Legal
Terms of Service
Last updated: March 2025
These Terms of Service outline the professional obligations between GreenHat Assurance and our clients for SOC 2 attestation engagements. They should be read together with the specific engagement letter that defines the scope, timing, and fees for your audit.
1. Acceptance of Terms
These Terms of Service (the "Terms") govern all SOC 2 attestation, readiness, and related advisory services (collectively, the "Services") provided by GreenHat Assurance, a licensed CPA firm and AICPA member ("we", "us", or "our"). By signing an engagement letter or statement of work, or by scheduling Services with us, the client organization ("Client" or "you") agrees to these Terms.
If there is a conflict between these Terms and an executed engagement letter, the engagement letter will control to the extent of the conflict. All other provisions of these Terms remain in effect.
2. Scope of Services
We perform SOC 2 Type I, SOC 2 Type II, and related attestation services against the AICPA Trust Services Criteria, in accordance with the AICPA Code of Professional Conduct, the AICPA attestation standards (including AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Assertion-Based Examination Engagements), and other applicable professional standards.
Services include planning, risk assessment, control testing, evidence review, reporting, and quality control. Any additional advisory or readiness activities will be explicitly scoped in writing.
We may rely on third-party specialists or technology tools where appropriate. Their use does not relieve us of responsibility for the overall quality of our conclusions.
3. Client Responsibilities
- Designate a knowledgeable primary contact empowered to coordinate access to systems, personnel, facilities, and documentation necessary for our procedures.
- Provide timely, accurate, and complete information. We may rely on representations provided by management unless otherwise noted in our report.
- Implement and maintain internal controls relevant to the in-scope trust services criteria, and identify any complementary user entity controls or complementary subservice organization controls that your system relies on so they can be disclosed in the report.
- Notify us promptly of significant events that could affect the system description, control environment, or population of evidence during the engagement period.
4. Independence and Professional Judgement
We maintain independence in fact and appearance in accordance with the AICPA Code of Professional Conduct.
We do not assume management responsibilities, make operational decisions, or implement controls on your behalf. Recommendations provided during readiness or remediation support are advisory only and must be evaluated and implemented by management.
5. Evidence Handling and Information Security
Evidence provided through our secure collaboration platforms is handled in accordance with our documented information security program. Access is limited to engagement personnel with a legitimate business need.
We use encrypted storage, transmission, and auditing mechanisms for all workpapers. Evidence is retained for seven (7) years or longer if required by professional standards or legal obligations.
Client agrees not to transmit regulated data (e.g., PHI, PCI cardholder data, or classified information) unless explicitly authorized in writing. Sensitive evidence should be redacted or tokenized when feasible, provided the remaining content (timestamps, record identifiers, approver names, and similar attributes) still demonstrates the operation of the control being tested.
6. Deliverables
Upon completion of fieldwork and quality review, we will provide a SOC 2 report containing the Independent Service Auditor's Report, management's assertion, the system description, and the control matrix. For Type II engagements, the report also includes a description of our tests of controls and the results of those tests for the examination period; a Type I report addresses the design of controls as of a point in time and does not include tests of operating effectiveness.
Deliverables are dated as of the report issuance date. Draft reports are for review purposes only and may not be distributed to third parties.
Use of the report is restricted to the Client, its auditors, regulators, business partners, and other specified parties with a legitimate need to know.
7. Scheduling and Cooperation
Both parties will agree on a fieldwork window and issuance target. Delays in providing evidence, responding to requests, or remediating exceptions may impact the delivery timeline and fees.
If significant scope changes arise (e.g., new trust services criteria, additional locations, or material system changes), we will document the adjustments and associated fees in a change order.
8. Fees and Payment
Fees are based on the scope, complexity, and duration of the engagement. Estimates assume timely cooperation and access to requested materials.
Unless otherwise agreed, invoices are due within thirty (30) days of receipt. Overdue balances may incur finance charges of 1.5% per month or the maximum allowed by law.
We reserve the right to suspend Services or withhold deliverables for accounts that are more than thirty (30) days past due.
9. Confidentiality
Both parties will protect confidential information received in connection with the Services and will use it solely for engagement purposes.
We may disclose information if required by law, regulation, peer review, or professional obligations. Where practicable, we will provide advance notice of such disclosures.
10. Intellectual Property
All methodologies, templates, workpapers, software, and other proprietary materials created or provided by us remain our intellectual property.
Client may use deliverables solely for internal purposes and for distribution to permitted parties identified in the SOC 2 report.
11. Limitation of Liability
To the fullest extent permitted by law, our total liability arising out of or related to the Services is limited to the fees paid for the specific engagement giving rise to the claim.
In no event will either party be liable for consequential, incidental, indirect, special, or punitive damages, including lost profits or business interruption, even if advised of the possibility.
12. Indemnification
Client will indemnify and hold us harmless from third-party claims arising from inaccurate information provided by Client, unauthorized distribution of the report, or misuse of the Services, except to the extent caused by our gross negligence or willful misconduct.
13. Term and Termination
Either party may terminate an engagement upon written notice if the other party materially breaches these Terms and fails to cure within fifteen (15) days of notice.
Upon termination, Client will pay for Services performed and expenses incurred through the termination date. Sections that by their nature should survive (including confidentiality, intellectual property, limitations of liability, and dispute resolution) will remain in effect.
14. Governing Law and Dispute Resolution
These Terms are governed by the laws of the State of California, without regard to its conflict of laws principles.
The parties agree to attempt in good faith to resolve disputes through executive-level negotiation. If unresolved within thirty (30) days, disputes will be submitted to binding arbitration in San Francisco County, California, administered by the American Arbitration Association under its Commercial Arbitration Rules.
15. Changes to Terms
We may update these Terms from time to time. Material changes will be communicated to active clients via email or through our client portal. Continued use of the Services after the effective date of an update constitutes acceptance of the revised Terms.
16. Contact
For questions regarding these Terms or your engagement, please contact us at