# SOC 2 Type I Readiness Summary

## Honest Framing: SOC2-Ready vs SOC2-Certified
"SOC2-ready" means the technical controls that a SOC 2 Type I audit evaluates are implemented and verifiable. It does NOT mean a licensed CPA/auditor has issued an opinion letter. That step requires a formal audit engagement (named gate: Iskra + auditor).
We surface this distinction because security-conscious buyers deserve accurate language. A vendor claiming "SOC2 compliant" without a letter typically means "SOC2-ready" — we say what we mean.
## Trust Service Criteria Control Mapping
| SOC 2 Criterion | Control | Status |
|---|---|---|
| CC6.1 — Logical Access Controls | Authentik SAML/SCIM: all access requires authenticated identity. Role-based permissions enforced at Forgejo + API layers. | IMPLEMENTED |
| CC6.2 — User Registration | Magic-link email + SCIM auto-provisioning. No anonymous access. Account creation requires verified email. | IMPLEMENTED |
| CC6.3 — Access Removal | SCIM deprovisioning removes access within 60s of IdP change. Admin override available via Authentik API. | IMPLEMENTED |
| CC7.1 — System Monitoring | F9 cryptographic audit trail: every push, merge, and admin action is logged to an append-only Redis Stream. Immutable by design. Uptime monitoring with auto-SLA-credit on breach. | IMPLEMENTED |
| CC7.2 — Security Events | Forgejo Actions + F6 AI issue triage provide automated anomaly detection. Watchdog alerting via Telegram. | IMPLEMENTED |
| CC8.1 — Change Management | All infrastructure changes logged in F9 audit trail. Git-based config as code. Rollback procedures documented per-service. | IMPLEMENTED |
| A1.1 — Availability SLA | 99.9% SLA commitment. Public status page at empiregit-status.pages.dev. Auto-credit on breach — no ticket required. | IMPLEMENTED |
| C1.1 — Confidentiality Classification | BYO-LLM keys: code never used to train AI models. Tenant isolation by namespace. Customer data never crosses tenants. | IMPLEMENTED |
| P6.1 — Data Retention | Configurable retention policies. Audit trail retention configurable (7y financial / 3y standard). | PARTIAL (policy docs in progress) |
| Formal Audit Opinion | Licensed CPA/auditor engagement, evidence review, opinion letter issuance. | GATED (requires Iskra + auditor engagement) |
## Live F9 Audit Report

The F9 audit trail is live and queryable. Authorized enterprise customers may request an audit log export via the platform API:

```http
GET https://empiregit.eliteaiempire.com/api/v1/audit/report
```

The report returns: total event count, event breakdown by type, immutability attestation (`immutable_append_only: true`), SSO IdP reference, and store type (`redis_stream`). This constitutes the primary evidence artifact for the CC7.1 control.
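An evidence-collection check over such an export, added here as an example and not part of the platform's own code: it parses a constructed sample response and verifies that the attestation fields the summary lists are present and that the per-type breakdown agrees with the total. The JSON key names (`total_events`, `events_by_type`, `immutable_append_only`, `sso_idp`, `store`) are assumptions; only the attestation flag and the store value appear in the summary.

```python
"""Consistency checks on an F9 audit report export (added example).

Assumed response keys (not documented on the page): total_events,
events_by_type, immutable_append_only, sso_idp, store.
"""
import json

# Constructed sample response, shaped after the fields the summary lists.
SAMPLE_REPORT = json.dumps({
    "total_events": 1284,
    "events_by_type": {"push": 910, "merge": 301, "admin_action": 73},
    "immutable_append_only": True,
    "sso_idp": "authentik",
    "store": "redis_stream",
})


def check_audit_report(raw: str) -> list:
    """Return a list of findings; an empty list means the export is
    consistent with the CC7.1 evidence the summary describes."""
    report = json.loads(raw)
    findings = []

    # Attestation fields: the report must assert append-only storage,
    # name the expected store type, and reference the SSO IdP.
    if report.get("immutable_append_only") is not True:
        findings.append("immutability attestation missing or false")
    if report.get("store") != "redis_stream":
        findings.append(f"unexpected store type: {report.get('store')!r}")
    if not report.get("sso_idp"):
        findings.append("no SSO IdP reference")

    # Internal consistency: the per-type breakdown must sum to the total.
    by_type = report.get("events_by_type") or {}
    total = report.get("total_events")
    if not isinstance(total, int) or total < 0:
        findings.append("total_events is not a non-negative integer")
    elif sum(by_type.values()) != total:
        findings.append(f"breakdown sums to {sum(by_type.values())}, total says {total}")

    # CC7.1 names the event classes that are captured; note any absent class
    # so the reviewer can confirm the gap is genuine rather than a logging fault.
    for required in ("push", "merge", "admin_action"):
        if required not in by_type:
            findings.append(f"no events of type {required!r} in breakdown")
    return findings


if __name__ == "__main__":
    for line in check_audit_report(SAMPLE_REPORT) or ["report consistent"]:
        print(line)
```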