Compliance & Auditing Documentation
Documentation for SOC2 auditors, ISO assessors, and security reviewers.
Overview
This section provides comprehensive compliance documentation demonstrating how AuditSwarm meets SOC2 Type II, ISO 27001/27017/27018, and GDPR requirements.
Audience: External auditors, security assessors, compliance officers
Available Documentation
SOC2 Trust Service Criteria Mapping
Complete mapping of AuditSwarm controls to SOC2 Trust Service Criteria (CC, A, PI, C, P).
Covers:
- CC6.1 - Logical & Physical Access Controls
- CC6.2 - System Operations
- CC6.3 - Change Management
- A1.1 - System Availability
- PI1.1 - Processing Integrity
- C1.1 - Confidentiality
- P1.1 - Privacy
ISO 27001 Controls Mapping
Mapping to ISO 27001:2013 Annex A controls (114 controls across 14 domains).
Covers:
- Information Security Policies
- Organization of Information Security
- Human Resource Security
- Asset Management
- Access Control
- Cryptography
- Physical & Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development & Maintenance
- Supplier Relationships
- Information Security Incident Management
- Business Continuity
- Compliance
Audit Evidence Guide
How to collect evidence from AuditSwarm for compliance audits.
Includes:
- Audit log exports
- User access reports
- Change history
- Approval workflows
- System configurations
Penetration Testing Guide
Scope, methodology, and test accounts for security assessments.
Includes:
- In-scope systems
- Out-of-scope systems
- Test account credentials
- Expected security controls
- Responsible disclosure policy
Quick Reference
Compliance Certifications Supported
| Certification | Status | Documentation |
|---|---|---|
| SOC2 Type II | Ready | SOC2 Trust Criteria |
| ISO 27001 | Ready | ISO 27001 Controls |
| ISO 27017 (Cloud) | Ready | ISO 27001 Controls |
| ISO 27018 (PII) | Ready | ISO 27001 Controls |
| GDPR | Compliant | GDPR Implementation |
Key Compliance Features
Audit Trail
- AuditLog table - Immutable audit trail of all system operations
- Retention: Configurable (default 7 years)
- Export: JSON, CSV, PDF formats
- Query: GraphQL API for compliance reporting
Access Control
- OAuth2 authentication (Google, GitHub, OIDC)
- RBAC - Role-based access control
- MFA support - Through OAuth providers
- Session management - Automatic expiry
Data Protection
- Encryption at rest - Database-level encryption
- Encryption in transit - TLS 1.2+
- Field-level encryption - Sensitive data
- Key management - GCP Secret Manager
Change Management
- AI suggestions - Require explicit approval
- Version control - All schema changes tracked
- Deployment pipeline - CI/CD with approval gates
- Rollback capability - Database migrations
Incident Response
- SystemNotification - Automated alerts
- Workflow - Incident response playbooks
- Escalation - Configurable escalation paths
For Auditors
Evidence Collection
Pre-Audit Checklist:
- Request demo account with viewer permissions
- Review Audit Evidence Guide
- Schedule walkthrough session
- Provide list of required evidence
- Schedule follow-up Q&A
Evidence Available:
- User access logs (AuditLog table)
- Change history (version fields)
- Approval workflows (WorkflowApproval)
- System configurations (exported as JSON)
- Security controls inventory
- Incident response records
- Backup/recovery procedures
Common Audit Questions
- Q: How do you ensure data integrity?
  A: See Audit Trail Design
- Q: Who can approve AI suggestions?
  A: See Suggestions Pattern
- Q: How are secrets managed?
  A: See Secrets Management
- Q: What is your incident response process?
  A: See Incident Response
Contact
For compliance inquiries:
- Email: compliance@auditswarm.com
- Schedule audit: [Calendly link]
For security issues:
- Email: security@auditswarm.com
- See: Vulnerability Disclosure