What Is a SOC 2 Bridge Letter?
A SOC 2 bridge letter covers the gap between your last report’s period end and today. What it includes, who writes it, and when customers ask for one.
A SOC 2 bridge letter (or “gap letter”) covers the time between the end date of your most recent SOC 2 report and today. A customer asks for one when your last report’s period ended a few months ago and they want assurance that nothing material has changed since.
What a bridge letter contains
- The period it covers (from your report’s end date to the present)
- A statement that no material changes to controls occurred during the gap
- Confirmation of any significant changes, if there were any
- Management’s signature
Who writes it — and its limits
Your own management writes and signs the bridge letter, not your auditor. The CPA firm that performed the SOC 2 examination does not attest to the bridge period, so the letter carries management’s assurance only. That’s why it’s a stopgap, not a substitute for a report.
How long can it cover?
Bridge letters are generally expected to span no more than about three months. For longer gaps, customers will want a fresh SOC 2 report covering the new period — which is one reason teams move to a continuous, always-ready evidence posture. See the SOC 2 evidence checklist and Type I vs Type II.
Frequently asked questions
- What is a SOC 2 bridge letter?
  A SOC 2 bridge letter (or gap letter) is a short document, written by the service organization’s management, that covers the period between the end date of its most recent SOC 2 report and the present. It affirms that no material changes to controls have occurred during that gap.
- Who writes the SOC 2 bridge letter?
  The service organization’s own management writes and signs the bridge letter — not the auditor. The CPA firm that performed the SOC 2 examination does not attest to the bridge period, which is why bridge letters are limited in assurance.
- How long can a bridge letter cover?
  Bridge letters are generally expected to cover no more than about three months. For longer gaps, customers will typically want a new SOC 2 report rather than relying on a bridge letter.