SOC 2 Mapping
SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients.
Assumetr generates evidence that maps directly to the Trust Services Criteria (TSC), specifically focusing on Security, Processing Integrity, and Privacy.
Common Criteria (CC) Mapping
The Assumetr Evidence Packet provides direct support for the following SOC 2 Common Criteria:
CC6.1 Logical Access Security
- Criteria: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
- Assumetr Evidence: The privacy_controls section of the evidence packet records exactly which data fields (IP addresses, User-Agents, URL query strings) your application blocked from collection. It demonstrates "privacy by design" and logical separation.
CC6.5 Data Retention and Disposal
- Criteria: The entity discontinues logical and physical protections over, and securely disposes of, information assets when they are no longer needed.
- Assumetr Evidence: The retention_proof section contains system logs proving that raw telemetry data exceeding your configured retention window (e.g., 90 days) was securely purged from all operational datastores.
CC6.6 Third-Party Egress
- Criteria: The entity evaluates the security of system boundaries and uses mechanisms to detect, prevent, and respond to incidents.
- Assumetr Evidence: The egress_log section catalogs every third-party destination (e.g., Mixpanel, Snowflake) that received your raw telemetry. This shows your auditor exactly where your data boundary extends.
P4.2 Data Minimisation (Privacy Category)
- Criteria: The entity limits the collection of personal information to that necessary to fulfill its objectives.
- Assumetr Evidence: The data_inventory section provides a deduplicated schema of every event name and property key observed. This demonstrates that you are not collecting PII beyond what the inventory shows.
Presenting Evidence to Your Auditor
- Download the latest .json Evidence Packet from your Assumetr Dashboard.
- Provide the packet along with the Assumetr CLI verification instructions to your auditor.
- Your auditor can use the embedded Ed25519 public key to verify that the packet's signature over the SHA-256 digest of the payload is valid, proving the evidence has not been altered since it was signed.
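The verification step above, as an added example that is not Assumetr's code and does not use its real packet layout: an offline Go verifier assuming hypothetical field names payload, public_key and signature, hex-encoded key and signature, and an Ed25519 signature over the SHA-256 digest of the payload bytes. BuildSamplePacket constructs a signed packet with a fresh keypair so the check can be exercised without a dashboard export.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Hypothetical packet layout (field names are assumptions, not Assumetr's):
// compact JSON payload, hex Ed25519 public key, hex signature over SHA-256(payload).
type Packet struct {
	Payload   json.RawMessage `json:"payload"`
	PublicKey string          `json:"public_key"`
	Signature string          `json:"signature"`
}

// VerifyPacket hashes the payload bytes exactly as stored in the packet and checks
// the signature with the embedded key. Length checks matter: ed25519.Verify panics on a bad key size.
func VerifyPacket(raw []byte) (bool, error) {
	var p Packet
	if err := json.Unmarshal(raw, &p); err != nil {
		return false, err
	}
	pub, err := hex.DecodeString(p.PublicKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, fmt.Errorf("malformed public key")
	}
	sig, err := hex.DecodeString(p.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("malformed signature")
	}
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(ed25519.PublicKey(pub), digest[:], sig), nil
}

// BuildSamplePacket signs a constructed payload with a fresh keypair. The payload must be
// compact JSON: json.Marshal compacts RawMessage, and the stored bytes are what gets hashed.
func BuildSamplePacket(payload []byte) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	return json.Marshal(Packet{
		Payload:   json.RawMessage(payload),
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, digest[:])),
	})
}
```

The embedded key only proves the packet is internally consistent; an auditor should compare it against a key obtained from Assumetr out of band before relying on the result.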