SOC 2 Bridge Letter: What It Is, Why You Need It, and How to Create One

SOC 2 reports are point-in-time assessments. They are generally treated as valid for a year, but they say nothing about what happens after the reporting period ends. The gap between the end of your last SOC 2 reporting period and the issuance of the next report creates a window of uncertainty for customers, auditors, and procurement teams.

How do you assure stakeholders that your controls are still operating effectively during that gap?

That’s where the SOC 2 bridge letter (also known as a gap letter) steps in. It’s a formal, self-attested document that reaffirms your commitment to security and signals that nothing material has changed since the last audit.

In this guide, we’ll break down everything you need to know about SOC 2 bridge letters, what they are, why they matter, when to issue one, what to include, and how to create one quickly (with templates you can use).

What Is a SOC 2 Bridge Letter?

A SOC 2 bridge letter, also known as a gap letter, is a self-attested document issued by your organization to cover the period between your previous SOC 2 report and your upcoming one.

For example, if your SOC 2 Type 2 report covers the period from November 1, 2024, to October 31, 2025, but your customer’s fiscal year runs from January to December, there will be a gap from the end of October through December. The bridge letter addresses this gap, providing assurance that there have been no material changes in your control environment during that time.

While a bridge letter does not replace a SOC 2 report or offer auditor-backed validation, it helps maintain trust by offering up-to-date compliance assurance. Typically valid for up to three months, the letter is issued by the service organization, not the auditor. CPA firms that issue SOC 2 reports cannot provide bridge letters because they are not in a position to verify the effectiveness of controls beyond the reporting period they examined.

When Do You Need a SOC 2 Bridge Letter?

You will need a SOC 2 bridge letter whenever there is a gap between your last SOC 2 report and the next one, especially if a customer or partner requests proof of security during that period. Common situations where bridge letters are needed include:

  • Your SOC 2 Type 2 report has expired, and the next one is still being audited.
  • During annual vendor reviews or security due diligence, customers want the most up-to-date assurance.
  • Right before closing a new deal, the buyer’s procurement team asks for current compliance evidence.
  • Your only current report is a SOC 2 Type 1 that is no longer recent enough to satisfy your customer’s risk review process.

Because SOC 2 audits take time, many organizations begin their renewal process at the six-month mark to avoid issuing a bridge letter altogether. However, if your audits are conducted annually, or if the next audit is delayed in starting, a SOC 2 bridge letter can cover the gap and keep your customers informed about the state of your security controls.

Read how Happay achieved SOC 2 Type 2 audit readiness in about 5 weeks with Sprinto.

💡Note: A bridge letter (or gap letter) is different from an attestation letter. Bridge letters are self-issued by your organization, while attestation letters are provided by your CPA firm and cover the actual audit period. The two are not interchangeable.

What Should a SOC 2 Bridge Letter Include?

A well-written SOC 2 bridge letter builds trust and avoids unnecessary scrutiny. It should include the details that give customers confidence in your continued compliance. Here’s what you should include:

  • Reference to the most recent SOC 2 report: Clearly state the period covered by your last SOC 2 report, including start and end dates.
  • Statement of continued compliance: Confirm that your organization’s security controls are still in place and operating as described in the last report.
  • Disclosure of significant changes or incidents: Any major changes to your systems, teams, or infrastructure, and any security incidents that occurred since the last report, must be disclosed. If nothing has changed, state this explicitly.
  • Management attestation and signature: The letter should be signed by a senior executive (e.g., CISO, CTO, or Head of Security), who takes responsibility for the statements made.
  • Scope of the letter: Clarify that this is a self-attested document and not a replacement for the SOC 2 report.

These are the must-haves in a SOC 2 bridge letter. To add credibility, you can also include the following details (optional, but recommended by auditors):

  • Summary of control environment: Briefly describe the systems, tools, and processes you use to maintain security and compliance.
  • Date of the bridge letter: Add the issue date of the letter so recipients know when it was created.
  • Contact information for follow-up: Include a point of contact (usually your security or compliance team) for any questions or clarifications.
  • Statement on audit status: If your next audit is already in progress, mention it. This shows proactive compliance planning.

SOC 2 Bridge Letter Sample: Free Downloadable Template

Here’s a SOC 2 Bridge Letter example for your reference:

SOC 2 Bridge Letter Sample

SOC 2 Bridge Letter vs SOC 2 Report: Key Differences

While both serve to assure customers of your security posture, a SOC 2 bridge letter is not a substitute for a SOC 2 report. Here’s how they differ:

| Aspect | SOC 2 Bridge Letter | SOC 2 Report |
| --- | --- | --- |
| Type of assurance | Self-attested by the organization | Independently validated by a CPA |
| Who issues it | Your internal team (usually signed by the CISO or leadership) | External auditor / CPA firm |
| Purpose | Covers the gap between actual SOC 2 reports | Validates controls over a defined period |
| Validity | 3 months | 6–12 months |
| Risk of rejection | Higher; depends on customer policies | Low; it follows a standard format |

While a bridge letter helps maintain momentum during audit gaps, it’s important to recognize its limits. It cannot replace a SOC 2 report: it doesn’t carry the same level of assurance, and it doesn’t involve third-party validation.

