
I'd really like to have something to point to when the forcing-background-checks issue comes up again for our SOC2 certification.

In one case, I know a company is using reference checks to comply with the "background check" requirement.

Another issue I have here is that I want to be a little bit cagey about what our specific controls are, not because they're sensitive to us, but because there's a limit to how much we're supposed to talk publicly about the specific results of the audit (it's a Type I, people who know SOC2 know that means there are no unhappy surprises in it) --- the audit results are confidential, as a term of our engagement with the auditor.

(This is why there's a SOC3.)

Long story short: it's not complicated, and if you're currently doing a SOC2, like right now (or in the future) and you have reached the point where you're trying to get out of background checking everyone, shoot me a line and I'll tell you what we did and what we said (I may performatively NDA you in the process, because I like our auditors and don't want to irritate them).
