Compliance Mapping
SOC2 Type II (TSC 2017, with 2022 amendments)
| TSC | Control | Implementation |
|---|---|---|
| CC2.1 | Communication | Quarterly access reviews; quarterly risk assessments |
| CC5.2 | Risk assessment | Formal RA process; documented in risk-register/ |
| CC6.1 | Logical access | MFA enforcement, RBAC + ABAC (SAML/OIDC SSO planned — roadmap Q4 2026) |
| CC6.2 | New user provisioning | Manual provisioning; SCIM 2.0 planned (roadmap Q1 2027) |
| CC6.3 | Role changes | Audit-logged role changes (RBAC + ABAC) |
| CC6.6 | Vulnerability management | Dependabot + SBOM + Trivy + Grype |
| CC6.7 | Encryption | TLS 1.3 + KMS envelope encryption |
| CC6.8 | Penetration testing | Third-party penetration test planned (not yet completed) |
| CC7.1 | Operations | Runbooks, on-call rotations |
| CC7.2 | Monitoring | Audit log + Prometheus + log aggregation |
| CC7.3 | Incident response | Plan in docs/DR-runbook.md |
| CC7.4 | Disaster recovery | Single-region primary (WNAM) + D1 point-in-time recovery; multi-region available for on-prem/self-hosted |
| CC7.5 | Recovery | D1 point-in-time recovery; recovery objectives documented for on-prem deployment sizes (not bound to SaaS tiers) |
| A1.1 | Capacity | capacity-cost-model.md tracks |
| A1.2 | Environmental | Bare-metal with audited vendors |
| C1.1 | Confidentiality | Per-tenant data partitioning |
| C1.2 | Confidentiality (data disposal) | 30d erasure + 90d backup erasure |
| PI1.1 | Processing integrity | Deterministic rules + integration tests |
| P1.1 | Privacy | docs/privacy-model.md |
| P4.1 | Privacy (data quality) | Per-layer metrics roundtrip tests |
| P5.1 | Privacy (use, retention, disposal) | See privacy-model.md |
ISO 27001 / 27002 (2022)
- A.5.1 — Information security policies.
- A.5.7 — Threat intelligence (CVE feed + deps audit).
- A.5.10 — Acceptable use of information.
- A.5.15 — Access control.
- A.5.16 — Identity management.
- A.5.17 — Authentication factors.
- A.5.18 — Access rights.
- A.6.3 — Information security awareness.
- A.8.1 — User endpoint devices.
- A.8.5 — Secure authentication.
- A.8.7 — Protection against malware.
- A.8.9 — Configuration management.
- A.8.12 — Data leakage prevention.
- A.8.16 — Monitoring activities.
- A.8.20 — Networks security.
- A.8.21 — Security of network services.
- A.8.22 — Segregation of networks.
- A.8.23 — Web filtering.
- A.8.24 — Use of cryptography.
- A.8.28 — Secure coding.
- A.8.30 — Outsourced development.
HIPAA
- 164.308(a)(1) — Security management process.
- 164.308(a)(3) — Workforce security.
- 164.308(a)(4) — Information access management.
- 164.308(a)(5) — Security awareness and training.
- 164.308(a)(6) — Security incident procedures.
- 164.312(a)(1) — Access control.
- 164.312(a)(2) — Unique user identification.
- 164.312(b) — Audit controls.
- 164.312(c)(1) — Integrity controls.
- 164.312(d) — Person or entity authentication.
- 164.312(e)(1) — Transmission security.
FedRAMP (Moderate)
See docs/fedramp-roadmap.md for the full control mapping and authorization timeline.