Our resource center for all things Compliance

Frequently Asked Questions

The most common questions we get.

A Type-1 audit is conducted at a point in time. Type-1 shows what’s in place to get compliant. A Type-2 audit is a much broader and more comprehensive audit that inspects the effectiveness of control operations across a period of time (usually 6-12 months). Type-2 shows how you’re staying compliant over time. We provide evidence collection, monitoring, and real-time auditor feedback over that entire span of time.

Unlike PCI, only a CPA firm can provide a signed SOC-2 report. We help you Control the SOC 2 Compliance process, prepare and facilitate the audit, and act as an internal audit team to help you pass without the pain. But we cannot grant a SOC-2 report. We're happy to connect you with one of our audit partners to get it done quickly!

There are currently five Trust Services Criteria: Security, Availability, Confidentiality, Privacy and Processing Integrity. Most organizations start their compliance journey focused on Security, then build a compliance roadmap across other criteria over time.

Control is Very Good Security’s Compliance Platform. Many compliance frameworks have common criteria. This means that, for example, adherence to a PCI control can also apply to a HIPAA control. We cover multiple compliance frameworks, including ISO 27001, PCI, HIPAA, GDPR, CCPA and more.

SOC 2 applies to a much broader range of organizations, and focuses on the security, availability, confidentiality, processing integrity, and/or privacy of customer data. PCI, on the other hand, has a narrower focus, specific to organizations that accept, store, process, or transmit cardholder data.

No. There are obvious benefits that you should seriously consider, like immediate compliance across dozens of data-related control criteria. But it’s not a requirement. We see many customers starting with Control and adding the VGS Vault as they grow their security posture.

We fully support your security journey on Control in two different ways. The first is through a dedicated account manager, security engineer and compliance expert who will always respond in under 48 hours to your questions or concerns. The second is through an optional shared Slack channel upgrade, where you get immediate access to that same team of experts.

is a major differentiator for us because many companies in this area have zero employees with infosec backgrounds or security engineering. When you partner with VGS you get access to industry veterans like our CISO, who was the former head of security at GitLab, appsec engineers, and compliance veterans.

Customers regularly come to us for help remediating ongoing cybersecurity attacks, something they would not trust compliance checkbox vendors with.

The short answer? No. Endpoint agents are a confusing option for achieving SOC 2, especially when companies intentionally create confusion and security theater to sell their product. Let’s take a moment to think about endpoint agents from a security standpoint, instead of a compliance one.

There are two kinds of agents: monitors and enforcers. Endpoint monitors are the definition of security theater when it comes to endpoints: they’re a lagging indicator that makes alert fatigue worse. Imagine someone's laptop gets stolen, and an attacker decrypts the drive and steals the information. Monitor agents are totally useless in this situation: the agent alerts you it's been decrypted only if it’s been connected to the internet for some reason, and at this point it doesn’t matter that it’s been decrypted. Imagine an antivirus tool that let you know all your files had been encrypted instead of stopping the virus. Real security teams hate unactionable alerts more than anything because they stop them from responding to actual threats. Monitoring agents do no enforcement, which is why they’re useless.

Control’s approach to endpoint agents is to encourage you to use meaningful enforcement when the time is right for your business. This is why we integrate with tools like Jamf, Microsoft Intune, Google Workspace device management and JumpCloud: all of these agents enforce security controls instead of perpetuating security theater and harming your security posture from day one.

For smaller companies just trying to check the compliance box we recommend an onboarding process. During an audit for small businesses, this does mean taking around 3 screenshots, but it also means you didn’t deploy an extra piece of adware to your entire device and server fleet. Use this process to check the box, and then scale into a real device manager over time.

Our aim with Control is to both check the box for you in the easiest way possible, and then to scale into meaningful security with you in the long run. A monitor-only endpoint agent perpetuates security teams' worst nightmares: security theater and alert fatigue.

We run our monitors once a month by default but can run them as frequently as you would like for your team. Because an auditor is looking for improvement over time from an evidencing standpoint, the monthly cadence is best from their standpoint. We are also concerned about avoiding alert fatigue, so we'd suggest a cadence that makes alerts feel meaningful to your team.

We love getting this question because it shows that you’re thinking correctly about security as a whole, and means you’re probably in a great state as a business to go through an audit. By default we create a role with read-only access into the entire account, and that’s our general philosophy with all the integrations. We’re confident you can trust our access because we store your credentials in the same Vault that holds consumer card information for large financial institutions that we guarantee the safety of. That being said, we understand any concerns and have designed the integrations in such a way that if access is denied, that piece of evidence is just dropped from the platform without any hiccups. Basically, more visibility = more automation and monitoring, but less visibility will not impact your ability to use the platform. So feel free to customize the policies in cloud platforms however you’d like; it just means potential manual evidence for the audit.


Issues related to payments or invoicing.

VGS Control is an annually renewed platform in order to provide value over time in renewing your audits. The annual fee can be paid all at once, or in monthly installments.

Contact your account representative, or email us at

While we don't offer referral codes, please let your account manager know anything that may be determining your budget. We're happy to work with you on pricing!


Issues related to logging in, out, or about multiple devices.

Our accounts automatically time out your login after 24 hours. If you're losing access faster than that, check that your cookies and cache are not being automatically cleared. Try turning off any browser extensions on our page. If you continue to have any issues, please contact your account representative.

Please contact your account representative directly or email us at

We should connect to determine which compliance frameworks you're pursuing, if we can help by providing an auditor or pentester, and to walk you through some of our cool paid features.

We support SSO via Google login, as well as regular email-based accounts. MFA is coming soon! We also support RBAC for user accounts invited to the platform.
