Soc2 Controls
This is the operational/evidence catalog that supports the mapping in docs/compliance-mapping.md. It enumerates each control and the specific evidence Denpex collects during operations.
CC1 — Control Environment
- CC1.1 Code of Conduct. Evidence: HR signed acknowledgment on file for every employee (off-platform). Public version at
https://denpex.ai/legal/code-of-conduct. - CC1.4 Background checks. Evidence: HR signed acknowledgment for compliance training and SOC2 access training.
CC2 — Communication
- CC2.1 Quarterly all-hands includes a security and compliance briefing.
- CC2.2 Quarterly external customer advisory board.
CC5 — Risk Assessment
- CC5.2 Risk register maintained quarterly with named owners.
- CC5.3 Risk assessment signed by CTO.
CC6 — Logical & Physical Access
- CC6.1 Logical access control:
docs/rbac-guide.md. - CC6.2 New user provisioning: manual today; SCIM 2.0 planned (roadmap Q1 2027).
- CC6.3 Role change logged in audit.
- CC6.6 Vulnerability management: weekly scans, SBOM in every release.
- CC6.7 Encryption:
docs/encryption-guide.md. - CC6.8 Third-party penetration test planned; no completed report yet.
CC7 — System Operations
- CC7.1 Operational procedures:
docs/operations/. - CC7.2 Audit log:
docs/audit-logging-guide.md. - CC7.3 Incident response:
docs/DR-runbook.md. - CC7.4 DR plan:
docs/DR-runbook.md#disaster-recovery. - CC7.5 Recovery time objective verified by quarterly game days.
A1 — Availability
- A1.1 Capacity planning model:
docs/capacity-cost-model.md.
C1 — Confidentiality
- C1.1 Per-tenant data partitioning.
- C1.2 Right-to-erasure covered in
docs/privacy-model.md.
P1 / P4 / P5 — Privacy
- Privacy policy, collection matrix, and data minimization rules in
docs/privacy-model.mdanddocs/data-collection-matrix.md.