SOC 2 Readiness
✓ Audit-Ready Controls
ATStatus provides technical controls aligned with SOC 2 Trust Services Criteria, supporting your organization's compliance and audit requirements.
SOC 2 (System and Organization Controls) is a framework for managing customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Trust Services Criteria Coverage
| Criterion | Description | Coverage |
|---|---|---|
| Security | Information and systems are protected against unauthorized access. | Strong Coverage |
| Availability | Information and systems are available for operation and use. | Strong Coverage |
| Processing Integrity | System processing is complete, valid, accurate, and timely. | Partial Coverage |
| Confidentiality | Information designated as confidential is protected. | Strong Coverage |
| Privacy | Personal information is collected, used, retained, and disclosed appropriately. | Strong Coverage |
Common Criteria (CC) Controls
CC1 — Control Environment
| Point of Focus | ATStatus Implementation |
|---|---|
| Demonstrates commitment to integrity | Hash-chained audit logs ensure data integrity |
| Exercises oversight responsibility | OWNER role with oversight of all users and settings |
| Establishes structure and authority | Hierarchical RBAC with clear authority levels |
CC2 — Communication and Information
| Point of Focus | ATStatus Implementation |
|---|---|
| Generates relevant information | Comprehensive audit logging, system monitoring |
| Uses internal communication | Incident updates, maintenance notifications |
| Uses external communication | Public status page, subscriber notifications |
CC5 — Control Activities
| Point of Focus | ATStatus Implementation |
|---|---|
| Selects and develops controls | Built-in security controls (RBAC, 2FA, encryption) |
| Deploys through policies | Configurable security settings, feature toggles |
| Uses technology controls | Input validation, rate limiting, CSRF protection |
CC6 — Logical and Physical Access
| Control | Description | Implementation |
|---|---|---|
| CC6.1 | Implements logical access security | RBAC, session management, authentication |
| CC6.2 | Registers and authorizes users | User creation workflow, role assignment |
| CC6.3 | Removes access when no longer needed | User deactivation, session revocation |
| CC6.6 | Manages credentials for infrastructure | API keys, environment variables, secrets management |
| CC6.7 | Restricts transmission of data | HTTPS enforcement, secure cookie configuration |
| CC6.8 | Prevents unauthorized software | Validated dependencies, no dynamic code execution |
CC7 — System Operations
| Control | Description | Implementation |
|---|---|---|
| CC7.1 | Detects and monitors anomalies | Audit logging, system monitoring, self-test |
| CC7.2 | Monitors system components | Automatic service monitoring (25 types) |
| CC7.3 | Evaluates security events | Severity-based audit event classification |
| CC7.4 | Responds to security incidents | Incident management workflow, notifications |
| CC7.5 | Recovers from incidents | Status updates, RCA documentation, resolution tracking |
Availability Criteria (A)
ATStatus is fundamentally a status communication platform, with built-in availability features:
- A1.1: Real-time service availability monitoring
- A1.2: Automatic status updates from monitoring checks
- A1.3: Maintenance window scheduling and communication
Confidentiality Criteria (C)
- C1.1: Classification through permission system
- C1.2: Protection through encryption and hashing
Privacy Criteria (P)
- P1-P8: Cookie consent management
- P4: Subscriber data collection with purpose
- P6: Data deletion capabilities
- P8: Data export for access requests
Audit Preparation
Type II audits examine controls over a period of time (typically 6-12 months). Start collecting evidence early using ATStatus's audit log export feature.
Evidence Collection Points
| Evidence Type | ATStatus Location | TSC Coverage |
|---|---|---|
| Access control configuration | Admin → Roles, Admin → Users | CC6.1, CC6.2 |
| Authentication settings | User profiles (2FA status) | CC6.1 |
| Activity logs | Admin → Audit Logs (export) | CC7.1, CC7.2, CC7.3 |
| Incident response records | Admin → Incidents (with RCA) | CC7.4, CC7.5 |
| Monitoring configuration | Admin → Components | A1.1, A1.2 |
| System health checks | Admin → Self-Test | CC7.2 |
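The CC1 table lists hash-chained audit logs as the integrity control, and the evidence table above points auditors at the audit log export. The following is an added example, not ATStatus's code or export format: it shows how a hash-chained log is built and how an auditor-side verifier checks an exported chain for an edited field, a dropped entry, and a re-chained export. The field names (seq, prev_hash, hash, actor, action, target, severity), the sample events and the SHA-256-over-canonical-JSON scheme are all assumptions for the illustration.

```python
import copy
import hashlib
import json

# Constructed example: a hash-chained audit log and its verifier. The field names
# (seq, prev_hash, hash, actor, action, ...) are assumptions for this illustration,
# not ATStatus's actual audit log export format.

GENESIS = "0" * 64  # hash value the first entry chains to

# Constructed sample audit events, in the order they were recorded.
SAMPLE_EVENTS = [
    {"actor": "owner@example.com", "action": "role.assign", "target": "alice", "severity": "info"},
    {"actor": "alice", "action": "component.create", "target": "api-gateway", "severity": "info"},
    {"actor": "alice", "action": "incident.open", "target": "INC-1", "severity": "high"},
]


def entry_hash(prev_hash, entry):
    """SHA-256 over the previous hash plus a canonical JSON encoding of every field except 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(events):
    """Assign sequence numbers and link each entry to the hash of the one before it."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        entry = {"seq": seq, "prev_hash": prev, **event}
        entry["hash"] = entry_hash(prev, entry)
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry).

    Catches an edited field (stored hash no longer matches), a deleted or inserted
    entry (sequence gap or prev_hash mismatch), and a reordered entry.
    """
    prev, expected_seq = GENESIS, 1
    for entry in chain:
        seq = entry.get("seq")
        if seq != expected_seq or entry.get("prev_hash") != prev:
            return False, seq
        if entry.get("hash") != entry_hash(prev, entry):
            return False, seq
        prev, expected_seq = entry["hash"], expected_seq + 1
    return True, None


def verify_against_anchor(chain, anchored_head_hash):
    """Chain integrity plus a check that the final hash equals a value recorded out of band."""
    ok, _ = verify_chain(chain)
    return ok and bool(chain) and chain[-1]["hash"] == anchored_head_hash


# Helpers that simulate the conditions an auditor's verifier must detect.

def tamper_field(chain, seq, field, value):
    """Copy the chain and change one field of entry `seq` without touching any hash."""
    altered = copy.deepcopy(chain)
    altered[seq - 1][field] = value
    return altered


def drop_entry(chain, seq):
    """Copy the chain and remove entry `seq` entirely."""
    return [copy.deepcopy(e) for e in chain if e["seq"] != seq]


def rechain(chain):
    """Recompute every link from the entries' payload fields, as happens when a whole
    export is regenerated. verify_chain alone cannot tell this from a clean export,
    which is why the head hash must be anchored somewhere the exporting system cannot
    later rewrite (a ticket, a signed e-mail, a WORM bucket)."""
    events = [{k: v for k, v in e.items() if k not in ("seq", "prev_hash", "hash")} for e in chain]
    return build_chain(events)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # record this out of band at export time
    print("intact:", verify_chain(chain))
    print("edited field:", verify_chain(tamper_field(chain, 2, "action", "component.delete")))
    print("dropped entry:", verify_chain(drop_entry(chain, 2)))
    rechained = rechain(tamper_field(chain, 2, "action", "component.delete"))
    print("rechained passes local check:", verify_chain(rechained))
    print("rechained fails anchor check:", verify_against_anchor(rechained, head))
```

For audit evidence the useful practice is to record the head hash of each export outside the system that produced it (for example in the audit ticket), so the auditor can run both checks: the local chain walk and the comparison against the anchored head. The chain walk on its own proves only that the export is internally consistent, not that it is the export that was originally produced.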
SOC 2 certification requires a third-party CPA firm audit. ATStatus provides technical controls and evidence — your organization is responsible for the complete compliance program and engaging auditors.
