✅ Feature availability: Available for accounts pursuing SOC 2 or ISO 27001. Refer to Vanta Plans and Pricing for details.
The engagement letter is a Vanta-generated PDF that confirms your company's active compliance program to prospects and stakeholders before your audit is complete. It includes your subscription confirmation, audit engagement details, and a link to your Trust Center, giving external parties a verified snapshot of your compliance work in progress.
⚙️ User permissions: Admins, Editors, or Audit Limited Editors can access the engagement letter, in addition to users with Trust Center permissions. Learn more: User Permissions by Product Area
Eligibility
Vanta automatically generates an engagement letter for your account when all of the following are true:
Your Trust Center is set up
You're pursuing SOC 2 Type 1, SOC 2 Type 2, or ISO 27001:2022 frameworks
One of those frameworks is either a goal in your Roadmap or SOC2 guide, or has a scheduled, not-yet-completed audit
If your audit is already marked as completed, Vanta won't generate a letter for that audit. The engagement letter is forward-looking—it's designed to demonstrate active compliance work in progress, not completed audits.
Accessing the engagement letter
Vanta provides one engagement letter regardless of how many frameworks you’re working on. How you access the engagement letter depends on where you are in your compliance journey:
Your situation | How to access |
You see Roadmap (also called Compliance Roadmap) or SOC 2 guide in your sidebar | Locate the Access letter step |
You see Home or My Program in your sidebar | Locate the letter from Customer trust > Knowledge base > Resources |
You don't have access to the above pages, but you do have Trust Center access | Locate the letter from Customer trust > Knowledge base > Resources |
You have no platform access | View it on the public-facing Trust Center (if letter visibility is set to Public) |
💡 Tip: You can share your engagement letter externally in your Trust Center resources. Within your knowledge base, set the letter's visibility to Public or Request access. Learn more: Managing Your Knowledge Base
Engagement letter breakdown
The engagement letter confirms your company's active Vanta subscription and outlines your audit engagement details. Vanta generates it automatically as a PDF when your account meets the eligibility requirements.
We automatically update the letter if you update those fields in your account. You’ll find the last updated date in your knowledge base and can open the resource to access the version history as needed.
Field | Where the info comes from |
Subscription confirmation | Confirms your company has an active Vanta subscription that includes continuous control monitoring. |
Company name | Pulled from Settings > Business information > Display name. If that field is blank, the letter defaults to your account name, which is typically your domain URL. The letter doesn't include your company's physical address. |
Audit firm | Pulled from the auditor linked to your audit on the Audits page. If you have multiple eligible audits, each appears in the letter with its own audit firm. If an audit firm doesn't appear, the letter will state that your company has committed to produce the report instead. |
Audit type | Pulled from your audit on the Audits page. Shows SOC 2 Type 1, SOC 2 Type 2, or ISO 27001:2022. If you have multiple eligible audits, each appears in the letter with its own audit type. Audit type can't be edited after an audit is created. To correct it, delete the audit and recreate it with the correct type, or contact support. |
Audit start date | Pulled from your audit details on the Audits page. Shows having started on if the date is in the past, or projected to start on if in the future. If you have multiple eligible audits, each appears in the letter with its own start date. |
Trust Center link | Pulled from your Trust Center settings. |
Troubleshooting
If you meet all eligibility requirements above and still don't have a letter, contact support.
If your letter isn't reflecting recent changes, wait a few minutes for the letter to refresh. If it still hasn't updated, contact support instead of deleting it—deleted letters can't be restored without contacting support.
If the audit type on your letter is wrong, contact support—audit type can't be edited after an audit is created.
If your audit firm isn't appearing on the letter, make sure your audit is linked to an audit firm and is still active or upcoming. Learn more: Adding and Managing Auditors
If your letter is showing your Roadmap or SOC 2 guide target date instead of your audit start date, make sure your audit is set up in Vanta and linked to your audit firm. Otherwise, the letter may keep using your target date. Learn more: Audits Page