Skip to main content

SOC 2 Preparation

Status: DRAFT Owner: Engineering Last Review: 2026-02-21 Applicable Standards: SOC 2 Type II (AICPA Trust Service Criteria 2017)

1. Purpose

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates an organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. This document maps Equa’s current controls to the SOC 2 Trust Service Criteria, identifies gaps, and provides a remediation roadmap toward Type II readiness.

2. Scope

ComponentIn ScopeNotes
equa-serverYesBackend API, authentication, authorization, data persistence
equa-webYesFrontend SPA, input validation, file uploads
PostgreSQL (Cloud SQL)YesData storage, session management, audit logs
AWS S3YesDocument storage
Google Cloud RunYesApplication hosting, deployment
equabot-gatewayPartialAgent permission proxy and rate limiting

3. Common Criteria Control Summary

The following table maps SOC 2 Common Criteria (CC) control IDs to their current implementation status. Detailed coverage is provided in the sections below and in the referenced compliance documents.
CC CategoryControl IDsDescriptionStatusReference
CC1 Control EnvironmentCC1.1—CC1.5Commitment to integrity, board oversight, organizational structure, competence, accountabilityGapNo formal governance documentation
CC2 Communication and InformationCC2.1—CC2.3Internal/external communication, information qualityPartialAudit logging exists; no formal communication policies
CC3 Risk AssessmentCC3.1—CC3.4Risk identification, fraud risk, change impactGapNo formal risk assessment process
CC4 Monitoring ActivitiesCC4.1—CC4.2Ongoing monitoring, deficiency evaluationGapBasic health checks only; no continuous monitoring program
CC5 Control ActivitiesCC5.1—CC5.3Control selection, technology controls, policy deploymentPartialTechnical controls exist; no formal policies
CC6 Logical and Physical AccessCC6.1—CC6.8Access security, credentials, authorization, restrictions, threats, system changesPartialRBAC implemented; gaps in rate limiting, MFA enforcement; see Access Control Model and Security Architecture
CC7 System OperationsCC7.1—CC7.5Infrastructure monitoring, incident detection, response, recovery, communicationPartialHealth monitoring and incident response documented; see Incident Response Plan
CC8 Change ManagementCC8.1Infrastructure, data, software, procedure changesPartialCI/CD pipeline exists; no formal change approval process
CC9 Risk MitigationCC9.1—CC9.2Risk mitigation activities, vendor managementGapNo formal vendor risk management

Additional Criteria

CategoryControl IDsStatusReference
A1 AvailabilityA1.1—A1.3PartialCloud Run autoscaling; no formal SLA
C1 ConfidentialityC1.1—C1.2PartialEncryption at rest/transit; no data classification policy
PI1 Processing IntegrityPI1.1—PI1.5PartialORM validation; no reconciliation checks
P1 PrivacyP1.1—P1.8PartialData inventory documented; no published privacy policy; see Data Privacy and GDPR

4. Trust Service Criteria Detail

4.1 Security (CC6)

Security controls protect the system against unauthorized access. Current Controls:
ControlImplementationStatusReference
AuthenticationThree methods: password (bcrypt, 10 rounds), Google OAuth 2.0, magic links (15-min expiry)ImplementedSecurity Architecture
RBAC Authorization14 built-in permissions, 13+ built-in roles, cascading permission modelImplementedAccess Control Model
Session Managementexpress-session with TypeORM store, 29-day rolling sessions, secure cookiesImplementedSecurity Architecture
Transport EncryptionHTTPS via Google-managed SSL, TLS to databaseImplementedSecurity Architecture
Password Hashingbcrypt with 10 roundsImplementedSecurity Architecture
Agent Rate LimitingTool calls/min, write ops/min, destructive ops/hour limitsImplementedSecurity Architecture
Gaps:
GapSOC 2 ControlPriorityReference
No API-wide rate limitingCC6.1HighSecurity Architecture
No enforced multi-factor authenticationCC6.1HighSecurity Architecture
No password complexity policyCC6.1Medium
No intrusion detection systemCC6.6Medium
No vulnerability scanning (equa-server/equa-web)CC6.8MediumSecurity Architecture
No security headers (helmet)CC6.6MediumSecurity Architecture

4.2 Availability (A1)

Availability controls ensure the system is operational and accessible as committed. Current Controls:
ControlImplementationStatus
AutoscalingGoogle Cloud Run, 1—10 instances based on request volumeImplemented
Health ChecksCloud Run built-in health endpoint monitoringImplemented
Managed DatabaseGoogle Cloud SQL with automated backupsImplemented
Container IsolationEach request handled by an isolated container instanceImplemented
Gaps:
GapSOC 2 ControlPriority
No formal SLA definedA1.1High
No uptime monitoring / status pageA1.2High
No disaster recovery plan documentedA1.2High
No load testing performedA1.1Medium
No multi-region failoverA1.2Low

