# SOC 2 controls
ThorStack's SOC 2 Type II posture, the controls that map to it, and where to find evidence.
## Posture
ThorStack maintains controls aligned with SOC 2 Type II under the AICPA Trust Services Criteria (Security, Availability, Confidentiality). We're additionally aligned with GDPR and ISO 27001 practices.
The latest report is available under NDA from your account team.
## Control families
| Family | What it covers |
|---|---|
| CC1, Control environment | Org structure, board oversight, ethics. |
| CC2, Communication | Security policy, training, incident comms. |
| CC3, Risk assessment | Annual risk review, threat modeling. |
| CC4, Monitoring | Continuous monitoring, internal audit. |
| CC5, Control activities | Change management, code review, deployment. |
| CC6, Logical access | RBAC, MFA, key management. |
| CC7, System operations | Incident response, patching, vulnerability scanning. |
| CC8, Change management | SDLC, separation of duties. |
| CC9, Risk mitigation | Vendor management, BCP/DR. |
## Evidence pointers
Customers asking for evidence are pointed at:
- The audit trail (see Audit logs) for any data-handling control.
- The change-management trail (per-deploy runbook) for CC5 / CC8.
- The vulnerability scanner output (Snyk, Trivy) for CC7.
- The vendor sub-processor list for CC9, published at thorstack.com/legal/dpa.
## Sub-processors
Every infrastructure provider that holds tenant data is listed in the DPA. Adding or removing a sub-processor triggers a customer notice in advance.
## Pen tests
We run an external penetration test annually plus a continuous bug bounty. The most recent pen-test letter (no findings of high or critical severity) is shareable under NDA.
## Compliance for your customers
If your customers ask about your compliance, the same controls flow through: your tenant inherits the platform's posture for the controls we operate. Where you operate the control (e.g. user provisioning), the audit trail is your evidence.
## Next
- Audit logs, the evidence layer.
- Data residency, where your tenant lives.
- Encryption & secrets, how we protect data at rest.