You can choose to use AI to summarize your SOC 2 reports or Questionnaire Responses. These AI-powered summaries are not intended to replace your analysis of these items but are designed to help you understand the information more efficiently.
To learn how to send or upload vendor security questionnaires and SOC 2 reports, go to Vendor Security Questionnaire.
Before diving in
AI summarization for vendor questionnaire responses and SOC 2 reports is only available for TPRM users.
You can use AI summarization for vendor questionnaires that either:
Have been sent through Drata, or
Have been uploaded into Drata.
You can also use AI summarization for SOC 2 reports that have been uploaded into Drata.
Only Admins can enable AI summaries. If you are not an admin, you cannot enable or disable AI in Drata. If an admin has not enabled AI, you will not have AI enabled in Drata.
Enable or disable AI
Admins can enable AI summarization through the Company settings page.
Go to your Settings page. Under Company Settings, select AI Settings.
Select the AI option and save your choice.
To disable AI, deselect the Enable AI option and save your choice. If you disable AI, your AI summaries will be hidden and no additional AI summaries will be generated.
SOC 2 Reports AI Summary
The AI summary can take up to a few minutes to generate and provides the following information:
Overview: Includes the company name, audit firm name, the scope of the audit, the audit period, the trust service criteria covered, and the sub-services for the organization.
Exceptions: Includes information noted by an auditor about an exception related to a control criterion.
Management’s response: Includes how the organization responded to the exceptions noted by the auditor.
Key Considerations
Note: Given the density and volume of information, the AI may fail to extract certain information. We have thoroughly tested this to minimize the chance of this happening as much as possible, but please make sure to always review AI outputs when making security and compliance decisions.
A SOC 2 report might not be summarized for the following reasons:
The report is not identified as a SOC 2 report or does not have any relevant SOC 2 information.
The SOC report is longer than 200K characters.
View SOC 2 summary in the Security Review
Go to a Vendor, select the desired vendor, and navigate to the Security reviews tab.
Select New Review and a dropdown menu will appear. Then, select Security Review.
After you upload a SOC 2 report, Drata automatically determines whether the uploaded document is a SOC 2 report. If confirmed, select the View button.
In the right-side panel, the Summary tab will appear next to the Observations tab. Under the Summary tab, you can view the AI summary.
View SOC 2 summary in the Report Review
Go to a Vendor, select the desired vendor, and navigate to the Security reviews tab.
Select New Review and a dropdown menu will appear. Then, select SOC Report Review.
You can either pull in a report from your Reports and Docs or upload the report directly.
Once you upload a SOC report, in the right-side panel, under the Summary tab, you can view the AI summary.
Questionnaire Responses AI Summary
The AI summary can take up to a few minutes to generate and provides the following information:
Overview: Can include general company details, compliance frameworks mentioned, and a high-level breakdown of the security practices and tools the vendor uses.
Callouts: Can include questions that were unanswered, incidents or security breaches, and tools or practices the vendor is missing.
Attachments: Can include files that were attached to answer a question.
Note: The questionnaire summary does not summarize the content within the attachments and files.
Key Considerations
Note: Given the density and volume of information, the AI may fail to extract certain information. We have thoroughly tested this to minimize the chance of this happening as much as possible, but please make sure to always review AI outputs when making security and compliance decisions.
A questionnaire might not be summarized for the following reasons:
The questionnaire (including both questions and responses) is fewer than 450 words or more than 5,000 words.
The questionnaire does not have relevant security and compliance information.
The questionnaire is not in a question and answer format.
AI summarization for your Questionnaire Responses
Note: Ensure that your admin has enabled AI in Drata.
You can view your AI summarizations within the Security reviews tab or Reports and Documents tab.
Security reviews tab:
Go to a Vendor page, select the desired vendor, and navigate to the Security reviews tab.
The questionnaires that have been sent through Drata or uploaded will be listed on this page. Select View for the questionnaire whose AI summarization you would like to view.
If you do not have any questionnaires, you can select the Questionnaire button to upload one or send one through Drata.
In the right-side panel, under the Summary tab, you can view your AI summarization.
Ensure the side panel is expanded if it is closed.
Reports and Documents tab:
Go to a Vendor page, select the desired vendor, and navigate to the Reports and Documents tab, then scroll down to the Security Questionnaires section. Select a questionnaire you would like to view.
In the right-side panel, under the Summary tab, you can view the AI summarization.
Ensure the side panel is expanded if it is closed.