SOC 2 attestation, enforced from Day 0.

Common Criteria plus Availability and Confidentiality. 60 to 80 controls in scope. ZeroTB enforces each one across the same engine, and produces evidence as a byproduct.

SOC 2 (System and Organization Controls 2)
Scope

Common Criteria plus what your buyers ask for.

Most engagements include the Common Criteria plus Availability and Confidentiality. Some add Processing Integrity or Privacy. ZeroTB scopes the engagement to your actual environment and customer obligations, not a templated worst case.

Each Trust Services Criterion is mapped to one or more enforcement domains. The Blueprint becomes your control library. Every check fires against the Blueprint. Every audit reads from it.

Type 1 attests to design at a point in time. Type 2 attests to operating effectiveness over a window, typically six to twelve months. ZeroTB carries you cleanly through both.

Image: SOC 2 attestation seal rendered as architectural draftsman work, with concentric rings, tick marks, and a pentagonal inscription.

Scope at a glance

Trust Services Criteria: CC + Availability + Confidentiality
Controls in scope: 60 to 80, environment-dependent
Type 1: Design at a point in time
Type 2: Operating effectiveness, 6 to 12 months
Domains used: All five

How the Common Criteria map

Five CC categories. Five enforcement domains.

Each Common Criteria category translates to enforcement actions on one or more ZeroTB domains. The mapping is direct and the controls fire continuously.

01 · Logical access (CC6)

User access, authentication, authorization, and segregation of duties.

  • Joiner-mover-leaver tied to HRIS events
  • MFA across the access perimeter, no SMS fallback
  • Privileged access with just-in-time elevation
  • Periodic access reviews certified per manager
  • Segregation of duties on production and financial systems

02 · System operations (CC7)

Change management, vulnerability management, incident response.

  • Branch protection, required reviewers, signed commits
  • Configuration baselines on every cloud resource
  • Vulnerability detection with SLA-tracked remediation
  • Incident response evidenced through workflow
  • Logging and monitoring across the environment

03 · Risk and governance (CC3, CC4, CC5)

Risk assessment, monitoring, control activities.

  • Risk assessment cadence enforced
  • Vendor due diligence orchestrated
  • Policy attestation tracked per role
  • Audit trail across every enforcement action
  • Evidence routed to auditors directly from the Blueprint

What ZeroTB enforces specifically

Concrete actions, traced and timestamped.

01 · Access provisioning, modification, and termination across every connected system
02 · MFA enforcement and continuous verification across the access perimeter
03 · Branch protection and deploy authorization separated from authoring
04 · Configuration baselines on every cloud resource, with drift detection
05 · Encryption at rest and in transit, verified continuously
06 · Backup isolation and restore testing on a defined cadence
07 · Logging at the action level, retained per policy
08 · Vendor and policy attestation orchestrated through workflow
09 · Quarterly risk assessment cadence enforced and evidenced
10 · Auditor-ready evidence chain produced as a byproduct of every action

See a SOC 2 Blueprint built on your stack.