SOC 2 bridge letter: what it is and who signs
A SOC 2 bridge letter covers the gap between your last Type II report and today. Here is what it says, who signs it, and how long it can run.
Dev Agarwal, CPA
Licensed CPA · Founder
A procurement team asks for your SOC 2 report. You send it. They write back: "Your report covers October through September. It is now December. Do you have a bridge letter?"
This is the moment most founders learn the term.
What a bridge letter is
A bridge letter (sometimes called a gap letter) is a short statement from your management that no material changes have occurred to the controls described in your most recent SOC 2 Type II report between the report's period end and a stated later date. It is addressed to the customer or prospect asking for it, and it exists to cover the window between audit periods without triggering a new engagement.
It is not a new audit. It is not an auditor opinion. It is you, as management, telling your buyer that the report they are reading still reflects how you operate today. Bridge letters sit outside the attestation framework that governs SOC engagements under SSAE No. 18, which is one reason auditors will not sign them.
Why bridge letters exist
A SOC 2 Type II report has a fixed observation window. A typical one runs for 12 months, say October 1, 2025 through September 30, 2026. The independent auditor's opinion speaks to that window and nothing else (AICPA's SOC for Service Organizations overview is explicit that the report's coverage is tied to its stated period). The day after the window closes, procurement teams at your customers start doing math.
Here is the problem. The report is not issued on September 30. It is issued six to ten weeks later, after draft, management review, and quality review. By the time your buyer reads it, they are already two or three months past the period end, and every week that passes widens the gap. Your next Type II will not start until the new observation window ends a year from now. If you're weighing whether that next report should be Type I or Type II, we walk through the trade-offs in Type I vs Type II.
The bridge letter fills that gap. It is a cheap, boring, load-bearing artifact that keeps enterprise sales cycles moving while your auditor is observing the next twelve months.
What the letter actually says
A usable bridge letter is three paragraphs. The structure has settled into something close to industry convention:
- Identification of the report. The service organization name, the report type (SOC 2 Type II), the trust services criteria in scope, and the period the report covered.
- The assertion. Management states that, to the best of its knowledge, no material changes have occurred to the system description or the controls between the report's period end and the stated end date of the bridge. This is a cousin of the management representation letter management signs for the auditor during the original engagement — same voice, same signer, different audience. If changes have occurred, they are disclosed here and characterized.
- Scope and limitations. A sentence making clear that the letter is management's representation, that the auditor has not performed procedures during the bridge period, and that the letter does not replace the underlying report.
The letter is signed by management and dated. That is the whole document. One page, usually under 400 words. If a vendor hands you something longer and fancier, they are either overcomplicating it or selling you something you did not ask for.
A bridge letter is a promise from management, not a verdict from an auditor. Treat it that way when you write it and when you read one.
Who signs it (and who does not)
This is the part that trips people up.
Management signs the bridge letter. Usually the CEO, COO, or CISO, whichever officer signed the management assertion in Section 2 of the underlying report. The signer is asserting, personally, that nothing material has changed.
The auditor does not sign. The auditor has not performed procedures during the bridge period. Asking your CPA firm to sign a bridge letter is asking them to opine on a window they did not audit, which is a thing no licensed firm will do and no accredited firm should. If a "SOC 2 provider" offers to sign the letter for you, that is a flag worth examining before the next procurement cycle, not during it.
A legitimate auditor will happily provide a template, review your draft, and confirm the report facts (period, scope, opinion type) are stated correctly. That is where their role ends. For a fuller picture of what the auditor actually does during the examination — and where the bridge letter sits relative to those procedures — see our walk-through of the SOC 2 audit process.
How long a bridge letter can cover
The working rule in practice: up to about three months from the report's period end. Some customers accept four; a few hardliners want one re-issued every 30 days. Past three months, the letter's credibility erodes regardless of what it says, because a company can ship a lot of material change in a quarter.
Two constraints that are not negotiable:
- The letter must have a stated end date. "Through March 31, 2027" is correct. "To present" or "ongoing" is not, because the assertion cannot extend past the date management signed.
- The letter expires. Once the new Type II report is issued, the bridge letter stops being the document your buyers should be reading. Hand them the new report and retire the letter.
If your gap is longer than three months, the answer is not a longer bridge. The answer is either a short Type II for the intervening period or adjusting your observation window so the next report lands sooner. A bridge stretched to six months is a bridge nobody trusts.
Common mistakes
The four we see most often on our readiness engagements:
- Asking the auditor to sign. Covered above. The auditor cannot and will not sign for a window they did not audit.
- Issuing a bridge after a material change. An acquisition, a platform migration, a CISO departure, a new subservice organization. If any of these happened during the bridge window, the bridge does not apply, and a "no material changes" letter that claims otherwise is worse than no letter at all. Disclose the change, or do not issue the letter.
- Stretching the window past three months. Buyers count. So do their security teams.
- Treating the bridge as a substitute for the next Type II. The bridge exists to hold the line until the next report. If the next observation window has not started, that is the real problem, and it is worth a conversation during a readiness pass rather than an email to your auditor the day before a deal closes.
A bridge letter is five minutes of drafting for an outcome that keeps enterprise deals unblocked for months. Keep a current one on the shelf, dated the day you need it, and do not overthink the rest. Our engagement process is built so the letter is ready when you are, not when the customer asks.
If you are between Type II reports and a customer is waiting, get in touch and we will help you put a clean bridge letter in their hands this week.