SOC 2 & ISO 27001 posture
Control-by-control surface for the auditor + buyer security review. Every row links to the evidence we'd cite.
| Framework | ID | Control | Category | Status | Evidence |
|---|---|---|---|---|---|
| SOC2 | CC6.1 | Authorised access only — IdP-based authentication, deny by default. | Logical access | Met | NextAuth v5 + Microsoft Entra / Google / GitHub / OIDC bridge; RBAC console; group→role mapping; bootstrap-admin documented in help. |
| SOC2 | CC6.2 | Role-based access enforced on sensitive operations. | Logical access | Met | Server actions + API routes call auth() + role check; admin-only mutations gated. See /admin/users. |
| SOC2 | CC6.3 | Periodic access review. | Logical access | Partial | User table + roles surfaced at /admin/users; CSV export + quarterly review process planned (Commit 7 docs). |
| SOC2 | CC6.6 | Encryption in transit. | Logical access | Met | HSTS preload; all ingress is HTTPS via Container Apps; no plain-http origin. CSP forbids mixed content. |
| SOC2 | CC6.7 | Encryption at rest for sensitive data. | Logical access | Partial | Pilot uses a single platform-managed AES-256-GCM key envelope (32-byte data key resolved per request). Per-tenant Customer Managed Keys (BYOK) are scaffolded but not yet wired — track in the roadmap. Postgres + Neo4j volumes are Azure-platform-encrypted-at-rest underneath. See architecture doc. |
| SOC2 | CC7.1 | Monitoring of system components. | System operations | Met | L7 liveness at /health, deep readiness at /api/health, public /status page. |
| SOC2 | CC7.2 | Detection of anomalies & policy violations; audit log. | System operations | Met | Every security-relevant action lands in AuditEvent with actor + timestamp + IP hash. AnomalyEvent table flags z-score outliers nightly. |
| SOC2 | CC7.3 | Incident management process. | System operations | Partial | On-call routing via PagerDuty integration; runbook documented in help. Customer-facing incident comms via /status; subscription channel planned. |
| SOC2 | CC8.1 | Authorised changes only. | Change management | Met | All deploys via Azure DevOps pipeline; main branch protected. CI guard no-write-sdk-check.sh blocks any merge that introduces mutating cloud SDK calls. |
| SOC2 | CC9.1 | Risk register & periodic review. | Risk mitigation | Planned | Quarterly review schedule + risk register template — Commit 7. |
| ISO27001 | A.5.15 | Access rights provisioning + de-provisioning. | Access control | Met | SCIM 2.0 endpoints provision/deprovision automatically; see SCIM help. |
| ISO27001 | A.8.16 | Monitoring activities. | Operations | Met | Same audit log + /status + anomaly detection as SOC 2 CC7.1 / CC7.2. |
| ISO27001 | A.5.7 | Threat intelligence (CVE feed + MITRE mapping). | Information security | Partial | MITRE ATT&CK mapping live on Posture page; daily CVE feed sync planned. |
| ISO27001 | A.8.7 | Image vulnerability scanning + SBOM. | Protection from malware | Planned | Trivy on the Container Apps image + cosign signing — Commit 8. |
Honesty principle: met = code-enforced; partial = manual process or scaffold; planned = on the public roadmap.
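The nightly z-score outlier check behind CC7.2 / A.8.16, shown as an added illustration rather than the project's own AnomalyEvent code: it buckets audit events into per-actor daily counts, compares each actor's count on the night under review against that actor's own prior days, and withholds a verdict when the baseline is too thin. Field names (actor, at, action), the threshold and the minimum-history value are assumptions, and the sample events are constructed.

```typescript
// Added example (not the project's own code): nightly z-score outlier check over
// per-actor daily AuditEvent counts. Field and type names below are assumptions.
interface AuditEvent { actor: string; at: string; action: string }
interface AnomalyEvent { actor: string; day: string; count: number; z: number }

// Constructed sample: "alice" has seven quiet days, then a 40-event burst at 02:00 UTC;
// "bob" has only two prior days, so the detector should not judge him yet.
const SAMPLE_EVENTS: AuditEvent[] = [];
function addEvents(actor: string, day: string, n: number, action: string): void {
  for (let k = 0; k < n; k++) {
    const mm = k < 10 ? "0" + k : String(k);
    SAMPLE_EVENTS.push({ actor, at: day + "T02:" + mm + ":00Z", action });
  }
}
[3, 4, 3, 5, 4, 3, 4].forEach((n, i) => addEvents("alice", "2024-05-0" + (i + 1), n, "read"));
addEvents("alice", "2024-05-08", 40, "export");
addEvents("bob", "2024-05-06", 2, "read");
addEvents("bob", "2024-05-07", 3, "read");
addEvents("bob", "2024-05-08", 30, "export");

type DayCounts = Record<string, number>; // "YYYY-MM-DD" -> number of events that UTC day

// Bucket events into per-actor, per-UTC-day counts (ISO 8601 timestamps assumed).
function dailyCounts(events: AuditEvent[]): Record<string, DayCounts> {
  const byActor: Record<string, DayCounts> = {};
  for (const e of events) {
    const day = e.at.slice(0, 10);
    const days = byActor[e.actor] || (byActor[e.actor] = {});
    days[day] = (days[day] || 0) + 1;
  }
  return byActor;
}

// Flag actors whose count on `day` sits more than `threshold` standard deviations above
// their own earlier daily counts; require `minHistory` prior days before judging at all.
function detectAnomalies(events: AuditEvent[], day: string, threshold = 3, minHistory = 5): AnomalyEvent[] {
  const out: AnomalyEvent[] = [];
  const byActor = dailyCounts(events);
  for (const actor of Object.keys(byActor)) {
    const days = byActor[actor];
    const history = Object.keys(days).filter(d => d < day).map(d => days[d]);
    if (history.length < minHistory) continue; // thin baseline: say nothing rather than guess
    const count = days[day] || 0;
    const mean = history.reduce((a, b) => a + b, 0) / history.length;
    const sd = Math.sqrt(history.reduce((a, b) => a + (b - mean) * (b - mean), 0) / history.length);
    // A flat baseline (sd = 0) would divide by zero: treat any rise above it as an outlier.
    const z = sd === 0 ? (count > mean ? Infinity : 0) : (count - mean) / sd;
    if (z > threshold) out.push({ actor, day, count, z });
  }
  return out;
}
```

Run against the sample, the 2024-05-08 pass flags only alice (40 events against a mean near 3.7), while bob's 30-event day is skipped for lack of history rather than reported with a meaningless score.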