Important distinction
Trustfill is not a SOC 2 auditor and does not issue reports. If you have a SOC 2 report or security overview in your vault, drafts can cite it. If you don’t, those rows stay UNVERIFIED until you add evidence — we won’t invent a Type II claim.
Good vault inputs
- Security whitepaper or overview you’re allowed to share
- Access control, encryption, and IR policies
- Past vendor questionnaire answers (sanitized)
- Subprocessor / architecture summaries you already publish