# SOC 2 controls matrix (Common Criteria 2017, plus A and C)

**Version:** 1.0

**Effective date:** 2026-04-17

This maps Frameboard's controls to AICPA's Trust Services Criteria. Scope: Security (CC), Availability (A), Confidentiality (C). Privacy (P) and Processing Integrity (PI) are out of scope for the first attestation.

For each control the tables below give an **ID**, a **control description**, an **owner** and an **evidence location**. The ID is Frameboard's own control number within the Trust Services category it supports, not the AICPA criterion number: the CC9 section, for example, lists three controls against the two CC9 criteria (CC9.1 and CC9.2), and CC8 lists three against the single criterion CC8.1.

## CC1 - Control environment

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC1.1 | Policy set is signed off by the founder and reviewed annually | Founder | `00-overview.md` (governance section) |
| CC1.2 | Staff acknowledge policies on hire and annually | Founder | HR records; acknowledgement forms |
| CC1.3 | Roles and responsibilities defined | Founder | `00-overview.md` (RACI table) |

## CC2 - Communication and information

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC2.1 | External security contact - `security@myframeboard.app` monitored | Founder | Inbox; response SLA under 1 working day |
| CC2.2 | Customer-facing security page published and maintained | Founder | `/security.html` |
| CC2.3 | Incident notification process documented and tested | Founder | `02-incident-response-policy.md` |

## CC3 - Risk assessment

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC3.1 | Annual risk assessment conducted; register maintained | Founder | `08-risk-assessment-policy.md` |
| CC3.2 | Sub-processor risk reviewed at least annually | Founder | `04-vendor-management-policy.md` |

## CC4 - Monitoring activities

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC4.1 | Error reporter captures production errors; reviewed weekly | Founder | `/js/error-reporter.js`; log reviews |
| CC4.2 | Admin Audit Log captures every privileged action | Founder | Airtable `Admin Audit Log` table |
| CC4.3 | Monthly access review across all production systems | Founder | Access review log in Airtable |

## CC5 - Control activities

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC5.1 | Change management process followed for every production deploy | Founder | `06-change-management-policy.md`; git history |
| CC5.2 | Backup restore tested quarterly | Founder | `docs/security/exercises/` |

## CC6 - Logical and physical access controls

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC6.1 | MFA required on every production system | Founder | System configurations; onboarding checklist |
| CC6.2 | Access provisioned per role; revoked on departure within 1 business day | Founder | Access log |
| CC6.3 | Customer passwords hashed with bcrypt | Founder | `netlify/functions/auth-login.js`, `auth-signup.js` |
| CC6.4 | Session tokens expire after 30 days | Founder | `netlify/functions/lib/auth.js` (`JWT_EXPIRY = '30d'`) |
| CC6.5 | SSO (Google Workspace) available to Enterprise for domain-level enforcement | Founder | `SSO-MVP-SCOPE.md`; `netlify/functions/sso-*.js` |
| CC6.6 | Rate limiting on auth-sensitive endpoints | Founder | `netlify/functions/lib/limits.js` |
| CC6.7 | Physical access - no on-prem systems; cloud providers handle physical security | Founder | Sub-processor certifications |
| CC6.8 | Developer workstations encrypted, auto-lock, MFA on OS | Founder | `01-access-control-policy.md` |

## CC7 - System operations

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC7.1 | Incident response process documented; SEV taxonomy defined | Founder | `02-incident-response-policy.md` |
| CC7.2 | Incidents logged with timeline, root cause, action items | Founder | `docs/security/incidents/` |
| CC7.3 | Quarterly tabletop exercises | Founder | `docs/security/exercises/` |
| CC7.4 | Customer notification within 72 hours of confirmed breach | Founder | Incident response policy |

## CC8 - Change management

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC8.1 | Change management policy followed for code, config, schema | Founder | `06-change-management-policy.md` |
| CC8.2 | Rollback plan for every change | Founder | Netlify instant-rollback; Airtable backups |
| CC8.3 | Emergency change process documented | Founder | `06-change-management-policy.md` |

## CC9 - Risk mitigation

| ID | Control | Owner | Evidence |
|---|---|---|---|
| CC9.1 | Sub-processor list public and maintained | Founder | `/subprocessors` (public) |
| CC9.2 | DPAs in place with all sub-processors | Founder | Vendor records |
| CC9.3 | Cyber insurance in place | Founder | Policy document |

## A (Availability) - additional controls

| ID | Control | Owner | Evidence |
|---|---|---|---|
| A1.1 | RTO/RPO targets defined and tested | Founder | `03-bcp-dr-policy.md` |
| A1.2 | Automated backups run nightly | Founder | Netlify Scheduled Function |
| A1.3 | Status page for customer-facing availability | Founder | `status.myframeboard.app` |

## C (Confidentiality) - additional controls

| ID | Control | Owner | Evidence |
|---|---|---|---|
| C1.1 | Data classified and handling rules defined | Founder | `05-data-classification-policy.md` |
| C1.2 | Customer data encrypted at rest by every sub-processor | Founder | Sub-processor documentation |
| C1.3 | Zero-data-retention arrangement with AI providers | Founder | Anthropic contract; ZDR config |
| C1.4 | Data export and delete available to every customer | Founder | Settings > Data in product |

## Coverage summary

- 38 controls mapped to Trust Services Criteria (31 under CC, 3 under A, 4 under C)
- 0 controls currently marked "not implemented"
- 3 controls flagged as "compensating" at single-founder stage (see `06-change-management-policy.md` section 3)

## Ready for auditor engagement?

This matrix is ready to share with a SOC 2 auditor for scoping. Gaps we expect the auditor to raise:

1. **Separation of duties** - a single founder means one person both develops and deploys. Compensating controls are documented; the gap is closed by hiring a second engineer
2. **Penetration test** - not yet engaged. Book one before the observation window opens so the report falls inside the audit period
3. **Vendor risk questionnaires** - we rely on vendors' SOC 2 reports today rather than our own questionnaires. The auditor may want custom questionnaires; these are easy to add
4. **Continuous monitoring tooling** - we do not run a tool such as Vanta, Drata, or Secureframe. A readiness bundle like this gets us most of the way, but automated evidence collection helps during the observation window

Recommended next step: engage a SOC 2 auditor (Prescient Security, A-LIGN, or Schellman) for a readiness assessment before starting the observation window.
