SOC 2 Type II Compliance

SOC 2 evidence that assembles itself.

Your auditor samples 25 code changes. For each one, someone manually screenshots the PR, exports the Jira ticket, copies CI logs, and pastes it into a spreadsheet. That is 30 to 90 minutes per sample. MergeWhy captures all of it automatically at merge time.

Manually assembled SOC 2 evidence has a 35% error rate. Cryptographic sealing eliminates human error entirely.

400+ hours saved per audit cycle

35% manual error rate eliminated

12 compliance frameworks

< 2 min setup time

The Problem

Manual evidence collection is broken.

30-90 minutes per sample

Screenshot the PR, export the Jira ticket, copy CI logs, paste into a spreadsheet

Captured automatically at merge

35% manual evidence error rate

Wrong PR linked, outdated screenshots, missing approvals, inconsistent formatting

Cryptographic sealing eliminates errors

400+ hours per audit cycle

Multiply 25-60 samples by 30-90 minutes each, across multiple auditors and controls

Under 5 minutes for a complete bundle

Evidence scattered across 6 tools

GitHub, Jira, Slack, CI pipelines, deployment logs, spreadsheets — all in one record

Single source of truth per change

SOC 2 Controls

Automated evidence for Trust Services Criteria.

CC6.1 — Change Management Evidence

Every pull request generates a Decision Evidence Record with the ticket link, description, code review, approval, and CI results. Your auditor gets a complete change authorization trail without anyone lifting a finger.

CC7.1 — Monitoring & Detection

Continuous monitoring of evidence quality across all repositories. Gap detection flags missing tickets, unsigned approvals, failed CI checks, and missing security scans in real time — before the auditor finds them.

CC8.1 — Change Control

Automated evaluation of every code change against SOC 2 Trust Services Criteria. Per-control pass/fail scoring, evidence linking, and gap remediation tracking. All sealed in a SHA-256 evidence vault at merge time.

Organizational Evidence Integration

Connect AWS, GCP, or Azure to automatically collect cloud infrastructure evidence — MFA enforcement, encryption at rest, network segmentation, audit logging. SOC 2 controls CC6.1 through CC7.2 evaluated from live cloud posture.

How It Works

Three steps to audit-ready evidence.

01 Install the GitHub App

Connect your repositories in under 2 minutes. MergeWhy begins capturing SOC 2 change evidence from your very first pull request.

02 Merge as usual

Developers change nothing about their workflow. Every merge generates a Decision Evidence Record with ticket, approval, review, tests, and deployment data.

03 Hand your auditor a ZIP

Generate audit bundles with one click. Per-control evidence mapping, executive summary, sealed vault hashes. Your auditor samples 25 changes and finds complete evidence for every one.

What Your Auditor Sees

One record per code change. Every field filled.

Ticket Reference      ACME-1472 (Jira)
Code Review           2 reviewers, 1 approval
CI Pipeline           All checks passed (tests, lint, security)
Change Description    Why: PCI requirement for retry logic
AI Risk Assessment    Low risk, documentation quality: 92/100
Evidence Score        87/100
Vault Seal            SHA-256: a3f8e2...c91d

Get Started

Your next SOC 2 audit starts at merge time.

Free for your first repository. Evidence capture begins with your very first pull request. No configuration required.