← Back to reference

Compliance Mapping

SOC2 Type II (TSC 2017, with 2022 amendments)

TSCControlImplementation
CC2.1CommunicationQuarterly access reviews; quarterly risk assessments
CC5.2Risk assessmentFormal RA process; documented in risk-register/
CC6.1Logical accessMFA enforcement, RBAC + ABAC (SAML/OIDC SSO planned — roadmap Q4 2026)
CC6.2New user provisioningManual provisioning; SCIM 2.0 planned (roadmap Q1 2027)
CC6.3Role changesAudit-logged role changes (RBAC + ABAC)
CC6.6Vulnerability managementDependabot + SBOM + Trivy + Grype
CC6.7EncryptionTLS 1.3 + KMS envelope encryption
CC6.8Penetration testingThird-party penetration test planned (not yet completed)
CC7.1OperationsRunbooks, on-call rotations
CC7.2MonitoringAudit log + Prometheus + log aggregation
CC7.3Incident responsePlan in docs/DR-runbook.md
CC7.4Disaster recoverySingle-region primary (WNAM) + D1 point-in-time recovery; multi-region available for on-prem/self-hosted
CC7.5RecoveryD1 point-in-time recovery; recovery objectives documented for on-prem deployment sizes (not bound to SaaS tiers)
A1.1Capacitycapacity-cost-model.md tracks
A1.2EnvironmentalBare-metal with audited vendors
C1.1ConfidentialityPer-tenant data partitioning
C1.2Confidentiality (data disposal)30d erasure + 90d backup erasure
PI1.1Processing integrityDeterministic rules + integration tests
P1.1Privacydocs/privacy-model.md
P4.1Privacy (data quality)Per-layer metrics roundtrip tests
P5.1Privacy (use, retention, disposal)See privacy-model.md

ISO 27001 / 27002 (2022)

  • A.5.1 — Information security policies.
  • A.5.7 — Threat intelligence (CVE feed + deps audit).
  • A.5.10 — Acceptable use of information.
  • A.5.15 — Access control.
  • A.5.16 — Identity management.
  • A.5.17 — Authentication factors.
  • A.5.18 — Access rights.
  • A.6.3 — Information security awareness.
  • A.8.1 — User endpoint devices.
  • A.8.5 — Secure authentication.
  • A.8.7 — Protection against malware.
  • A.8.9 — Configuration management.
  • A.8.12 — Data leakage prevention.
  • A.8.16 — Monitoring activities.
  • A.8.20 — Networks security.
  • A.8.21 — Security of network services.
  • A.8.22 — Segregation of networks.
  • A.8.23 — Web filtering.
  • A.8.24 — Use of cryptography.
  • A.8.28 — Secure coding.
  • A.8.30 — Outsourced development.

HIPAA

  • 164.308(a)(1) — Security management process.
  • 164.308(a)(3) — Workforce security.
  • 164.308(a)(4) — Information access management.
  • 164.308(a)(5) — Security awareness and training.
  • 164.308(a)(6) — Security incident procedures.
  • 164.312(a)(1) — Access control.
  • 164.312(a)(2) — Unique user identification.
  • 164.312(b) — Audit controls.
  • 164.312(c)(1) — Integrity controls.
  • 164.312(d) — Person or entity authentication.
  • 164.312(e)(1) — Transmission security.

FedRAMP (Moderate)

See docs/fedramp-roadmap.md for the full control mapping and authorization timeline.