🛡️ SOC 2 Compliance, Built In

DataSurface provides a framework for implementing SOC 2 controls in your data platform operations. Audit trails, access controls, and change management are not bolted on; they are architected from day one.

✓ SOC 2 Trust Service Criteria Coverage

DataSurface provides native support for key SOC 2 control areas. Here's what you get out of the box.

CC6: Logical & Physical Access Controls

Repository-based authorization, credential management, team isolation, and multi-level access control enforce who can access and modify what.

● Fully Supported

CC7: System Operations

Git-backed immutable audit trails, validation logging, and complete change attribution provide forensic-level visibility into all operations.

● Fully Supported

CC8: Change Management

Pre-merge validation, backwards compatibility checks, environment resolution, and automated testing ensure changes are authorized and safe.

● Fully Supported

CC9: Risk Mitigation

Workspace priority tracking, data container location management, and multi-region support enable business continuity planning.

● Fully Supported

Feature → Control Mapping

Feature | SOC 2 Control | What It Does
Repository-Based Authorization | CC6.1 | Only commits from authorized repos can modify objects. Changes from unauthorized sources are rejected.
Credential Management | CC6.1 | Tracks all credentials, separates normal from super-user access, validates credential usage during linting.
Multi-Level Authorization | CC6.3 | Three-tier model (Ecosystem → Zone → Team) enforces segregation of duties. Platform team can't modify business data.
Dataset Approval System | CC6.3 | Sensitive datastores require explicit approval before workspaces can access them. Creates an audit trail of approvals.
Production Status Enforcement | CC6.6 | Separates prod/non-prod data. Validates status consistency. Prevents mixing test and production data.
Data Classification Policies | CC6.6 | Requires classification on all datasets. Governance zones restrict allowed classifications.
Deprecation Tracking | CC6.7 | Tracks deprecated assets, warns or blocks usage, provides migration paths.
Git-Based Audit Trail | CC7.2 | Every change is a Git commit. Immutable history with full attribution (who, what, when, why).
Pre-Merge Validation | CC8.1 | Validates authorization, consistency, and backwards compatibility before accepting any change.
Backwards Compatibility Checks | CC8.1 | Prevents breaking changes. Schema changes must be additive. Datastore changes can't remove datasets.
Workspace Priority | CC9.1 | Assigns business importance levels. Priority propagates through the dependency chain for recovery planning.
Location Tracking | CC9.1 | Tracks physical/cloud locations of all data. Enables multi-region DR and data residency compliance.
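
As an added illustration of the pre-merge checks behind the CC6.1 and CC8.1 rows above, here is a small validator written for this page. It is not DataSurface's own code or API; the class names, repository names, and sample schemas are assumptions made for the example. It rejects a change whose source repository does not own the datastore, a change that removes a dataset, and a schema change that drops or retypes a column, while letting a purely additive change through.

```python
# Added example, not DataSurface code: a minimal pre-merge validator for two
# of the controls in the mapping above.
#   CC6.1  repository-based authorization: only the repository that owns a
#          datastore may submit changes to it.
#   CC8.1  backwards compatibility: a datastore change may not remove
#          datasets, and schema changes must be additive.
# Every class, field and repository name here is an assumption for illustration.
from dataclasses import dataclass, field


@dataclass
class Dataset:
    name: str
    columns: dict[str, str]               # column name -> column type


@dataclass
class Datastore:
    name: str
    owning_repo: str                      # the only repo allowed to change it
    datasets: dict[str, Dataset] = field(default_factory=dict)


@dataclass
class Change:
    source_repo: str                      # repo the proposed commit came from
    before: Datastore                     # definition currently merged
    after: Datastore                      # proposed definition


def validate_change(change: Change) -> list[str]:
    """Return the list of control violations; an empty list means safe to merge."""
    problems: list[str] = []
    before, after = change.before, change.after

    # CC6.1: the change must originate from the datastore's owning repository,
    # and an ordinary change may not reassign ownership.
    if change.source_repo != before.owning_repo:
        problems.append(f"unauthorized: {change.source_repo} may not modify "
                        f"{before.name} (owned by {before.owning_repo})")
    if after.owning_repo != before.owning_repo:
        problems.append(f"ownership reassigned: {before.name}")

    # CC8.1: every existing dataset and column must survive with the same type;
    # new datasets and new columns are allowed (additive changes only).
    for name, old in before.datasets.items():
        new = after.datasets.get(name)
        if new is None:
            problems.append(f"dataset removed: {name}")
            continue
        for col, old_type in old.columns.items():
            new_type = new.columns.get(col)
            if new_type is None:
                problems.append(f"column removed: {name}.{col}")
            elif new_type != old_type:
                problems.append(f"column retyped: {name}.{col} {old_type} -> {new_type}")
    return problems


def make_store(owning_repo: str, datasets: dict[str, list[tuple[str, str]]]) -> Datastore:
    """Helper for the samples: {dataset: [(column, type), ...]} -> Datastore."""
    return Datastore("orders_store", owning_repo,
                     {ds: Dataset(ds, dict(cols)) for ds, cols in datasets.items()})


# Constructed sample definitions; repository names are placeholders.
OWNER = "example-org/orders-team"
MERGED = make_store(OWNER, {"orders": [("id", "int"), ("amount", "decimal")]})

# 1. Additive change from the owning repo: one column added -> allowed.
ADDITIVE = Change(OWNER, MERGED, make_store(
    OWNER, {"orders": [("id", "int"), ("amount", "decimal"), ("currency", "string")]}))
# 2. Breaking change from the owning repo: a column retyped and one dropped.
BREAKING = Change(OWNER, MERGED, make_store(OWNER, {"orders": [("id", "string")]}))
# 3. Same additive content, but submitted from another team's repository.
FOREIGN = Change("example-org/platform-team", MERGED, ADDITIVE.after)
# 4. The whole dataset removed from the datastore.
REMOVED = Change(OWNER, MERGED, make_store(OWNER, {}))

if __name__ == "__main__":
    for label, change in [("additive", ADDITIVE), ("breaking", BREAKING),
                          ("foreign", FOREIGN), ("removed", REMOVED)]:
        print(label, validate_change(change) or "OK")
```

In a CI pipeline the non-empty result is what fails the pull request and, kept with the pipeline log, is itself the "failed validation attempts (blocked changes)" evidence listed later on this page.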

📋 Evidence Package for Auditors

When auditors come knocking, DataSurface provides structured evidence that demonstrates controls are in place and operating effectively.

📁 Model Definition Files

  • Complete ecosystem definition showing authorization structure
  • Governance zone definitions with policies
  • Team definitions with datastores and workspaces
  • Full credential inventory

📜 Git History

  • Immutable audit log of every change
  • Policy change history
  • Access control modifications
  • Who approved what, when

✅ Validation Reports

  • CI/CD logs showing validation checks
  • Failed validation attempts (blocked changes)
  • Backwards compatibility check results
  • Production status validation

🔧 Configuration Evidence

  • Repository access controls
  • Branch protection rules
  • Required review settings
  • Commit signing requirements

Shared Responsibility Model

DataSurface is a framework. Achieving SOC 2 certification requires proper configuration and operation. Here's what we handle vs. what you configure.

⚡ DataSurface Provides

  • Repository-based authorization framework
  • Multi-level access control model
  • Credential tracking and validation
  • Git-backed immutable audit trails
  • Pre-merge validation pipeline
  • Backwards compatibility enforcement
  • Production/non-production separation
  • Data classification policy engine
  • Dataset approval workflow
  • Deprecation management
  • Location and priority tracking

🏢 You Configure

  • Git repository access controls
  • Branch protection rules
  • Pull request review requirements
  • Commit signing policies
  • Credential storage (Vault, Secrets Manager)
  • Credential rotation schedules
  • Team membership reviews
  • Classification scheme definitions
  • Monitoring and alerting
  • Incident response procedures
  • Backup and disaster recovery

📝 Implementation Checklist

Initial Setup

  • Define ecosystem with repository ownership
  • Define governance zones matching compliance boundaries
  • Configure git repository access controls
  • Enable branch protection and required reviews
  • Set up CI/CD with validation checks

Ongoing Operations

  • Review team membership quarterly
  • Review credential inventory quarterly
  • Review workspace priorities semi-annually
  • Review data classifications annually
  • Preserve git history permanently

Audit Preparation

  • Generate complete git history export
  • Collect validation reports (12 months)
  • Document all policy changes
  • Prepare authorization enforcement evidence
  • Create gap analysis documentation

Ready to Simplify Compliance?

Schedule a conversation to see how DataSurface can help your organization meet SOC 2 requirements while accelerating data delivery.