SOC 2 Controls Matrix
Last updated: April 2026
This document maps SOC 2 Trust Service Criteria to technical controls. A formal SOC 2 Type II audit is on our roadmap.
CC6 — Logical and Physical Access
| Criteria | Control | Implementation |
|---|---|---|
| CC6.1 | Logical access | JWT authentication, API key authentication |
| CC6.2 | Access provisioning | RBAC (owner/admin/developer/viewer), SSO/SCIM |
| CC6.3 | Access removal | Team member removal, API key revocation |
| CC6.5 | Authentication | MFA (TOTP), SSO (SAML/OIDC), password policies |
| CC6.6 | Access controls | IP allowlisting, rate limiting |
| CC6.7 | Information protection | TLS 1.3, AES-256 at rest, bcrypt passwords |
CC7 — System Operations
| Criteria | Control | Implementation |
|---|---|---|
| CC7.1 | Monitoring | Structured logging, metrics, health checks |
| CC7.3 | Security events | Audit log with IP/user agent, integrity hashing |
| CC7.4 | Incident response | Incident response plan, on-call procedures |
| CC7.5 | Recovery | Backup procedures, disaster recovery runbook |
CC8 — Change Management
| Criteria | Control | Implementation |
|---|---|---|
| CC8.1 | Change management | Git-based workflow, PR reviews, CI/CD |
| CC8.2 | Change testing | Automated test suite (80%+ coverage), staging environment |