Skip to content
HeliosDB HeliosDB Nano

SOC 2 Type II Readiness Guide

SOC 2 Type II Readiness Guide

Overview

This document maps HeliosDB Nano’s security controls to SOC 2 Trust Services Criteria, demonstrating readiness for SOC 2 Type II certification.

Trust Services Criteria Mapping

CC1: Control Environment

CriteriaControlHeliosDB ImplementationEvidence
CC1.1Commitment to integrity and ethical valuesCode of Conduct, Contribution GuidelinesCODE_OF_CONDUCT.md, CONTRIBUTING.md
CC1.2Board oversightGovernance documentationdocs/governance/GOVERNANCE.md
CC1.3Management establishes structuresOrganizational structuredocs/governance/GOVERNANCE.md
CC1.4Commitment to competenceHiring and training policiesHR documentation
CC1.5Accountability enforcementPerformance managementHR documentation

CC2: Communication and Information

CriteriaControlHeliosDB ImplementationEvidence
CC2.1Internal communicationInternal documentationdocs/ directory
CC2.2External communicationPublic documentation, API docsREADME.md, docs/API_REFERENCE.md
CC2.3Security policies communicatedSecurity documentationSECURITY.md, docs/compliance/

CC3: Risk Assessment

CriteriaControlHeliosDB ImplementationEvidence
CC3.1Risk identificationThreat modeling, risk registerdocs/series-a/RISK_REGISTER.md
CC3.2Risk analysisSecurity assessmentsSecurity audit reports
CC3.3Fraud risk considerationSecurity controlsdocs/compliance/SECURITY_POLICY.md
CC3.4Change impact assessmentChange management processdocs/compliance/CHANGE_MANAGEMENT.md

CC4: Monitoring Activities

CriteriaControlHeliosDB ImplementationEvidence
CC4.1Ongoing monitoringLogging, metrics, alertingBuilt-in tracing, metrics
CC4.2Deficiency evaluationIncident managementdocs/compliance/INCIDENT_RESPONSE.md

CC5: Control Activities

CriteriaControlHeliosDB ImplementationEvidence
CC5.1Selection of controlsRisk-based control selectionSecurity architecture docs
CC5.2Technology controlsTechnical implementationSource code, configurations
CC5.3Policies and proceduresDocumented proceduresdocs/compliance/, docs/enterprise/

CC6: Logical and Physical Access Controls

CriteriaControlHeliosDB ImplementationEvidence
CC6.1Access to infrastructureRole-based accessdocs/compliance/ACCESS_CONTROL.md
CC6.2System access registrationUser provisioningAuthentication system
CC6.3Access removalDeprovisioning processAccess control procedures
CC6.4Access reviewPeriodic access reviewsAudit logs
CC6.5Access authenticationStrong authenticationTLS, JWT, password policies
CC6.6Access protectionEncryption in transit/at restTDE, ZKE, TLS 1.3
CC6.7Transmission encryptionTLS implementationrustls configuration
CC6.8Destruction of dataSecure deletionZeroize library

CC7: System Operations

CriteriaControlHeliosDB ImplementationEvidence
CC7.1Vulnerability detectionSecurity scanningCI/CD pipeline
CC7.2Incident monitoringLogging and alertingTracing infrastructure
CC7.3Security analysisLog analysisdocs/enterprise/RUNBOOKS.md
CC7.4Incident responseIR proceduresdocs/compliance/INCIDENT_RESPONSE.md
CC7.5Recovery from incidentsRecovery proceduresdocs/enterprise/DISASTER_RECOVERY.md

CC8: Change Management

CriteriaControlHeliosDB ImplementationEvidence
CC8.1Change authorizationPR approval processGitHub branch protection
CC8.2Change testingCI/CD testingGitHub Actions workflows
CC8.3Change deploymentRelease processdocs/governance/RELEASE_PROCESS.md

CC9: Risk Mitigation

CriteriaControlHeliosDB ImplementationEvidence
CC9.1Vendor managementDependency managementCargo.toml, license review
CC9.2Business continuityBC/DR plansdocs/enterprise/BUSINESS_CONTINUITY.md

Security Controls Summary

Authentication & Authorization

┌─────────────────────────────────────────────────────────────────┐
│                    Authentication Flow                          │
├─────────────────────────────────────────────────────────────────┤
│  Client → TLS 1.3 → PostgreSQL Auth → Row-Level Security       │
│                           │                                     │
│                    ┌──────┴──────┐                              │
│                    │  Methods    │                              │
│                    ├─────────────┤                              │
│                    │ • Password  │ (Argon2id/PBKDF2 hashed)    │
│                    │ • SCRAM-256 │ (PostgreSQL compatible)      │
│                    │ • JWT       │ (RS256/ES256 signed)         │
│                    │ • mTLS      │ (Certificate-based)          │
│                    └─────────────┘                              │
└─────────────────────────────────────────────────────────────────┘

Encryption Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    Encryption Layers                            │
├─────────────────────────────────────────────────────────────────┤
│  Layer 1: Transit        TLS 1.3 (ECDHE + AES-256-GCM)         │
│  Layer 2: TDE            AES-256-GCM (server-managed keys)      │
│  Layer 3: ZKE            AES-256-GCM (client-managed keys)      │
│  Layer 4: Field-Level    Per-column encryption (optional)       │
└─────────────────────────────────────────────────────────────────┘

Audit Logging

Event TypeLogged FieldsRetention
AuthenticationUser, timestamp, IP, result90 days
AuthorizationUser, resource, action, result90 days
Data AccessUser, table, query type, timestamp30 days
Schema ChangesUser, DDL statement, timestamp1 year
Admin ActionsUser, action, parameters, timestamp1 year

Gap Analysis

Currently Implemented

  • Encryption at rest (TDE)
  • Encryption in transit (TLS 1.3)
  • Authentication (multiple methods)
  • Row-level security
  • Audit logging infrastructure
  • Secure key management
  • Change management (PR process)
  • Vulnerability scanning (Clippy, cargo-audit)

In Progress

  • SOC 2 Type II audit engagement
  • Penetration testing (annual)
  • Security awareness training documentation
  • Vendor risk assessment process

Planned

  • Security Operations Center (SOC) monitoring
  • Bug bounty program
  • Third-party security audit
  • ISO 27001 certification

Evidence Collection

Automated Evidence

Evidence TypeCollection MethodStorage
Access logsApplication loggingLog aggregation service
Change historyGit commitsGitHub
Test resultsCI/CD pipelineGitHub Actions
Vulnerability scanscargo-auditCI/CD artifacts
Code reviewsPull request reviewsGitHub

Manual Evidence

Evidence TypeCollection MethodFrequency
Policy reviewsAnnual review cycleAnnually
Access reviewsManual auditQuarterly
Risk assessmentsSecurity team reviewAnnually
Penetration testsThird-party engagementAnnually

Audit Preparation Checklist

Pre-Audit (3 months before)

  • Review all policies and procedures
  • Conduct internal control testing
  • Update risk assessment
  • Verify evidence collection systems
  • Brief relevant personnel

During Audit

  • Provide auditor access to systems
  • Coordinate evidence requests
  • Address auditor questions
  • Document control walkthroughs

Post-Audit

  • Review draft report
  • Address any findings
  • Implement remediation plans
  • Obtain final report

Contact

For SOC 2 compliance inquiries: