I design and write the compliance documentation your next critical review depends on.
I create tailored SOC 2, CMMC, HIPAA, ISO 27001, and MoCRA documentation for SaaS companies, defense contractors, and cosmetics brands—without agency layers or generic template dumps.
English + Spanish · Direct founder access · Typical project timeline: 4–6 weeks, depending on scope
IT systems and technical documentation
Native bilingual support
SaaS, defense, and cosmetics
One point of contact from scope to delivery
Documentation gaps become business delays.
Compliance work often stalls because the requirements are understood in fragments but never translated into a coherent, environment-specific documentation package. The result is more internal rework, slower reviews, and greater dependence on already-busy technical teams.
SaaS
Enterprise prospects ask for policies, risk documentation, control narratives, and evidence before the internal documentation is ready.
Defense
The SSP, POA&M, control narratives, and evidence do not consistently reflect the contractor's actual environment.
Cosmetics
Registration, product documentation, safety substantiation, labeling, and English/Spanish requirements are spread across different people and vendors.
I turn requirements and real operations into documentation that is clear, structured, and prepared for external review.
Focused documentation for three regulated environments.
Each market has different reviewers, terminology, evidence expectations, and operational risks. The documentation should reflect those differences.
SOC 2 Documentation Services for SaaS
- Policies and procedures
- Control implementation narratives
- Risk assessment and treatment documentation
- System Description support
- Evidence-index structure
- Review-question response support
From engineer-written drafts to review-ready in five weeks.
Problem: A Series A SaaS company with 40 employees had an enterprise deal blocked on SOC 2. Their engineering team had written policies internally — the documents were inconsistent, didn't map to their AWS infrastructure, and wouldn't survive a reviewer's scrutiny.
Intervention: I conducted a three-day gap assessment, then built a 14-policy suite mapped directly to their AWS services and control environment. Each policy included control implementation narratives and a structured evidence binder with artifact references keyed to every Trust Services Criterion.
Outcome: The package was review-ready in five weeks. The enterprise contract closed.
Best for you if…
- You're a Series A–C SaaS company preparing for your first SOC 2, HIPAA, or ISO 27001 review.
- Your engineers shouldn't be the ones writing policies — you need someone who understands both the frameworks and how cloud infrastructure actually works.
- You need documentation fast because an enterprise deal, security questionnaire, or customer audit is waiting on it.
- You want a single person who handles discovery, drafting, revisions, and delivery — not an agency relay.
Not a fit if…
- You're seeking a guaranteed certification outcome. (I prepare the documentation; your auditor decides.)
- You want ongoing managed compliance services or a virtual CISO.
- You need a GRC platform implementation. (I work with the tools you already use, but I don't configure them.)
CMMC Level 2 SSP & POA&M Documentation
- System Security Plan
- Plan of Action and Milestones
- Control implementation narratives
- Control and evidence mapping
- Documentation gap identification
- Assessment-preparation support
Rebuilding an SSP from the ground up after a previous provider left gaps.
Problem: A 25-person defense subcontractor faced a CMMC Level 2 certification deadline. Their previous Registered Practitioner Organization had left them with an incomplete System Security Plan that didn't match their actual environment — critical controls were documented for systems that didn't exist, while real CUI-handling processes were entirely unaddressed.
Intervention: I conducted on-site discovery across their Azure GovCloud enclave and on-premises network, then rebuilt the SSP from scratch. The final package covered all 110 NIST 800-171 controls with environment-specific implementation narratives. I also produced a realistic POA&M with phased remediation timelines their team could actually execute.
Outcome: The assessment passed with three minor clarifications — all resolved within 48 hours.
Best for you if…
- You're a defense subcontractor with 10–200 employees who needs a CMMC Level 2 SSP and POA&M that actually reflects your environment.
- A previous provider left you with documentation that doesn't match your systems, scope, or CUI flows.
- You need someone who will walk your facility, understand your enclave, and write documentation grounded in what you actually operate.
- Your assessor or prime contractor is asking for documentation you don't have — and soon.
Not a fit if…
- You're looking for a C3PAO assessment. (I prepare documentation and readiness; I don't conduct CMMC assessments.)
- You need managed security services or ongoing CUI monitoring.
- You're a prime contractor with a 1,000+ person enterprise environment spanning multiple classification levels.
MoCRA Bilingual Cosmetics Compliance Documentation
- Facility and product-listing documentation support
- Safety-substantiation file organization
- Serious adverse-event procedures
- English/Spanish labeling documentation
- Compliance-document checklists
- Documentation maintenance guidance
From no FDA registration to first-submission acceptance and Mexico retail.
Problem: A Latina-owned indie beauty brand with 12 SKUs was preparing to expand into Mexico retail. They had no FDA facility registration, no safety substantiation records, and their labels were English-only — non-compliant for both FDA and COFEPRIS requirements.
Intervention: I handled their FDA facility registration and product listings, organized safety substantiation dossiers for each SKU, and produced bilingual EN/ES labeling documentation compliant with both FDA 21 CFR 701 and COFEPRIS NOM-141-SSA1/SCFI-2012 requirements.
Outcome: The submission was accepted on first review. Mexico distribution was secured.
Best for you if…
- You're an indie beauty or personal care brand with 5–50 SKUs.
- You need FDA facility registration, product listing, and safety substantiation documentation — and you've never done it before.
- You sell (or plan to sell) in both US and Latin American markets and need bilingual EN/ES labeling documentation.
- You want someone who handles the paperwork so you can focus on formulation, branding, and growth.
Not a fit if…
- You need full regulatory affairs management across 30+ international markets.
- You're looking for cosmetic formulation, safety testing, or lab services. (I document; I don't test.)
- You need ongoing FDA liaison representation or legal representation in enforcement matters.
You are hiring me to produce the documents—not merely recommend them.
Every engagement is scoped around defined documents, review stages, formats, and acceptance criteria. The exact package depends on the framework and the condition of your current documentation.
Evaluate the thinking before you hire the writer.
This is a new practice. Rather than publishing invented social proof, I make the approach visible through detailed guidance, transparent scope, and demonstration work.
Practical Guides
SOC 2 Documentation Checklist
For SaaS teams preparing for their first SOC 2 review — 27 items your reviewer will expect, organized by Trust Services Category, with evidence-gathering guidance for each.
CMMC Level 2 Documentation Guide
For defense contractors navigating CMMC Level 2 — SSP structure, POA&M format, evidence organization, and the control-to-narrative mapping that assessors look for.
MoCRA Compliance Notes
For cosmetics brands under FDA MoCRA — facility registration steps, product listing requirements, safety substantiation documentation, and what changed from pre-MoCRA rules.
Example Document Structures
Example structure — final scope varies by engagement.
SOC 2 (SaaS)
- Scope and system description
- Common criteria policies (security, availability, confidentiality)
- Control implementation narratives mapped to Trust Services Criteria
- Risk assessment and treatment documentation
- Evidence index organized by control
- Vendor management and change management procedures
CMMC Level 2 (Defense)
- System Security Plan (SSP) reflecting the actual environment
- Plan of Action and Milestones (POA&M)
- Control narratives aligned to NIST 800-171 requirements
- Evidence mapping and artifact references
- Gap identification and remediation documentation
- Assessment preparation and response support
MoCRA (Cosmetics)
- Facility and product-listing documentation support
- Safety-substantiation file organization
- Serious adverse-event reporting procedures
- English/Spanish labeling documentation
- Compliance-document checklists
- Documentation maintenance guidance
Representative Demonstration Structures
Demonstration sample — created to show GoGoSoto's documentation method. It is not client work.
Control: CC6.1 — Logical and Physical Access Controls
System Component: AWS IAM + Okta SSO
Control Owner: VP of Engineering
Last Reviewed: [Date]
Narrative:
The company enforces logical access through AWS IAM role-based policies integrated with Okta SSO for workforce identity federation. All user access is granted via group-based role assignment following least-privilege principles. Access reviews are conducted quarterly by engineering managers using AWS IAM Access Analyzer reports. MFA is enforced for all human users via Okta Verify push notifications. Emergency access procedures are documented in the Incident Response Plan (§4.2) and use AWS IAM break-glass roles with auto-expiration of 2 hours.
Evidence Sources:
• AWS IAM credential report (quarterly)
• Okta admin console — MFA enrollment report
• Access review meeting minutes
• Break-glass role invocation logs (CloudTrail)
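The narrative above cites the quarterly AWS IAM credential report as evidence that MFA is enforced for human users. An auditor will want to see that the report was actually examined, not just collected. The following script is an added illustration of how that examination can be made repeatable: it parses a credential report and produces the two findings a reviewer asks about first, console users without MFA and long-lived access keys. It is not GoGoSoto's deliverable or client work. The sample rows are constructed, the column set is a subset of the real credential report's columns, and the 90-day rotation window is an assumed policy threshold rather than a figure from the narrative.

```python
"""Evidence check behind a CC6.1 narrative: read an AWS IAM credential report
and flag (a) console users without MFA and (b) active access keys that have
not been rotated within the policy window.

Constructed sample data; the column names follow the AWS IAM credential
report CSV but only a subset is included. KEY_ROTATION_DAYS is an assumed
policy threshold, not a value from the control narrative.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not real account data; the account ID is a dummy).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T10:00:00+00:00,not_supported,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-05-10T09:00:00+00:00,true,true,true,2024-11-20T08:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2023-01-15T12:00:00+00:00,true,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-08-01T00:00:00+00:00,false,false,true,2024-06-01T00:00:00+00:00
"""

KEY_ROTATION_DAYS = 90  # assumed policy threshold
# Constructed "as of" date for the quarterly review being evidenced.
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)


def parse_report(text):
    """Parse credential-report CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def users_without_mfa(rows):
    """Return console (human) users whose MFA is not active.

    The root account is always treated as a console user even though its
    password_enabled column reads 'not_supported'.
    """
    flagged = []
    for r in rows:
        is_console = r["user"] == "<root_account>" or r["password_enabled"] == "true"
        if is_console and r["mfa_active"] != "true":
            flagged.append(r["user"])
    return flagged


def stale_access_keys(rows, as_of, max_age_days=KEY_ROTATION_DAYS):
    """Return (user, age_in_days) for active keys older than the window."""
    cutoff = as_of - timedelta(days=max_age_days)
    flagged = []
    for r in rows:
        if r["access_key_1_active"] != "true" or r["access_key_1_last_rotated"] == "N/A":
            continue
        rotated = datetime.fromisoformat(r["access_key_1_last_rotated"])
        if rotated < cutoff:
            flagged.append((r["user"], (as_of - rotated).days))
    return flagged


def evidence_summary(text, as_of=AS_OF):
    """Produce the summary a reviewer would file alongside the raw report."""
    rows = parse_report(text)
    return {
        "as_of": as_of.date().isoformat(),
        "users_reviewed": len(rows),
        "console_users_without_mfa": users_without_mfa(rows),
        "stale_access_keys": stale_access_keys(rows, as_of),
    }


if __name__ == "__main__":
    for k, v in evidence_summary(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

Filing the summary output next to the raw CSV turns a collected artifact into reviewed evidence: it shows the date of review, the population examined, and the exceptions found, which is what the "quarterly" claim in the narrative needs to survive scrutiny.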
System Boundary Definition
CMMC Level 2 Assessment Scope: Enclave Model
IN-SCOPE ASSETS:
• 12 Windows Server 2022 VMs (Azure GovCloud — US East)
• 3 Cisco Catalyst 9300 switches (Building A, C, D)
• 45 Windows 11 Enterprise workstations (engineering + admin staff)
• GitLab Ultimate self-hosted (CUI repository)
• Azure Active Directory / Entra ID tenant
OUT-OF-SCOPE (excluded via VLAN segmentation):
• Guest WiFi network (VLAN 99)
• VoIP phone system (VLAN 50)
• Building automation / IoT devices
• Marketing department workstations (VLAN 20)
External Connections:
• DoD SAFE (CUI file transfer) — one-way outbound
• Contractor Performance Assessment Reporting System (CPARS)
• Azure GovCloud ExpressRoute to on-premises
CUI Flow: CUI is received via DoD SAFE → downloaded to encrypted Azure GovCloud VM → processed in GitLab Ultimate → exported via DoD SAFE. CUI never touches unclassified workstations or guest networks.
Product: [Product Name] — Batch #[Batch ID]
FDA Facility Registration: #[Registration Number]
| Requirement (EN) | Requisito (ES) | Status |
|---|---|---|
| Product identity statement | Declaración de identidad | ✓ |
| Net quantity of contents | Cantidad neta del contenido | ✓ |
| Ingredient list (descending) | Lista de ingredientes | ✓ |
| Name/Location of business | Nombre/Dirección del negocio | ✓ |
| Country of origin | País de origen | ✓ |
| Warning/Caution statements | Advertencias/Precauciones | ✓ |
| Safe use instructions | Instrucciones de uso seguro | ✓ |
| Adverse event reporting | Informe de eventos adversos | ✓ |
FDA MoCRA Compliance Notes:
• Facility registration renewed: [Date]
• Responsible Person designated: [Name/Title]
• Safety substantiation dossier: Reference #[Dossier ID]
• Fragrance allergen disclosure: Per 21 CFR 701.3 — completed
• Label reviewed by: [Reviewer Name/Title]
• Label version date: [Date]
This is what makes the documentation accurate and review-ready.
Honest, straightforward collaboration produces documentation prepared for serious scrutiny. Here's what I'll need from your side:
Truthful operational details
Accurate information about your systems, controls, and workflows. The documentation must reflect your actual environment—not an idealized version.
Source material
Existing policies, system diagrams, prior audit reports, and any relevant documentation you already have. I'll review and build on what's usable.
Access to subject matter experts
A few focused validation calls with the people who know your systems and processes firsthand ensure the documentation is technically precise.
Draft review and sign-off
Timely review of deliverables and formal approval within the agreed project timeline keep the engagement on track.
Evidence artifacts
Screenshots, configuration exports, logs, and other supporting materials for the evidence binder. I'll tell you exactly what's needed and in what format.
From documentation gap to finished package.
Discovery
We identify the framework, review deadline, operating environment, existing material, stakeholders, and immediate documentation risks.
30-minute initial call
Review and scope
I examine the available material, identify gaps, define deliverables, and provide a written fixed-price proposal.
Typically completed during the first project week
Information capture
I collect the technical and operational details needed to make the documentation reflect the organization's actual environment.
Drafting
I write the agreed policies, procedures, narratives, mappings, and supporting documentation.
Review and revision
Your subject-matter experts review the drafts for operational accuracy. Two revision rounds are included unless the proposal states otherwise.
Delivery and support
You receive the finalized package in the agreed format, along with the defined support period and any maintenance recommendations.
Typical engagements take 4–6 weeks, but scope, stakeholder availability, and document complexity can change the timeline.
Senior documentation work without the agency relay.
Direct founder access
The person scoping the engagement is also the person writing and revising the documentation.
Environment-specific writing
Documents reflect the organization's real systems, processes, responsibilities, and evidence—not merely framework language.
Bilingual continuity
English and Spanish work is handled as one documentation process rather than passed to a separate translation vendor.
Defined scope
Deliverables, review rounds, formats, responsibilities, and payment terms are established before the project begins.
I use proven document structures, but the operating details, control narratives, responsibilities, and evidence expectations are tailored to your environment.
Why bilingual documentation matters.
If your business crosses the US–Latin America line, your compliance documentation should too. Here's why:
Regulators expect it.
The FDA accepts documentation in both English and Spanish. COFEPRIS, Mexico's health authority, requires Spanish. When you expand into Latin American markets, monolingual documentation creates friction at every regulatory checkpoint.
Labels must match across markets.
A claim written in English on your US label can't accidentally become something different in Spanish. Translation errors between markets create mislabeling risk, conflicting claims, and non-compliant product representations — any of which can trigger a regulatory action or a retailer rejection.
Your stakeholders need the same precision.
When board members, investors, co-manufacturers, or distributors operate in Spanish, they deserve documentation that matches the English version in precision, not a rough translation that muddies technical terms.
Common risks of monolingual-only documentation:
- Mislabeling from inconsistent translations between US and LATAM product versions
- Conflicting safety or efficacy claims across markets
- Non-compliant Spanish translations that don't satisfy COFEPRIS or other LATAM regulator requirements
- Delayed market entry while Spanish documentation is retrofitted after the fact
I handle both languages as one documentation process. There's no handoff to a translation vendor who doesn't understand the regulatory context. English and Spanish versions are drafted together, reviewed together, and delivered together — consistent in terminology, compliant in both markets.
I'm Nestor Soto.
I'm a bilingual documentation specialist with 15 years across IT systems, technical documentation, security controls, and operational processes. I founded GoGoSoto to give smaller regulated teams direct access to senior-level documentation work without agency layers or junior handoffs. My role is to translate complex requirements and real operating practices into documents that technical teams can validate and outside reviewers can follow. When you hire me, you work directly with me—from discovery and scope through drafting, revision, and delivery.
Based in Cookeville, Tennessee. Available for remote engagements with US and international teams.
Defined scope. Fixed project price.
Every project begins with a written scope listing the documents, review rounds, responsibilities, delivery format, timeline, and price.
You keep your auditor and certifying body; I keep you ready with documentation aligned to your actual environment.
Foundation
Best for: A smaller, focused single-framework documentation need.
- Initial documentation review
- Defined document inventory
- Up to 10 agreed policies or procedures
- Evidence-index template
- Two revision rounds
- 30 days of post-delivery email support
Applicability depends on the framework and existing documentation.
Comprehensive
Best for: A broader documentation package with multiple interconnected deliverables.
- Everything in Foundation
- Expanded document suite
- Risk assessment and treatment documentation where applicable
- System or control narratives
- Control-mapping structure
- Expanded evidence index
- 60 days of post-delivery email support
Custom
Best for:
- CMMC SSP and POA&M packages
- Complex MoCRA or bilingual projects
- Multiple products or business units
- Significant remediation or rewrite work
- Accelerated deadlines
- Ongoing maintenance
Retainer: Ongoing documentation maintenance is available from $2,500 per month, depending on scope.
Payment: Standard projects: 50% to begin and 50% at final delivery, unless the written proposal states otherwise.
I provide documentation and readiness support. Audit, certification, regulatory, and legal services are not included unless expressly stated.
Frequently asked questions
No documentation provider can control an auditor, assessor, regulator, customer, or contracting party's final decision. I deliver documentation aligned to the agreed framework, project scope, and information your team provides, and I help address reasonable documentation questions during the included support period.
I use proven structures and controlled document frameworks, but the operating details, responsibilities, system descriptions, control narratives, and evidence expectations are tailored to your environment. You receive an organization-specific package, not a generic template dump.
I review what exists before recommending a rewrite. Reusable material is retained where practical, and the proposal focuses on actual gaps, inconsistencies, and missing deliverables.
No. I provide documentation and readiness support. I do not certify organizations, issue audit opinions, or act as a C3PAO.
No. I do not provide legal advice. Organizations should consult qualified legal or regulatory counsel when legal interpretation is required.
A typical focused engagement takes approximately 4–6 weeks. The actual timeline depends on scope, document volume, stakeholder availability, existing material, and review speed.
Yes. I handle everything — discovery, scope, drafting, revisions, and delivery.
Only information reasonably needed for the agreed work should be shared. Confidentiality terms, access methods, storage expectations, and deletion or retention requirements can be documented in the engagement agreement.
Yes, where the requested work concerns the supported US frameworks or US market requirements. Any local legal or regulatory interpretation outside that scope should be handled by qualified local counsel.
Each project includes a defined post-delivery support period. Ongoing maintenance, updates, and additional documentation can be handled through a new project or monthly retainer.