Disclosure: Independent directory. Not a CPA firm. Nothing here is legal, audit, or tax advice.

SOC 2 Bridge Letter Template (Free, Auditor-Reviewed)

By Editorial team

A ready-to-use SOC 2 bridge letter template with each clause explained — plus when customers request them and how long they stay valid.

A SOC 2 bridge letter (also called a gap letter) is a formal written representation from a service organization that its controls have continued to operate effectively during the period between the end of the most recent SOC 2 report's coverage and today. Enterprise procurement teams request them when your report is more than a few months old and a new report hasn't been issued yet. The letter doesn't replace a SOC 2 — it supplements it for a defined period, typically no more than 90 days.

When customers ask for a bridge letter

A request usually arrives in one of three situations: your Type II report covers a period that ended more than 4–6 months ago, a new enterprise customer is onboarding mid-audit-cycle, or a prospect's security team has a policy requiring attestation currency within a rolling 90-day window. In all three cases, the bridge letter is the standard mechanism — not an ad hoc memo.

Bridge letter template — annotated

The following template is structured around the four elements auditors and enterprise security teams expect to see. Replace bracketed placeholders with your actual information.

  1. [Company Legal Name] ('the Company') previously engaged [Auditor Firm Name] to perform a SOC 2 Type II examination of our [Security / Availability / Confidentiality / Privacy] Trust Services Criteria. The examination covered the period [Start Date] through [End Date] ('the Covered Period'). The resulting report was issued on [Report Issuance Date].
  2. As of [Bridge Letter Date] ('the Bridge Date'), which is [N] days after the end of the Covered Period, the Company represents that the controls described in the SOC 2 report continue to be in place and operating effectively. This representation covers the period from [End Date of Covered Period] through [Bridge Letter Date] ('the Bridge Period').
  3. The Company further represents that no material changes have been made to the systems, controls, or processes described in the SOC 2 report during the Bridge Period, except as follows: [NONE — or describe any material changes here with a brief explanation of their control impact].
  4. This letter is provided solely for the benefit of [Recipient Name or 'the requesting party'] and may not be relied upon by any other party. It does not constitute an audit opinion, attestation, or any form of assurance engagement under AICPA standards.
  5. Signed: [Name, Title], [Company Legal Name], [Date].

Clause-by-clause explanation

Clause 1 establishes the foundation: it ties the bridge letter to a specific, issued SOC 2 report. Never issue a bridge letter without an underlying completed report — it has no legal or evidential basis otherwise.

Clause 2 is the core representation. The bridge date must be no more than 90 days after the end of the covered period, or the representation becomes too stale to be useful. Many enterprise security teams will not accept bridge letters covering more than 90 days. Auditors from firms like Schellman, A-LIGN, and Prescient Assurance advise keeping this window to 60–90 days for first-time bridge letters.

Clause 3 is the material changes declaration — the most important clause for the recipient. 'No material changes' is a legal representation. If you made significant infrastructure changes, added a new cloud provider, experienced a security incident, or restructured access controls during the bridge period, disclose it here. Recipients scrutinize this clause. Leaving it blank when there were changes creates liability.

Clause 4 limits reliance to the named party. Don't omit this. A bridge letter circulating to unintended parties creates unanticipated representations.

Bridge letter validity and re-issuance

A bridge letter is valid for the period it covers, not for a rolling window. If a customer requests an updated letter three months after the first one, you issue a new bridge letter covering the additional period — with a new material changes declaration. Companies in active enterprise sales sometimes issue two or three bridge letters in a single audit cycle.

The right permanent fix is a shorter audit cycle. If your customer base regularly requests bridge letters, that's a signal to either accelerate your annual re-audit schedule or move from a 12-month to a 6-month observation window on future engagements. BARR Advisory, Insight Assurance, and Johanson Group all offer 6-month Type II engagements for clients in this situation.

What a bridge letter is not

It is not a SOC 2 report extension, an audit opinion, or an AICPA-defined attestation under SSAE 18. It is a management representation letter — analogous to the representation letter management provides to auditors during a financial audit under AU-C 580. Sophisticated buyers know this; they accept bridge letters as reasonable interim assurance, not as a substitute for the underlying report. If a customer insists on treating a bridge letter as equivalent to a completed SOC 2, that's a procurement misunderstanding worth clarifying.

Bridge letters in the context of M&A and investment

During acquisition due diligence or a funding round, a bridge letter is often the first security documentation a target company provides to the acquirer's security or legal team. In this context, the material changes declaration (Clause 3 in the template above) receives significant attention. Acquirers look for undisclosed incidents, infrastructure migrations, or control changes that aren't reflected in the issued SOC 2 report. If your company experienced a data incident, completed a major cloud migration, or significantly restructured engineering access controls during the bridge period, disclose it in the letter — not disclosing it and having it surface in technical due diligence is far worse.

For companies being acquired, the bridge letter also provides cover for the period between the last SOC 2 report and closing. Acquirers' representations and warranties insurance underwriters may require a bridge letter as part of the policy application if the underlying report is more than 6 months old. Your legal counsel will flag this requirement; prepare the bridge letter in coordination with them and your auditor, not independently.