amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ede891f2cece7a47ffdb7b3329400c7bb4b4727c
hermes-brain/projects/passepartout/strategy/compliance/soc2.org
Hermes 0a8e77e949 Reorganize brain: projects/ top level, rename filenames, update homepage 
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
2026-05-24 18:54:14 +00:00

2.4 KiB
Raw Blame History

SOC 2 (System and Organization Controls 2)

SOC 2 (System and Organization Controls 2)

What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law. Certifies that a service organization's controls over security, availability, processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):

  • Security (mandatory): protection against unauthorized access (firewall, access control, intrusion detection)
  • Availability (optional): system available for operation and use as committed (uptime, redundancy, disaster recovery)
  • Processing Integrity (optional): system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality (optional): information designated as confidential is protected as committed
  • Privacy (optional): personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments

Two types:

  • Type I: controls are suitably designed at a specific point in time
  • Type II: controls operated effectively over a period (6-12 months)

Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited vendors. Table stakes for B2B — most enterprise procurement contracts require SOC 2 Type II.

Penalties

No direct fines (not a law). But losing SOC 2 certification means losing enterprise customers. Misrepresentation of certification status is fraud.

Why it matters for Passepartout

SOC 2 is the entry-level certification for the compute marketplace. A provider needs SOC 2 Type II to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion (access controls, audit trails) — the Passepartout instance's deterministic gate log serves as the evidence artifact for the audit. No separate logging SIEM needed. This is the prerequisite to the larger verification monopoly play — once enterprises trust the audit trail, they buy domain-specific gate packages for the same infrastructure.

Reference in New Issue View Git Blame Copy Permalink