What lands in your output bundle
When the genome carries any compliance flag (soc2: true is the explicit one, but any of hipaa / pci / gdpr flips this on too), Archiet emits the SOC 2 overlay artifact pack:
compliance/soc2/
├── control_matrix.md # Trust Services Criteria mappings (Security/Availability/Confidentiality)
├── access_review_runbook.md # quarterly RBAC review process
├── change_management_policy.md # PR approval + deploy gates
├── incident_response_runbook.md # detection, triage, postmortem
└── risk_register.md # starter register the team can iterate on
app/security/
├── audit_writer.{stack-ext} # append-only event emitter with SHA-256 hash chain
├── audit_reader.{stack-ext} # replay API with attribution + chain verification
├── audit_pii_redactor.{stack-ext} # read-time redaction for non-admin readers
└── audit_siem_exporter.{stack-ext} # Splunk HEC / Datadog Logs / CloudWatch sink
app/auth/
├── oauth_handler.{stack-ext} # PKCE auth-code flow for Google / GitHub / Microsoft / OIDC
├── saml_handler.{stack-ext} # SAML 2.0 (Enterprise plan)
└── okta_azuread_handler.{stack-ext} # Okta / Azure AD (Enterprise plan)
alembic/versions/
├── NNNN_audit_events.py # audit_events + Postgres trigger blocking UPDATE/DELETE
└── NNNN_oauth_connections.py # oauth_connections (encrypted tokens, per-tenant scope)
What's already wired
Audit infrastructure (CC7 — System Operations)
- Append-only audit_events table with a Postgres trigger that raises on UPDATE or DELETE. Auditors verify by attempting the mutation and showing the rejection.
- SHA-256 hash chain per workspace. The reader verifies the chain on load and surfaces tamper_detected: true if any link breaks.
- Per-(workspace, sink) cursor SIEM export to Splunk HEC / Datadog Logs / CloudWatch — idempotent restart, no duplicates, no loss.
- Replay API reconstructs entity state at any past timestamp.
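Added example, not Archiet's generated audit_writer / audit_reader code: a minimal per-workspace SHA-256 hash chain in Python, with the reader-side verification that returns tamper_detected: true at the first broken link. The names AuditWriter, verify_chain and demo, the GENESIS sentinel, and the in-memory row list standing in for the audit_events table are assumptions made for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel: prev_hash of the first event in each workspace


def _link_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same row always hashes identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditWriter:
    """Append-only emitter; each event links to the previous event of the same workspace."""

    def __init__(self) -> None:
        self.rows: list[dict] = []        # stands in for the audit_events table
        self._heads: dict[str, str] = {}  # workspace_id -> hash of its latest event

    def emit(self, workspace_id: str, actor: str, action: str, entity: str) -> dict:
        prev = self._heads.get(workspace_id, GENESIS)
        body = {"seq": len(self.rows), "workspace_id": workspace_id, "actor": actor,
                "action": action, "entity": entity, "prev_hash": prev}
        row = {**body, "hash": _link_hash(prev, body)}
        self.rows.append(row)
        self._heads[workspace_id] = row["hash"]
        return row


def verify_chain(rows: list[dict], workspace_id: str) -> dict:
    """Reader-side check: walk one workspace's links and flag the first one that breaks."""
    prev = GENESIS
    for row in (r for r in rows if r["workspace_id"] == workspace_id):
        body = {k: v for k, v in row.items() if k != "hash"}
        if row["prev_hash"] != prev or _link_hash(prev, body) != row["hash"]:
            return {"tamper_detected": True, "broken_at_seq": row["seq"]}
        prev = row["hash"]
    return {"tamper_detected": False, "head": prev}


def demo() -> tuple:
    """Constructed sample: two workspaces, then a simulated in-place edit of one ws-a row."""
    w = AuditWriter()
    w.emit("ws-a", "alice", "user.invite", "user:42")
    w.emit("ws-b", "bob", "apikey.rotate", "apikey:7")
    w.emit("ws-a", "alice", "role.change", "user:42")
    clean = verify_chain(w.rows, "ws-a")["tamper_detected"]
    edited = [dict(r) for r in w.rows]
    edited[2]["action"] = "role.noop"  # the UPDATE the Postgres trigger would have rejected
    found = verify_chain(edited, "ws-a")
    return clean, found["tamper_detected"], found["broken_at_seq"]
```

Deleting only the newest row of a workspace leaves a chain that still verifies, so a reader should also compare the stored head against an expected head kept elsewhere; that gap is why the DELETE-blocking trigger matters alongside the chain.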
Access controls (CC6 — Logical and Physical Access Controls)
- OAuth + OIDC chain on Professional (Google / GitHub / Microsoft / custom OIDC). PKCE everywhere — no implicit flow.
- SAML 2.0, Okta, Azure AD on Enterprise — the answer to "yes, we support enterprise SSO" on the first sales call.
- Encrypted token storage at rest (refresh + access tokens encrypted with the workspace ENCRYPTION_MASTER_KEY before they touch the database).
- Multi-tenant row-level isolation. Every query gets WHERE workspace_id = :workspace_id injected. The architecture forbids cross-tenant data reads.
- access_review_runbook.md documents the quarterly RBAC review the audit will ask about.
Change management (CC8 — Change Management)
- change_management_policy.md documents the PR approval + deploy gate workflow.
- Generated CI/CD includes the deploy gate as a GitHub Actions check.
- ADRs in MADR v4 format for every material decision — auditors can trace any change back to its design rationale.
Incident response (CC7.4)
- incident_response_runbook.md covers detection, triage, communication, postmortem.
- Audit infrastructure provides the forensic timeline (replay API + hash-chain verification).
Risk management (CC3 — Risk Assessment)
- risk_register.md template with starter rows the team iterates on quarterly.
- Drift detection flags when implementation diverges from blueprint — early warning for risks that grew silently.
What this answers in your enterprise security review
- "Show me your audit log." → audit_events schema + hash chain + replay API.
- "What's your SSO support?" → OAuth + OIDC chain + SAML 2.0 + Okta + Azure AD (Enterprise).
- "How do you isolate tenants?" → row-level workspace isolation enforced in every query.
- "How do you handle change management?" → change_management_policy.md + deploy gate in CI/CD.
- "What's your incident response process?" → incident_response_runbook.md + audit replay.
- "Show me your risk register." → risk_register.md (starter, team iterates).
Stacks supported
Flask · FastAPI · Django · NestJS · Laravel · Rails · Go · Java (Spring) · .NET · Salesforce Apex · SAP CAP · Dynamics 365.
Pricing
The SOC 2 artifact pack + audit infrastructure + OAuth + OIDC chain ship on the Professional plan ($599/mo, $419/mo annual). SAML / Okta / Azure AD enterprise SSO ships on Enterprise. Strict-mode SOC 2 Type II compliance flags ship on Enterprise too.
Related
- See the audit infrastructure feature page for the technical detail of the audit generator.
- See the OAuth providers feature page for the auth chain detail.
- See the SaaS industry page for the full B2B SaaS positioning.
- See the compliance frameworks page for the full SOC 2 + ISO 27001 + GDPR + HIPAA + PCI-DSS + DORA + NIS2 framework overview.