
How the SOC 2 Quality Checker Works

Learn about the rubric, the technology, and the community behind this free tool.

The SOC 2 Quality Rubric

A community-developed standard for evaluating SOC 2 report quality

Origin: The SOC 2 Quality Guild

The rubric was developed by Henry Ward and the SOC 2 Quality Guild, a community of compliance practitioners frustrated with the variable quality of SOC 2 reports in the industry. After reviewing hundreds of reports, they identified common patterns that separate useful reports from boilerplate ones.


What We Evaluate


Issue Weight Distribution

Each category contributes a different share of your overall quality score. Control Specificity carries the most weight, followed by Test-to-Control Alignment and Evidence Quality, because these categories most directly determine how useful a SOC 2 report is for vendor risk assessment.

Control Specificity: 25%
Test-to-Control Alignment: 20%
Evidence Quality: 20%
Scoping Clarity: 15%
Exception Handling: 10%
Narrative Quality: 10%

Control Specificity (25%)
Are controls written with company-specific details, or do they use generic boilerplate language?

Test-to-Control Alignment (20%)
Do the test procedures actually validate what the controls claim to do?

Evidence Quality (20%)
Is evidence properly referenced and specific enough to verify testing results?

Scoping Clarity (15%)
Is the scope clearly defined, with appropriate boundaries and subservice organizations identified?

Exception Handling (10%)
Are exceptions documented with root cause analysis and remediation plans?

Narrative Quality (10%)
Does the system description provide useful context for understanding the environment?

How the Analysis Works

Two modes designed for different use cases

Private Mode
For NDA-protected reports
  • The PDF is parsed entirely in your browser using PDF.js
  • Text extraction happens client-side, with no server calls
  • Pattern matching against the rubric criteria runs locally
  • The report contents never leave your device (you can check this yourself in the browser's developer tools: the network panel should show no request carrying document data while the analysis runs)
  • Results are not stored or benchmarked
Full Analysis Mode
For public or authorized reports
  • The PDF is transmitted securely to our analysis servers
  • AI models provide deeper insights than local pattern matching
  • Natural language understanding supports context analysis
  • Results are benchmarked against anonymized industry data
  • Reports are not stored after the analysis completes
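The following is an added example, not the SOC 2 Quality Checker's own code, showing what the "pattern matching against rubric criteria" step of Private Mode and the weighted overall score from the Issue Weight Distribution table can look like in plain JavaScript that runs in the browser or under Node. It assumes the report text has already been extracted client-side (for instance with PDF.js; extraction is not shown), scores two of the six categories with constructed heuristics (a stated frequency, an accountable owner, a named system, boilerplate phrases, and term overlap between a control and its test procedure, capped when the test relies on inquiry alone), and takes the other four category scores as inputs. The weights are the ones listed on this page; the marker lists, the control and test sentences, and the other category scores are constructed for the example and are not the Guild's rubric wording.

```javascript
// Added example (not the tool's code): client-side rubric scoring over already-extracted text.

// Category weights in percent, as listed under "Issue Weight Distribution" on this page.
const WEIGHTS = {
  controlSpecificity: 25,
  testToControlAlignment: 20,
  evidenceQuality: 20,
  scopingClarity: 15,
  exceptionHandling: 10,
  narrativeQuality: 10,
};

// Constructed heuristics for Control Specificity (illustrative, not the rubric's own wording).
const FREQUENCY = /\b(daily|weekly|monthly|quarterly|annually|every \d+ (days|hours))\b/i;
const OWNER = /\b(CISO|CTO|Security (Team|Engineer)|IT Operations|System Owner)\b/i;
const BOILERPLATE = /\b(periodically|as needed|appropriate|management reviews|where applicable)\b/gi;
const ROLE_WORDS = new Set(["Security", "Team", "Engineer", "Operations", "Owner", "Management", "IT", "System"]);

// True if some sentence names a proper noun (a candidate system or vendor) that is
// neither the sentence's first word nor a generic role word.
function hasNamedSystem(text) {
  return text.split(/[.!?]\s+/).some((sentence) => {
    const words = sentence.replace(/[^\w\s]/g, " ").trim().split(/\s+/);
    return words.slice(1).some((w) => /^[A-Z][A-Za-z0-9]+$/.test(w) && !ROLE_WORDS.has(w));
  });
}

// 0..100: rewards a stated frequency (+40), an accountable owner (+30) and a named
// system (+30); deducts 20 per boilerplate phrase; clamps to the 0..100 range.
function specificityScore(control) {
  let score = 0;
  if (FREQUENCY.test(control)) score += 40;
  if (OWNER.test(control)) score += 30;
  if (hasNamedSystem(control)) score += 30;
  const fluff = control.match(BOILERPLATE) || [];
  score -= 20 * fluff.length;
  return Math.max(0, Math.min(100, score));
}

// Constructed heuristics for Test-to-Control Alignment.
const STOPWORDS = new Set(["that", "this", "with", "from", "were", "have", "been", "their", "which", "also", "into", "then", "when", "over"]);
const STRONG_PROCEDURE = /\b(inspected|observed|reperformed|re-performed)\b/i;

// Crude suffix stripping so "reviews", "reviewed" and "review" compare equal.
function stem(word) {
  return word.replace(/(ing|ed|es|s)$/, "").replace(/e$/, "");
}

// Set of stemmed content words (4+ letters, not a stopword) in a passage.
function contentTerms(text) {
  const words = text.toLowerCase().replace(/[^a-z0-9\s]/g, " ").split(/\s+/);
  return new Set(words.filter((w) => w.length >= 4 && !STOPWORDS.has(w)).map(stem));
}

// 0..100: share of the control's content terms that the test procedure repeats,
// capped at 40 when the test relies on inquiry alone (no inspection, observation
// or reperformance), since an inquiry-only test validates little of what the control claims.
function alignmentScore(control, test) {
  const wanted = contentTerms(control);
  const found = contentTerms(test);
  let hits = 0;
  for (const term of wanted) if (found.has(term)) hits += 1;
  let score = wanted.size ? Math.round((100 * hits) / wanted.size) : 0;
  if (!STRONG_PROCEDURE.test(test)) score = Math.min(score, 40);
  return score;
}

// Weighted overall score. The two heuristic categories are averaged over the controls;
// the remaining four are supplied by the caller. Weights are checked to sum to 100 and
// every category score is checked to be a number in 0..100 before it is counted.
function scoreReport(controls, otherCategories) {
  const avg = (xs) => Math.round(xs.reduce((a, b) => a + b, 0) / xs.length);
  const categories = {
    controlSpecificity: avg(controls.map((c) => specificityScore(c.control))),
    testToControlAlignment: avg(controls.map((c) => alignmentScore(c.control, c.test))),
    ...otherCategories,
  };
  const totalWeight = Object.values(WEIGHTS).reduce((a, b) => a + b, 0);
  if (totalWeight !== 100) throw new Error(`rubric weights sum to ${totalWeight}, expected 100`);
  let overall = 0;
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    const value = categories[name];
    if (typeof value !== "number" || value < 0 || value > 100) {
      throw new Error(`missing or out-of-range score for ${name}`);
    }
    overall += (weight * value) / 100;
  }
  return { categories, overall: Math.round(overall * 10) / 10 };
}

// Constructed sample input: one specific control with an inspection-based test, one
// boilerplate control with an inquiry-only test, plus constructed scores for the
// categories this example does not compute.
const SAMPLE_CONTROLS = [
  {
    id: "C-01",
    control: "The Security Team reviews Okta administrator access quarterly and removes accounts that no longer require it.",
    test: "Inspected the Security Team's quarterly Okta access review for Q2 and Q3 and confirmed that flagged administrator accounts were removed.",
  },
  {
    id: "C-02",
    control: "Management reviews user access periodically as needed.",
    test: "Inquired of management regarding access reviews.",
  },
];
const SAMPLE_OTHER = { evidenceQuality: 70, scopingClarity: 80, exceptionHandling: 60, narrativeQuality: 75 };

console.log(JSON.stringify(scoreReport(SAMPLE_CONTROLS, SAMPLE_OTHER), null, 2));
```

On the constructed sample, C-01 scores 100 for specificity and 82 for alignment, while C-02 scores 0 and 40 (its 50% term overlap is capped because the test is inquiry only), giving category scores of 50 and 61 and a weighted overall of 64.2. The weight-sum check matters in practice: if a rubric revision changes one category's weight without adjusting the others, every overall score silently drifts, so failing loudly is the safer default.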

Privacy & NDA Considerations

We take data protection seriously

Understanding NDA Restrictions

Most SOC 2 reports are shared under Non-Disclosure Agreements (NDAs) that restrict how the report can be used and shared. Uploading an NDA-protected report to a third-party service may violate these agreements. That's why we built Private Mode.

When to Use Private Mode

  • Reports shared with you under NDA (the default for most SOC 2 reports)
  • Your company's own SOC 2 report before publication
  • Any report where you're unsure about sharing permissions

When Full Analysis is Appropriate

  • Publicly available SOC 2 reports
  • Reports where you have explicit authorization from the report owner to share them with third parties
  • Your company's report where you have authority to use external tools


Ready to Check Your Report?

Upload your SOC 2 report and get quality insights in minutes.
