Requesting BitGo SOC Reports and Bridge Letters

Problem

Clients and their external auditors frequently contact BitGo Support to obtain SOC 1 Type II and/or SOC 2 Type II audit reports, as well as bridge letters that cover the gap period between the end date of the most recent SOC report and the client's audit period-end. These requests are part of standard annual audit procedures to evaluate BitGo's internal control environment. Requestors may ask for reports covering BitGo Inc., BitGo Trust, or both entities, and may also request SOC reports for subservice organizations referenced in BitGo's SOC 1 report.

Diagnostics

  • Identify the requesting party: Determine whether the request comes from a BitGo client directly, or from the client's external auditor acting on their behalf. If from an auditor, confirm they have identified the client enterprise name and/or enterprise ID. Because SOC reports are confidential and released only under NDA, confirm that an auditor-originated request is authorized by the client (for example, by checking with the client contact or the assigned CSM) before releasing any documents, and send them only to the verified requester's address.
  • Verify the client's enterprise in Salesforce: Look up the enterprise in Salesforce to confirm active client status and identify any assigned CSM. Check for tier classification (e.g., T3 clients may not have an assigned CSM).
  • Determine the specific reports requested: Clarify whether the client needs SOC 1 Type II, SOC 2 Type II, or both; whether they need reports for BitGo Inc., BitGo Trust, or both; and whether bridge letters are also needed.
  • Check NDA status: Confirm whether an active NDA is in place with the client. BitGo requires an active NDA before sharing SOC reports. If the NDA has expired or is pending renewal, the reports cannot be sent until the NDA is resolved.
  • Check for subservice organization report requests: If the auditor requests SOC reports for subservice organizations listed in BitGo's SOC 1 (e.g., Amazon Web Services, Equinix, Digital Realty, LightEdge, NetSuite/Oracle, Snowflake), note that availability of these reports may vary and some may be pending.
  • Check report availability: SOC reports cover a specific audit period (typically ending around September/October). If the client needs coverage through year-end (e.g., Q4), a bridge letter is required. Confirm with the internal team whether the current-year report and/or bridge letter are available yet.

Resolution


Scenario: soc-report-bridge-reports#standard-soc-report-request

Trigger: Client or their auditor requests BitGo's SOC 1 Type II, SOC 2 Type II reports, and/or bridge letters for audit purposes.

Signals: SOC 1, SOC 2, Type II, Type 2, audit report, bridge letter, auditors, annual audit, controls report

Steps:

  1. Acknowledge the request and confirm which specific reports are needed (SOC 1, SOC 2, or both; BitGo Inc., BitGo Trust, or both; bridge letters).
  2. Verify the client's enterprise in Salesforce. If a CSM is assigned, loop them in. If no CSM is assigned (e.g., T3 client), proceed through Support.
  3. Post the request to the internal Slack channel (e.g., #soc-reports or the relevant operations channel) and/or submit a Security Operations Request in Salesforce to the Product Ops / SE team.
  4. Once the internal team provides the documents, attach the SOC report(s) and bridge letter(s) to the reply and send to the client or their auditor.
  5. If the requested report or bridge letter is not yet available, inform the client of the anticipated timing so they can communicate it to their auditors.

Notes: SOC reports are typically sent as email attachments in a separate thread or directly in the support ticket reply. The internal Product Ops team (or SE team) is responsible for providing the actual documents. Bridge letters cover the gap period between the SOC report's audit period end date and the client's fiscal year-end (e.g., covering Q4 through December 31).

"Attached are the SOC 2 reports and the recent bridge letter. Please let us know if you need anything apart from this." (ticket #261364)

"Kindly find the attached documents as requested." (ticket #320478)


Scenario: soc-report-bridge-reports#nda-required-or-expired

Trigger: The client's NDA with BitGo is expired, pending renewal, or not yet in place, blocking delivery of SOC reports.

Signals: NDA, expired, revised NDA, legal review, cannot supply, NDA required

Steps:

  1. Check the NDA status for the requesting client in Salesforce or with the legal team.
  2. If the NDA is expired or under revision, inform the client that BitGo requires an active NDA before SOC reports can be shared.
  3. Coordinate with the BitGo legal team and the client's counterpart to finalize the NDA.
  4. Once the NDA is signed, proceed to deliver the requested SOC reports and bridge letters.

Notes: Do not send SOC reports until the NDA is fully executed. This applies even if the client has received reports in prior years — the NDA must be current.

"We can definitely send these over for your audit requirements. Though, we need an active NDA with our clients to do that. It is possible that [the client's] may have expired recently or is getting close to expiry." (ticket #314556)

"We can't supply the new SOC reports until we have a newly signed NDA." (ticket #314556)


Scenario: soc-report-bridge-reports#wrong-report-type-delivered

Trigger: The client or auditor received a SOC 1 report when they requested a SOC 2 report (or vice versa), and follows up to clarify.

Signals: SOC 1 instead of SOC 2, wrong report, replaced, incorrect report type

Steps:

  1. Acknowledge the error and confirm which report type the client actually needs.
  2. Re-submit the request to the internal team specifying the correct report type (SOC 1 vs. SOC 2).
  3. Deliver the correct report once received from the internal team.
  4. If a bridge letter is also needed for the correct report type, request that as well.

Notes: BitGo issues separate SOC 1 and SOC 2 reports, and they may also be issued separately for BitGo Inc. and BitGo Trust. Double-check the exact entity and report type before sending.

"While we have successfully received the SOC 1 Type II report, it appears that the document provided in response to the earlier request for the SOC 2 Type II report may have been replaced with the SOC 1 report instead." (ticket #261364)


Scenario: soc-report-bridge-reports#subservice-organization-reports

Trigger: An auditor requests SOC reports for subservice organizations referenced in BitGo's SOC 1 Type II report.

Signals: subservice organizations, AWS, Equinix, Digital Realty, LightEdge, NetSuite, Snowflake, subservice SOC

Steps:

  1. Direct the auditor to contact balanceconfirmations@bitgo.com for audit-related inquiries, or escalate internally.
  2. Submit the request to the Product Ops team, specifying which subservice organization reports are needed.
  3. Deliver whatever subservice SOC reports are currently available.
  4. If any subservice reports or bridge letters are not yet available (e.g., Digital Realty report or NetSuite bridge letter), inform the auditor and provide an update when they become available.

Notes: BitGo's SOC 1 Type II report identifies the following subservice organizations: BitGo, Inc., Amazon Web Services (AWS), Equinix, Digital Realty, LightEdge, NetSuite (by Oracle Corporation), and Snowflake. Not all subservice organization reports may be available at the time of the request.

"I am attaching all the relevant SOC 1 Type 2 reports. Unfortunately, we are still awaiting the Digital Realty report and NetSuite bridge letter to cover the last quarter." (ticket #320278)

"Please reach out to our team at: balanceconfirmations@bitgo.com for assistance with the request." (ticket #320278)


Scenario: soc-report-bridge-reports#audit-inquiry-redirect

Trigger: The request is an audit-related inquiry (balance confirmations, audit letters, or SOC report requests from external auditors) that should be routed to a specific BitGo team.

Signals: audit inquiry, balance confirmation, external auditor, audit procedures, balanceconfirmations

Steps:

  1. If the request is specifically about audit confirmations or comes from an external auditor needing formal audit documentation, direct them to balanceconfirmations@bitgo.com.
  2. If the request is a straightforward SOC report request from a known client or their auditor, handle via the standard SOC report request process (see scenario above).

Notes: The balanceconfirmations@bitgo.com address is the designated contact for audit-related inquiries beyond standard SOC report distribution.

Related