4.3 Confidentiality (C1)

Confidentiality controls protect information designated as confidential. Current Controls:
ControlImplementationStatusReference
Database Encryption at RestGoogle Cloud SQL (AES-256, Google-managed keys)ImplementedSecurity Architecture
File Storage EncryptionAmazon S3 server-side encryption (SSE-S3)Implemented
Session EncryptionSessions stored in encrypted database, transmitted via secure cookies over HTTPSImplementedSecurity Architecture
Transport EncryptionTLS for all client-server and server-database connectionsImplemented
Gaps:
GapSOC 2 ControlPriorityReference
No data classification policyC1.1High
Sensitive fields stored in plaintext (bank accounts, tax IDs, OAuth tokens)C1.2HighSecurity Architecture
No customer-managed encryption keysC1.2Medium
No DLP (Data Loss Prevention) controlsC1.2Medium
S3 bucket access not auditedC1.2Medium

4.4 Processing Integrity (PI1)

Processing integrity controls ensure that system processing is complete, valid, accurate, and timely. Current Controls:
ControlImplementationStatus
ORM ValidationTypeORM entity decorators enforce data types, constraints, and relationshipsImplemented
Content-Addressed HashingDocument integrity verified via content-addressed hashes (Blocks, Changes entities)Implemented
Database ConstraintsForeign keys, unique constraints, and not-null constraints enforce data integrityImplemented
Transaction SupportDatabase transactions ensure atomicity for multi-step operationsImplemented
Gaps:
GapSOC 2 ControlPriorityReference
Limited API input validationPI1.2HighSecurity Architecture
No reconciliation checks for equity calculationsPI1.3HighEquity Regulatory Compliance
No automated testing of calculation correctnessPI1.4Medium
No change management process documentedPI1.5Medium

4.5 Privacy (P1)

Privacy controls address the collection, use, retention, disclosure, and disposal of personal information. Current Controls:
ControlImplementationStatusReference
Data InventoryPII entities documented with field-level detailDocumentedData Privacy and GDPR
Purpose LimitationProcessing purposes mapped to GDPR Art. 6 lawful basesDocumentedData Privacy and GDPR
Email BlacklistsUnsubscribe/bounce management prevents unwanted communicationsImplementedData Privacy and GDPR
Soft Deletesdeleted boolean flag on key entities preserves data while removing from active useImplementedData Retention Policy
Gaps:
GapSOC 2 ControlPriorityReference
No published privacy policyP1.1HighData Privacy and GDPR
No consent management mechanismP1.1HighData Privacy and GDPR
No self-service data exportP3.1MediumData Privacy and GDPR
No self-service data deletionP4.2MediumData Retention Policy
No data processing agreements with sub-processorsP6.1HighData Privacy and GDPR
No automated retention enforcementP4.2HighData Retention Policy

5. Remediation Roadmap

Phase 1: Critical (0—3 months)

ItemSOC 2 ControlReference
API-wide rate limiting on all endpointsCC6.1Security Architecture
Draft and publish privacy policyP1.1Data Privacy and GDPR
Data classification policyC1.1
External uptime monitoring and public status pageA1.2
Execute DPAs with Google Cloud, AWS, and email providersP6.1Data Privacy and GDPR
Document disaster recovery plan (RTO/RPO targets)A1.2
Add security headers (helmet middleware)CC6.6Security Architecture

Phase 2: Important (3—6 months)

ItemSOC 2 ControlReference
Enforce multi-factor authentication (TOTP for admins)CC6.1Security Architecture
Immutable audit logs with hash chainingCC7.2Audit Trail Design
Comprehensive API input validationPI1.2Security Architecture
Automated cap table reconciliation checksPI1.3Equity Regulatory Compliance
Vulnerability scanning in CI/CD (equa-server, equa-web)CC6.8Security Architecture
Formal SLA with availability commitmentsA1.1
Encrypt sensitive plaintext fields (bank accounts, tax IDs, OAuth tokens)C1.2Security Architecture

Phase 3: SOC 2 Readiness (6—12 months)

ItemSOC 2 ControlReference
Self-service data rights (export + deletion)P3.1, P4.2Data Privacy and GDPR
Cookie consent and processing consent trackingP1.1Data Privacy and GDPR
Documented change management processCC8.1, PI1.5
Third-party penetration testingCC6.1
Employee security awareness trainingCC1.4
Formal risk assessment processCC3.1—CC3.4
Vendor risk management programCC9.1—CC9.2
SOC 2 Type I audit (point-in-time assessment)All
SOC 2 Type II audit (after 6+ months of sustained controls)All

6. Cross-Reference to Compliance Documents

Control AreaCompliance Document
Authentication, encryption, network securitySecurity Architecture
RBAC, permissions, data room accessAccess Control Model
Event logging, audit trail integrityAudit Trail Design
Data privacy, GDPR, user rightsData Privacy and GDPR
Data lifecycle, retention schedulesData Retention Policy
Incident detection, response, recoveryIncident Response Plan
Securities compliance, cap table integrityEquity Regulatory Compliance

7. Revision History

DateVersionAuthorChanges
2026-02-210.1Agent (Phase 5 Session A)Initial draft
2026-02-210.2Agent (Phase 5 Session B)Template alignment (status header, scope table, numbered sections), CC control ID summary table, cross-references to all compliance documents throughout, remediation roadmap with document references