@calamari funny thing is I don’t think SOC2 can be termed regulation precisely. The norms of what you put in SOC2 reports are, unless working with government, an emergent phenomenon of private industry expectations.

The basic framework of SOC2 is “you say you do these things, audit firm proves it to some extent.”