SOC 2 Backup Evidence: Prove Your Restores Are Intact
Introduction
If your team runs backups every night but only thinks about SOC 2 backup evidence the week the auditor arrives, you already know the scramble: hunting through ticket queues for the last restore test, screenshotting a backup console, and hoping a Slack thread counts as proof that recovered data was actually intact. It rarely lands cleanly. Auditors do not want assurances that backups exist; they want artifacts that show the restore worked and the data came back unaltered. This article walks GRC and IT teams through what auditors look for, which artifacts demonstrate it, and how you can produce that evidence continuously — offline — with e-Dex (formerly Hash Calculator), the free Digital Evidence Integrity Suite.
What Auditors Actually Look For
Under the SOC 2 framework, backup and restore activity sits squarely against the availability Trust Services Criteria — that the system is available for operation and use, including the ability to recover from disruption. The moment you restore data, a second concern appears: is the recovered data complete and unaltered? That question maps to the processing-integrity criteria, which deal with data being complete, valid and accurate. An auditor examining a Type II report is not testing whether you own a backup tool. They are testing whether the control operated across the period: that restore tests happened on a defined cadence, that someone confirmed the restored data was good, and that there is a dated, attributable record of each check. Which criteria are in scope is something you confirm with your auditor — treat this as the generic shape, not a substitute for the current Trust Services Criteria.
Which Artifacts Demonstrate It
Three kinds of artifact carry most of the weight. First, restore tests: evidence that you periodically recovered data from backup into a usable state, not just that a backup job reported success. Second, integrity proof: confirmation that the restored data matches the original source byte-for-byte, so you can rule out silent corruption, truncation or partial recovery. Third, signed certificates: a tamper-evident document that captures the result, the date, and who stands behind it, so the evidence is attributable and cannot be quietly edited after the fact. A backup console screenshot satisfies none of these well — it shows a job ran, not that the data came back whole. Hashing plus a signed certificate is what turns "we tested restores" into something an auditor can independently re-verify.
Producing That Evidence Continuously with Hashing + Certificates
The mechanism is simple and repeatable. A cryptographic hash is a fixed-length fingerprint of a file's contents; change a single byte and the hash changes entirely. So you record the hash of your source data, run your restore, hash the recovered data, and compare. If the two hashes are identical, the restore is intact and e-Dex prints a MATCH; if they differ, it prints a MISMATCH that flags exactly where recovery fell short. e-Dex computes several algorithms per file — MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 — and records the comparison on a certificate. Because the process is fast and scriptable around your existing restore-test schedule, you accumulate dated integrity evidence continuously across the audit period rather than reconstructing it under pressure at the end. For a primer on the algorithms, see our guide to the best hash generators to verify file integrity in seconds.
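The source-hash / restore-hash comparison described above (and restated in the FAQ answer "How do hashes prove a restore is intact?" further down), as an added Python example that is not e-Dex's own code: it builds a manifest of a source tree, hashes the restored tree with the same hashlib algorithms (BLAKE3 is left out only because it is not in the standard library), and returns a MATCH or MISMATCH verdict per file. It goes slightly beyond the text by also reporting MISSING and EXTRA files, so a truncated file, a dropped file and stray data all surface in one run. The directory names, file names and contents are constructed sample data.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Algorithms recorded per file. BLAKE3 is not in the standard library, so this
# example (not e-Dex's code) sticks to the hashlib ones the article lists.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")
CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large backup files fit in memory


def hash_file(path: Path) -> dict:
    """Return {algorithm: hexdigest} for one file, computing all digests in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its path relative to root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"size": path.stat().st_size, "hashes": hash_file(path)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the source manifest.

    Verdict per file: MATCH (every digest equal), MISMATCH (content differs, e.g.
    truncated or corrupted), MISSING (absent from the restore). Files present only
    in the restore are reported as EXTRA so stray data is visible too.
    """
    verdicts = {}
    for rel, expected in manifest.items():
        path = restored_root / rel
        if not path.is_file():
            verdicts[rel] = "MISSING"
            continue
        verdicts[rel] = "MATCH" if hash_file(path) == expected["hashes"] else "MISMATCH"
    for path in restored_root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(restored_root).as_posix()
            verdicts.setdefault(rel, "EXTRA")
    overall = "PASS" if all(v == "MATCH" for v in verdicts.values()) else "FAIL"
    return {"overall": overall, "files": verdicts}


def demo() -> dict:
    """Constructed sample: a small source tree, then a restore that is partly broken."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for root in (source, restored):
            (root / "db").mkdir(parents=True)
        payload = os.urandom(3 * CHUNK + 17)  # spans several read chunks
        (source / "db" / "customers.dat").write_bytes(payload)
        (source / "config.ini").write_bytes(b"[backup]\nschedule=nightly\n")
        (source / "notes.txt").write_bytes(b"kept only in source\n")

        manifest = build_manifest(source)  # recorded before the restore test

        (restored / "db" / "customers.dat").write_bytes(payload[:-1])  # truncated by one byte
        (restored / "config.ini").write_bytes(b"[backup]\nschedule=nightly\n")  # intact
        (restored / "stray.tmp").write_bytes(b"not in the backup set\n")  # never in source
        # notes.txt is never restored at all

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the JSON verdicts; the truncated file comes back MISMATCH even though only its last byte is gone, which is exactly the kind of silent partial recovery a "job succeeded" message hides. One caveat on the algorithm list: MD5 and SHA-1 are perfectly adequate for catching accidental corruption, but they are no longer collision-resistant, so where a file could have been deliberately substituted, SHA-256, SHA-512 or BLAKE3 are the digests to rely on.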
Mapping Integrity Certificates to Your Audit
Each signed certificate becomes a discrete piece of control evidence you can drop into your audit package. The certificate states the files checked, their hashes, the MATCH / MISMATCH verdict and an overall result, the date it was produced, and — where you apply one — a PAdES digital signature from a Digital Signature Certificate (DSC) and an RFC-3161 trusted timestamp sealing exactly when it was generated. That gives you the attributability and dating auditors expect from operating-effectiveness evidence. A practical pattern is one certificate per scheduled restore test, filed against the relevant availability and processing-integrity controls, so the sample the auditor pulls is already complete. The same artifact doubles as a broader audit evidence certificate, and it pairs naturally with a compliance verification certificate for other controls that hinge on data integrity.
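A certificate of the kind described above, as an added Python example rather than e-Dex output: it records the files checked, their SHA-256 digests, the per-file verdicts, an overall result, the date and the operator, seals the canonical JSON so any later edit is detectable, and then shows the auditor-side re-verification (check the seal, recompute each restored file's hash). The PAdES signature and RFC-3161 timestamp that e-Dex applies are replaced here by an HMAC under a constructed key, an assumption made so the example runs with the standard library alone; the test identifier, operator address, dates and file contents are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Stand-in for the tamper-evident seal. e-Dex applies a PAdES signature from a DSC
# plus an RFC-3161 timestamp; this example (not e-Dex code) uses an HMAC instead.
# ASSUMPTION: the key is held only by whoever signs off the restore test.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(body: dict) -> bytes:
    # Canonical encoding so the seal does not depend on key order or whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _seal(body: dict) -> str:
    return hmac.new(SIGNING_KEY, _canonical(body), hashlib.sha256).hexdigest()


def issue_certificate(test_id, operator, verdicts, source_hashes, issued_at=None) -> dict:
    """Build the certificate for one scheduled restore test and seal it."""
    body = {
        "restore_test": test_id,
        "issued_at": (issued_at or datetime.now(timezone.utc)).isoformat(),
        "operator": operator,
        "controls": ["availability", "processing-integrity"],  # controls this test is filed against
        "files": [
            {"path": p, "sha256": source_hashes[p], "verdict": verdicts[p]}
            for p in sorted(verdicts)
        ],
        "overall": "PASS" if all(v == "MATCH" for v in verdicts.values()) else "FAIL",
    }
    return {"body": body, "seal": _seal(body)}


def verify_certificate(cert: dict, restored_files: dict) -> dict:
    """Re-verify as an auditor would: check the seal, then recompute every hash.

    restored_files maps path -> bytes of the file as it exists in the restore now.
    """
    seal_ok = hmac.compare_digest(cert["seal"], _seal(cert["body"]))
    recomputed = {}
    for entry in cert["body"]["files"]:
        data = restored_files.get(entry["path"])
        if data is None:
            recomputed[entry["path"]] = "MISSING"
        else:
            digest = hashlib.sha256(data).hexdigest()
            recomputed[entry["path"]] = "MATCH" if digest == entry["sha256"] else "MISMATCH"
    return {"seal_ok": seal_ok, "recomputed": recomputed}


def demo() -> dict:
    """Constructed sample: one intact file, one truncated file, then a doctored certificate."""
    source = {"config.ini": b"[backup]\nschedule=nightly\n", "db/customers.dat": b"\x00" * 4096}
    source_hashes = {p: hashlib.sha256(d).hexdigest() for p, d in source.items()}
    restored = dict(source)
    restored["db/customers.dat"] = source["db/customers.dat"][:-1]  # truncated restore
    verdicts = {
        p: "MATCH" if hashlib.sha256(restored[p]).hexdigest() == source_hashes[p] else "MISMATCH"
        for p in source
    }
    cert = issue_certificate(
        "RT-2024-Q3-01",  # constructed test identifier
        "backup-operator@example.invalid",
        verdicts,
        source_hashes,
        issued_at=datetime(2024, 9, 1, tzinfo=timezone.utc),
    )
    honest = verify_certificate(cert, restored)

    # Someone later edits the stored certificate to hide the failed file.
    tampered = json.loads(json.dumps(cert))
    tampered["body"]["overall"] = "PASS"
    tampered["body"]["files"][1]["verdict"] = "MATCH"
    forged = verify_certificate(tampered, restored)

    return {
        "overall": cert["body"]["overall"],
        "honest_seal_ok": honest["seal_ok"],
        "tampered_seal_ok": forged["seal_ok"],
        "recomputed": honest["recomputed"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two properties that make this usable as operating-effectiveness evidence are visible in the output: the honest certificate re-verifies (seal intact, recomputed hashes agree with the recorded verdicts), while the edited copy fails the seal check before anyone even looks at its contents. With a real signature and trusted timestamp in place of the HMAC, the same check also fixes who issued it and when.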
A Note on Scope: e-Dex Supports the Evidence
Be clear with stakeholders about what the tool does and does not do. e-Dex supports your SOC 2 evidence — it produces the hash-backed, signed integrity artifacts that demonstrate your restored data is intact. It does not issue a SOC 2 report, and it is not an auditor. A SOC 2 report is produced only by a licensed CPA firm after examining your controls. e-Dex is one input to that examination: it gives your auditor defensible, re-verifiable proof of restore integrity, while the attestation itself remains the auditor's work. Used this way, it removes a recurring source of last-minute friction without overstating its role.
Frequently Asked Questions
What counts as SOC 2 backup evidence?
SOC 2 backup evidence is the documentation that shows your backup and restore controls operated as described over the audit period. It typically includes records of restore tests, proof that the restored data matches the source bit-for-bit, dated logs of when the tests ran, and sign-off that someone reviewed the result. Cryptographic hashes and signed integrity certificates are a strong way to evidence the integrity portion, because they turn an after-the-fact claim into a verifiable fact.
Which SOC 2 Trust Services Criteria do backup and restore tests support?
Backup and restore activity most directly supports the availability criteria, which concern the system being available for operation and use, including recovery from disruption. Verifying that restored data is complete and unaltered also supports the processing-integrity criteria, which concern data being complete, valid and accurate. The exact mapping depends on which criteria are in scope for your report, so confirm the boundary with your auditor and the current Trust Services Criteria.
Does e-Dex issue a SOC 2 report or certify SOC 2 compliance?
No. e-Dex does not issue a SOC 2 report and is not an auditor. A SOC 2 report is produced only by a licensed CPA firm after examining your controls. e-Dex is an offline tool that helps you generate the underlying integrity evidence — hashes and signed certificates proving a restored file matches its source — that you then hand to your auditor as part of your control documentation.
How do hashes prove a restore is intact?
A cryptographic hash is a fixed-length fingerprint of a file's contents. After a restore, you hash the recovered file and compare it against the hash recorded for the source. If the values are identical the restore is byte-for-byte intact, shown as a MATCH; if even one byte differs the result is a MISMATCH, flagging corruption or data loss. e-Dex records this comparison on a signed certificate so the restore-integrity result is dated, attributable and re-verifiable later.
Can I produce SOC 2 restore-integrity evidence offline?
Yes. e-Dex runs fully offline on your own Windows machine, so hashing the source and restored data, comparing the values and generating the signed integrity certificate all happen locally without your data leaving your environment. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority to seal exactly when the evidence was produced.
Conclusion
Restore tests only count as SOC 2 evidence when you can show the recovered data was genuinely intact — and a screenshot of a backup console will not carry that weight. Hashing every restore and capturing the result on a dated, signed integrity certificate turns the audit scramble into a routine that quietly accumulates defensible proof all year. See how the artifacts map to availability and processing-integrity controls on our file integrity compliance page, then produce your first restore-integrity certificate offline with e-Dex — the Digital Evidence Integrity Suite. Download it free.