How to Use Changelogs to Satisfy the SOC 2 CC2 Communication Requirement

  • April 25, 2023

Derek Osgood

CEO at Ignition


Emily Bonnie

Senior Content Marketing Manager at Secureframe

This article is written and contributed by Derek Osgood, CEO at Ignition, a proud Secureframe partner.

Meeting all of the SOC 2 compliance requirements can be a daunting task, particularly for early-stage technology companies that are rapidly iterating with limited resources.

One often overlooked element of SOC 2 compliance is the requirements for external communication with customers. 

It can be easy to forget these critical components when working to ensure technical security procedures are up to snuff, but they are important to a successful SOC 2 audit. Luckily, satisfying the customer-facing component isn’t difficult — if you have the proper tools in place.

What customer communication practices are required for SOC 2 compliance?

The SOC 2 customer communication practices (CC2) include a number of requirements around communication standards for both internal and external audiences. As your primary external audience, customer communication practices are a critical component of meeting this requirement. 

Under SOC 2's CC2 guidelines, you must make your customers aware of changes to your product or service. This means that you need an established process for notifying them when things change, including:

  • Changes in functionality
  • New or removed features
  • Warnings about risks or other potential problems such as a service outage
  • Changes in service terms, pricing, or contracts

Maintaining a public changelog is one common way to meet this communication requirement. 

How can a public changelog help satisfy SOC 2 communication requirements?

A changelog is a document that records changes to a product. There is usually a version of this used internally by software and product teams to share updates throughout the organization, but they can also be powerful tools for communicating with customers and even prospects.

Conceptually, a public changelog (often also called "release notes") are basically the same thing as internal changelogs – just more polished for customer comms, and visible outside your organization.

They're typically hosted on your website or in your product itself, and they're written with end users in mind. They provide information about new features, bug fixes, and other updates that might affect how someone uses your app or website.

A public changelog is a great way to satisfy the SOC 2 communication requirement because they provide a transparent and easily discoverable record of updates. 

Customers can easily reference what's been updated recently, and auditors can see that your company already has a proactive process for keeping customers informed simply by visiting the link. Simply hosting a regularly-updated public changelog can immediately check the box for your SOC 2 CC2 customer communication requirement.

How public changelogs can improve the go-to-market process for new products and features

The benefits of public changelogs go beyond satisfying SOC 2 requirements. They also act as powerful levers for new product and feature go-to-market. They help keep customers happy by providing clear communication around product change, which can reduce churn and improve customer satisfaction.

Giving customers a clear source of truth for what's new with your product has some important benefits:

  • It reduces support requests, because users know where to go when they want more information about how their favorite features have changed over time (or if they're experiencing problems).
  • A clear communication channel helps reduce churn, because users will feel confident that the company is improving its products based on user feedback and needs.
  • Public changelogs make it easy for prospects and customers to reference past updates so they can see what's changed recently before deciding whether or not to buy your product or upgrade. Demonstrating product velocity can be a key driver in purchase decisions and help increase sales conversions.

Public changelog best practices

When you're using a public changelog, there are a few best practices to keep in mind:

  • Make it easy for customers to find. Host your changelog on your website under a "What's New?" section, or host it inside your product in a similarly discoverable location. Try using notification badges to draw attention to it as well.
  • Use a standard format. You can use any format you want internally, but when publishing your changelogs publicly, make sure they follow a common schema so that customers and prospects don't have trouble parsing them. It’s also a good idea to use conversational, jargon-free language that's easy for users to skim.
  • Don't build it from scratch. An off-the-shelf tool will help you to easily create a delightful, branded experience for customers, and also include more automation features and reporting which can be helpful as you scale. 
  • Include context. Link to other sources of information like help center docs that explain in-depth how to use the feature. Try to include images, gifs, or videos which help the reader understand the value of what's been released and how to use it.
  • Be consistent with updates. This will help ensure that users don't miss anything important and encourage them to come back regularly to check for new updates.

Other ways to fulfill SOC 2 customer communication requirements

While public changelogs are among the easiest and most effective ways to fulfill your SOC 2 customer communication requirement, there are a number of other options you can leverage as well:

  • Send a monthly customer newsletter
  • Send dedicated customer emails each time new features are released
  • Use in-product notifications and banners
  • Use in-product product tours or tooltips
  • Publish blog posts announcing your feature updates
  • Host a quarterly user conference
  • Publish webinars

Satisfy SOC 2 requirements with Ignition + Secureframe

While customer communication is just one aspect of SOC 2 CC2 compliance, it can be daunting from an effort perspective. The good news is that with an effective public changelog process in place, this effort can become much more manageable, while also improving your go-to-market effectiveness, customer engagement, and retention rates. 

With Ignition’s complete go-to-market platform, you can easily create branded changelogs to share updates with customers and gather actionable user insights. Public product voting boards make it easy to collect and prioritize product ideas using real customer feedback. 

Secureframe’s compliance automation platform helps companies achieve compliance with the full set of SOC 2 requirements in weeks, not months. 150+ integrations with popular business tools automatically collect audit evidence. Build your library of compliance policies with our library of auditor-approved templates, complete employee security training within the platform, and get help at every step with our team of in-house experts and former auditors. Learn more about SOC 2 compliance automation to see if it’s the right fit for your organization.