Documentation
SOC 2 mapping
How Attestly artefacts line up with the AICPA Trust Services Criteria.
Last updated May 8, 2026
Attestly is not a SOC 2 audit firm — only a licensed CPA can issue an attestation. What we do is take care of two things every SOC 2 engagement needs: the continuously-updated control evidence that lives in your code, and a readiness pack that translates that evidence into the language an auditor expects to read.
What ships out of the box
| Plan | What you get |
|---|---|
| Free / Starter | The mapping below — a documented set of TSC criteria your existing Attestly artefacts already cover. |
| Growth and above | The full SOC 2 Readiness Generator — see SOC 2 Readiness. It produces a Common Criteria control matrix grounded in your actual stack, an evidence index, and a gap analysis. |
Trust Services Criteria we cover from your code
| Criterion | Attestly evidence |
|---|---|
| CC1.4 Communication of policies | Your trust center publishes the current version of every policy, with version history. |
| CC2.2 Internal communication | Approval emails are archived in the audit log. |
| CC2.3 Communication with external parties | Public trust center, subprocessor change notifications. |
| CC3.2 Risk identification | Drift alerts surface every change that affects a published document. |
| CC4.1 Monitoring of controls | Continuous scanning + per-PR drift checks. |
| CC6.1 Logical access | We surface the auth providers detected in your stack (Clerk, Auth0, WorkOS, etc.) and link to the source. |
| CC7.2 Anomaly detection | Drift bot acts as a control-effectiveness anomaly detector. |
| CC7.4 Incident handling | The audit log records every approval/rejection, with a tamper-evident hash chain. |
| CC8.1 Change management | Drift auto-PRs (Growth and above) re-render documents through your normal PR review workflow. |
| CC9.2 Vendor management | Live subprocessor list with last-detected timestamp and source citation. |
| A1.2 Capacity / availability | We surface your hosting providers and their published SLAs in the AI Trust Center. |
| C1.1 Confidentiality | DPA enumerates Annex II technical and organisational measures. |
| PI1.5 Output completeness | Every document version is reproducible from a recorded scan SHA. |
| P6.1 Privacy notice | Privacy policy with effective date, version history, and signature record on the DPA. |
Audit-log export
Settings → Audit Log → Export. Available formats:
- CSV — for upload to Drata/Vanta/Secureframe.
- JSON — for ingestion into your SIEM.
- PDF — for human-readable evidence requests.
Every entry has a tamper-evident hash linked to the previous entry — a
Merkle-style chain. Auditors can verify the chain offline using the
@attestly/audit-cli package.
Vendor management
The "vendor inventory" auditors love is exactly what your live subprocessor list is. Each entry carries:
- Last-detected timestamp.
- Source citation (
file:line). - Risk classification.
- DPA / sub-processor agreement status.
That's enough to satisfy SOC 2 vendor-management evidence requests for almost every audit firm we've encountered.
Working with Vanta, Drata, and Secureframe
The SOC 2 readiness pack and Attestly's audit-log export plug into all three of the popular GRC platforms. The recommended workflow:
- Run the SOC 2 readiness generator on your latest scan.
- Export the audit log as CSV.
- Upload the readiness pack as a policy artefact in Vanta/Drata/Secureframe.
- Map each "operator-supplied" evidence row to the corresponding control in your GRC tool. Attestly's evidence rows have stable IDs so the mapping only has to be done once.