SOC2 Trust Service Criteria Mapping
Complete mapping of AuditSwarm controls to SOC2 Type II Trust Service Criteria.
Trust Service Criteria Overview
| Category | Name | Status |
|---|---|---|
| CC | Security (Common Criteria) | Implemented |
| A | Availability | Implemented |
| PI | Processing Integrity | Implemented |
| C | Confidentiality | Implemented |
| P | Privacy | Implemented |
CC: Security (Common Criteria)
CC6.1 - Logical & Physical Access Controls
"The entity implements logical access security software, infrastructure, and architectures over protected information assets."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| Authentication | OAuth2 authentication for all AI agents and users |
| RBAC | Role-based access control via Role and UserRole tables |
| Session Management | Automatic session expiry via NextAuth.js |
| MFA Support | MFA through configured OAuth providers (Google, Azure AD) |
Evidence:
prisma/schema.prisma- User, Role, UserRole modelsapps/web/src/lib/auth/- NextAuth.js configurationapps/mcp/src/- OAuth 2.1 token validation
CC6.2 - System Operations
"The entity implements system monitoring to detect and respond to security events."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| Audit Logging | AuditLog table tracks all database operations |
| Performance Monitoring | Execution time tracking (executionTimeMs field) |
| Health Checks | Endpoints at /api/health and /mcp/health |
| Containerization | Docker for consistent deployments |
Evidence:
AuditLogPrisma model with comprehensive fields- Health check endpoints in both web and MCP apps
infra/docker/- Dockerfiles for all services
CC6.3 - Change Management
"The entity implements logical access security to protect against unauthorized changes."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| Suggestions Pattern | All AI changes require explicit user approval |
| Data Isolation | Suggestions stored separately from production data |
| Version Control | version field on all auditable entities |
| Schema Migrations | Prisma migrations with version tracking |
Evidence:
AISuggestionmodel stores pending changes as JSONapps/web/src/lib/services/suggestion-approval.service.tspackages/database/prisma/migrations/directory
A: Availability
A1.1 - System Availability
"The entity maintains availability objectives."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| High Availability | Cloud Run auto-scaling (0-10 instances) |
| Health Monitoring | Health check endpoints for load balancers |
| Caching | Next.js caching, Prisma connection pooling |
| Retry Logic | Automatic retry in API calls |
Evidence:
infra/cloudbuild/- Cloud Run deployment configs- Connection pooling in Prisma configuration
PI: Processing Integrity
PI1.1 - Processing Accuracy
"The entity maintains processing integrity in system operations."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| Data Integrity | Suggestions pattern prevents unauthorized modifications |
| Transactions | Prisma transactions for atomic operations |
| Validation | GraphQL schema-level validation |
| Type Safety | TypeScript throughout the codebase |
Evidence:
- GraphQL schema with Pothos type generation
- TypeScript strict mode configuration
- Prisma transaction support in approval workflows
C: Confidentiality
C1.1 - Data Protection
"The entity protects confidential information."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| Encryption at Rest | Field-level encryption for sensitive data (AES-256-GCM) |
| Encryption in Transit | TLS/SSL for all connections |
| Secrets Management | GCP Secret Manager for credentials |
| No API Key Storage | AI agents bring their own LLM capabilities |
Evidence:
apps/web/src/lib/utils/encryption.ts- AES-256-GCM implementation- Cloud Run HTTPS enforcement
- GCP Secret Manager configuration
P: Privacy
P1.1 - Personal Information Protection
"The entity collects, uses, retains, and disposes of personal information in conformity with commitments."
Implementation:
| Control | How AuditSwarm Implements |
|---|---|
| User Isolation | Each user sees only their own data and suggestions |
| GDPR Compliance | Right to access, rectification, erasure |
| Data Minimization | Collect only necessary information |
| Consent Management | OAuth flow requires explicit consent |
Evidence:
- User-scoped queries in GraphQL resolvers
- Soft delete support via status fields
- OAuth consent flow implementation
Audit Trail Implementation
The AuditLog table provides a tamper-proof audit trail:
CREATE TABLE AuditLog (
id BIGSERIAL PRIMARY KEY,
userId TEXT,
sessionId TEXT,
correlationId TEXT,
actionType TEXT NOT NULL, -- CREATE, UPDATE, DELETE, VIEW
operation TEXT,
entityType TEXT,
entityId TEXT,
tableName TEXT NOT NULL,
recordId TEXT,
oldValues TEXT, -- JSON of previous values
newValues TEXT, -- JSON of new values
changedFields TEXT,
ipAddress TEXT,
userAgent TEXT,
requestMethod TEXT,
requestUrl TEXT,
responseStatus INT,
errorMessage TEXT,
executionTimeMs INT,
source TEXT,
timestamp TIMESTAMP DEFAULT NOW()
);
Key Features:
- Captures WHO (userId, sessionId)
- Captures WHAT (actionType, entityType, entityId)
- Captures WHEN (timestamp)
- Captures HOW (requestMethod, requestUrl)
- Preserves BEFORE/AFTER (oldValues, newValues)
Compliance Checklist
SOC2 Requirements
- User authentication and session management
- Comprehensive audit logging (AuditLog)
- Change tracking (version fields)
- Data encryption capabilities
- Access control (RBAC)
- Monitoring and alerting (SystemNotification)
- Incident management workflow
- Vendor management (via Dashboard)
- Risk assessment (Risk table)
- Control testing (Control table)
AI-Specific Controls
- All AI interactions logged in AuditLog
- Suggestions require explicit human approval
- AI cannot directly modify production data
- Agent metadata captured for attribution
- Full audit trail of AI suggestions and approvals