SOC 2 Evidence Collection
Last updated: April 2026
SOC 2 audits require extensive evidence that controls are designed appropriately and operating effectively over time. FeatureSignals automates evidence collection wherever possible, reducing the burden of audit preparation while maintaining a continuously audit-ready posture.
Continuous Audit Readiness
Our goal is to be audit-ready every day, not just during audit season. Automated evidence collection runs continuously so that audit evidence is always current and complete.
Evidence Categories
SOC 2 evidence falls into four categories. FeatureSignals collects each systematically:
1. Design Evidence — “The control exists”
- Architecture diagrams and data flow documentation
- Security policy documents and standards
- RBAC role definitions and permission matrices
- Encryption standards and key management policies
- Network diagrams and firewall rule documentation
Source: Architecture wiki, CLAUDE.md, security documentation
2. Operating Evidence — “The control is running”
| Control Area | Automated Evidence | Collection Frequency |
|---|---|---|
| Access provisioning | Team member audit log (add/remove/role change) | Real-time |
| Authentication | Login success/failure logs, MFA enrollment status | Real-time |
| Change management | PR reviews, CI/CD pipeline logs, deployment records | Per change |
| Vulnerability scanning | govulncheck reports, npm audit output, dependency scan results | Daily (CI), weekly (full scan) |
| Backup verification | Backup completion logs, restore test results | Daily (backup), quarterly (restore test) |
| Availability monitoring | Uptime metrics, health check logs, incident records | Continuous |
3. Testing Evidence — “We verify the control works”
- Automated test suite results (80%+ coverage, CI-enforced)
- Penetration test reports (annual, third-party)
- Disaster recovery test results (quarterly)
- Access review attestations (quarterly)
- Tabletop exercise outcomes (semi-annual incident response drills)
4. Remediation Evidence — “We fix what breaks”
- Incident post-mortems with root cause analysis
- Vulnerability remediation timelines
- Configuration drift correction records
- Access removal confirmation timestamps
Audit Trail Architecture
The audit trail is the backbone of SOC 2 evidence collection. Every mutating operation in FeatureSignals produces an immutable audit record:
| Field | Description | Retention |
|---|---|---|
| Timestamp | UTC, RFC 3339 format | Permanent |
| Actor | User ID, email, role | Permanent |
| Action | Resource type, action name, resource ID | Permanent |
| Before/After | State diff for modifications | Permanent |
| Client | IP address, user agent | 1 year (GDPR-minimized) |
| Integrity Hash | SHA-256 chain-linked to previous entry | Permanent |
The chain-linked SHA-256 hashing ensures that any tampering with the audit trail is detectable — each entry's hash depends on the previous entry's hash, creating a cryptographic chain of custody.
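The chain described above, as an added Go example (not FeatureSignals code): each entry carries the fields from the table, its hash covers the entry together with the previous entry's hash, and Verify walks the chain link by link. It assumes a JSON encoding as the hashed form and a head hash stored outside the audit table; the three events are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// AuditEntry follows the table above; Hash covers every other field, Prev included, so any edit breaks a link.
type AuditEntry struct {
	Timestamp, Actor, Action, Before, After string
	Prev                                    string // hex SHA-256 of the previous entry; "" for the first entry
	Hash                                    string `json:"-"` // excluded from the hashed encoding
}
// computeHash hashes the JSON encoding of e (struct field order is fixed, so it is deterministic).
func computeHash(e AuditEntry) string {
	b, _ := json.Marshal(e) // string fields only, so Marshal cannot fail
	return fmt.Sprintf("%x", sha256.Sum256(b))
}
// Append links e (Prev left empty by the caller) to the tail of chain and stores its hash.
func Append(chain []AuditEntry, e AuditEntry) []AuditEntry {
	if n := len(chain); n > 0 {
		e.Prev = chain[n-1].Hash
	}
	e.Hash = computeHash(e)
	return append(chain, e)
}
// Verify re-derives every link and returns the index of the first failing entry, or -1. Checking the
// final hash against a head kept outside the table (an assumption here) also catches deletion of the tail.
func Verify(chain []AuditEntry, expectedHead string) int {
	prev := ""
	for i, e := range chain {
		if e.Prev != prev || computeHash(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	if prev == expectedHead {
		return -1
	}
	return len(chain) // every link checks out, but the tail no longer matches the anchored head
}
// SampleChain builds three constructed team-membership events (not real FeatureSignals data).
func SampleChain() []AuditEntry {
	c := Append(nil, AuditEntry{Timestamp: "2026-04-01T10:00:00Z", Actor: "u1", Action: "team_member.add u42", After: "role=viewer"})
	c = Append(c, AuditEntry{Timestamp: "2026-04-01T10:05:00Z", Actor: "u1", Action: "team_member.role_change u42", Before: "role=viewer", After: "role=admin"})
	c = Append(c, AuditEntry{Timestamp: "2026-04-01T10:09:00Z", Actor: "u2", Action: "team_member.remove u42", Before: "role=admin"})
	return c
}
```

On the sample chain, Verify returns 1 after a silent edit of the middle entry and 2 once that entry has been re-hashed, because the next entry's Prev no longer matches; a bare chain cannot see the newest entries being dropped, which is why the head comparison is there.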
Evidence Retention Policy
| Evidence Type | Retention Period | Storage |
|---|---|---|
| Audit logs | Minimum 1 year (SOC 2 requirement) | Database (active), encrypted backups (archive) |
| Access review records | 3 years | Database + export archive |
| Incident reports | 7 years | Secure document store |
| Vulnerability scans | 3 years | CI artifact storage |
| DR test results | 3 years | Secure document store |
| Change management records | Indefinite (git history) | Git repository |
Automated Controls Testing
To reduce the manual burden of evidence collection, FeatureSignals automates control testing where possible:
CI-Enforced Controls
Test coverage gates, dependency vulnerability scans, and code quality checks run on every PR — no merge without passing.
Scheduled Attestations
Quarterly access reviews, semi-annual DR tests, and annual pen tests are scheduled with automated reminders and evidence capture.
Automated Collection
Metrics, logs, and audit records are collected continuously. Evidence packages are auto-generated for each control period.
Evidence Packaging
Audit evidence is organized by TSC criteria and control period, ready for auditor review without manual assembly.
Auditor Access
During a SOC 2 audit engagement, auditors require access to evidence. FeatureSignals supports:
- Read-only auditor role: Time-limited access to audit logs, configuration, and evidence without ability to modify
- Evidence exports: Structured exports of audit logs, access reviews, and test results in auditor-preferred formats
- Interview support: Engineering team availability for auditor interviews and control walkthroughs
- Bridge letter: Available between audit periods to confirm continued control operation