What Is a SOC 2 Bridge Letter? [+ Template]
Learn what a SOC 2 bridge letter is, why it’s important, and how it helps address gaps between SOC 2 reports and client requirements.
A bridge letter is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end.
Let’s say your SOC 2 report covers the period between Oct. 1, 2024 and Sept. 30, 2025. Your customer’s fiscal year runs from Jan. 1, 2025 through Dec. 31, 2025.
Your SOC 2 report only covers nine of the 12 calendar months, which leaves a three-month coverage gap. As a service organization, how do you account for that interim period?
This is where SOC 2 bridge letters come in. A bridge letter provides assurance to your customer that you’re maintaining internal controls and provides context about any changes that may have occurred after your last reporting period ended.
Below, we cover what to include within a bridge letter, who issues the bridge letter, plus a template you can use to create your own.
A bridge letter (also known as a gap letter) is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end. Since SOC reports typically cover a period of six to 12 months, your report timeframe may not perfectly overlap with your customer’s calendar or fiscal year. The letters are meant to cover a short duration, typically no more than three months.
While bridge letters don’t replace a SOC 2 report, they can help prove your security posture to customers as you await your next audit process.
No matter how dialed-in your security program is, an annual audit and resulting SOC 2 report only capture a specific time frame. Once that period closes, a window opens between your last confirmed compliance state and the next scheduled audit.
This reporting gap leaves customers and business partners uncertain about your ongoing security controls. Without current documentation, they may question whether your internal safeguards remain as effective as they were during the assessment.
SOC 2 bridge letters address this uncertainty. They confirm that there have been no material changes to your organization’s controls since your last SOC 2 report or, if there have been, explain why they took place.
While not a regulatory requirement, these letters are often considered a best practice and a show of good faith to your customers. Providing these letters reassures stakeholders that you continue to take data security seriously and fosters confidence in your ongoing compliance efforts—even before the ink dries on your next official SOC 2 report.
What you include in your SOC 2 bridge letter will vary depending on whether or not significant changes have been made to your internal controls.
A few elements that are considered standard in a bridge letter include:
The review period of your latest SOC report, including the start and end dates
Any material changes to your internal control environment and an explanation of those changes (if applicable)
A statement that you’re unaware of any material changes that might impact the opinion of the auditor who performed your SOC examination (if there are no material changes)
A note that the bridge letter is not a replacement for a SOC 2 report
A disclaimer that the letter was created only for the customer
Your organization provides the bridge letter. The CPA firm that performed your SOC examination will not create or provide a bridge letter on your behalf because they’re unaware of the operating effectiveness of your controls beyond the SOC 2 reporting period. They’re also not aware of any changes that may have been made to your internal controls.
To ensure you check all the boxes of what to include within your bridge letter, we’ve created two editable templates—one if you have no material changes to your internal controls and another if you have material changes to convey to your customer.
*The information, content, and templates provided by Drata are not, nor intended to, constitute legal advice; instead, all information, content, and templates made available by Drata are for general informational purposes only. Drata customers should consult with their own legal counsel to obtain advice with respect to any particular legal matter.
In most cases, shifting your audit timeline to perfectly align with each client’s fiscal calendar or urgent security reviews isn’t practical. If a customer requests reassurance today—while your SOC 2 report still reflects a past point in time—a bridge letter may be your only solution.
Still, it doesn’t have to feel like a scramble. Treating compliance as a year-round practice ensures that your controls are both effective and up-to-date. Even if you can’t dodge every bridge letter, you’ll feel confident when it’s time to provide one.
Compliance isn’t a once-a-year item on your organization’s to-do list, and it certainly shouldn’t be top of mind only when the auditor is about to knock on your door. Rather, it’s an ongoing responsibility that keeps your operations secure and builds trust with customers and business partners year-round.
What does treating compliance as an ongoing effort look like? In a nutshell, it involves:
Monitoring security controls to make sure they’re always working properly. Compliance automation tools like Drata allow you to continuously monitor and test your controls to ensure you’re compliant before and after an audit.
Documenting processes to standardize how your team handles tasks like onboarding vendors, protecting sensitive data, and responding to incidents.
Conducting regular internal reviews to identify and resolve issues before audits or client demands arise.
Automating compliance workflows to track, update, and organize evidence without relying on manual processes. With Drata, you can get started with 23+ framework templates pre-mapped with auditor-validated controls.
Building a compliance-focused culture where everyone understands their role in keeping the organization secure.
Below, we answer a few common questions on bridge letters.
Since SOC 2 audit reports reflect a specific time period, there’s often a gap between when your last report ends and when your customer needs assurance of your compliance. A SOC 2 bridge letter is a document that covers the interim between your last SOC 2 report and your customer’s calendar or fiscal year-end.
SOC 2 bridge letters help maintain trust and transparency with your customers. They provide reassurance that your organization is continuing to uphold security and compliance standards, even during periods not covered by your most recent SOC 2 report.
For many organizations, providing a bridge letter is essential to meeting vendor requirements and ensuring customer relationships are not disrupted due to reporting gaps.
A SOC 2 bridge letter covers the gap between the end of a SOC 2 reporting period and a customer’s calendar or fiscal year-end. Bridge letters typically cover a period of up to three months.
No, SOC 2 reports do not include bridge letters. That’s because your auditor is only reporting on the operating effectiveness of your controls during the SOC report period. Since the bridge letter covers a time after the reporting period and before your next SOC examination, your organization will need to create and share the document with customers as needed.
Not always. While many clients will accept a bridge letter as a temporary measure, some may require a full SOC 2 report regardless of timing. It often depends on the client’s internal policies and their risk tolerance. Understanding your clients’ expectations ahead of time can help you plan your audit schedule and manage requests more effectively.
No, a bridge letter cannot replace a full SOC 2 report. While it provides assurance about your controls for a short period after your last audit, it doesn’t include the same level of detail or the external validation of a SOC 2 report.
The letter is meant to supplement your SOC 2 reporting, not serve as a substitute. Customers requiring a deeper assessment of your controls will still expect a full report.
To help you stay on top of SOC 2 compliance, Drata enables you to maintain continuous gap-free monitoring that will give you a leg up when it comes to your next SOC audit.