If we only hire contractors that are conducting QA but are not building or running our systems, would we need to include them in our SOC 2 audit?
