Compliance / SOC 2

SOC 2 for MSPs

The audit framework a lot of your clients' own customers require them to answer for — and that requirement flows straight down to you as their MSP.

Why this reaches an MSP, not just the client

If a client answers to SOC 2 (increasingly common the moment their own customers are enterprise or handle sensitive data), their auditor will ask about vendor security — which means your access to their systems, your credential handling, and your own security posture become part of their audit evidence, whether or not you signed up for that directly.

What the Nexus compliance module tracks

  • A three-state posture per control — implemented, partial, planned — not a binary checkbox that can't represent partial progress
  • Evidence attached directly to the control it satisfies — a config export, a screenshot, a policy doc — not filed in a separate binder
  • Trust Services Criteria coverage (security, availability, confidentiality) mapped to the controls you actually run
  • A QBR rollup that turns posture into a client-readable summary instead of a spreadsheet only your team understands

This describes what the module tracks against SOC 2 — not a claim that Nexus or any client on it is certified or audited against it. See the compliance & QBR module for the full picture, or read the blog for more on how we think about compliance tooling.

Ready to see SOC 2 posture tracked for real?

Join the design-partner cohort and we'll walk through the control mapping for your own clients.