What's Inside

A bridge letter is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end. 

Let’s say your SOC 2 report covers the period between Oct. 1, 2022 and  Sept. 30, 2023. Your customer’s calendar year-end runs from Jan. 1, 2023 through Dec. 31, 2023. 

Your SOC 2 report only covers nine of the 12 calendar months, which leaves a three-month coverage gap. As a service organization, how do you account for that interim period? 

This is where SOC 2 bridge letters come in. A bridge letter provides assurance to your customer that you’re maintaining internal controls and provides context about any changes that may have occurred after your last reporting period ended. 

Below, we cover what to include within a bridge letter, who issues the bridge letter, plus a template you can use to create your own. 

What Is a Bridge Letter?

A bridge letter is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end. Since SOC reports typically last for six to 12 months, your report timeframe may not perfectly overlap with your customer’s calendar or fiscal year. The letters are meant to cover a short duration—typically no more than three months. 

Also known as gap letters, a bridge letter is used to communicate to customers whether or not material changes were made to your internal controls during the period covered by the letter. While bridge letters don’t replace a SOC 2 report, they can help prove your security posture to customers as you await your next SOC audit process. 

How Bridge Letters Can Protect Your Business Relationships

Bridge letters are not required but are considered a best practice, serving as a show of good faith to your customers. These letters reassure customers and prospects that you’re maintaining security and compliance standards in the interim period before you receive a new SOC 2 report. 

What Is Required in a SOC 2 Bridge Letter? 

What you include in your SOC 2 bridge letter will vary depending on whether or not changes have been made to your internal controls. 

A few elements that are considered standard in a bridge letter include: 

• The review period of your latest SOC report, including the start and end dates

• Any material changes to your internal control environment and an explanation of those changes (if applicable)

• A statement that you’re unaware of any material changes that might impact the opinion of the auditor who performed your SOC examination (if there are no material changes) 

• A note that the bridge letter is not a replacement for a SOC 2 report

• A disclaimer that the letter was created only for the customer

Who Provides a Bridge Letter?

Your organization provides the bridge letter. The auditor who performed your SOC examination will not create or provide a bridge letter on your behalf because they’re unaware of the operating effectiveness of your controls beyond the SOC 2 reporting period. They’re also not aware of any changes that may have been made to your internal controls.  

Bridge Letter Example + Template

To ensure you check all the boxes of what to include within your bridge letter, we’ve created two editable templates—one if you have no material changes to your internal controls and another if you have material changes to convey to your customer.

Download SOC 2 Bridge Letter Templates

*The information, content, and templates provided by Drata are not, nor intended to, constitute legal advice; instead, all information, content, and templates made available by Drata are for general informational purposes only. Drata customers should consult with their own legal counsel to obtain advice with respect to any particular legal matter.

FAQ

Below, we answer a few common questions on bridge letters. 

What Length of Time Does a Bridge Letter Cover?

A SOC 2 bridge letter covers the gap between the end of a SOC 2 reporting period and a customer’s calendar or fiscal year-end. Bridge letters typically cover a period of up to three months. 

Do SOC 2 Reports Include Bridge Letters?

No, SOC 2 reports do not include bridge letters. That’s because your auditor is only reporting on the operating effectiveness of your controls during the SOC report period. Since the bridge letter covers a time after the reporting period and before your next SOC examination, your organization will need to create and share the document with customers as needed. 

Bridge letters bolster customer relationships by reassuring them of your organization’s security posture in the period after your last SOC report and before your next audit. 

To help you stay on top of SOC 2 compliance, Drata enables you to maintain continuous gap-free monitoring that will give you a leg up when it comes to your next SOC audit.