What is a Bridge Letter?

A bridge letter (or gap letter) is a document issued by a service organization's management to cover the period between the end date of its SOC 2 report and the customer's current reporting date. It states that no significant control changes occurred, but provides no auditor assurance and does not extend the report.

SOC 2 reports cover a fixed period that always ends in the past, so a customer reviewing a vendor mid-year often faces a gap between the report's end date and today. A bridge letter (also called a gap letter) fills that gap: the service organization's management affirms that the controls described in the report remained in place and that no material changes or significant incidents occurred during the interim period.

The critical point is who writes it. A bridge letter comes from the service organization's management, not the CPA firm, and it carries no audit testing or assurance. It is a self-attestation, typically covering no more than about three months. For example, if a SOC 2 Type II report ends December 31 and a prospect asks for current coverage in February, the vendor can issue a bridge letter for January and February rather than commissioning a new examination.

Bridge letters are a normal part of vendor risk management, but they are a stopgap, not a substitute for a current report — a long or repeated gap is a signal to request the next SOC 2. Documentation and a clean control program make a bridge letter easy to support, yet only the next CPA examination renews actual third-party assurance.

Related terms: SOC 2 Type I vs Type II · Service Organization · Vendor Risk Management · Audit Evidence

Frequently asked questions

Who issues a SOC 2 bridge letter?
The service organization's own management issues it, not the CPA firm that performed the examination. Auditors generally decline to provide assurance over a period they did not test, so the bridge letter is a management self-attestation.

How long can a bridge letter cover?
Usually no more than about three months between the report's end date and the current date. A longer gap signals that you should request the vendor's next SOC 2 report rather than relying on a bridge letter.

Does a bridge letter extend my SOC 2 report?
No. It does not extend the report or add auditor assurance. It simply states that management is not aware of significant control changes during the gap period; the report's coverage still ends on its original date.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.