How to Submit Level 2 Attestations to the STAR Registry
This guide is intended for STAR registry users who are submitting their Attestations on behalf of their Organization.
Please be aware that the Attestation process should be completed by the user inside the organization and not by the Auditor performing the audit.
In this document we will give you the following information:
- Preparation for submitting the Level 2 Attestations
- Instructions for submitting the Level 2 Attestations
- More information about the form field information
Preparation for submitting a Level 2 Attestation
Note: You must have completed a Level 1 Self-Assessment submission prior to submitting a STAR Attestation.
All STAR Submissions, including Self-Assessments, Certifications, Attestations, and others can be submitted through our STAR Submission form here. No sign-in is required to submit to the registry but you will be required to confirm your submission via a link that will be sent to the primary email address that you use before it can be processed and posted to the STAR Registry.
Pro Tip: The Intake form is the same for all documents submitted to STAR, but the process for using the form may differ depending on the type of submission being submitted. You can view our other documentation on Level 2 Certifications by clicking on the link provided here. You can view the documentation for submitting Level 1 Submissions here.
You will want to ensure that you have the correct information collected before you start the submission process. The following fields are required when using the STAR Submission form to submit your Attestation and you will want to ensure that you have everything ready to enter into the Submission form before you start.
STAR Attestation Checklist:
- A primary email address that uses your company's domain.
- A backup email address and Backup name.
- Your Organization’s Phone Number.
- The version of the CCM that was used to audit against.
- The Number of Employees in the Scope of the audit
- The Scope of the audit.
- The Attestation date range (from-to) from the SOC 2 report provided to you by your Auditor.
- The company name of your CSA authorized Auditor
In addition to these, you will need to know the name of your Organization and Cloud Service that is to be listed on your STAR Registry listing, the URL of the Organization and Cloud Service and the Description of the Organization and Cloud Service.
Having this information in a list before you start can help prevent delay and issues with your submission. Please read the information pertaining to those fields at the bottom of this page to make sure you have the correct information when submitting your Level 2 Attestation to the STAR Registry.
Note: You must have already completed a Level 1 Self-Assessment submission prior to submitting a STAR Attestation.
Instructions for submitting your Level 2 Attestations
Step 1. Fill out the STAR Submission form
Fill out the STAR Submission form with your information. Select “Attestation” from the Type of Registry Entry drop-down menu. Fill out all of the required information. Make sure to fill in the correct start and end date of your SOC 2 audit period. Submit the Attestation submission.
Pro Tip: While no documents are required as primary or backup documents to submit your Attestation, any SOC reports will be removed, for privacy reasons, prior to submission. Other submitted documents added will be included as the primary or secondary documents for your final Attestation listing in the STAR Registry.
Step 2. Find the confirmation email
A confirmation notice will come from the email firstname.lastname@example.org. Check your email for the confirmation notice and follow the link to confirm your submission. If your confirmation email doesn’t arrive within 30 minutes and you are unable to find it in your spam folder, then reach out to us at email@example.com (or click the Support button on the below right of this page) and our support team will assist you with the confirmation step.
Step 3. Select your Organization
On the confirmation page you will find your existing Organization listed on the Dropdown menu of available organizations. If this is the first time submitting this Organization, then it won’t be listed in the dropdown menu. In that case you can create it with the “Create New Organization” button.
If your organization already exists in the registry you will select it from the dropdown menu. Otherwise you will click the orange “Create New Organization” button.
Pro Tip: You will want to make sure to check for your Organization carefully from the dropdown list so that you don’t duplicate your listing. New organizations will be listed exactly as they are submitted by you here, so be careful to select your existing Organization from the menu so as not to duplicate your listing by adding a new one with a different spelling or format. If you need to make changes to your organization information, contact firstname.lastname@example.org.
Step 4. Select your Cloud Service
After you have created or selected your Organization, you will be presented with another page to select or create your Cloud Service. Your Cloud Service listing should be exactly as your user-end Cloud Service is given to the consumers of your service. The listing here should be selected from the dropdown menu. If your cloud service doesn’t exist in the STAR Registry yet, click the Create New Cloud Service button to add your Cloud Service information. This should be your cloud service and not the service provider that you use to host your service on.
Pro Tip: You will want to make sure to check for your Cloud Service carefully from the dropdown list so that you don’t duplicate your listing. New Cloud Services will be listed exactly as they are submitted by you here, so be careful to select your existing Cloud Service from the menu so as not to duplicate your listing by adding a new one with a different spelling or formatting. If you need to make changes to your Cloud Service information, contact email@example.com.
Step 5. Await your Listing to be posted to the STAR Registry
Your STAR Registry entry will often be posted within one business day, however in some cases it can take up to 5 business days for our team to manually review a listing and get it posted for you. If you have any questions about this process please feel free to contact us by the support link or to drop an email to firstname.lastname@example.org for more information.
More information about the required fields on the Submission Form
Name: You will need to enter your name. This is the internal Organization’s user’s name and not the name of the company being audited.
Email: The email address of the submitter.
- This should be your company email that includes the domain name for verification and account security purposes.
- This user’s name and email should be a legitimate email address so that it can receive email at that address.
- The domain of your email and the domain of the company you are submitting for have to match.
Note: Your STAR account will be created within Cloud Security Alliance’s STAR submission platform. If you already have an account under the provided name and email, you should use this email address so that your preexisting account will be associated with your submission. Using the same email address as for a previous submission will not create a new account.
Type of Registry Entry: Select the type of submission you are making (Attestation).
Specification: Select the specification for your type of registry entry (CCM).
CCM Version Used: This should be the version of the CCM that was used to produce the SOC2 report.
Number of Employees in the Scope of the Audit: The number of employees in the scope of the audit is required for invoicing purposes. Select the appropriate range for the auditee organization.
Document Upload: No primary or supporting documentation is required for Attestation submissions. SOC reports should not be uploaded to the STAR registry and will be removed from the submission prior to posting to the STAR Registry.
Scope and Applicable Trust Service Principles and Criteria:
Number of Employees in the Scope of the Audit: This is the number of employees who manage the Cloud Service being audited.
From date: This is the date where the SOC 2 audit period began.
To date: This is the end date of the SOC 2 audit period. The date range should span a one year range.
The posting of the Level 2 Attestation to the STAR Registry will result in billing being sent to the organization representative listed as the point of contact in the organization. As the organization contact, your Assessment Firm should have informed you of this prior to the engagement.
Pricing for STAR Level 2 can be found on our STAR Submission page.
If you need to reach out to us for support, please either use the support button to the right of this page or reach out to us at email@example.com for assistance.