SOC 2 Controls Matrix
Last updated: April 2026
This matrix maps SOC 2 Trust Service Criteria — security, availability, and confidentiality — to the specific features, processes, and technical controls implemented in FeatureSignals. A formal SOC 2 Type II audit is on our roadmap.
Status: Controls Implemented — Audit Planned
All controls listed below are implemented and operational. The formal SOC 2 Type II audit engagement is on the product roadmap. This matrix serves as readiness documentation for the audit process.
Common Criteria — Security (CC1–CC9)
CC6 — Logical and Physical Access Controls
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| CC6.1 | Logical access security | JWT authentication (1h TTL), API key auth (SHA-256 hashed), TLS 1.3 |
| CC6.2 | User access provisioning | RBAC with four roles (owner/admin/developer/viewer), SSO/SCIM provisioning |
| CC6.3 | Access removal | Immediate member removal, API key revocation, session invalidation |
| CC6.4 | Physical access | Cloud provider physical security (Hetzner ISO 27001 data centers) |
| CC6.5 | Authentication mechanisms | MFA (TOTP), SSO (SAML/OIDC), bcrypt password hashing (cost 12) |
| CC6.6 | External access points | IP allowlisting (Enterprise), rate limiting, WAF rules |
| CC6.7 | Information transmission | TLS 1.3 in transit, AES-256 at rest, HSTS enforcement |
| CC6.8 | Malicious software | Containerized deployment, read-only filesystem, vulnerability scanning |
CC7 — System Operations
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| CC7.1 | Detection & monitoring | Structured JSON logging (slog), SigNoz observability, health checks, metrics |
| CC7.2 | Security monitoring | Audit log with actor/IP/timestamp, SHA-256 integrity chain hashing |
| CC7.3 | Security incident evaluation | Incident response plan, on-call rotation, 15-min P0 acknowledgment |
| CC7.4 | Incident response | Defined severity levels (P0–P4), runbooks, post-mortem process |
| CC7.5 | Recovery plans | Automated backups, disaster recovery runbook, RPO <24h, RTO <30min |
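The CC7.2 row names a SHA-256 integrity chain over audit records. The following Go block is an added illustration of that construction, not FeatureSignals code: each record's hash covers its own fields plus the previous record's hash, so `Verify` pinpoints the first entry that was edited, deleted or reordered. The field names, JSON layout and all-zero genesis value are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Genesis is the prev_hash of the first entry: an all-zero SHA-256 (assumed).
const Genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEntry carries actor, IP and timestamp (the CC7.2 row) plus the chain fields.
type AuditEntry struct {
	Timestamp string `json:"ts"`
	Actor     string `json:"actor"`
	IP        string `json:"ip"`
	PrevHash  string `json:"prev_hash"`
	Hash      string `json:"hash,omitempty"`
}

// digest is SHA-256 over the entry's JSON with Hash cleared; fixed field order keeps it canonical.
func digest(e AuditEntry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links e to the last entry's hash and seals it with its own hash.
func Append(chain []AuditEntry, e AuditEntry) []AuditEntry {
	e.PrevHash = Genesis
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = digest(e)
	return append(chain, e)
}

// Verify recomputes every hash and link, returning the index of the first bad
// entry or -1 if intact; any edit, deletion or reorder breaks the chain from there on.
func Verify(chain []AuditEntry) int {
	prev := Genesis
	for i, e := range chain {
		if e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```

For the chain to be evidence rather than decoration, the latest hash must be anchored somewhere the log writer cannot rewrite (a separate store, a signed checkpoint, or an external timestamp); otherwise an attacker with write access can simply recompute the chain.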
Availability Criteria (A1)
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| A1.1 | Capacity management | Connection pool tuning (20–50 conns), horizontal scaling, load testing |
| A1.2 | Environmental protections | Hetzner data center redundancy, UPS, generator backup, fire suppression |
| A1.3 | Recovery testing | Quarterly DR testing, backup verification, restore procedure validation |
Confidentiality Criteria (C1)
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| C1.1 | Confidential information identification | Data classification: PII, PHI, secrets, credentials — all encrypted at rest |
| C1.2 | Confidential information disposal | GDPR-compliant erasure, 30-day grace period, permanent purge on day 31 |
CC8 — Change Management
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| CC8.1 | Change management process | Git-based workflow, mandatory PR reviews, branch protection rules, CI/CD pipeline |
| CC8.2 | Authorized changes | Code owners, required approvers, signed commits, immutable release tags |
| CC8.3 | Change testing | 80%+ test coverage, table-driven tests, staging environment, canary deployments |
CC3 — Risk Assessment
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| CC3.1 | Risk identification | Threat modeling, dependency scanning (govulncheck, npm audit), security review process |
| CC3.2 | Risk mitigation | Defense-in-depth architecture, least privilege, deny-by-default security posture |
| CC3.3 | Vendor risk management | Sub-processor assessment, vendor security review, data processing agreements |
CC4 — Monitoring Activities
| Criteria | Control Objective | FeatureSignals Implementation |
|---|---|---|
| CC4.1 | Ongoing monitoring | SigNoz dashboards, Prometheus metrics, alerting on anomaly detection |
| CC4.2 | Control evaluation | Automated control testing, quarterly access review, configuration drift detection |