SOC 2 Subservice Carve-Out vs Inclusive Method
When you use third-party cloud providers, SOC 2 requires a decision: carve-out or inclusive method. Understand the difference and how to present it in your report.
- Most SaaS companies use the carve-out method for cloud providers like AWS — their controls are excluded from scope.
- Carving a provider out does not remove it from your system description: you still have to name it, state the controls it performs that your service depends on (the complementary subservice organisation controls, or CSOCs), and tell report users where to obtain the provider's own SOC 2 report for assurance over those controls.
- The inclusive method means your auditor tests the subservice provider's controls — rarely used for large cloud providers.
- Carve-out is appropriate when the subservice provider has their own SOC 2 Type II report that your customers can request.
- Your system description must clearly identify which controls are carved out, state the CSOCs your control design assumes the provider performs, and reference the subservice provider's report.
What Are Subservice Organisations?
A subservice organisation is a service provider that your company uses in providing your service to customers, and whose services are part of your system. For most SaaS companies, the primary subservice organisations are cloud infrastructure providers (AWS, GCP, Azure).
Because these providers control physical infrastructure, network, and virtualisation layers that your application depends on, the controls at the subservice organisation affect your system's Trust Services Criteria. Your SOC 2 report must address how these external controls are handled.
The Carve-Out Method
Under the carve-out method, your SOC 2 report excludes the subservice organisation's controls from scope. Your auditor tests your controls (the application layer and above), and the subservice provider's SOC 2 report covers the infrastructure controls.
The carve-out method is the standard approach for SaaS companies using AWS, GCP, or Azure. These providers maintain their own comprehensive SOC 2 Type II reports that are available to their customers: AWS's SOC 2 report is available via AWS Artifact, Google Cloud's via its Compliance Reports Manager, and Azure's via the Microsoft Service Trust Portal.
Your system description must: identify AWS as a subservice organisation, describe which controls are carved out (physical access, hardware maintenance, network infrastructure), and note that users of your report can obtain AWS's SOC 2 report for additional assurance over those carved-out controls.
The Inclusive Method
Under the inclusive method, your auditor tests the subservice provider's controls as part of your engagement. This is extremely rare for large cloud providers — AWS cannot allow individual customer auditors to independently test their data centres.
The inclusive method is occasionally used when the subservice provider is a smaller, more accessible provider who agrees to be included in the audit scope, and when the provider's controls are highly specific to your service. For most SaaS companies, the inclusive method is not applicable.
Which Method to Use
Use carve-out if: your subservice provider has their own SOC 2 Type II report that customers can access (virtually all major cloud providers), or your subservice provider maintains another recognised compliance certification that addresses the relevant controls.
Use inclusive if: your subservice provider is a smaller company without their own SOC 2 report, the provider agrees to be included in your audit scope, and including their controls adds material assurance for report users.
For the vast majority of B2B SaaS companies using AWS as their primary infrastructure: carve-out method, reference AWS SOC 2 Type II from AWS Artifact.
System Description Requirements
Your system description (Section III of the SOC 2 report) must include a clear statement of which subservice organisations are used and the method (carve-out or inclusive) applied.
Sample carve-out language: "[Company] uses Amazon Web Services (AWS) as a subservice organisation for hosting the [Product Name] infrastructure. AWS is responsible for physical security of data centre facilities, hardware maintenance, and network infrastructure. The company applies the carve-out method with respect to AWS's controls. Users of this report may request AWS's SOC 2 report from AWS Artifact at aws.amazon.com/compliance/soc-faqs."
Complementary User Entity Controls
When you use the carve-out method, the subservice provider's SOC 2 report typically includes Complementary User Entity Controls (CUECs): controls the provider's report assumes its customers (your company, as a user entity) implement, and without which the provider's controls alone do not meet the relevant criteria. You are responsible for implementing the CUECs that apply to your use of the service, and your auditor will expect evidence that you have.
AWS CUECs typically include: configuring IAM roles and policies appropriately, enabling CloudTrail and CloudWatch, encrypting data at rest and in transit, and configuring security groups and network ACLs. Your own SOC 2 report's control descriptions should address how you have implemented the applicable CUECs from your subservice providers.
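The CUECs above are only met if the configuration actually exists in your account, so auditors ask for evidence rather than a statement. The following is an added example, not code from this guide or from AuditPath, showing how such evidence can be checked: it evaluates three of the CUECs (CloudTrail logging, S3 default encryption, and no unrestricted inbound admin ports) against inputs shaped like the corresponding boto3 responses. The sample data is constructed, the control names (`cloudtrail`, `s3-encryption`, `network-restriction`) are this example's own, and in practice the dicts would come from `describe_trails`/`get_trail_status`, `get_bucket_encryption` and `describe_security_groups` instead of the constants below.

```python
"""Offline evidence checks for a few common AWS CUECs.

Input dicts mirror the shape of boto3 responses; the sample data at the
bottom is constructed for illustration and does not describe a real account.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

ADMIN_PORTS = {22, 3389}              # SSH and RDP: never open to the world
PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    control: str    # which CUEC the finding evidences (names are this example's own)
    resource: str   # the AWS resource inspected
    ok: bool
    detail: str


def check_cloudtrail(trails: list[dict[str, Any]]) -> Finding:
    """Logging CUEC: at least one trail must be multi-region, actively logging,
    and have log-file validation on so the evidence itself is tamper-evident.
    IsLogging is assumed to have been merged in from get_trail_status."""
    for t in trails:
        if t.get("IsMultiRegionTrail") and t.get("IsLogging") and t.get("LogFileValidationEnabled"):
            return Finding("cloudtrail", t["Name"], True, "multi-region trail logging with validation")
    names = ", ".join(t.get("Name", "?") for t in trails) or "none"
    return Finding("cloudtrail", names, False, "no multi-region trail with logging and log-file validation")


def check_s3_encryption(buckets: dict[str, dict[str, Any] | None]) -> list[Finding]:
    """Encryption-at-rest CUEC: every bucket needs a default SSE rule.
    Values are the ServerSideEncryptionConfiguration dict, or None when
    get_bucket_encryption raised ServerSideEncryptionConfigurationNotFoundError."""
    out = []
    for name, cfg in buckets.items():
        rules = (cfg or {}).get("Rules", [])
        algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules]
        algos = [a for a in algos if a]
        out.append(Finding("s3-encryption", name, bool(algos),
                           ",".join(algos) if algos else "no default encryption"))
    return out


def _covers_admin_port(perm: dict[str, Any]) -> bool:
    proto = perm.get("IpProtocol")
    if proto == "-1":                 # "all traffic" rules have no port range
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _is_public(perm: dict[str, Any]) -> bool:
    v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & PUBLIC_CIDRS)


def check_security_groups(groups: list[dict[str, Any]]) -> list[Finding]:
    """Network-restriction CUEC: no inbound rule may expose an admin port to 0.0.0.0/0 or ::/0."""
    out = []
    for g in groups:
        bad = [p for p in g.get("IpPermissions", []) if _covers_admin_port(p) and _is_public(p)]
        detail = "no public admin ports" if not bad else f"{len(bad)} rule(s) expose admin ports publicly"
        out.append(Finding("network-restriction", g["GroupId"], not bad, detail))
    return out


def summarise(findings: list[Finding]) -> dict[str, bool]:
    """Per-control result: a CUEC passes only when every resource under it passes."""
    status: dict[str, bool] = {}
    for f in findings:
        status[f.control] = status.get(f.control, True) and f.ok
    return status


# Constructed sample data (not a real account).
SAMPLE_TRAILS = [
    {"Name": "ops-single-region", "IsMultiRegionTrail": False, "IsLogging": True, "LogFileValidationEnabled": True},
    {"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True, "LogFileValidationEnabled": True},
]
SAMPLE_BUCKETS = {
    "prod-data": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/prod"}}]},
    "legacy-exports": None,
}
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
    {"GroupId": "sg-legacy", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def run_sample() -> tuple[list[Finding], dict[str, bool]]:
    findings = [check_cloudtrail(SAMPLE_TRAILS)]
    findings += check_s3_encryption(SAMPLE_BUCKETS)
    findings += check_security_groups(SAMPLE_GROUPS)
    return findings, summarise(findings)


if __name__ == "__main__":
    findings, status = run_sample()
    for f in findings:
        print(f"{'PASS' if f.ok else 'FAIL'} {f.control:<20} {f.resource:<18} {f.detail}")
    print(status)
```

On the sample data the CloudTrail CUEC passes on the `org-trail` trail, while `legacy-exports` (no default encryption) and `sg-legacy` (all traffic from `::/0`) fail their controls; the per-resource findings are what you attach as evidence, and the per-control summary is what maps onto the CUEC in your control matrix. A control passes only when every resource under it passes, which is how the auditor will read it too.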
Frequently Asked Questions
Do I need to include all cloud providers as subservice organisations?
Can I carve out Okta and GitHub as subservice organisations?
Does the carve-out method reduce my SOC 2 scope?
What if our customer's auditor wants to see AWS's controls?
What are Complementary Subservice Organisation Controls (CSOCs)?