Drop a SOC 2 PDF; the platform extracts the auditor, period, scope, every Trust Services Criterion, every Complementary User Entity Control (CUEC), every exception, and every subservice org. It maps to NIST CSF and auto-creates findings for failed CUECs.
The extractor handles SOC 2 reports from any major auditor: Deloitte, EY, KPMG, PwC, BDO, Crowe, Grant Thornton, A-LIGN, Schellman, and the long tail of regional firms. Trust Services Criteria coverage and exceptions are parsed by section. Subservice organizations and their carve-out scopes are captured. Every CUEC is tagged with its target user-entity action.
Each extracted CUEC is matched against your tenant's control catalogue. The "we depend on this CUEC" determination becomes a structured record, not a Word table. When a CUEC fails to map cleanly, the platform creates a finding asking the right control owner to confirm the dependency.
If the source SOC 2 report identifies an exception against a TSC that maps to a CUEC you depend on, the platform auto-opens a finding in the risk register. The auditor's exception language carries through to your finding description; the source document is attached as evidence.
Every extraction is captured in the AI Generation Log with the source PDF hash, model version, prompt version, and the structured output. Reviewer overrides on extracted CUECs are captured in the Decision Audit. When an auditor asks where a CUEC dependency was determined, the answer can be reconstructed from the source PDF.
SOC Compliance Analytics is included in Enterprise.