SOC 2 Compliance

| Field | Value |
|---|---|
| Document ID | ASCEND-COMP-003 |
| Version | 1.0.0 |
| Last Updated | December 19, 2025 |
| Author | Ascend Engineering Team |
| Publisher | OW-KAI Technologies Inc. |
| Classification | Enterprise Client Documentation |
| Compliance | SOC 2 CC6.1/CC6.2, PCI-DSS 7.1/8.3, HIPAA 164.312, NIST 800-53 AC-2/SI-4 |

Reading Time: 8 minutes | Skill Level: Intermediate

Overview

ASCEND maintains SOC 2 Type II certification, demonstrating ongoing compliance with the AICPA Trust Services Criteria. Our platform provides the controls and evidence needed for your organization's SOC 2 audits.

Trust Services Criteria

Security (CC6)

| Control | Description | ASCEND Implementation |
|---|---|---|
| CC6.1 | Logical access security | RBAC, API key management, MFA |
| CC6.2 | Access provisioning | JIT provisioning, access reviews |
| CC6.3 | Access removal | Auto-deprovisioning, offboarding |
| CC6.6 | External threats | WAF, DDoS protection, rate limiting |
| CC6.7 | Transmission protection | TLS 1.3, certificate pinning |
| CC6.8 | Malicious software | Input validation, code scanning |

Availability (A1)

| Control | Description | ASCEND Implementation |
|---|---|---|
| A1.1 | Capacity planning | Auto-scaling, load balancing |
| A1.2 | Recovery procedures | Multi-region DR, automated backups |
| A1.3 | Recovery testing | Quarterly DR tests |

Confidentiality (C1)

| Control | Description | ASCEND Implementation |
|---|---|---|
| C1.1 | Data classification | Automatic PII detection |
| C1.2 | Data protection | AES-256 encryption |

Access Control Evidence

Generate Access Review Report

curl -X POST "https://pilot.owkai.app/api/compliance-export/exports" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "report_type": "access_review",
    "period_start": "2025-10-01",
    "period_end": "2025-12-31",
    "include_sections": [
      "user_list",
      "role_assignments",
      "access_changes",
      "terminated_users",
      "privilege_escalations"
    ]
  }'

User Access Report

{
  "report_type": "access_review",
  "period": "2025-Q4",
  "summary": {
    "total_users": 150,
    "active_users": 145,
    "new_users": 12,
    "removed_users": 7,
    "role_changes": 23
  },
  "users": [
    {
      "user_id": "user_001",
      "email": "admin@company.com",
      "role": "admin",
      "created_at": "2024-06-15",
      "last_login": "2025-12-15T09:00:00Z",
      "mfa_enabled": true,
      "access_changes": []
    }
  ],
  "removed_users": [
    {
      "user_id": "user_050",
      "email": "former@company.com",
      "removed_at": "2025-11-20",
      "removal_reason": "termination",
      "access_removed_within_24h": true
    }
  ]
}
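
A reviewer can check an exported report against CC6.1 and CC6.3 mechanically rather than by eye. The following is an added example, not ASCEND code: it reads the `users` and `removed_users` arrays shown above and lists accounts that need follow-up. The finding labels and the 90-day stale-login threshold are assumptions, and the sample records other than user_001 and user_050 are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the report's shape. user_001 and user_050 come from the
# report above; user_002 and user_051 are invented records that should be flagged.
REPORT = json.loads("""
{
  "users": [
    {"user_id": "user_001", "role": "admin", "last_login": "2025-12-15T09:00:00Z", "mfa_enabled": true},
    {"user_id": "user_002", "role": "analyst", "last_login": "2025-08-01T00:00:00Z", "mfa_enabled": false},
    {"user_id": "user_051", "role": "analyst", "last_login": "2025-12-20T08:00:00Z", "mfa_enabled": true}
  ],
  "removed_users": [
    {"user_id": "user_050", "removed_at": "2025-11-20", "access_removed_within_24h": true},
    {"user_id": "user_051", "removed_at": "2025-12-01", "access_removed_within_24h": false}
  ]
}
""")
PERIOD_END = datetime(2025, 12, 31, tzinfo=timezone.utc)  # period_end of the export request


def review_access(report, period_end=PERIOD_END, stale_days=90):
    """Return (user_id, finding) pairs an access reviewer should follow up on."""
    findings = []
    cutoff = period_end - timedelta(days=stale_days)  # stale_days is an assumed policy value
    active_ids = set()
    for user in report.get("users", []):
        active_ids.add(user["user_id"])
        if user.get("mfa_enabled") is not True:
            findings.append((user["user_id"], "mfa_disabled"))
        last_login = user.get("last_login")
        if not last_login or datetime.fromisoformat(last_login.replace("Z", "+00:00")) < cutoff:
            findings.append((user["user_id"], "stale_account"))
    for removed in report.get("removed_users", []):
        if removed.get("access_removed_within_24h") is not True:
            findings.append((removed["user_id"], "late_deprovisioning"))
        if removed["user_id"] in active_ids:
            findings.append((removed["user_id"], "removed_but_still_listed"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_access(REPORT):
        print(f"{user_id}: {finding}")
```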

Change Management (CC8)

Configuration Changes

curl "https://pilot.owkai.app/api/audit/changes?category=configuration&days=90" \
  -H "Authorization: Bearer <admin_jwt>"

Response:

{
  "changes": [
    {
      "change_id": "chg_001",
      "timestamp": "2025-12-10T14:30:00Z",
      "change_type": "policy_update",
      "changed_by": "admin@company.com",
      "description": "Updated risk threshold from 80 to 75",
      "before": {"auto_deny_threshold": 80},
      "after": {"auto_deny_threshold": 75},
      "approval": {
        "approved_by": "security@company.com",
        "approved_at": "2025-12-10T14:25:00Z"
      }
    }
  ]
}

Change Approval Workflow

All significant changes require approval:

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Change    │────▶│   Review    │────▶│   Deploy    │
│   Request   │     │   Approve   │     │   Monitor   │
└─────────────┘     └─────────────┘     └─────────────┘
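
The approval workflow can be tested against the change records themselves. This added example (not ASCEND code) takes a response in the shape returned by `/api/audit/changes` and reports changes with no approval, changes approved by the person who made them, and approvals recorded after the change. It assumes `timestamp` is the time the change was applied; the defect labels and the records chg_002 and chg_003 are constructed.

```python
from datetime import datetime

# Constructed sample: chg_001 is the record shown above; chg_002 and chg_003 are
# invented records that violate the approval workflow.
RESPONSE = {"changes": [
    {"change_id": "chg_001", "timestamp": "2025-12-10T14:30:00Z",
     "changed_by": "admin@company.com",
     "approval": {"approved_by": "security@company.com",
                  "approved_at": "2025-12-10T14:25:00Z"}},
    {"change_id": "chg_002", "timestamp": "2025-12-11T09:00:00Z",
     "changed_by": "admin@company.com", "approval": None},
    {"change_id": "chg_003", "timestamp": "2025-12-12T16:00:00Z",
     "changed_by": "admin@company.com",
     "approval": {"approved_by": "Admin@company.com",
                  "approved_at": "2025-12-12T16:40:00Z"}},
]}


def _parse(ts):
    """Parse the ISO 8601 UTC timestamps used in the response."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def approval_defects(change):
    """Return the approval problems found in one change record."""
    approval = change.get("approval") or {}
    approver, approved_at = approval.get("approved_by"), approval.get("approved_at")
    if not approver or not approved_at:
        return ["missing_approval"]
    defects = []
    if approver.strip().lower() == change["changed_by"].strip().lower():
        defects.append("self_approved")  # no separation of duties
    if _parse(approved_at) > _parse(change["timestamp"]):
        defects.append("approved_after_change")  # assumes timestamp = time applied
    return defects


def audit_changes(response):
    """Map change_id -> defects, listing only changes that have at least one."""
    report = {}
    for change in response.get("changes", []):
        defects = approval_defects(change)
        if defects:
            report[change["change_id"]] = defects
    return report
```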

Monitoring & Logging (CC7)

System Monitoring

curl "https://pilot.owkai.app/api/compliance/monitoring-status" \
  -H "Authorization: Bearer <admin_jwt>"

Response:

{
  "monitoring_status": "active",
  "components": {
    "api_monitoring": {"status": "healthy", "latency_p99_ms": 120},
    "database_monitoring": {"status": "healthy", "connections": 45},
    "security_monitoring": {"status": "healthy", "alerts_24h": 2}
  },
  "alerting": {
    "channels_configured": 3,
    "alerts_sent_30d": 15,
    "avg_response_time_min": 8
  }
}

Audit Log Integrity

curl "https://pilot.owkai.app/api/audit/integrity-check" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "period_start": "2025-01-01",
    "period_end": "2025-12-31"
  }'

Response:

{
  "integrity_status": "valid",
  "records_checked": 1250000,
  "hash_chain_valid": true,
  "gaps_detected": 0,
  "tampering_detected": false,
  "last_verified": "2025-12-15T10:00:00Z"
}
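
To show what `hash_chain_valid`, `gaps_detected` and `tampering_detected` distinguish, here is an added example of a hash-chain check; it is not ASCEND's implementation. The page does not document the audit record format, so the record layout (`seq`, `payload`, `prev_hash`, `hash`), the SHA-256 construction and the all-zero genesis value are assumptions, and the sample log is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first record


def record_hash(prev_hash, seq, payload):
    """SHA-256 over the previous hash plus a canonical encoding of this record."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(payloads):
    """Build a constructed sample log in the assumed record layout."""
    chain, prev = [], GENESIS
    for seq, payload in enumerate(payloads, start=1):
        digest = record_hash(prev, seq, payload)
        chain.append({"seq": seq, "payload": payload, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(records):
    """Walk the chain once and summarise it with the response's field names."""
    prev, expected, gaps, tampered = GENESIS, 1, 0, 0
    for rec in records:
        content_ok = record_hash(rec["prev_hash"], rec["seq"], rec["payload"]) == rec["hash"]
        if rec["seq"] > expected:
            gaps += rec["seq"] - expected  # records missing before this one
            link_ok = True                 # link to a missing record cannot be checked
        else:
            link_ok = rec["seq"] == expected and rec["prev_hash"] == prev
        if not (content_ok and link_ok):
            tampered += 1
        prev, expected = rec["hash"], rec["seq"] + 1
    valid = gaps == 0 and tampered == 0
    return {"integrity_status": "valid" if valid else "invalid",
            "records_checked": len(records), "hash_chain_valid": valid,
            "gaps_detected": gaps, "tampering_detected": tampered > 0}


SAMPLE = build_chain([{"event": "login", "user": "user_001"},
                      {"event": "policy_update", "change_id": "chg_001"},
                      {"event": "export", "report_type": "access_review"}])
```

A chain check of this kind cannot see removal of the newest records unless the latest hash is also stored somewhere the log writer cannot modify.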

Risk Assessment (CC3)

Risk Management Integration

curl "https://pilot.owkai.app/api/compliance/risk-assessment" \
  -H "Authorization: Bearer <admin_jwt>"

Response:

{
  "assessment_date": "2025-12-15",
  "overall_risk_level": "low",
  "categories": {
    "access_control": {"risk": "low", "controls": 12, "effective": 12},
    "data_protection": {"risk": "low", "controls": 8, "effective": 8},
    "availability": {"risk": "low", "controls": 5, "effective": 5},
    "change_management": {"risk": "low", "controls": 6, "effective": 6}
  },
  "open_findings": 0,
  "remediation_in_progress": 0
}

Evidence Package

Generate SOC 2 Evidence Package

curl -X POST "https://pilot.owkai.app/api/compliance/evidence-pack" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "audit_period": {
      "start": "2025-01-01",
      "end": "2025-12-31"
    },
    "control_categories": [
      "CC6",
      "CC7",
      "CC8",
      "A1",
      "C1"
    ],
    "include_artifacts": [
      "access_reviews",
      "change_logs",
      "incident_reports",
      "monitoring_reports",
      "encryption_evidence",
      "backup_verification"
    ]
  }'

Evidence Package Contents

soc2_evidence_2025.zip
├── CC6_Access_Control/
│   ├── user_access_list.csv
│   ├── role_definitions.json
│   ├── access_reviews_q1-q4.pdf
│   └── terminated_user_report.csv
├── CC7_System_Operations/
│   ├── monitoring_dashboard_screenshots/
│   ├── alert_history.csv
│   └── incident_response_log.json
├── CC8_Change_Management/
│   ├── change_requests.csv
│   ├── deployment_log.json
│   └── approval_records.pdf
├── A1_Availability/
│   ├── uptime_report.pdf
│   ├── dr_test_results.pdf
│   └── backup_verification.json
└── C1_Confidentiality/
    ├── encryption_status.json
    └── data_classification_policy.pdf

Continuous Compliance

Automated Control Testing

curl -X POST "https://pilot.owkai.app/api/compliance/test-controls" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "framework": "soc2",
    "controls": ["CC6.1", "CC6.2", "CC7.1"]
  }'

Response:

{
  "test_results": [
    {
      "control": "CC6.1",
      "status": "pass",
      "tests_run": 5,
      "tests_passed": 5,
      "evidence": ["All users have unique IDs", "MFA enabled for 100%"]
    },
    {
      "control": "CC6.2",
      "status": "pass",
      "tests_run": 3,
      "tests_passed": 3,
      "evidence": ["Provisioning requires approval", "Access reviews completed"]
    }
  ]
}

Auditor Portal

Configure Auditor Access

curl -X POST "https://pilot.owkai.app/api/compliance/auditor-access" \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "auditor_email": "auditor@auditfirm.com",
    "audit_firm": "Big Four Audit LLP",
    "access_start": "2026-01-15",
    "access_end": "2026-02-28",
    "permissions": [
      "view_audit_logs",
      "view_access_controls",
      "export_evidence",
      "view_configurations"
    ]
  }'

Best Practices

1. Quarterly Reviews

  • Access reviews every quarter
  • Control testing monthly
  • Evidence collection ongoing

2. Continuous Monitoring

  • Real-time alerting for control failures
  • Automated compliance checks
  • Dashboard visibility

3. Documentation

  • Document all exceptions
  • Maintain remediation plans
  • Track control changes
