Trust Center

Workforce

SOC 2 Type II

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

- Total Controls: 17
- Implemented: 6
- Partial: 9
- Coverage: 37.5%

Control Families

CC1 — Control Environment

Organization's commitment to integrity and ethical values
Coverage: 0.0% (3 controls)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC1.1 | COSO Principle 1 — Integrity and Ethical Values | partial | code_of_conduct, security_policy | BSL 1.1 license terms, CLAUDE.md accountability framework |
| CC1.2 | COSO Principle 2 — Board Oversight | not applicable | | Solo operator — no board. Design partner engagement serves as oversight. |
| CC1.3 | COSO Principle 3 — Management Structure | partial | org_chart, agent_roster | Agent roster defines delegation hierarchy; approval queue enforces authority |

CC2 — Communication and Information

Internal and external communication of policies
Coverage: 0.0% (1 control)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC2.1 | COSO Principle 13 — Quality Information | partial | cloudwatch_logs, xray_traces, cost_tracker | Structured logging via structlog, X-Ray tracing, cost tracking in DynamoDB |

CC3 — Risk Assessment

Identification and analysis of risks
Coverage: 0.0% (2 controls)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC3.1 | COSO Principle 6 — Risk Objectives | partial | adr_001, threat_model | ADR-001 defines positioning and security commitments |
| CC3.2 | COSO Principle 7 — Risk Identification | not started | threat_model | Formal threat model needed — Sprint 7 |

CC5 — Control Activities

Actions established to address risks
Coverage: 0.0% (1 control)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC5.1 | COSO Principle 10 — Control Selection | partial | iam_policies, scp_policies, approval_queue | SCPs on workloads OU, least-privilege IAM, approval queue for external outputs |

CC6 — Logical and Physical Access Controls

Logical access security over assets
Coverage: 66.7% (6 controls)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC6.1 | Logical Access Security | implemented | iam_policies, secrets_manager, kms_keys | AWS IAM, Secrets Manager for all credentials, KMS encryption at rest |
| CC6.2 | User Registration and Authorization | implemented | iam_users, oidc_provider, github_deploy_role | OIDC-based CI/CD, scoped deploy user, no shared credentials |
| CC6.3 | Access Removal | partial | iam_policies | Manual process — automate with SCIM in Sprint 9 |
| CC6.6 | System Boundary Protection | implemented | api_gateway, security_groups, scp_policies | API Gateway with auth, no VPC (all services accessed via IAM), SCPs restrict account actions |
| CC6.7 | Data Transmission Restriction | implemented | tls_enforcement, approval_queue | All AWS API calls over TLS, approval queue prevents unauthorized external transmission |
| CC6.8 | Malicious Software Prevention | partial | guardduty, dependabot | GuardDuty enabled, GitHub Dependabot for dependency scanning |

CC7 — System Operations

Monitoring and detection of anomalies
Coverage: 50.0% (2 controls)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC7.1 | Infrastructure Monitoring | implemented | cloudwatch_alarms, guardduty, xray_traces | CloudWatch alarms, GuardDuty findings, X-Ray distributed tracing |
| CC7.2 | Anomaly Detection | partial | guardduty, cloudwatch_alarms | GuardDuty for threat detection, CloudWatch for operational anomalies |

CC8 — Change Management

Controls over system changes
Coverage: 100.0% (1 control)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC8.1 | Change Authorization | implemented | github_pr_reviews, ci_cd_pipeline, branch_protection | GitHub Flow, CI/CD via GitHub Actions, PR-based reviews |

CC9 — Risk Mitigation

Risk mitigation activities
Coverage: 0.0% (1 control)

| ID | Title | Status | Evidence Sources | Notes |
| --- | --- | --- | --- | --- |
| CC9.1 | Risk Mitigation | partial | adr_001, accountability_framework | ADR-001 documents risk decisions, accountability framework prevents scope creep |

Gaps Requiring Remediation (10)

| Control | Family | Title | Status | Cross-Mappings | Notes |
| --- | --- | --- | --- | --- | --- |
| CC1.1 | Control Environment | COSO Principle 1 — Integrity and Ethical Values | partial | nist_csf:GV.OC-01 | BSL 1.1 license terms, CLAUDE.md accountability framework |
| CC1.3 | Control Environment | COSO Principle 3 — Management Structure | partial | | Agent roster defines delegation hierarchy; approval queue enforces authority |
| CC2.1 | Communication and Information | COSO Principle 13 — Quality Information | partial | nist_csf:ID.RA-01 | Structured logging via structlog, X-Ray tracing, cost tracking in DynamoDB |
| CC3.1 | Risk Assessment | COSO Principle 6 — Risk Objectives | partial | nist_csf:ID.RA-03 | ADR-001 defines positioning and security commitments |
| CC3.2 | Risk Assessment | COSO Principle 7 — Risk Identification | not started | nist_csf:ID.RA-01, hipaa:164.308(a)(1)(ii)(A) | Formal threat model needed — Sprint 7 |
| CC5.1 | Control Activities | COSO Principle 10 — Control Selection | partial | nist_csf:PR.AC-01, cis_v8:6.1 | SCPs on workloads OU, least-privilege IAM, approval queue for external outputs |
| CC6.3 | Logical and Physical Access Controls | Access Removal | partial | | Manual process — automate with SCIM in Sprint 9 |
| CC6.8 | Logical and Physical Access Controls | Malicious Software Prevention | partial | nist_csf:DE.CM-04 | GuardDuty enabled, GitHub Dependabot for dependency scanning |
| CC7.2 | System Operations | Anomaly Detection | partial | nist_csf:DE.AE-02 | GuardDuty for threat detection, CloudWatch for operational anomalies |
| CC9.1 | Risk Mitigation | Risk Mitigation | partial | | ADR-001 documents risk decisions, accountability framework prevents scope creep |