“SOC 2 for US SaaS company with overseas development team — how did you structure the audit?” It’s one of the most-asked questions in founder communities, and it doesn’t have a one-size answer. There are three structures; the right one depends on whether the overseas team is yours or a vendor’s.
Why this question doesn’t have a one-size answer
The structure hinges on a single fact: is the overseas team part of your organization (a wholly-owned subsidiary, your employees, your contractors) or a genuinely independent third party? Wholly-owned teams belong in scope; independent vendors are subservice organizations. Most US SaaS overseas teams are the former.
Structure 1 — Inclusive scope (the default)
The overseas team sits inside the system boundary of your report: the US legal entity is the named service organization, and the offshore team's controls (hiring and offboarding, access provisioning, change management, endpoint security) are described and tested as part of it. Roughly 85%+ of US SaaS companies with overseas teams should use inclusive scope. Buyer rejection rates are low because the report shows the offshore controls were actually tested, not merely described. The practical consequence is that the offshore team must produce auditor evidence for the whole Type II review period, so its ticketing, access reviews, and deployment approvals need to be in the same systems, or at least the same evidence process, as the US team's.
Structure 2 — Carve-out subservice (when and why)
Under a carve-out, the offshore unit is described as a subservice organization. Your report covers only the controls you maintain over it (vendor management, monitoring, and the complementary subservice organization controls you rely on); the unit's own controls are excluded, and your customers have to obtain assurance over them separately, normally from the unit's own SOC report. That is appropriate for a genuinely independent third-party vendor and rarely for a wholly-owned subsidiary. Buyer rejection rates are medium-to-high, because buyers read a carved-out subsidiary as a gap: the people who write and deploy the code are the ones whose controls were not tested.
Structure 3 — Separate entity audit (rare, specific)
A separate audit of the overseas entity only works when that entity provides a genuinely independent service to distinct customers. For the standard US-HQ-with-offshore-engineering pattern it’s the wrong tool, and buyer rejection rates are high because the contracting entity isn’t the audited one.
What enterprise buyers will actually accept
Buyers want the audited entity to match the entity they contract with, and they want the offshore controls to have been tested rather than carved out. Ranked from most to least accepted: inclusive (low rejection), carve-out (medium-to-high), separate-entity (high). The structural deep dive for India teams specifically is in the SOC 2 cornerstone.
How to decide for your specific situation
Ask three questions: Who signs customer contracts? Who owns the code and data? Is the offshore team wholly owned? If the US entity contracts and owns IP and the offshore team is yours, choose inclusive scope and move on. The GCC compliance encyclopedia covers the operating model around it.
Where Attri Edge fits
The diagnostic confirms the right audit structure before you spend money on an engagement — the single most expensive decision to get wrong. $999, 48-hour deliverable.