify the report covers controls relevant to your use case.
- Document the review in your vendor management process.
- Note any Complementary User Entity Controls (CUECs) you need to implement on your side.

For SOC 2-certified vendors, this is straightforward. For uncertified vendors, alternative due diligence (questionnaires, references) is needed.

What to look for in a vendor's SOC 2

- Scope: does it cover the services you actually use?
- Trust criteria: Security is mandatory; Confidentiality is critical for PDF tools.
- Audit period: recent (within the last year) and continuous.
- Exceptions: any control failures noted? Material ones are a flag.
- Subservice organisations: are AWS/GCP/Azure used, and how are they handled?

Reputable vendors share SOC 2 reports under NDA. They're not usually public — request through procurement.

Browser-side tools and SOC 2

If a PDF tool processes in your browser without uploading, the vendor isn't handling customer data — your browser is. The SOC 2 picture is lighter. Confirm the claim rather than taking it on trust: check the vendor's architecture documentation, and watch the network activity in your browser's developer tools while processing a file.

Flint is browser-based. The data your customers' PDFs contain doesn't reach Flint's servers. Vendor review still applies (Flint is a software supplier) but the data-handling controls are minimal.

FAQ

Is Flint SOC 2 certified?

Check Flint's current trust documentation for the latest certification status. Browser-based architecture reduces the data Flint handles regardless of certification posture.

Do I need to review every vendor's SOC 2 every year?

Annual review of in-scope vendors is good practice. A new SOC 2 report each year is standard for established vendors.

What if a vendor doesn't have SOC 2?

Use alternative due diligence — a vendor questionnaire, ISO 27001 certification, references, contractual commitments. Document the basis for using the vendor.

What are CUECs?

Complementary User Entity Controls — controls the vendor expects *you* to implement. Examples: enforcing strong passwords on user accounts, configuring the tool securely. SOC 2 reports list these explicitly.

Vendor review for SOC 2 includes PDF tools. Choose ones with clear control posture and document the review.
