# SOC 2 controls

ThorStack's SOC 2 Type II posture, the controls that map to it, and where to find evidence.

## Posture
ThorStack maintains controls aligned with SOC 2 Type II under the AICPA Trust Services Criteria — Security, Availability, Confidentiality. We're additionally aligned with GDPR and ISO 27001 practices.
The latest report is available under NDA from your account team.
## Control families
| Family | What it covers |
|---|---|
| CC1 — Control environment | Org structure, board oversight, ethics. |
| CC2 — Communication | Security policy, training, incident comms. |
| CC3 — Risk assessment | Annual risk review, threat modeling. |
| CC4 — Monitoring | Continuous monitoring, internal audit. |
| CC5 — Control activities | Change management, code review, deployment. |
| CC6 — Logical access | RBAC, MFA, key management. |
| CC7 — System operations | Incident response, patching, vulnerability scanning. |
| CC8 — Change management | SDLC, separation of duties. |
| CC9 — Risk mitigation | Vendor management, BCP/DR. |
## Evidence pointers
Customers asking for evidence are pointed at:
- The audit trail (see Audit logs) for any data-handling control.
- The change-management trail (per-deploy runbook) for CC5 / CC8.
- The vulnerability scanner output (Snyk, Trivy) for CC7.
- The vendor sub-processor list for CC9 — published at thorstack.com/legal/dpa.
## Sub-processors
Every infrastructure provider that holds tenant data is listed in the DPA. Adding or removing a sub-processor triggers a customer notice in advance.
## Pen tests
We run an external penetration test annually plus a continuous bug bounty. The most recent pen-test letter (no findings of high or critical severity) is shareable under NDA.
## Compliance for your customers
If your customers ask about your compliance, the same controls flow through — your tenant inherits the platform's posture for the controls we operate. Where you operate the control (e.g. user provisioning), the audit trail is your evidence.
## Next
- Audit logs — the evidence layer.
- Data residency — where your tenant lives.
- Encryption & secrets — how we protect data at rest.