SOC 2 subservice organizations: carve-out vs inclusive method
When your service runs on AWS or another vendor whose controls affect your customers, that vendor is a subservice organization, and your SOC 2 report has to account for it. Here is the difference between the carve-out and inclusive methods, and what most SaaS companies actually do.
What a subservice organization is
A subservice organization is a vendor whose own controls are necessary, in combination with yours, to meet the service commitments you make to customers. The classic example is your cloud provider: if you run on AWS, Google Cloud, or Azure, the physical security of their data centers and the resilience of their infrastructure directly affect whether you meet your availability and security commitments. Not every vendor qualifies; a tool that touches your operations but is not essential to your service commitments is generally treated as a regular vendor, not a subservice organization. The distinction matters because subservice organizations have to be addressed explicitly in your SOC 2 report, using one of two recognized methods.
The carve-out method
Under the carve-out method, you exclude the subservice organization's controls from the scope of your audit. Your report still names the subservice organization and describes the services it provides and the types of controls you expect it to perform, but your auditor does not test those controls directly. Instead, you and your auditor rely on the subservice organization's own SOC 2 report as evidence that those controls are operating effectively. This is by far the most common choice, because it keeps your audit scope and cost manageable and works cleanly when your provider already publishes a strong SOC 2 report, which the major clouds do. The tradeoff is that responsibility does not disappear: you still have to understand and monitor that vendor's controls, which is why vendor risk reviews matter.
The inclusive method
Under the inclusive method, the subservice organization's controls are pulled into your audit scope: described in your system description and tested by your auditor, with the results appearing in your report. This produces a single, comprehensive report covering both organizations, which a customer may find reassuring because there is no second report to chase. In practice it is uncommon, because it requires the subservice organization's active cooperation, including providing its own written assertion, making personnel available for testing, and granting your auditor access. Hyperscalers like AWS will not participate in another company's inclusive audit, so the method is realistic only with a smaller, closely aligned partner. It also expands scope, cost, and timeline meaningfully.
CSOCs and CUECs
Two related concepts appear in nearly every report that uses the carve-out method. Complementary subservice organization controls, or CSOCs, are the controls you are assuming your subservice organization performs, such as restricting physical access to data centers, which are necessary alongside your own controls to achieve your commitments. Complementary user entity controls, or CUECs, point in the other direction: they are the controls your own customers must implement on their side, such as managing their user accounts or configuring access correctly, for the overall system to work as intended. Your auditor lists both in the report so readers understand the shared-responsibility boundaries. Reviewers of your report are expected to read the CUECs carefully and confirm they have those controls in place.
What most SaaS companies do, and how to handle vendor SOC 2 review
The overwhelmingly common pattern for SaaS companies is the carve-out method for cloud infrastructure providers, paired with a disciplined vendor review program. Practically, that means obtaining each subservice organization's current SOC 2 Type II report annually, confirming the report period and scope cover the services you actually use, and reading the auditor's opinion and any noted exceptions. You should also check the CUECs in their report, because those are obligations they are pushing onto you, and verify those controls are operating on your side. For vendors that cannot or will not produce a SOC 2 report, document a compensating review such as a security questionnaire or contractual commitments so your auditor can see the risk is managed. Done well, carve-out plus rigorous vendor monitoring gives you a clean, defensible report without the overhead of an inclusive audit.