How do I get SOC 2 for a Next.js app deployed on Vercel?

March 6, 2026 · 2 min read · SOC 2 for Specific Tech Stacks

SOC 2 for the Next.js + Vercel Stack

If you're building a B2B SaaS product with Next.js on Vercel, you start SOC 2 from a good position. Vercel operates many infrastructure-level security controls for you by default: TLS termination, DDoS protection, the edge network, and isolation between deployments. Your job is to document which controls you inherit from Vercel (and cite its own SOC 2 report for them) and to produce evidence that the controls you still own at the application layer actually work.

What Vercel Gives You

SOC 2 requirement: Vercel coverage

Encryption in transit: HTTPS enforced on every deployment with Vercel-managed certificates. Record the TLS versions your production domains actually negotiate; your own scan is the evidence, not the vendor marketing page.
DDoS protection: Built into Vercel's edge network.
Deployment controls: Git-based deploys from GitHub, so every production change traces back to a commit and a pull request.
Environment isolation: Preview vs. production environments with separate environment variables. Check whether Deployment Protection is enabled for previews; a preview URL reachable without authentication undermines the isolation claim.
Access controls: Team roles (for example Owner, Member, Viewer) scoped to the Vercel team.
Audit logging: Deployment history with timestamps and the identity that triggered each deploy; team-wide audit logs of settings and membership changes are plan-dependent, so confirm what your plan exports.

What You Need to Prove

Control area: Your responsibility

Change management: GitHub branch protection on main, required PR reviews, required CI checks before merge.
Access controls: Vercel team roles, GitHub org and repository permissions, and who can reach the database (including from local machines).
Authentication: How your app authenticates users (NextAuth, Clerk, Auth0) and how sessions are issued, expired, and revoked.
Data protection: Database encryption at rest, authorization on every API route and server action, and what data server components fetch and pass down to the client.
Monitoring: Error tracking (Sentry), uptime monitoring, and alerting that actually reaches an on-call person.
Incident response: A written plan for handling security incidents, plus evidence that it has been exercised.
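The change-management row above names branch protection, PR reviews and CI checks as controls you own. Auditors want evidence that these settings are in force on the day of the sample, not just a screenshot from onboarding, so the following added example (written for this page, not code from Vercel, GitHub or the original article) turns the evidence item into a repeatable check. It evaluates an object shaped like the response of GitHub's branch-protection endpoint; the field names are an assumption about the GitHub REST API that you should verify against your own output, and the sample object is constructed, not captured from a real repository.

```typescript
// Added example: evaluate a GitHub branch-protection payload against the
// change-management controls a SOC 2 auditor will sample. Field names follow
// GET /repos/{owner}/{repo}/branches/{branch}/protection (assumption: verify
// against your own API response). Not GitHub's or the page's own code.

interface BranchProtection {
  required_pull_request_reviews?: {
    required_approving_review_count?: number;
    dismiss_stale_reviews?: boolean;
  };
  required_status_checks?: { strict?: boolean; contexts?: string[] };
  enforce_admins?: { enabled?: boolean };
  allow_force_pushes?: { enabled?: boolean };
  allow_deletions?: { enabled?: boolean };
}

interface Finding { control: string; ok: boolean; detail: string }

// Every check treats a missing field as a failure: absent evidence is not
// passing evidence. requiredChecks lists the CI contexts that must gate merges.
function checkBranchProtection(p: BranchProtection, requiredChecks: string[]): Finding[] {
  const reviews = p.required_pull_request_reviews;
  const status = p.required_status_checks;
  const approvals = reviews?.required_approving_review_count ?? 0;
  const contexts = status?.contexts ?? [];
  const missing = requiredChecks.filter(c => contexts.indexOf(c) === -1);
  return [
    { control: "pr_review_required", ok: approvals >= 1, detail: `approvals=${approvals}` },
    { control: "stale_reviews_dismissed", ok: reviews?.dismiss_stale_reviews === true,
      detail: `dismiss_stale_reviews=${String(reviews?.dismiss_stale_reviews)}` },
    { control: "ci_checks_required", ok: missing.length === 0,
      detail: missing.length ? `missing: ${missing.join(", ")}` : "all required contexts present" },
    { control: "checks_up_to_date", ok: status?.strict === true, detail: `strict=${String(status?.strict)}` },
    { control: "admins_not_exempt", ok: p.enforce_admins?.enabled === true,
      detail: `enforce_admins=${String(p.enforce_admins?.enabled)}` },
    { control: "force_push_blocked", ok: p.allow_force_pushes?.enabled === false,
      detail: `allow_force_pushes=${String(p.allow_force_pushes?.enabled)}` },
    { control: "deletion_blocked", ok: p.allow_deletions?.enabled === false,
      detail: `allow_deletions=${String(p.allow_deletions?.enabled)}` },
  ];
}

// Names of the controls that fail, in check order; an empty list is a pass.
function failingControls(p: BranchProtection, requiredChecks: string[]): string[] {
  return checkBranchProtection(p, requiredChecks).filter(f => !f.ok).map(f => f.control);
}

// Constructed sample: reviews are required, but admins are exempt and the lint
// job is not a required status check, which is the kind of drift that slips in
// when someone relaxes a rule "temporarily" to ship a hotfix.
const SAMPLE_PROTECTION: BranchProtection = {
  required_pull_request_reviews: { required_approving_review_count: 1, dismiss_stale_reviews: true },
  required_status_checks: { strict: true, contexts: ["ci/test"] },
  enforce_admins: { enabled: false },
  allow_force_pushes: { enabled: false },
  allow_deletions: { enabled: false },
};

for (const f of checkBranchProtection(SAMPLE_PROTECTION, ["ci/test", "ci/lint"])) {
  console.log(`${f.ok ? "PASS" : "FAIL"} ${f.control}: ${f.detail}`);
}
```

Run it on a schedule (or in the same workflow that generates your other evidence) and store the findings with a timestamp; a dated series of passing runs is stronger evidence than a single screenshot, and a failing run is the control-drift alert your change-management narrative promises the auditor.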

Key Evidence to Collect

  1. Vercel: Team member list, Git integration settings, deployment history, environment variable management
  2. GitHub: Branch protection on main, PR review requirements, Actions workflows, org member list
  3. Database: Encryption at rest settings, connection security (SSL), access restrictions
  4. Application: Auth configuration, RBAC implementation, API route protection
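Item 4 asks for evidence of RBAC and API route protection, and the table above lists authorization on API routes as your responsibility. The following added example (written for this page; not code from the original article, Vercel or Next.js) shows the shape of a Next.js Route Handler that is deny-by-default and records every authorization decision, which is exactly the artefact an auditor samples. It is modelled on the `DELETE` handler signature of an `app/api/orgs/[orgId]/projects/[projectId]/route.ts` file, but uses plain request and response objects instead of the web `Request`/`Response` types so it runs under Node with no Next.js installed; the bearer-token table is a constructed stand-in for the session lookup you would get from NextAuth, Clerk or Auth0, and the tenant check is added here as the step most often missing from role-only checks.

```typescript
// Added example: deny-by-default authorization for a Next.js Route Handler.
// Plain objects stand in for Request/Response so this runs without Next.js;
// SESSIONS is a constructed stand-in for NextAuth/Clerk/Auth0 session lookup.
// Not code from the page, Vercel or Next.js.

type Role = "owner" | "admin" | "member" | "viewer";
type Action = "read" | "write" | "delete" | "manage_members";

// Explicit allow-list. A role or action absent from this table is denied,
// which is the property you want to be able to demonstrate to an auditor.
const PERMISSIONS: Record<Role, ReadonlyArray<Action>> = {
  owner: ["read", "write", "delete", "manage_members"],
  admin: ["read", "write", "delete"],
  member: ["read", "write"],
  viewer: ["read"],
};

function isAllowed(role: Role | undefined, action: Action): boolean {
  if (role === undefined) return false;
  const allowed = PERMISSIONS[role];
  return Array.isArray(allowed) && allowed.indexOf(action) !== -1;
}

interface AppSession { userId: string; orgId: string; role: Role }

// Constructed token -> session table (assumption; your auth provider replaces this).
const SESSIONS: Record<string, AppSession> = {
  "tok-owner-a": { userId: "u1", orgId: "org-a", role: "owner" },
  "tok-viewer-a": { userId: "u2", orgId: "org-a", role: "viewer" },
  "tok-admin-b": { userId: "u3", orgId: "org-b", role: "admin" },
};

interface HttpRequest { headers: Record<string, string> }
interface HttpResponse { status: number; body: Record<string, unknown> }
interface RouteContext { params: { orgId: string; projectId: string } }

function resolveSession(req: HttpRequest): AppSession | undefined {
  const auth = req.headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/i.exec(auth);
  return m ? SESSIONS[m[1]] : undefined;
}

// One record per decision, allow or deny. Shipping these (to Sentry, a SIEM,
// or a database table) is the evidence behind "API route protection".
interface AuthzEvent {
  userId: string | null;
  orgId: string;
  action: Action;
  decision: "allow" | "deny";
  reason: string;
}
const auditLog: AuthzEvent[] = [];

function denyWith(ev: AuthzEvent, status: number): HttpResponse {
  auditLog.push(ev);
  return { status, body: { error: ev.reason } };
}

// DELETE /api/orgs/[orgId]/projects/[projectId]: authenticate, then enforce the
// tenant boundary, then the role. Order matters: an admin of org-b must be
// refused on org-a regardless of how privileged they are in their own org.
function deleteProject(req: HttpRequest, ctx: RouteContext): HttpResponse {
  const { orgId, projectId } = ctx.params;
  const session = resolveSession(req);
  if (!session) {
    return denyWith({ userId: null, orgId, action: "delete", decision: "deny", reason: "unauthenticated" }, 401);
  }
  // 404 rather than 403 so a cross-tenant probe cannot confirm the project exists.
  if (session.orgId !== orgId) {
    return denyWith({ userId: session.userId, orgId, action: "delete", decision: "deny", reason: "cross_tenant" }, 404);
  }
  if (!isAllowed(session.role, "delete")) {
    return denyWith({ userId: session.userId, orgId, action: "delete", decision: "deny",
      reason: `role ${session.role} lacks delete` }, 403);
  }
  // A real handler deletes the row here, scoped by orgId as well as projectId.
  auditLog.push({ userId: session.userId, orgId, action: "delete", decision: "allow", reason: "ok" });
  return { status: 200, body: { deleted: projectId } };
}
```

The two design choices worth documenting in your system description are the allow-list (anything not listed is denied, so adding a role or action is an explicit, reviewable change) and the tenant check running before the role check, which is what stops a privileged user in one customer's org from reaching another's data through a guessed ID.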

The Vercel SOC 2 Report

Vercel itself has a SOC 2 Type II report, typically available under NDA through its security or trust page. Reference it in your system description: it means the infrastructure layer is already audited, and your audit focuses on what you build on top of it. Read the report's list of complementary user entity controls (CUECs) carefully, because those are the controls Vercel's auditor assumes you, the customer, implement, and they belong in your own control set rather than in the inherited column.


© 2025 Screenata. All rights reserved.