SOC 2
How Scrydon supports the AICPA Trust Services Criteria — security, availability, processing integrity, confidentiality, privacy.
SOC 2 is the AICPA's audit framework for service organisations. The five Trust Services Criteria (TSC) cover security, availability, processing integrity, confidentiality, and privacy.
This page covers what Scrydon supports for each criterion.
Security (Common Criteria)
The Common Criteria are required for every SOC 2 report.
| Criterion | Scrydon support |
|---|---|
| CC1 — Control environment | Documented in this site + your org's policy library. |
| CC2 — Communication & information | Audit log, change-management events, customer-visible roadmap. |
| CC3 — Risk assessment | AI governance risk-assessment template. See AI governance. |
| CC4 — Monitoring activities | Continuous audit, platform metrics, SIEM forwarder. |
| CC5 — Control activities | Authorisation, audit, mTLS, ingress hardening — see Security. |
| CC6 — Logical access | Permission model. |
| CC6.1 — Logical access security | SSO, SCIM, three-tier hierarchy, role-based clearance. |
| CC6.6 — Logical access for system users | Workspace + team grants, audit on every grant. |
| CC6.7 — Restricting data transmission | mTLS, egress allowlist, ingress hardening. See Network boundary. |
| CC6.8 — Detection of unauthorised activity | Audit log + SIEM forwarder. |
| CC7 — System operations | Operations docs, change-management events. See Deployment. |
| CC8 — Change management | Workflow versioning, ontology branches, audit-evidenced deploys. |
| CC9 — Risk mitigation | Vulnerability management process, supply-chain integrity. |
Availability
If you're including the Availability TSC:
| Criterion | Scrydon support |
|---|---|
| A1.1 — System performance | Workflow-level metrics + cluster metrics. |
| A1.2 — Backup / recovery | Documented backup-restore runbook. See Deployment → Operations. |
| A1.3 — Recovery testing | Scheduled DR-test runbook. |
Confidentiality
| Criterion | Scrydon support |
|---|---|
| C1.1 — Confidentiality identified | Classifications (public, internal, confidential, restricted). |
| C1.2 — Disposal | Per-record delete + retention. |
Processing integrity
| Criterion | Scrydon support |
|---|---|
| PI1.1 — Inputs are accurate, complete, valid | Zod-validated server inputs, schema-validated workflow inputs. |
| PI1.2 — Processing is timely + complete | Workflow runtime emits per-run metrics; failed runs are retried per the workflow's retry policy. |
| PI1.3 — Outputs are accurate, complete, valid | Evaluator block, structured-output schemas, response validation. |
Privacy
If your SOC 2 report includes Privacy, see GDPR — most of the privacy controls overlap. The differences are mostly documentation-level (notice, consent flows, data-subject rights process), all of which the platform supports.
Sub-service organisations
Scrydon itself is generally not a sub-service organisation, because the platform runs in your own cluster. Sub-service organisations to consider are:
- Your cloud provider (AWS / Azure / GCP): their controls are usually carved out of your report's scope and covered by their own SOC 2 report.
- Your IdP (Microsoft Entra, Okta, OneLogin): typically in scope if you rely on it for authentication.
- External AI vendors, if your workflows call them (OpenAI, Anthropic, etc.): in or out of scope depending on your scoping decisions.
Vanta automation
Scrydon emits the audit events Vanta needs for automatic evidence collection on CC6, CC7 and CC8. Logical-access reviews, change-management events and monitoring events are all SIEM-forwardable and Vanta-compatible.
Related
- ISO 27001 — significant overlap on the Common Criteria.
- Security — every control above resolves to a specific page.
- Audit logging — the underlying evidence.