What is a system description for SOC 2?
March 6, 20262 min readSOC 2 Policies and Documentation
What Is a System Description?
The system description is Section 3 of your SOC 2 report. It's a narrative document that explains what your company does, how your systems work, where data flows, and what controls are in place. Auditors read it to understand the boundaries of the audit — what's included and what's not.
It's written by your organization (not the auditor), though auditors review it for accuracy and may suggest edits.
What a System Description Covers
| Section | What to Describe |
|---|---|
| Company overview | What your company does, who your customers are |
| Services in scope | Which products or services the audit covers |
| System boundaries | Infrastructure, software, people, data included in scope |
| Infrastructure | Cloud providers, hosting, networking, deployment |
| Software | Application architecture, third-party services, integrations |
| People | Roles and responsibilities related to security |
| Data | Types of data processed, data flows, storage locations |
| Controls | Summary of key controls mapped to Trust Services Criteria |
Why It Matters
If your system description says you use AWS but you've recently migrated to Vercel, the auditor will test against what's written. Mismatches between the description and reality create findings. Accuracy is more important than length.
Tips for Startups
- Be specific about your stack. "Deployed on Vercel with PostgreSQL on Supabase" is better than "deployed on cloud infrastructure."
- Define what's out of scope. If your marketing site runs on a separate platform, say so explicitly.
- Include data flow diagrams. Even a simple diagram showing how customer data enters, is processed, and is stored helps auditors and speeds up the audit.
- Update it. If you change cloud providers or add new services between writing the description and starting the audit, update the document.