What Is a SOC 2 Bridge Letter? [+ Template]

SOC 2 Bridge Letter Guidance and Template

Updated over 4 weeks ago

A bridge letter is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end.

Let’s say your SOC 2 report covers the period between Oct. 1, 2024 and Sept. 30, 2025. Your customer’s calendar year runs from Jan. 1, 2025 through Dec. 31, 2025. Your SOC 2 report only covers nine of the 12 months in that calendar year, which leaves a three-month coverage gap (Oct. 1 through Dec. 31, 2025). As a service organization, how do you account for that interim period?

This is where SOC 2 bridge letters come in. A bridge letter provides assurance to your customer that you’re maintaining your internal controls and provides context about any changes that may have occurred after your last reporting period ended. Below, we cover what to include in a bridge letter and who issues it, and we provide a template you can use to create your own.

What Is a Bridge Letter?

A bridge letter (also known as a gap letter) is a document that covers the gap between your last SOC 2 report and your customer’s calendar or fiscal year-end. Since SOC reports typically last for six to 12 months, your report timeframe may not perfectly overlap with your customer’s calendar or fiscal year. The letters are meant to cover a short duration—typically no more than three months.

While bridge letters don’t replace a SOC 2 report, they can help prove your security posture to customers as you await your next audit process.

Why Do Organizations Need SOC 2 Bridge Letters?

No matter how dialed-in your security program is, an annual audit and resulting SOC 2 report only capture a specific time frame. Once that period closes, a window opens between your last confirmed compliance state and the next scheduled audit.

This reporting gap leaves customers and business partners uncertain about your ongoing security controls. Without current documentation, they may question whether your internal safeguards remain as effective as they were during the assessment.

SOC 2 bridge letters address this uncertainty. They confirm that there have been no material changes to your organization’s controls since your last SOC 2 report or, if there have been, explain why they took place.

While not a regulatory requirement, these letters are often considered a best practice and a show of good faith to your customers. Providing these letters reassures stakeholders that you continue to take data security seriously and fosters confidence in your ongoing compliance efforts—even before the ink dries on your next official SOC 2 report.

What Is Required in a SOC 2 Bridge Letter?

What you include in your SOC 2 bridge letter will vary depending on whether or not significant changes have been made to your internal controls.

A few elements that are considered standard in a bridge letter include:

  • The review period of your latest SOC report, including the start and end dates

  • Any material changes to your internal control environment and an explanation of those changes (if applicable)

  • A statement that you’re unaware of any material changes that might impact the opinion of the auditor who performed your SOC examination (if there are no material changes)

  • A note that the bridge letter is not a replacement for a SOC 2 report

  • A disclaimer that the letter was created only for the customer

Who Provides a Bridge Letter?

Your organization provides the bridge letter. The CPA firm that performed your SOC examination will not create or provide a bridge letter on your behalf because they’re unaware of the operating effectiveness of your controls beyond the SOC 2 reporting period. They’re also not aware of any changes that may have been made to your internal controls.

Bridge Letter Example + Template

To ensure you check all the boxes of what to include within your bridge letter, we’ve created two editable templates—one if you have no material changes to your internal controls and another if you have material changes to convey to your customer.

*The information, content, and templates provided by Drata are not, nor intended to, constitute legal advice; instead, all information, content, and templates made available by Drata are for general informational purposes only. Drata customers should consult with their own legal counsel to obtain advice with respect to any particular legal matter.

Continuous Compliance as a Baseline

Compliance isn’t a yearly item in your organization’s “to-do” list, and it certainly shouldn’t be top of mind only when the auditor is about to knock on your door. Rather, it’s an ongoing responsibility that keeps your operations secure and builds trust with customers and business partners year-round.

What does treating compliance as an ongoing effort look like? In a nutshell, it involves:

  • Monitoring security controls to make sure they’re always working properly. Compliance automation tools like Drata allow you to continuously monitor and test your controls to ensure you’re compliant before and after an audit.

  • Documenting processes to standardize how your team handles tasks like onboarding vendors, protecting sensitive data, and responding to incidents.

  • Conducting regular internal reviews to identify and resolve issues before audits or client demands arise.

  • Automating compliance workflows to track, update, and organize evidence without relying on manual processes. With Drata, you can get started with 23+ framework templates pre-mapped with auditor-validated controls.

  • Building a compliance-focused culture where everyone understands their role in keeping the organization secure.
