
Complete a SOC 2 questionnaire online — auto-fill from your Type II report

Complete SOC 2 compliance questionnaires online in minutes. Upload your Type II report and the buyer's questionnaire — get source-cited answers mapped to trust service criteria.


You spent $50K and 6 months getting SOC 2 Type II certified. The 80-page report covers everything — encryption, access control, monitoring, incident response, availability. But your prospect just sent a 120-question spreadsheet asking about... encryption, access control, monitoring, incident response, and availability.

The answers are in your SOC 2 report. Extracting them manually takes 4–8 hours. Here's how to do it in 20 minutes.

Why buyers send SOC 2 questionnaires

You might wonder: "I have the report — why don't they just read it?"

Three reasons:

  1. Format — Buyers need answers in their spreadsheet, not your 80-page PDF. Their procurement system expects a completed questionnaire as a formal artifact.
  2. Scope — Your SOC 2 covers trust service criteria. Their questionnaire may include product-specific questions, business continuity details, or privacy requirements not in your report.
  3. Accessibility — The security reviewer processing your questionnaire is evaluating 15 vendors this quarter. They need structured, scannable answers — not a PDF to read cover-to-cover.

The SOC 2 report is your evidence. The questionnaire is the format they need it in.

What SOC 2 questionnaires cover

SOC 2 questionnaires map to the AICPA Trust Service Criteria:

Criterion            | Code    | What buyers ask about
Security             | CC1–CC9 | Access control, encryption, network security, monitoring
Availability         | A1      | Uptime, DR, BCP, redundancy, SLAs
Processing Integrity | PI1     | Data accuracy, processing validation, error handling
Confidentiality      | C1      | Data classification, encryption, access restrictions
Privacy              | P1–P8   | Collection, use, retention, disclosure, consent

Security (CC criteria) is included in every SOC 2 and covers the majority of questionnaire questions. Availability, Processing Integrity, Confidentiality, and Privacy are optional criteria — your report may not include all of them.

The SOC 2 questionnaire overlap advantage

SOC 2 questionnaires have the highest auto-fill rate of any questionnaire type because:

  • Questions map directly to defined trust service criteria (CC6.1, CC7.2, etc.)
  • Your SOC 2 report already contains detailed control descriptions
  • The report includes management's description of controls AND the auditor's test results
  • Control numbering is standardized — there's no ambiguity about what's being asked

FillBase achieves ~92% auto-fill on SOC 2 questionnaires — compared to ~88% for generic DDQs and ~85% for custom formats.

Common SOC 2 questionnaire questions

Security (CC criteria):

  • "Describe your logical access controls (CC6.1)"
  • "How are changes to infrastructure and software managed? (CC8.1)"
  • "Describe your system monitoring and anomaly detection (CC7.2)"
  • "How are security incidents identified and responded to? (CC7.3)"
  • "Describe your risk assessment process (CC3.2)"

Availability (A criteria):

  • "What are your RTO and RPO targets? (A1.2)"
  • "Describe your disaster recovery plan and last test date (A1.2)"
  • "What is your uptime SLA? (A1.1)"

Confidentiality (C criteria):

  • "How is confidential data identified and classified? (C1.1)"
  • "Describe access restrictions to confidential information (C1.2)"

Questions NOT in your SOC 2 (~8%):

  • "List your sub-processors and their locations"
  • "Describe your product architecture and data flow"
  • "What cyber insurance coverage do you carry?"
  • "Describe your GDPR compliance program"

These non-SOC 2 questions are why you need more than just the report — and why FillBase pulls from your policies, architecture docs, and prior responses too.

How to complete a SOC 2 questionnaire with FillBase

  1. Upload your SOC 2 Type II report — FillBase parses the report structure, identifies trust service criteria, and extracts control descriptions and auditor findings.

  2. Upload supplementary documents — Policies, architecture docs, sub-processor list, prior questionnaires. These cover the ~8% of questions outside SOC 2 scope.

  3. Submit the buyer's questionnaire — Any format (Excel, Word, PDF). FillBase maps each question to the relevant trust service criterion and your control description.

  4. Review and export — ~92% auto-filled with citations like "CC6.1: Role-based access via Okta, MFA enforced for all users... Ref: SOC 2 Report §CC6.1, p.34." Review the ~8% flagged questions and export in the buyer's format.
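To make the mapping in steps 3 and 4 concrete, here is an added illustration (example code written for this article, not FillBase's own implementation): it reads the trust service criterion reference from each question, checks it against the criteria categories the uploaded report actually covers, and flags questions with no SOC 2 reference for manual review. The set of categories in the report and the sample questionnaire are assumed inputs constructed for the example.

```python
import re

# Trust Service Criteria code prefix -> category, as in the criteria table above.
CATEGORY_BY_PREFIX = {
    "CC": "Security",
    "A": "Availability",
    "PI": "Processing Integrity",
    "C": "Confidentiality",
    "P": "Privacy",
}

# Matches a criterion reference such as CC6.1, A1.2, PI1.3, C1.1 or P4.2.
# Two-letter prefixes are listed first so "CC6.1" is never read as "C" + "C6.1".
CODE_RE = re.compile(r"\b(CC|PI|A|C|P)(\d+\.\d+)\b")


def triage_question(question, report_categories):
    """Classify one question as ('auto', code, category), ('not-in-report', code, category)
    or ('manual', None, None)."""
    m = CODE_RE.search(question)
    if m is None:
        # No criterion reference: sub-processors, GDPR, cyber insurance and similar
        # questions must be answered from policies and architecture docs instead.
        return ("manual", None, None)
    prefix, number = m.groups()
    category = CATEGORY_BY_PREFIX[prefix]
    if category not in report_categories:
        # Optional criterion (e.g. Availability) that this report's scope did not include.
        return ("not-in-report", prefix + number, category)
    return ("auto", prefix + number, category)


def triage_questionnaire(questions, report_categories):
    """Return per-question results and the share answerable directly from the report."""
    results = [triage_question(q, report_categories) for q in questions]
    auto = sum(1 for status, _, _ in results if status == "auto")
    return results, (auto / len(results) if results else 0.0)


# Constructed sample questionnaire, reusing the question wording quoted earlier on this page.
SAMPLE_QUESTIONS = [
    "Describe your logical access controls (CC6.1)",
    "How are changes to infrastructure and software managed? (CC8.1)",
    "What are your RTO and RPO targets? (A1.2)",
    "How is confidential data identified and classified? (C1.1)",
    "List your sub-processors and their locations",
]

if __name__ == "__main__":
    # Assumed report scope: Security and Confidentiality only, Availability not included.
    results, rate = triage_questionnaire(SAMPLE_QUESTIONS, {"Security", "Confidentiality"})
    for q, (status, code, category) in zip(SAMPLE_QUESTIONS, results):
        print(f"{status:14} {code or '-':6} {category or '-':20} {q}")
    print(f"answerable from report: {rate:.0%}")
```

Questions marked "not-in-report" are the ones to watch: the criterion exists, but the report you uploaded was not scoped to it, so the answer has to come from elsewhere or be stated as out of scope.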

SOC 2 Type I vs Type II

                   | Type I                             | Type II
Scope              | Control design at a point in time  | Control design + operating effectiveness over a period
DDQ accuracy       | Good (~85%)                        | Best (~92%)
Buyer preference   | Acceptable for initial evaluations | Preferred for enterprise deals
What FillBase uses | Control descriptions               | Control descriptions + operating effectiveness + auditor observations

If you have a Type II report, upload it. If you only have a Type I, it still works, just with slightly lower coverage because the operating-effectiveness details are missing.

The quarterly update cycle

SOC 2 reports cover a specific audit period (typically 12 months). Keep your knowledge base current:

  • When your new SOC 2 report arrives: Upload it to FillBase. It replaces the prior period's evidence.
  • When policies change: Upload the updated policy. FillBase uses the most recent version.
  • When sub-processors change: Update your sub-processor list.
  • When certifications renew: Upload new certificates.

FillBase always uses the most recent version of each document. Stale answers are the biggest risk in DDQ completion — keeping your knowledge base current eliminates it.

Try it free

Upload a SOC 2 questionnaire and your Type II report at fillbase.app. FillBase fills up to 50 questions free with source citations mapped to trust service criteria. No account required.

Use the SOC 2 questionnaire tool to get started, or browse all questionnaire types including ISO 27001, vendor risk assessments, and DDQ.
