amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc3976fb7f792cae1423e37b6067c57efa23f288
hermes-brain/ideas/compliance/soc2.org
Hermes cc3976fb7f ideas: editorial sweep — atomization, interlinking, restructuring 
- Split competitive-analysis-2026-05.org → TOC + 9 competitor files in
  ideas/competitors/. Dropped date from filename. All competitor UUIDs
  generated, TOC keeps original UUID for backlink continuity.
- Deleted passepartout-economics.org archive (replaced by 27-node KB).
- Inlined 5 'See also' blocks into natural prose (compliance-index,
  first-mover-window, revenue-table, orders-of-magnitude-time,
  native-org-knowledge-base).
- Linked 7 orphan compliance pages back to compliance index + finished
  truncated sentences.
- Linked all 14 Agora requirement docs from topic-relevant pages
  (identity→lisp-machine-security, infrastructure→compute-marketplace,
  social-space→growth-strategy, exchange→agora-contracts, etc.).
- Linked ai-industry-impact from investment-thesis, sufficiency-flip,
  verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages).
- Fixed CREATED timestamps to use git commit dates instead of today.
- Made all links absolute from root (no port inheritance).
- Removed stale agora/docs/ duplicate content.
2026-05-24 16:25:55 +00:00

55 lines
2.4 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:ID: ed65031c-cbd2-4ad2-bd53-a67791e183cd
:ID: auto-soc2
:CREATED: [2026-05-23 Sat]
:END:
#+title: SOC 2 (System and Organization Controls 2)
#+filetags: :passepartout:compliance:framework:soc2:
* SOC 2 (System and Organization Controls 2)
** What it is
An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
Certifies that a service organization's controls over security, availability,
processing integrity, confidentiality, and privacy meet defined criteria.
Five Trust Service Criteria (TSC):
- **Security** (mandatory): protection against unauthorized access (firewall,
access control, intrusion detection)
- **Availability** (optional): system available for operation and use as
committed (uptime, redundancy, disaster recovery)
- **Processing Integrity** (optional): system processing is complete, valid,
accurate, timely, and authorized
- **Confidentiality** (optional): information designated as confidential is
protected as committed
- **Privacy** (optional): personal information is collected, used, retained,
disclosed, and disposed of in conformity with commitments
Two types:
- **Type I:** controls are suitably designed at a specific point in time
- **Type II:** controls operated effectively over a period (6-12 months)
** Who must comply
Any SaaS or cloud service provider whose enterprise customers require audited
vendors. Table stakes for B2B — most enterprise procurement contracts require
SOC 2 Type II.
** Penalties
No direct fines (not a law). But losing SOC 2 certification means losing
enterprise customers. Misrepresentation of certification status is fraud.
** Why it matters for the triad
SOC 2 is the entry-level certification for the [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] instance's
deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed. This is the prerequisite to the larger
[[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]] play — once enterprises trust the audit trail, they
buy domain-specific gate packages for the same infrastructure.
Reference in New Issue View Git Blame Copy Permalink