How to collect SOC 2 audit evidence as a small legal and compliance team

Compliance & Legal · For Small Legal and Compliance Teams · 3 apps · 12 steps · ~24 min to set up

Your two-person legal team is the unofficial owner of SOC 2 audit prep, even though no one in legal has 'compliance engineer' in their title. Every August (or whenever the auditor shows up), you spend two to three weeks manually pulling access logs from Google Drive, chasing the IT team for vendor lists in a spreadsheet that lives in three different versions, re-exporting policy attestation records from Notion, and forwarding evidence folders over Gmail because your shared Drive folder structure was last organized when you had 60 employees. Vanta or Drata tracks control status but doesn't help you actually collect the underlying documents. You're the one who has to go find them.

Outcome

What you'll set up

A live evidence-collection dashboard that pulls from Gmail, Google Drive, Notion, and your HR system so you can see exactly which controls have supporting documents and which are still open — without exporting anything manually.
An automated weekly chaser that identifies missing or stale evidence items and sends a Slack or email reminder to the right owner (IT, HR, Engineering) with a direct link to what's needed.
A task tracker for audit prep that maps every SOC 2 control to a responsible person, a due date, and the current evidence status — updated automatically as documents land.
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Data sources & config

Starch syncs your Gmail data on a schedule (messages, labels, thread history) and syncs your Notion databases on a schedule (pages, users, last-edited timestamps). Google Drive and Slack are connected from Starch's integration catalog and queried live when the evidence tracker or chaser automation runs. HR headcount data (for access review evidence) is pulled from Rippling or BambooHR via Starch's integration catalog. Any vendor portal or compliance questionnaire tool that doesn't have a formal API — such as a customer's self-hosted trust portal — Starch automates through your browser, no API needed.

Prompts to copy
Build me a SOC 2 evidence tracker. Pull my open tasks from Gmail threads tagged 'audit' and from our Notion compliance database. Create one row per control with columns for: control ID, control description, evidence type needed, assigned owner, due date, and status (missing / draft / complete). Flag anything overdue in red.
Every Monday at 8 a.m., check which SOC 2 evidence items still have status 'missing' or 'draft'. For each one, draft a Slack message to the assigned owner with the control name, what document is needed, and the audit deadline. Send it to the #compliance channel and also email a summary to me.
Build me a knowledge base of our SOC 2 policy documents synced from Notion. Any time a document's last-edited date is more than 11 months ago, flag it as 'needs re-attestation' and add a task for the policy owner with a 2-week deadline.
Run these in Starch, or paste them into your favorite agent.
Walkthrough

Step-by-step

1 Connect Gmail via scheduled sync in Starch. Starch will index threads, labels, and attachments. Apply a Gmail label called 'SOC2-Evidence' to any thread where someone sent you a document relevant to an audit control — Starch will pick it up automatically.
2 Connect your Notion compliance workspace via scheduled sync. If you track control status in a Notion database (even a rough one), Starch maps each row: control ID, owner, policy doc link, last attestation date.
3 Connect Google Drive and Slack from Starch's integration catalog. The agent will query Drive live to verify whether a linked evidence document exists and is not empty, and will post chaser messages to Slack when evidence is missing.
4 Connect your HR system — Rippling, BambooHR, or Gusto — from Starch's integration catalog. This lets Starch pull current employee headcount and role lists for access review evidence, which auditors always ask for.
5 Describe your evidence tracker in plain language: 'Build me a dashboard with one row per SOC 2 control. Columns: control ID, evidence type, assigned owner, due date, status. Pre-populate from our Notion database. Let me update status manually or mark complete when I upload a doc.' Starch builds the app.
6 Add a weekly automation: every Monday morning, Starch checks which controls still show 'missing' or 'draft', looks up the assigned owner's email and Slack handle, and sends a personalized reminder with the exact document type needed. No CC-all emails to the whole company.
7 Use the Knowledge Management app to store your finalized policy documents in one indexed place. When your auditor asks for your Incident Response Policy or your Access Control Policy, you search once and paste a direct link — no Drive folder archaeology.
8 For any vendor that sends a security questionnaire back to you as a PDF in email, use the Email Agent: 'Summarize this vendor questionnaire. List every question they're asking and whether our existing SOC 2 policies already answer it.' This takes a 45-minute read-through down to 5 minutes.
9 For audit evidence that lives on a third-party portal — like a subprocessor's trust page or a carrier's compliance certificate site — Starch automates the download through your browser. No API needed. You describe the workflow once; Starch runs it on a schedule.
10 Build a second lightweight app for the 'evidence handoff': when a control is marked complete, Starch automatically moves the linked document to a shared Google Drive folder named by control ID, and logs the completion event with a timestamp. Your auditor gets a clean, organized folder instead of a zip file.
11 Two weeks before audit kickoff, run a final gap report: 'List every control where status is not complete, sorted by risk level. For each, show the assigned owner and the number of days overdue.' Review it in your weekly legal sync and assign the remaining items.
12 After the audit closes, use the Task Manager to capture any 'management response' commitments you made to the auditor. Each commitment becomes a task with an owner and a 90-day due date, so next year's audit doesn't find the same gaps.
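The tracker logic that the prompts above and steps 5, 6 and 11 describe (status per control, a Monday chaser to the assigned owner only, the 11-month staleness rule with a two-week re-attestation task, and a gap report with days overdue) can be expressed as a few small functions. This is an added illustration written for this page, not Starch's own code; the control IDs, owners, dates and the `risk` field are constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Control:
    control_id: str
    evidence_type: str      # the document the owner must provide
    owner: str              # Slack handle of the assigned owner
    due: date
    status: str             # 'missing' | 'draft' | 'complete'
    risk: int               # 1 = highest (assumed field; the page's tracker columns have no risk)
    last_attested: Optional[date] = None  # policy documents only

def months_before(d: date, months: int) -> date:
    # Calendar-accurate "N months ago", clamped to the last valid day of the target month.
    total = d.year * 12 + (d.month - 1) - months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def gap_report(controls, today: date):
    # Open controls, highest risk first, then most overdue; days_overdue is 0 when not yet due.
    rows = [(c, max((today - c.due).days, 0)) for c in controls if c.status != "complete"]
    rows.sort(key=lambda r: (r[0].risk, -r[1]))
    return [{"control_id": c.control_id, "owner": c.owner, "days_overdue": d} for c, d in rows]

def chaser_messages(controls, audit_deadline: date):
    # One reminder per open control, addressed only to that control's owner (no CC-all).
    return [(c.owner, f"{c.control_id}: please provide {c.evidence_type} "
                      f"(status {c.status}; audit deadline {audit_deadline.isoformat()})")
            for c in controls if c.status in ("missing", "draft")]

def stale_policies(controls, today: date, months: int = 11, task_days: int = 14):
    # Policies last attested more than `months` months ago get a re-attestation task due in `task_days`.
    cutoff = months_before(today, months)
    return [{"control_id": c.control_id, "owner": c.owner, "flag": "needs re-attestation",
             "task_due": today + timedelta(days=task_days)}
            for c in controls if c.last_attested is not None and c.last_attested < cutoff]

# Constructed sample tracker rows and dates (not taken from the page).
TODAY, AUDIT_DEADLINE = date(2026, 7, 20), date(2026, 8, 31)
SAMPLE = [
    Control("CC6.1", "quarterly access log export", "@it-director", date(2026, 7, 15), "missing", 1),
    Control("CC7.2", "penetration test report", "@eng-lead", date(2026, 8, 1), "draft", 2),
    Control("CC1.1", "attested Code of Conduct policy", "@legal", date(2026, 7, 1), "complete", 3, date(2025, 6, 30)),
    Control("CC5.3", "attested Incident Response policy", "@security", date(2026, 7, 1), "complete", 1, date(2026, 3, 1)),
]
```

With the sample rows, `chaser_messages` produces two reminders (one each to the IT and Engineering owners) and `stale_policies` flags only the Code of Conduct policy, whose last attestation falls before the 11-month cutoff.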

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Worked example

August 2026 SOC 2 Type I Prep — 6 Weeks Out

Sample numbers from a real run
Total controls in scope: 42
Controls with complete evidence on day 1: 11
Controls auto-flagged as missing by Starch in week 1: 19
Controls with stale policy docs (>11 months old): 7
Vendor questionnaire PDFs processed via Email Agent: 14
Hours saved on manual evidence chasing (estimated): 28

Six weeks before your Type I audit window opens, you connect Gmail, Notion, and Google Drive to Starch. Starch ingests your existing Notion controls tracker — 42 rows, each with a control ID and an owner's name — and builds an evidence dashboard in about 90 seconds. Of the 42 controls, 11 already have linked documents in Drive that Starch can verify exist. The remaining 31 are flagged. Starch's first Monday chaser goes out automatically: 19 separate Slack messages, each to the right owner (IT gets the access log requests, HR gets the background check records, Engineering gets the penetration test report). By week 3, you're at 34 of 42 complete without a single all-hands email from you. The 7 policy documents flagged as stale (last attested more than 11 months ago) are routed to policy owners as Task Manager items with a 10-day deadline. Your 14 inbound vendor questionnaires — which arrived as PDF attachments across three email threads — are summarized by the Email Agent in a single session: you learn that 9 of them are answered by your existing policies, 4 need a one-paragraph custom response, and 1 is asking for a control you don't have yet, which you now know before the audit does.

Measurement

How you'll know it's working

Evidence completion rate: % of in-scope controls with verified, complete supporting documents at T-minus 2 weeks before audit
Days to close open evidence items: average calendar days from chaser sent to document received, by department
Policy staleness rate: number of policies flagged as overdue for re-attestation at any point in the year
Auditor request turnaround: hours from auditor PBC (provided-by-client) request to document delivered
Repeat findings rate: % of prior-year audit findings that resurface in the current audit cycle
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Vanta or Drata alone
These tools track control status and automate some evidence collection from cloud infrastructure, but they don't help you chase humans, summarize inbound questionnaires, or build the custom evidence-handoff workflows your legal team runs manually — Starch fills that operational layer on top.
Ironclad or Evisort
Purpose-built for contract lifecycle management, not audit evidence collection; both assume a dedicated legal-ops operator to configure and run them, and neither connects to your HR system or Notion tracker the way Starch does out of the box.
Shared Google Drive folder + Gmail + manual spreadsheet
This is what most 2-person legal teams actually use today; it costs nothing but 25–40 hours of your time every audit cycle and produces a folder structure that's outdated before the auditor opens it.
OneTrust
Comprehensive compliance and privacy platform, but priced for dedicated compliance teams with six-figure budgets; the configuration overhead alone requires weeks that a 2-person legal team doesn't have.
On Starch (recommended)

One platform — task manager, knowledge management, email agent all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

FAQ

Frequently asked questions

We already use Vanta to track our controls. Does Starch replace it?
No, and it shouldn't. Vanta does the continuous monitoring work — it watches your AWS configs, checks whether MFA is on, keeps the control log. Starch handles the human-in-the-loop layer that Vanta doesn't: chasing your IT director for an access log, summarizing 14 vendor questionnaire PDFs, building the evidence handoff folder, and surfacing what's still missing two weeks before your auditor arrives.
Our evidence lives across Gmail, Notion, Google Drive, and a Confluence wiki. Can Starch pull from all of those?
Yes. Starch syncs Gmail and Notion on a schedule, and connects Google Drive and Confluence from its integration catalog, querying them live when your evidence tracker or automation runs. You don't have to consolidate everything into one system first — Starch reads across all of them.
We're not SOC 2 certified yet ourselves. Does Starch have SOC 2 Type II certification?
Not yet — Starch is not SOC 2 Type II certified today. That's worth knowing if your own auditor asks about the tools in your environment. It's on the roadmap.
Can Starch pull our employee access list from Okta or our HR system for access review evidence?
If your HR system is Rippling, BambooHR, Gusto, ADP, or Paylocity, yes — connect it from Starch's integration catalog and the agent queries it live. For Okta specifically: if Okta is reachable through your browser (it is), Starch can automate the access log export through browser automation — no Okta API key required.
What about evidence that only exists as a PDF attachment someone emailed us?
The Email Agent reads your Gmail threads on a schedule. You can tell Starch: 'Any email labeled SOC2-Evidence with a PDF attachment — extract the attachment, log the sender, date, and document name, and add a row to the evidence tracker.' It handles the extraction; you don't open the attachments one by one.
We have a vendor who only has a trust portal on their website — no API, no email export. Can Starch get their compliance certificate?
Yes. Starch automates browser sessions — it can navigate to a vendor's trust portal, log in with credentials you provide, download the current SOC 2 report or certificate, and save it to your evidence folder. No API needed. You describe the workflow once; Starch runs it on whatever schedule you set.
The Task Manager app says it's currently in development. Can I use it for audit prep now?
The Task Manager is available in beta — you can request access through Starch. If you'd rather not wait, you can describe a similar task-tracking surface to Starch and it will build a custom version for your specific audit-prep workflow using your existing Notion or Airtable data as the backing store.

Ready to collect SOC 2 audit evidence on Starch?

Request closed-beta access. Everything is free during beta.
