Security assurance path
SOC2 Readiness
Map BellPathOS security controls to SOC 2 readiness areas before a formal audit.
SOC 2 readinessLocal-first privacyClient-owned secretsCloudflare hardened
SOC 2 readiness
Readiness matrix
This is a product and operations readiness map. It is not a SOC 2 report. A formal report requires a licensed CPA firm to examine the design and/or operating effectiveness of controls.
| Control | Requirement | BellPathOS Implementation | Status |
|---|---|---|---|
| CC1.0 Control Environment | Maintain documented security responsibilities, policies, and owner accountability. | Added SOC2 evidence folder and policy templates; owner must maintain review cadence. | partial |
| CC2.0 Communication | Communicate data handling, privacy, support, and incident reporting to clients. | Trust Center, Data Control, Security Center, Vulnerability Disclosure, Incident Response pages. | implemented |
| CC3.0 Risk Assessment | Identify and assess security, privacy, AI, and bank connector risks. | SOC2 readiness matrix, risk register template, security-check page. | implemented |
| CC4.0 Monitoring | Monitor controls and collect evidence over time. | Evidence log templates added; operational monitoring still requires process. | partial |
| CC5.0 Control Activities | Implement browser hardening and release checks. | _headers security controls, go-live checklist, mobile QA, removed private/admin files. | implemented |
| CC6.0 Logical Access | Protect secrets and restrict access to sensitive tools. | Client-owned secrets model, local encrypted AI vault, Plaid Worker template with CORS allowlist. | partial |
| CC7.0 System Operations | Detect, respond, and recover from security events. | Incident response page, safe-mode recovery, cache reset, support diagnostics. | partial |
| CC8.0 Change Management | Track releases and changes. | Updates center, version manifest, go-live checklist, change-management policy template. | partial |
| CC9.0 Risk Mitigation | Manage vendor and third-party risks. | Vendor risk register template for Cloudflare, Plaid, AI providers, Stripe, and email providers. | partial |
| A1.0 Availability | Maintain recovery path and offline fallback. | Safe Mode, offline page, minimal service worker, no-cache for sensitive pages. | implemented |
| C1.0 Confidentiality | Classify and protect confidential data. | Data classification page and storage guardrails. | implemented |
| P1.0 Privacy | Give clients notice, consent, export, and delete controls. | Privacy consent, data control, trust center, local-first notes. | implemented |
| PI1.0 Processing Integrity | Preserve route and data workflow integrity. | Static link verification, route map, app registry, launch checks. | implemented |
Evidence folder
Audit preparation files included
Use the /security folder as the starting place for policies, evidence logs, vendor risk tracking, and incident/change management records.