That’s why some customers may accept a bridge letter, especially if your last SOC 2 report was recent and clean, while others may reject it if the gap is too long, the letter lacks detail, or their risk policies require an up-to-date auditor-issued report.

How Long Is a SOC 2 Bridge Letter Valid?

SOC 2 bridge letters are meant to be short-term, stopgap assurances, not a substitute for the audit report. Their validity works as follows:

  • Up to three months: The standard industry practice is for a bridge letter to cover a period of no more than 90 days. This keeps the assurance timely and relevant.
  • Until the next SOC 2 report is issued: The letter becomes obsolete the moment your next official SOC 2 report is completed and shared with clients.

Some customers may request a bridge letter every quarter, because their security policies require ongoing evidence of continued control effectiveness.

A few factors that affect the validity of the SOC 2 bridge letter include:

  • Time since the last audit: Longer gaps reduce the credibility of the bridge letter.
  • Audit progress: If your next audit is already underway, customers may accept a bridge letter more readily.
  • Customer risk posture: Conservative or regulated organizations may only accept bridge letters for 30–60 days, or not at all.
  • Your compliance history: A clean audit history can increase trust in your self-attestation.

What Happens if You Don’t Provide a Bridge Letter?

While a bridge letter is not a legally required document, it maintains the continuity of your compliance narrative. If you do not provide a bridge letter, here’s what can happen:

  • Loss of trust: Clients may begin to question your commitment to security and compliance, which erodes trust.
  • Longer sales cycles: Potential customers may hesitate to move forward and buy your product because they can’t verify your security posture.
  • Contractual violations: Some customer contracts specifically require interim assurance. Failing to provide one may breach those terms, exposing you to legal or financial consequences.

Where Do SOC 2 Bridge Letters Fall Short?

A SOC 2 bridge letter helps cover short gaps between audits, but it does have limits. It’s not reviewed by an outside auditor, so some customers may not fully trust it. Typically, bridge letters are only valid for three months and cannot replace a real SOC 2 report. If you rely on it too often, people might think your company isn’t staying on top of its security and compliance work.

Expedite SOC 2 Compliance with Sprinto

A SOC 2 bridge letter can help maintain trust during audit gaps, but it’s only a temporary fix. The real goal is to reduce or even eliminate those gaps altogether. That’s where Sprinto makes a real difference.

With automated control monitoring, real-time alerts, and audit-ready evidence, Sprinto ensures you’re always in a state of compliance. No scrambling for proof. No manual guesswork. And with Sprinto AI, you get intelligent recommendations, automated policy updates, and personalized compliance signals that help you stay ahead, not just stay compliant.

If you want to stop relying on bridge letters and start running a truly continuous compliance program, Sprinto has your back.

Frequently Asked Questions

Is a bridge letter required for SOC 2?

No, it’s not required by SOC 2 standards, but many customers or partners may ask for one if your last report is outdated and your next audit isn’t complete yet. It helps fill the assurance gap.

Who signs the SOC 2 bridge letter?

The bridge letter is usually signed by someone in a senior leadership role, like your CISO, CTO, Head of Security, or even CEO, since it’s a self-attested statement from your company.

Does a SOC 2 Type 1 report require a bridge letter?

Yes. A SOC 2 Type 1 is a point-in-time report, so if it’s old, customers may ask for a bridge letter to confirm that your controls are still in place and nothing important has changed.

Can a bridge letter substitute for a new SOC 2 report?

No. A bridge letter is only a temporary update and not a replacement for an actual SOC 2 report, which requires an independent audit by a CPA firm.

Will customers accept a bridge letter instead of updated evidence?

It depends on the customer’s risk tolerance and internal policies. Some will accept a bridge letter as sufficient interim assurance, especially if your last SOC 2 report was recent and clean. Others, particularly in finance, healthcare, or other regulated industries, may request updated evidence or additional documentation until the next report is ready.

What’s the difference between a bridge letter and a gap letter?

They’re actually the same thing. “Bridge letter” and “gap letter” are just different terms used to describe the same kind of document issued by a service organization to cover the time between the end of a SOC 2 report and the start of the next one.

Meeba Gracy

Meeba, an ISC2-certified cybersecurity specialist, passionately decodes and delivers impactful content on compliance and complex digital security matters. Adept at transforming intricate concepts into accessible insights, she’s committed to enlightening readers. Off the clock, she can be found with her nose in the latest thriller novel or exploring new haunts in the city.
