SOC 2 Trust Services Criteria

DocuStack is designed to meet SOC 2 Type II requirements across Security, Availability, and Confidentiality trust services criteria.

Security (Common Criteria)

Organization and Management (CC1)

Criteria	Description	DocuStack Implementation
CC1.1	COSO Principle 1: Integrity and ethical values	Code of conduct, security policies
CC1.2	COSO Principle 2: Board oversight	Security governance, executive reporting
CC1.3	COSO Principle 3: Management structure	Organizational chart, defined roles
CC1.4	COSO Principle 4: Commitment to competence	Training programs, certifications
CC1.5	COSO Principle 5: Accountability	Performance reviews, security metrics

Communication (CC2)

Criteria	Description	DocuStack Implementation
CC2.1	Internal communication	Security awareness, incident reporting
CC2.2	External communication	Customer notifications, status page
CC2.3	Communication with third parties	Vendor assessments, BAAs

Risk Assessment (CC3)

Criteria	Description	DocuStack Implementation
CC3.1	Risk assessment objectives	Annual risk assessments
CC3.2	Risk identification and analysis	Threat modeling, vulnerability scanning
CC3.3	Fraud risk assessment	Access controls, segregation of duties
CC3.4	Change impact assessment	Change management process

Monitoring (CC4)

Criteria	Description	DocuStack Implementation
CC4.1	Monitoring activities	CloudWatch, Security Hub, GuardDuty
CC4.2	Deficiency evaluation	Incident tracking, remediation

Control Activities (CC5)

Criteria	Description	DocuStack Implementation
CC5.1	Control activities selection	Defense-in-depth controls
CC5.2	Technology controls	SCPs, AWS Config, encryption
CC5.3	Policy deployment	Infrastructure as Code, GitOps

Logical and Physical Access (CC6)

Criteria	Description	DocuStack Implementation
CC6.1	Logical access security	IAM Identity Center, RBAC
CC6.2	Access provisioning	Documented access requests
CC6.3	Access removal	Automated deprovisioning
CC6.4	Access review	Quarterly access reviews
CC6.5	Physical access restrictions	AWS data center controls
CC6.6	Logical access restrictions	Security groups, NACLs, SCPs
CC6.7	Data transmission protection	TLS 1.2+, VPC endpoints
CC6.8	Malware prevention	Container scanning, GuardDuty

System Operations (CC7)

Criteria	Description	DocuStack Implementation
CC7.1	Vulnerability management	Dependabot, ECR scanning
CC7.2	Anomaly detection	GuardDuty, CloudWatch anomaly detection
CC7.3	Security event evaluation	Security Hub findings
CC7.4	Incident response	Documented IR procedures
CC7.5	Incident recovery	Backup restoration, DR procedures

Change Management (CC8)

Criteria	Description	DocuStack Implementation
CC8.1	Change management	Terrateam, PR-based changes

Risk Mitigation (CC9)

Criteria	Description	DocuStack Implementation
CC9.1	Risk mitigation	Multi-account isolation, encryption
CC9.2	Vendor risk management	Vendor assessments, BAAs

Availability (A1)

Criteria	Description	DocuStack Implementation
A1.1	Capacity management	Auto-scaling, resource monitoring
A1.2	Environmental protections	AWS data center controls
A1.3	Recovery procedures	RDS backups, S3 versioning, DR plan

Confidentiality (C1)

Criteria	Description	DocuStack Implementation
C1.1	Confidential information identification	Data classification policy
C1.2	Confidential information disposal	S3 lifecycle, secure deletion

Access Control Architecture

┌─────────────────────────────────────────────────────────────────────────────┐
│                         IAM Identity Center (SSO)                            │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐    │
│   │   Admin     │   │  Developer  │   │  ReadOnly   │   │   Auditor   │    │
│   │   Group     │   │   Group     │   │   Group     │   │   Group     │    │
│   └──────┬──────┘   └──────┬──────┘   └──────┬──────┘   └──────┬──────┘    │
│          │                 │                 │                 │            │
│          ▼                 ▼                 ▼                 ▼            │
│   ┌─────────────────────────────────────────────────────────────────────┐   │
│   │                    Permission Sets                                   │   │
│   │                                                                      │   │
│   │   Admin:      AdministratorAccess (Prod: requires MFA)              │   │
│   │   Developer:  PowerUserAccess (Dev/Staging only)                    │   │
│   │   ReadOnly:   ViewOnlyAccess (All accounts)                         │   │
│   │   Auditor:    SecurityAudit + CloudTrail read (All accounts)        │   │
│   │                                                                      │   │
│   └─────────────────────────────────────────────────────────────────────┘   │
│                                                                              │
│   Key Features:                                                             │
│   • Short-lived credentials (1-hour session)                               │
│   • MFA enforcement for all users                                          │
│   • No long-lived access keys                                              │
│   • Centralized access management                                          │
│   • Audit trail of all access                                              │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

Audit Logging

Log Type	Source	Destination	Retention
CloudTrail	All accounts	Log Archive S3	7 years
VPC Flow Logs	All VPCs	Log Archive S3	1 year
CloudWatch Logs	Applications	CloudWatch	90 days
S3 Access Logs	Document buckets	Log Archive S3	1 year
RDS Audit Logs	PostgreSQL	CloudWatch	90 days
ALB Access Logs	Load balancers	Log Archive S3	1 year

Evidence Artifacts

Artifact	Location	Purpose
CloudTrail logs	Log Archive S3	API audit trail
AWS Config history	Config S3 bucket	Configuration compliance
Security Hub reports	Security Hub	Security posture
Access review records	HR system	Access control evidence
Training records	LMS	Workforce security
Penetration test reports	Secure storage	Vulnerability management
Risk assessment reports	Secure storage	Risk management
Incident reports	Ticketing system	Incident response
DR test results	Secure storage	Business continuity

Administrative Controls

Security Policies

Policy	Description	Review Frequency
Information Security Policy	Overall security framework	Annual
Acceptable Use Policy	Employee technology usage	Annual
Access Control Policy	Access provisioning/deprovisioning	Annual
Data Classification Policy	PHI handling requirements	Annual
Incident Response Policy	Security incident procedures	Annual
Business Continuity Policy	DR and continuity procedures	Annual
Vendor Management Policy	Third-party risk management	Annual
Change Management Policy	Infrastructure change procedures	Annual

Workforce Security

Control	Implementation
Background Checks	Required for all employees with PHI access
Security Training	Annual HIPAA and security awareness training
Confidentiality Agreements	Signed by all employees
Access Reviews	Quarterly review of access privileges
Termination Procedures	Same-day access revocation

Physical Controls (AWS Responsibility)

Physical security controls are managed by AWS under the shared responsibility model:

Certification	Scope	Verification
SOC 2 Type II	All AWS services	AWS Artifact
ISO 27001	Information security	AWS Artifact
HIPAA	HIPAA-eligible services	AWS BAA
FedRAMP	Government workloads	AWS Artifact
PCI DSS	Payment processing	AWS Artifact

AWS Physical Security Controls:

• 24/7 security personnel
• Biometric access controls
• Video surveillance
• Environmental controls (fire, flood, temperature)
• Redundant power and cooling
• Hardware destruction procedures

Related

• Compliance Overview
• HIPAA Security Rule
• Technical Controls