Free interactive tool
Answer 12 questions about your stack. Get a SOC 2 readiness checklist mapping your answers to specific Trust Services Criteria controls (CC1-CC9). Identifies gaps + tells you how to close them. Download as markdown for your team.
5 minutes. No signup. Runs entirely in your browser — your answers never leave the page.
Is MFA enforced for all human access to your production systems?
Includes admin consoles (AWS, GCP, Azure), GitHub org, deploy tooling, and any production database access. SSO with mandatory MFA counts.
Does every multi-tenant data query filter by workspace_id / org_id at the ORM layer?
If your app has multiple customers in one database, every Query.all() must scope to a tenant. A single missed filter = cross-tenant data leak.
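Added illustration, not part of the tool itself: the leaky Query.all() next to a session layer that injects the tenant filter once, plus a coarse is_scoped() check of the kind you would hang on an ORM before-execute hook. sqlite3 stands in for the ORM, and the invoices table, org_a/org_b rows and all function names are constructed for the example.

```python
import re
import sqlite3
# Constructed sample data: two customers (tenants) sharing one invoices table.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, amount INTEGER NOT NULL);
INSERT INTO invoices (org_id, amount) VALUES ('org_a', 100), ('org_a', 250), ('org_b', 999);
"""
TENANT_TABLES = {"invoices"}  # every table holding customer data, keyed by org_id
COLUMNS = "id, org_id, amount"

class UnscopedQueryError(Exception):
    """A query read a tenant table without filtering on org_id."""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def is_scoped(sql):
    """True unless the SQL reads a tenant table with no org_id predicate.
    Coarse regex check for use as defence in depth (e.g. in an ORM
    before-execute hook); it does not replace scoping each query."""
    tables = set(re.findall(r"\bFROM\s+(\w+)", sql, re.IGNORECASE))
    return not (tables & TENANT_TABLES) or bool(re.search(r"\borg_id\s*=\s*\?", sql))

def leaky_all(conn, table):
    """The bug the checklist warns about: Query.all() with no tenant filter.
    Any caller, for any tenant, gets every customer's rows back."""
    return conn.execute(f"SELECT {COLUMNS} FROM {table}").fetchall()

class TenantSession:
    """Per-request query layer: the org_id filter is injected here, so no
    call site can forget it. This is the hardened form of Query.all()."""

    def __init__(self, conn, org_id):
        self.conn, self.org_id = conn, org_id

    def all(self, table, extra_where="", params=()):
        # table names come from application constants, never from user input
        sql = f"SELECT {COLUMNS} FROM {table} WHERE org_id = ?"
        if extra_where:
            sql += f" AND ({extra_where})"
        if not is_scoped(sql):  # belt and braces: refuse to run an unscoped read
            raise UnscopedQueryError(sql)
        return self.conn.execute(sql, (self.org_id, *params)).fetchall()

def orgs_in(rows):
    """Set of org_ids in a result set; a correctly scoped query yields one."""
    return {row[1] for row in rows}
```

Running leaky_all() as org_a returns org_b's invoice as well; TenantSession(conn, "org_a").all("invoices") never can.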
Do you log every state-changing API call (create/update/delete) with actor + timestamp + before/after?
An audit trail lets you reconstruct who did what, when. Required for incident response, compliance review, and customer trust.
Is sensitive data encrypted at rest in your production database (AES-256 or equivalent)?
Most managed databases (RDS, Cloud SQL, Aurora) offer this with one checkbox. Verify it's actually enabled — defaults vary.
Is all traffic to your app behind HTTPS / TLS 1.2+ with valid certificates?
Includes API endpoints, frontend, internal service-to-service calls. Mixed-content warnings or http:// callbacks fail this.
Are all secrets (API keys, DB passwords, JWT secrets) stored in environment variables or a vault — not in source code?
Hardcoded secrets in git history are a SOC 2 finding even if you rotate them later. The history is the evidence.
Does your app enforce role-based access control (RBAC) at the route/endpoint level?
Not just hiding UI elements — actual server-side checks that a user with 'viewer' role can't POST to admin endpoints.
Do you have a written incident response playbook (what to do if a customer reports a security issue)?
Even one page is enough to start. Should include: who's notified, how to acknowledge the reporter, disclosure timeline, postmortem requirement.
Do you run automated dependency vulnerability scanning on every deploy?
GitHub Dependabot, Snyk, npm audit, pip-audit — any tool that catches known-vulnerable dependencies before they ship to prod.
Do you remove access for departed employees within 24 hours of termination?
Includes GitHub org membership, AWS IAM, Slack workspace, deploy tools, and shared customer accounts. Quarterly access review for active employees is the next bar.
Have you successfully restored from a backup in the last 90 days (test, not just schedule)?
Daily backups that have never been tested are not backups — they're hopeful files. A documented restore proves the backup actually works.
Do you have a written data retention + deletion policy that customers can read?
Should answer: how long is customer data kept after they delete an account? What about backups? Is there a way for them to request deletion (GDPR DSR)?