Shared responsibility matrix (SOC 2 & enterprise)
Audience: Compliance officers, DevOps leads, security architects
Time: ~15 min
Prerequisites: Security overview, Custom deployment
Control Core is deployed in your environment. SOC 2 Type II attestation for your service requires both product capabilities and operator controls. This matrix separates responsibilities honestly — no implied 24/7 SOC operations from the vendor.
Service boundaries
| Component | Deployed by | Network boundary |
|---|---|---|
| Control Plane (UI + API) | Customer / partner | Your VPC or cluster |
| Bouncer (PEP) | Customer | Co-located with protected workloads |
| Postgres / Redis | Customer (in-chart or managed) | Your data plane |
| Policy Git repo | Customer | Your Git provider |
| IdP (SSO) | Customer | Your identity platform |
Responsibility matrix
| Area | Control Core (product + engineering) | Customer / operator |
|---|---|---|
| Access control (CC6) | RBAC APIs, MFA/SSO hooks, Rego enforcement via Bouncer | IdP configuration, role assignment, periodic access reviews |
| Encryption in transit (CC6.7) | Production connection guards in the Control Plane API; Helm TLS templates | Enable chart TLS, mount certs, sslmode=verify-full / rediss:// endpoints |
| Encryption at rest | Secrets via K8s secrets / ExternalSecrets | Database TDE, disk encryption, KMS key rotation |
| Audit & integrity (PI1) | Hash-chained AuditLog, export APIs, optional WORM checkpoint | SIEM forwarding, retention policy, key custody for checkpoints |
| Vulnerability mgmt (CC6.1) | SBOM generation scripts, local security gate | Run gate before promote; patch deps; cosign verify when signing enabled |
| Supply chain (CC6.8) | Optional cosign sign in build script; SBOM output | Mandate signed tags for prod; record verify output |
| Change management (CC8) | Policy versioning, sync audit events | CAB/approvals, release discipline, Helm change records |
| Backup / DR (CC7.5) | Optional postgres-backup CronJob in Helm | Enable backup or use cloud PITR; DR drills, RTO/RPO targets |
| Incident response (CC7) | Audit + SIEM outbox surfaces | 24/7 monitoring, runbooks, escalation — not provided by Control Core |
| Governance (CC1) | Engineering docs, feature flags | Board oversight, risk register, vendor management |
| Privacy (P1) | Masking via Rego at Bouncer | Lawful basis, consent processes, data subject requests |
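An added example, not Control Core's own code, of the customer-side integrity check the Audit & integrity row leaves to the operator: it walks a hash-chained audit export and checks the chain head against the checkpoint hash held in WORM storage. The record layout (seq, prev_hash, event, hash), the genesis value and the SHA-256 chaining rule are assumptions for illustration; the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first record in an export

def record_hash(prev_hash: str, event: dict) -> str:
    """Assumed chaining rule: SHA-256 over prev_hash || canonical JSON of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def build_chain(events: list[dict]) -> list[dict]:
    """Build a well-formed chained export; used here only to construct sample input."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events, start=1):
        h = record_hash(prev, event)
        records.append({"seq": seq, "prev_hash": prev, "event": event, "hash": h})
        prev = h
    return records

def verify_export(lines: list[str], checkpoint_hash: str) -> tuple[bool, str]:
    """Verify a JSON-lines export: detects edits, gaps, re-ordering and truncation."""
    prev, expected_seq = GENESIS, 1
    for line in lines:
        rec = json.loads(line)
        if rec["seq"] != expected_seq:
            return False, f"sequence gap at seq {rec['seq']}"
        if rec["prev_hash"] != prev:
            return False, f"broken link at seq {rec['seq']}"
        if record_hash(prev, rec["event"]) != rec["hash"]:
            return False, f"hash mismatch at seq {rec['seq']}"
        prev, expected_seq = rec["hash"], expected_seq + 1
    if prev != checkpoint_hash:  # truncated export or stale/forged checkpoint
        return False, "head does not match WORM checkpoint"
    return True, "ok"

# Constructed sample events; not real Control Core output.
EVENTS = [{"actor": "alice", "action": "policy.sync", "ref": "v12"},
          {"actor": "bouncer-7", "action": "decision", "allow": False},
          {"actor": "bob", "action": "role.assign", "role": "auditor"}]
RECORDS = build_chain(EVENTS)
EXPORT = [json.dumps(r) for r in RECORDS]
CHECKPOINT = RECORDS[-1]["hash"]  # the value the operator keeps in WORM storage

def tampered_export() -> list[str]:
    """Same export with the seq 2 decision flipped to allow=True, hashes untouched."""
    recs = json.loads(json.dumps(RECORDS))
    recs[1]["event"]["allow"] = True
    return [json.dumps(r) for r in recs]
```

Archive the `verify_export` result with the change record alongside the checkpoint it was checked against; a chain that validates without a checkpoint only proves internal consistency, not that nothing was dropped from the tail.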
SOC 1 / SOX ITGC (customer financial reporting)
Control Core does not issue a SOC 1 report for itself. Customers may use:
- Structured audit export from Control Plane
- Policy version history (Git + PolicyVersion)
- Bouncer decision logs for access to financial systems
You remain responsible for SOX 302/404 management assertion and CPA engagement.
Evidence artifacts (where to look)
| Need | Where |
|---|---|
| SOC 2 narrative | This page + Security guides |
| TSC checklist | Request from your account team before audit season |
| Vulnerability scan | Your CI/CD pipeline reports for the release tag |
| Signed images | cosign verify output archived with the change record |