SOC 2 Alignment

How Avnology ID aligns with SOC 2 Trust Service Criteria.

Avnology ID is designed to align with SOC 2 Type II Trust Service Criteria. This page provides a detailed mapping of each criterion to the controls implemented in Avnology ID, along with guidance on gathering audit evidence.

Trust Service Criteria overview

SOC 2 evaluates five Trust Service Criteria (TSC). Avnology ID addresses all five:

| Criterion | Coverage | Key controls |
|---|---|---|
| Security (CC) | Full | Authentication, authorization, encryption, audit logging, vulnerability management |
| Availability (A) | Full | 99.99% SLA, multi-AZ, automated failover, monitoring |
| Confidentiality (C) | Full | Encryption at rest/transit, network isolation, access controls |
| Processing integrity (PI) | Full | Input validation, token verification, CSRF protection |
| Privacy (P) | Full | Data minimization, consent, deletion, export |

Security (Common Criteria)

CC1: Control environment

| Control | Implementation | Evidence |
|---|---|---|
| CC1.1 Integrity and ethical values | Security policy, responsible disclosure program | Policy documents, security.txt |
| CC1.2 Board oversight | Security review in every release cycle | Release checklists, security review logs |
| CC1.3 Organizational structure | Separation of duties between dev, ops, and security teams | Role definitions, access control lists |
| CC1.4 Competence | Security training requirements for all engineers | Training records |

CC2: Communication and information

| Control | Implementation | Evidence |
|---|---|---|
| CC2.1 Internal communication | Security advisories, incident runbooks | Internal documentation, runbook audit trail |
| CC2.2 External communication | Status page, changelog, vulnerability disclosure policy | status.avnology.com, security.txt |

CC3: Risk assessment

| Control | Implementation | Evidence |
|---|---|---|
| CC3.1 Risk identification | Threat modeling, annual penetration testing | Threat model documents, pentest reports |
| CC3.2 Risk analysis | Built-in risk engine scores every sign-in attempt | Risk assessment logs, conditional access policies |
| CC3.3 Fraud risk | Breached password detection, impossible travel detection | HIBP integration logs, risk engine audit trail |
| CC3.4 Change-related risk | Breaking change detection in CI, canary deployments | CI/CD pipeline logs, deployment records |

CC4: Monitoring

| Control | Implementation | Evidence |
|---|---|---|
| CC4.1 Ongoing monitoring | Prometheus metrics, Grafana dashboards, automated alerting | Dashboard configurations, alert rules, incident history |
| CC4.2 Internal control deficiency remediation | Security findings tracked as issues, SLA for remediation | Issue tracker, SLA compliance reports |

CC5: Control activities

| Control | Implementation | Evidence |
|---|---|---|
| CC5.1 Selection of controls | Defense-in-depth: network, application, identity layers | Architecture documentation |
| CC5.2 Technology controls | Automated CI/CD, container scanning, SBOM generation | Pipeline logs, scan reports, SBOM artifacts |
| CC5.3 Control deployment | Infrastructure as code, immutable deployments | Terraform state, Helm release history |

CC6: Logical and physical access

| Control | Implementation | Evidence |
|---|---|---|
| CC6.1 Logical access security | ReBAC (relationship-based access control), principle of least privilege | Permission model, relation tuples |
| CC6.2 User registration and authorization | MFA enrollment, passkeys, admin role management | User records, MFA enrollment logs |
| CC6.3 User deprovisioning | SCIM deactivation, admin-initiated deletion, GDPR cascade | Deletion logs, SCIM sync records |
| CC6.6 Threat protection | Rate limiting, CAPTCHA, risk engine, account lockout | Rate limit configuration, risk assessment logs |
| CC6.7 Restriction on software | Container image signing, admission controller verification | Cosign signatures, admission controller logs |
| CC6.8 Vulnerability detection | Dependency scanning, container scanning, pentest | Scan reports, CVE remediation records |

CC7: System operations

| Control | Implementation | Evidence |
|---|---|---|
| CC7.1 Infrastructure monitoring | OpenTelemetry traces, Prometheus metrics, Loki logs | Grafana dashboards, alert history |
| CC7.2 Anomaly detection | Risk engine, login failure spike alerts, token endpoint error alerts | Alert rules, incident records |
| CC7.3 Incident response | Documented runbooks, on-call rotation, post-incident reviews | Runbook documents, PIR records |
| CC7.4 Incident recovery | Automated failover, database point-in-time recovery | Recovery test records, RTO/RPO measurements |

CC8: Change management

| Control | Implementation | Evidence |
|---|---|---|
| CC8.1 Change authorization | Pull request reviews, CI checks, buf breaking change detection | PR history, CI logs |
| CC8.2 Testing | Automated unit, integration, E2E tests; testcontainers for real DB | Test reports, coverage metrics |
| CC8.3 Deployment controls | Canary deployments, rollback automation, feature flags | Deployment logs, rollback records |

CC9: Risk mitigation

| Control | Implementation | Evidence |
|---|---|---|
| CC9.1 Risk mitigation | Conditional access policies, per-org security settings | Policy configurations, enforcement logs |
| CC9.2 Vendor management | Dependency scanning, SBOM, license compliance | SBOM artifacts, license audit reports |

Availability (A)

| Control | Implementation | Evidence |
|---|---|---|
| A1.1 Processing capacity | Horizontal pod autoscaling, database read replicas | HPA configurations, scaling event logs |
| A1.2 Environmental protections | Multi-AZ deployment, geographic redundancy | Infrastructure topology, AZ distribution |
| A1.3 Recovery procedures | Automated database backup, point-in-time recovery, documented DR plan | Backup schedules, recovery test records |

Availability targets

| Metric | Target | Measurement |
|---|---|---|
| Overall availability | 99.99% | < 52 minutes downtime per year |
| RTO (Recovery Time Objective) | < 15 minutes | Time to restore service after failure |
| RPO (Recovery Point Objective) | < 5 minutes | Maximum data loss window |
| Backup frequency | Continuous (WAL streaming) + daily full | PostgreSQL WAL archiving |
| Backup retention | 30 days | Point-in-time recovery window |

Confidentiality (C)

| Control | Implementation | Evidence |
|---|---|---|
| C1.1 Confidential information identification | Data classification: credentials (critical), PII (sensitive), metadata (internal) | Data classification policy |
| C1.2 Confidential information disposal | 14-point GDPR cascade deletion, cryptographic erasure | Deletion audit logs |

Data classification

| Category | Examples | Encryption | Access |
|---|---|---|---|
| Critical | Password hashes, OAuth client secrets, API key hashes, SAML certificates | AES-256-GCM (application layer) + AES-256 (database layer) | Service accounts only, no human access |
| Sensitive | Email, phone, name, profile data | AES-256 (database layer) | Admin API with audit logging |
| Internal | Organization names, OAuth client names, webhook URLs | AES-256 (database layer) | Admin API |
| Public | Organization slugs, JWKS, discovery endpoints | None required | Public access |

Processing integrity (PI)

| Control | Implementation | Evidence |
|---|---|---|
| PI1.1 Quality of processing | Server-side protobuf validation (protovalidate), Zod schema validation on frontend | Validation rules in .proto files |
| PI1.2 Accuracy of outputs | JWT signature verification against JWKS, SAML assertion signature validation | Token verification logs |
| PI1.3 Completeness of processing | Webhook delivery with retry, DLQ for failed deliveries, idempotency keys | Delivery logs, DLQ records |
| PI1.4 Timeliness of processing | SLA targets (p99 < 300ms login, p99 < 50ms permission check) | Latency metrics, SLA reports |

Privacy (P)

| Control | Implementation | Evidence |
|---|---|---|
| P1.1 Privacy notice | OAuth consent screen with granular scope selection | Consent records |
| P2.1 Data collection limitation | Configurable identity schemas -- collect only needed fields | Schema configurations |
| P3.1 Data retention | Configurable audit log retention, session TTL, token TTL | Retention policies |
| P4.1 Data use limitation | Scope-based access control, purpose limitation in consent | Scope definitions, consent records |
| P5.1 Data quality | Email/phone verification flows | Verification records |
| P6.1 Data access (DSAR) | JSON export of all user data via admin API | Export logs |
| P6.5 Data deletion | GDPR Art. 17 cascade deletion (14-point cleanup) | Deletion audit trail |
| P7.1 Third-party data handling | Webhook payload filtering, no sensitive data in logs | Webhook configurations, logging policy |
| P8.1 Data breach notification | Incident response procedure, 72-hour GDPR notification timeline | Incident response plan |

Audit log access

Avnology ID maintains immutable, append-only audit logs for all security-relevant events. Export these logs for your compliance team, or stream them to a SIEM as described below.

SIEM integration

Avnology ID supports real-time log streaming to popular SIEM platforms:

| SIEM | Integration method |
|---|---|
| Splunk | Webhook to Splunk HEC endpoint |
| Datadog | Webhook to Datadog HTTP intake |
| Elastic / ELK | Webhook to Elasticsearch ingest endpoint |
| Microsoft Sentinel | Webhook to Sentinel data connector |
| Google Chronicle | Webhook to Chronicle ingestion API |

Configure a webhook with the audit.* event category to stream all audit events to your SIEM in real time.
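To make the Splunk row concrete, here is an added Node.js example (not Avnology's code and not a documented SDK call) of the receiving side of that webhook: it takes a POSTed event, keeps only events whose type starts with audit., wraps each one in the Splunk HEC envelope and forwards it. The webhook payload shape (id, type, occurredAt, organizationId, data) is an assumption; the HEC envelope (time, sourcetype, source, event) and the Authorization: Splunk <token> header are Splunk's documented collector format. The endpoint URL and token are placeholders read from the environment.

```javascript
// Added example: relay Avnology ID audit.* webhook events into Splunk HEC.
// Assumed webhook payload shape: { id, type, occurredAt, organizationId, data }
// (an assumption, not Avnology's documented schema). The HEC envelope and the
// "Authorization: Splunk <token>" header are Splunk's documented collector
// format; the URL and token below are placeholders read from the environment.
const HEC_URL = process.env.HEC_URL ?? "https://splunk.example.invalid:8088/services/collector/event";
const HEC_TOKEN = process.env.HEC_TOKEN ?? "<hec-token-placeholder>";

// Only audit.* events belong in the SIEM feed; anything else is acknowledged and dropped.
function isAuditEvent(event) {
  return typeof event?.type === "string" && event.type.startsWith("audit.");
}

// Build the HEC envelope. `time` is epoch seconds. The original event id is
// kept so the SIEM can de-duplicate retries from at-least-once webhook delivery.
function toHecEvent(event, sourcetype = "avnology:audit") {
  const occurredMs = Date.parse(event.occurredAt);
  if (Number.isNaN(occurredMs)) throw new Error(`bad occurredAt on event ${event.id}`);
  return {
    time: occurredMs / 1000,
    sourcetype,
    source: "avnology-id",
    event: { id: event.id, type: event.type, organizationId: event.organizationId, ...event.data },
  };
}

// Parse a raw webhook body; returns the HEC envelope, or null when the event
// is not an audit event and should be acknowledged without forwarding.
function processWebhookBody(rawBody) {
  const event = JSON.parse(rawBody);
  return isAuditEvent(event) ? toHecEvent(event) : null;
}

async function forwardToSplunk(hecEvent, fetchImpl = fetch) {
  const res = await fetchImpl(HEC_URL, {
    method: "POST",
    headers: { Authorization: `Splunk ${HEC_TOKEN}`, "Content-Type": "application/json" },
    body: JSON.stringify(hecEvent),
  });
  if (!res.ok) throw new Error(`HEC rejected event: HTTP ${res.status}`);
}

// Handler to mount on any HTTP server: returns the status code to send back.
// A 2xx acknowledges the event; a 5xx makes the sender retry (at-least-once).
async function handleWebhook(rawBody, fetchImpl = fetch) {
  try {
    const hecEvent = processWebhookBody(rawBody);
    if (hecEvent) await forwardToSplunk(hecEvent, fetchImpl);
    return 204;
  } catch (err) {
    console.error("relay error:", err.message);
    return 500;
  }
}

// Constructed sample payload for an offline dry run (no network call is made here).
const SAMPLE_EVENT = JSON.stringify({
  id: "evt_sample_001",
  type: "audit.user.mfa_enrolled",
  occurredAt: "2024-01-15T10:30:00Z",
  organizationId: "org_acme",
  data: { userId: "usr_123", method: "passkey" },
});

console.log(JSON.stringify(processWebhookBody(SAMPLE_EVENT), null, 2));
```

Returning a non-2xx status only when forwarding to the SIEM actually failed matters for the PI1.3 control above: the webhook's retry behaviour is what guarantees completeness, and the event id carried inside the HEC event is what lets the SIEM drop the duplicate that a retry produces.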

Continuous compliance monitoring

Automated checks

Avnology ID runs continuous compliance checks:

| Check | Frequency | What it verifies |
|---|---|---|
| MFA adoption rate | Daily | Percentage of users with MFA enrolled |
| Dormant accounts | Weekly | Accounts inactive > 90 days |
| Unused service accounts | Weekly | Service accounts with no API calls > 90 days |
| Password age | Daily | Users with passwords older than the org policy |
| Admin role review | Monthly | Users with admin roles, flagged for review |
| Failed login trends | Real-time | Spike detection for potential attacks |

Compliance dashboard

Query compliance metrics via the analytics API:

```javascript
const metrics = await auth.admin.getComplianceMetrics({
  organizationId: "org_acme",
});

console.log(metrics.mfaAdoptionRate);       // 0.87 (87%)
console.log(metrics.passkeyAdoptionRate);   // 0.42 (42%)
console.log(metrics.dormantAccountCount);   // accounts inactive > 90 days
```
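The analytics API returns these numbers precomputed. For readers who want to see what each check in the automated-checks table actually evaluates, or who need to reproduce the figures from an exported user list during an audit, the following is an added JavaScript example (not Avnology's code) that computes the same metric names (mfaAdoptionRate, passkeyAdoptionRate, dormantAccountCount) over constructed records, plus the per-check findings and a simple failed-login spike detector. The record shapes, the 90-day and password-age thresholds in the policy object, and the spike baseline method are this example's assumptions.

```javascript
// Added example: the continuous checks from the table above, computed locally
// over constructed records. Returns the same metric names the analytics API
// exposes plus the per-check findings. Record shapes and thresholds are this
// example's assumptions, not Avnology's schema.
const DAY_MS = 24 * 60 * 60 * 1000;
const daysSince = (iso, now) => (now - Date.parse(iso)) / DAY_MS;

function runComplianceChecks({ users, serviceAccounts, policy, now = Date.now() }) {
  const active = users.filter((u) => !u.deactivated);   // deactivated users are out of scope
  const withMfa = active.filter((u) => u.mfaMethods.length > 0);
  const withPasskey = active.filter((u) => u.mfaMethods.includes("passkey"));

  // Dormant accounts: no sign-in for more than policy.dormantDays (90 in the table).
  const dormant = active.filter((u) => daysSince(u.lastLoginAt ?? u.createdAt, now) > policy.dormantDays);

  // Unused service accounts: no API call for more than policy.dormantDays.
  const unusedServiceAccounts = serviceAccounts.filter(
    (s) => !s.disabled && daysSince(s.lastApiCallAt ?? s.createdAt, now) > policy.dormantDays,
  );

  // Password age: only users who actually have a password are in scope.
  const stalePasswords = active.filter(
    (u) => u.passwordChangedAt && daysSince(u.passwordChangedAt, now) > policy.maxPasswordAgeDays,
  );

  // Admin role review: list every admin so a reviewer can confirm each one is still needed.
  const adminsForReview = active.filter((u) => u.roles.includes("admin"));

  const rate = (subset) => (active.length ? subset.length / active.length : 0);
  return {
    mfaAdoptionRate: rate(withMfa),
    passkeyAdoptionRate: rate(withPasskey),
    dormantAccountCount: dormant.length,
    dormantAccounts: dormant.map((u) => u.id),
    unusedServiceAccounts: unusedServiceAccounts.map((s) => s.id),
    stalePasswords: stalePasswords.map((u) => u.id),
    adminsForReview: adminsForReview.map((u) => u.id),
  };
}

// Failed-login spike detection: bucket failure timestamps into fixed windows
// ending at `now` and flag the current window when its count exceeds
// `multiplier` times the mean of the preceding windows (a simple baseline).
function detectFailedLoginSpike(failureTimestamps, { windowMs, windows, multiplier, now }) {
  const counts = new Array(windows).fill(0);
  for (const ts of failureTimestamps) {
    const age = now - ts;
    if (age < 0 || age >= windowMs * windows) continue;   // outside the lookback
    counts[Math.floor(age / windowMs)] += 1;               // index 0 = current window
  }
  const [current, ...history] = counts;
  const baseline = history.reduce((a, b) => a + b, 0) / history.length;
  return { current, baseline, spike: current > Math.max(1, baseline) * multiplier };
}

// Constructed sample data (not real accounts). Dates are chosen so that usr_2 is
// dormant, usr_3 has a stale password, and svc_legacy is an unused service account.
const NOW = Date.parse("2024-06-01T00:00:00Z");
const POLICY = { dormantDays: 90, maxPasswordAgeDays: 180 };
const USERS = [
  { id: "usr_1", roles: ["admin"], mfaMethods: ["passkey"], lastLoginAt: "2024-05-30T00:00:00Z", passwordChangedAt: null, createdAt: "2023-01-01T00:00:00Z" },
  { id: "usr_2", roles: [], mfaMethods: ["totp"], lastLoginAt: "2024-01-15T00:00:00Z", passwordChangedAt: "2024-05-01T00:00:00Z", createdAt: "2023-01-01T00:00:00Z" },
  { id: "usr_3", roles: [], mfaMethods: [], lastLoginAt: "2024-05-20T00:00:00Z", passwordChangedAt: "2023-09-01T00:00:00Z", createdAt: "2023-01-01T00:00:00Z" },
  { id: "usr_4", roles: ["admin"], mfaMethods: [], lastLoginAt: null, passwordChangedAt: null, deactivated: true, createdAt: "2023-01-01T00:00:00Z" },
];
const SERVICE_ACCOUNTS = [
  { id: "svc_ci", lastApiCallAt: "2024-05-31T12:00:00Z", createdAt: "2023-06-01T00:00:00Z" },
  { id: "svc_legacy", lastApiCallAt: "2024-01-01T00:00:00Z", createdAt: "2023-06-01T00:00:00Z" },
];
const MIN_MS = 60 * 1000;
const FAILED_LOGINS = [
  ...[1, 2, 3, 4, 5].flatMap((w) => [NOW - (w * 5 + 1) * MIN_MS, NOW - (w * 5 + 3) * MIN_MS]), // 2 per past window
  ...Array.from({ length: 12 }, (_, i) => NOW - i * 10 * 1000),                                  // 12 in the current window
];

console.log(JSON.stringify(runComplianceChecks({ users: USERS, serviceAccounts: SERVICE_ACCOUNTS, policy: POLICY, now: NOW }), null, 2));
console.log(detectFailedLoginSpike(FAILED_LOGINS, { windowMs: 5 * MIN_MS, windows: 6, multiplier: 3, now: NOW }));
```

Two details are worth keeping when adapting this: deactivated users are excluded before any rate is computed, otherwise an org that deprovisions correctly looks worse on MFA adoption than one that never does; and an account that has never signed in is measured from its creation date, so never-used accounts surface as dormant rather than being silently skipped.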

Preparing for a SOC 2 audit

If your organization is undergoing a SOC 2 audit, Avnology ID provides the following to support evidence gathering:

  1. Audit log exports -- Full event history in JSON or CSV format
  2. Configuration snapshots -- Current security settings, policies, and role assignments
  3. SIEM integration -- Real-time event streaming for continuous monitoring evidence
  4. Compliance metrics API -- Programmatic access to adoption and security metrics
  5. Pentest reports -- Available to enterprise customers under NDA
  6. SBOM -- Software Bill of Materials for supply chain verification

Next steps

GDPR Compliance

How Avnology ID supports GDPR requirements -- data access, portability, erasure, and consent.

API Versioning

Avnology ID API versioning strategy and backward compatibility guarantees.
