← Back to reference

Soc2 Controls

This is the operational/evidence catalog that supports the mapping in docs/compliance-mapping.md. It enumerates each control and the specific evidence Denpex collects during operations.

CC1 — Control Environment

  • CC1.1 Code of Conduct. Evidence: HR signed acknowledgment on file for every employee (off-platform). Public version at https://denpex.ai/legal/code-of-conduct.
  • CC1.4 Background checks. Evidence: HR signed acknowledgment for compliance training and SOC2 access training.

CC2 — Communication

  • CC2.1 Quarterly all-hands includes a security and compliance briefing.
  • CC2.2 Quarterly external customer advisory board.

CC5 — Risk Assessment

  • CC5.2 Risk register maintained quarterly with named owners.
  • CC5.3 Risk assessment signed by CTO.

CC6 — Logical & Physical Access

  • CC6.1 Logical access control: docs/rbac-guide.md.
  • CC6.2 New user provisioning: manual today; SCIM 2.0 planned (roadmap Q1 2027).
  • CC6.3 Role change logged in audit.
  • CC6.6 Vulnerability management: weekly scans, SBOM in every release.
  • CC6.7 Encryption: docs/encryption-guide.md.
  • CC6.8 Third-party penetration test planned; no completed report yet.

CC7 — System Operations

  • CC7.1 Operational procedures: docs/operations/.
  • CC7.2 Audit log: docs/audit-logging-guide.md.
  • CC7.3 Incident response: docs/DR-runbook.md.
  • CC7.4 DR plan: docs/DR-runbook.md#disaster-recovery.
  • CC7.5 Recovery time objective verified by quarterly game days.

A1 — Availability

  • A1.1 Capacity planning model: docs/capacity-cost-model.md.

C1 — Confidentiality

  • C1.1 Per-tenant data partitioning.
  • C1.2 Right-to-erasure covered in docs/privacy-model.md.

P1 / P4 / P5 — Privacy

  • Privacy policy, collection matrix, and data minimization rules in docs/privacy-model.md and docs/data-collection-matrix.md.