Most Flask boilerplates skip compliance. Most SOC 2 frameworks ignore the stack. Archiet generates a complete Flask + Next.js SaaS with all 10 Trust Services Criteria mapped to actual code — auth, audit log, RLS, encryption, evidence narratives.
Open-source Flask SaaS boilerplates ship auth, billing, and CRUD — but skip the controls SOC 2 auditors actually check: workspace-scoped database queries, audit logging on every PII read, role-based access enforcement at the route level, encryption at rest for sensitive columns, and evidence narratives mapping each control to the relevant Trust Services Criteria. Bolting these on later costs 4-6 weeks per audit. Archiet generates them as part of the application from day one.
Backend: Flask 3.x with SQLAlchemy 2.0, Alembic migrations, Flask-JWT-Extended with httpOnly cookies (never localStorage), workspace-scoped query helpers, audit log models for every PII access, RBAC middleware with route-level enforcement, AES-256 encryption for flagged columns. Frontend: Next.js 15 App Router with httpOnly cookie auth, server-side session validation, accessibility-compliant forms. Both connect via a documented OpenAPI 3.1 spec generated from the same ArchiMate model.
CC1 (Control Environment) → governance.md + audit log model. CC2 (Communication) → notification service + email templates. CC3 (Risk Assessment) → security review checklist + threat model. CC4 (Monitoring) → Prometheus metrics + alert rules. CC5 (Control Activities) → RBAC middleware + audit log. CC6 (Logical Access) → JWT auth + role enforcement. CC7 (System Operations) → health checks + deployment manifests. CC8 (Change Management) → migration scripts + ADR docs. CC9 (Risk Mitigation) → backup + DR runbooks. A1/PI1/C1/P1 → applied per data classification on each model field.
Workspace isolation is enforced in three layers: (1) every SQLAlchemy query filters by workspace_id via the Query.all() guard, (2) Postgres row-level security policies enforce isolation at the database, (3) audit log entries record the workspace_id of every cross-workspace access attempt. Auditors get evidence at all three layers — not just a sentence in a policy doc.
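The three layers above, shown as an added illustration written for this page rather than Archiet's generated code. It stands in for SQLAlchemy with the standard library's sqlite3 so it runs offline; the `contacts` table, the `app.workspace_id` session setting, and the RLS DDL are assumptions, and the DDL is shown as text only because SQLite has no row-level security. The scoped-query helper plays the role of the Query.all() guard: it refuses any statement that lacks a workspace filter, every PII read writes an audit row, and a request that names another tenant's workspace is logged with that target workspace_id before it is refused.

```python
"""Three-layer workspace isolation (query guard, RLS policy, audit log)."""
import sqlite3
from dataclasses import dataclass

# Layer 2: the Postgres policy a migration would apply. Assumed DDL, not
# executed here (sqlite3 has no RLS). FORCE applies it to the owner too.
RLS_POLICY_SQL = """
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;
CREATE POLICY contacts_workspace_isolation ON contacts
    USING (workspace_id = current_setting('app.workspace_id')::int);
"""


class UnscopedQueryError(Exception):
    """A statement reached the database without a workspace filter."""


class CrossWorkspaceAccess(Exception):
    """The caller named a workspace other than the one in its session."""


@dataclass(frozen=True)
class Principal:
    user_id: int
    workspace_id: int


def init_db() -> sqlite3.Connection:
    """Create the schema and load constructed sample rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, "
                 "workspace_id INTEGER NOT NULL, email TEXT NOT NULL)")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                 "user_id INTEGER, workspace_id INTEGER, target_workspace_id INTEGER, "
                 "action TEXT, table_name TEXT, row_id INTEGER)")
    conn.executemany(
        "INSERT INTO contacts (id, workspace_id, email) VALUES (?, ?, ?)",
        [(1, 10, "a@ws10.example"), (2, 10, "b@ws10.example"), (3, 20, "c@ws20.example")],
    )
    return conn


class WorkspaceScopedRepo:
    """Layer 1: the only path to the contacts table; every statement is scoped."""

    def __init__(self, conn: sqlite3.Connection, principal: Principal):
        self.conn = conn
        self.p = principal

    def _audit(self, action: str, table: str, row_id=None, target_ws=None) -> None:
        # Layer 3: one row per PII read and per cross-workspace attempt.
        self.conn.execute(
            "INSERT INTO audit_log (user_id, workspace_id, target_workspace_id, "
            "action, table_name, row_id) VALUES (?, ?, ?, ?, ?, ?)",
            (self.p.user_id, self.p.workspace_id,
             self.p.workspace_id if target_ws is None else target_ws,
             action, table, row_id))

    def _scoped(self, sql: str, params: tuple) -> list:
        # The .all() guard: refuse any statement without the tenant filter.
        # Convention: "workspace_id = ?" is the last placeholder in the SQL.
        if "workspace_id = ?" not in sql:
            raise UnscopedQueryError(sql)
        return self.conn.execute(sql, params + (self.p.workspace_id,)).fetchall()

    def list_contacts(self) -> list:
        rows = self._scoped("SELECT id, email FROM contacts WHERE workspace_id = ?", ())
        self._audit("read", "contacts")
        return rows

    def get_contact(self, contact_id: int):
        rows = self._scoped(
            "SELECT id, email FROM contacts WHERE id = ? AND workspace_id = ?", (contact_id,))
        if not rows:
            # Missing or in another tenant: log the denial and answer the same
            # way for both, so the caller learns nothing about other tenants.
            self._audit("denied", "contacts", row_id=contact_id)
            return None
        self._audit("read", "contacts", row_id=contact_id)
        return rows[0]

    def for_workspace(self, requested_ws: int) -> "WorkspaceScopedRepo":
        # A workspace id taken from the URL or body must match the session's.
        if requested_ws != self.p.workspace_id:
            self._audit("cross_workspace_attempt", "contacts", target_ws=requested_ws)
            raise CrossWorkspaceAccess(requested_ws)
        return self

    def audit_entries(self) -> list:
        return self.conn.execute("SELECT action, workspace_id, target_workspace_id, "
                                 "row_id FROM audit_log ORDER BY id").fetchall()


def demo() -> dict:
    """Exercise all three layers on the constructed data and return the results."""
    repo = WorkspaceScopedRepo(init_db(), Principal(user_id=1, workspace_id=10))
    out = {"own": repo.list_contacts(), "other": repo.get_contact(3)}
    try:
        repo.for_workspace(20)
    except CrossWorkspaceAccess:
        out["blocked"] = True
    try:
        repo._scoped("SELECT id FROM contacts", ())
    except UnscopedQueryError:
        out["unscoped_refused"] = True
    out["audit"] = repo.audit_entries()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit rows are what an auditor inspects: the read of the tenant's own list, the denied lookup of row 3 (which belongs to workspace 20), and the attempt to address workspace 20 directly, recorded with `target_workspace_id = 20`. In Postgres the same session would also run under `RLS_POLICY_SQL`, so a query that slipped past the application guard would still return no foreign rows.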
The same pipeline that generates the application generates a /docs/compliance directory: control-narratives.md (one paragraph per Trust Services Criterion mapping to specific code files), evidence-checklist.md (auditor-facing list with file:line references), data-flow-diagrams.svg (rendered from the ArchiMate model), and a SOC 2 readiness scorecard. Drop-in starting point for your auditor — not the final pack, but eliminates the first 60% of the work.
Financial technology companies need SOC 2 Type II before their first enterprise deal. Archiet maps your architecture to all 10 Trust Services Criteria automatically — evidence narratives included.
B2B SaaS buyers expect SOC 2 Type II. Archiet generates compliant architecture with multi-tenant isolation, audit logging, and encryption — mapped to Trust Services Criteria automatically.
Microservices make GDPR harder — personal data flows across service boundaries. Archiet maps data classifications to each service and generates GDPR controls: consent tracking, data export, right to erasure, and breach notification.