SOC 2 Compliance
SOC 2 Type II is the most commonly required security certification for SaaS companies selling to enterprises. vybdocs helps satisfy the Change Management and Logical Access criteria automatically by enforcing constraints on every AI-generated commit.
Relevant trust service criteria
| Criteria | Name | How vybdocs helps |
|---|---|---|
| CC6.1 | Logical and physical access controls | Rules enforce authentication, secret management, access control |
| CC6.6 | Logical access security measures | Input validation rules prevent injection attacks |
| CC6.7 | Transmission protection | Rules ban HTTP for external API calls |
| CC7.1 | Detection of malicious/unauthorized activity | Rules ban eval(), prototype pollution, injection vectors |
| CC7.2 | System monitoring | Rules require logging and audit trail annotations |
| CC8.1 | Change management | Every code change is checked before merge; Evidence Pack proves it |
Applying the SOC 2 baseline
vyb init --pack us-saas-general
The us-saas-general pack covers the core SOC 2 criteria. Adjust for your specific controls.
What auditors ask for
SOC 2 Type II auditors typically ask for:
- Evidence of a code review process —
vyb checkprovides automated, documented enforcement on every PR. - Evidence that security controls are enforced consistently — the Evidence Pack chain proves every commit was checked.
- Evidence of access control implementation — rules requiring authentication middleware satisfy CC6.1.
- Period of performance — Evidence Packs timestamped over the audit period (typically 12 months).
What to present to auditors
Present the following:
.vyb/spec.yaml— your declared controls- Evidence Pack archive (all packs from the audit period)
vyb evidence --verifyoutput confirming chain integrity- Your GitHub Actions log showing
vyb checkon every PR
Example auditor conversation
Auditor: "How do you ensure that developers don't introduce hardcoded secrets into the codebase?"
You: "We enforce a no-hardcoded-secrets rule at block severity in our constraint spec. Every PR runs vyb check, which tests the diff against this rule. If any line matches the pattern for inline secrets, the PR is blocked and cannot be merged. The Evidence Pack from each passing run is archived and cryptographically signed — here is the archive covering the audit period."
CC8.1 — Change management in detail
CC8.1 requires that "changes to infrastructure, data, software, and procedures are authorized, designed, developed, tested, and approved." vybdocs addresses the testing and approval parts:
- Testing:
vyb checkevaluates every change against your declared constraints - Approval: The Evidence Pack is the artifact proving the change was tested and met the criteria
- Authorization: The spec itself is version-controlled — changes to the spec are themselves gated by
vyb check
Retention
Store Evidence Packs for at least 12 months (the SOC 2 Type II minimum period). Recommended: AWS S3 with Object Lock enabled, or Azure Blob Storage with immutability policy.
Next: EU AI Act