hermes-brain/ideas/compliance/soc2.org
Hermes cc3976fb7f ideas: editorial sweep — atomization, interlinking, restructuring
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in
  ideas/competitors/. Dropped date from filename. All competitor UUIDs
  generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index,
  first-mover-window, revenue-table, orders-of-magnitude-time,
  native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished
  truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages
  (identity→lisp-machine-security, infrastructure→compute-marketplace,
  social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip,
  verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
2026-05-24 16:25:55 +00:00

SOC 2 (System and Organization Controls 2)

What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law. Certifies that a service organization's controls over security, availability, processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):

  • Security (mandatory): protection against unauthorized access (firewall, access control, intrusion detection)
  • Availability (optional): system available for operation and use as committed (uptime, redundancy, disaster recovery)
  • Processing Integrity (optional): system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality (optional): information designated as confidential is protected as committed
  • Privacy (optional): personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

Two types:

  • Type I: controls are suitably designed at a specific point in time
  • Type II: controls operated effectively over a period (6-12 months)

Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited vendors. Table stakes for B2B — most enterprise procurement contracts require SOC 2 Type II.

Penalties

No direct fines (not a law). But losing SOC 2 certification means losing enterprise customers. Misrepresentation of certification status is fraud.

Why it matters for the triad

SOC 2 is the entry-level certification for the compute marketplace. A provider needs SOC 2 Type II to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion (access controls, audit trails) — the Passepartout instance's deterministic gate log serves as the evidence artifact for the audit. No separate logging SIEM needed. This is the prerequisite to the larger verification monopoly play — once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure.