SOC 2
SOC 2 is an AICPA assurance reporting framework for service organizations. The related Trust Services Criteria cover security, availability, processing integrity, confidentiality, and privacy.
Buyer question
“If WWKG is part of our service, what evidence can it provide for SOC 2 controls?”
WWKG fit
| Trust Services area | WWKG fit | Status |
|---|---|---|
| Security | Workspace encryption, identity, signed commits, validation, and branch review support data-layer security evidence. | Partial fit |
| Availability | Peer-to-peer operation, cached blocks, replication policy, and local-first operation can support resilience evidence. | Partial fit |
| Processing integrity | Commit history, validation rules, deterministic changes, and branch promotion provide evidence over data changes. | Native fit |
| Confidentiality | End-to-end encryption and workspace membership help protect confidential data from infrastructure operators. | Native fit |
| Privacy | Scoped workspaces, provenance, metadata, and access boundaries support privacy controls, but privacy operations remain broader than WWKG. | Partial fit |
What WWKG can say
WWKG can produce useful SOC 2 evidence around the data plane:
- Commit records showing who changed data.
- Branch and merge records showing review before production promotion.
- Validation reports showing rejected or warned data-quality issues.
- Workspace membership and encryption evidence.
- Events and activity records for operational traceability.
- Replication and node topology evidence for availability discussions.
Assessment boundary
SOC 2 reports cover the service organization’s system and controls. Access reviews, change-management procedures, incident response, vendor management, HR controls, customer commitments, and the independent attestation process remain part of the buyer’s control environment.
WWKG can supply data-layer controls and evidence that support SOC 2 security, availability, confidentiality, processing-integrity, and privacy criteria.