SOC 2 Type II Compliance

This document maps IDPFlare's security controls to SOC 2 Trust Services Criteria (TSC). It provides a gap analysis and implementation guidance for deployers preparing for a SOC 2 examination.

Disclaimer: This document is for informational purposes only. It does not constitute a SOC 2 report or guarantee of compliance. You are responsible for working with a qualified CPA firm to undergo a SOC 2 examination.

What is SOC 2?

SOC 2 is based on the AICPA Trust Services Criteria (TSC), which consist of five categories:

  • Security (always required)
  • Availability (optional)
  • Processing Integrity (optional)
  • Confidentiality (optional)
  • Privacy (optional)

This document focuses on the Security category (CC, the Common Criteria), because it is the foundation for every SOC 2 examination.

Control Mapping Summary

SOC 2 Criteria               | IDPFlare Status        | Notes
-----------------------------|------------------------|---------------------------------------------
CC3.1.2 Logical Access       | ✓ Built-in             | Auth, MFA, RBAC, session management
CC3.1.3 Encryption           | ✓ Built-in + Platform  | TLS, D1/KV encryption, MFA secret encryption
CC3.1.4 System Boundaries    | ✓ Built-in             | SSRF protection, HTTPS
CC3.1.6 System Operations    | ⚠ Partial              | Logging built-in; backup/monitoring required
CC3.1.7 Data Loss Prevention | ✓ Built-in             | Input validation, XSS prevention

SOC 2 Trust Services Criteria

CC1.1 - Control Environment

Organizational controls - not implemented in software. You must implement:

  • Define governance structure
  • Create code of conduct, ethics policy
  • Define roles for IDPFlare management
  • Implement training program

CC2.1 - Communication and Information

Organizational controls - establish communication channels and incident reporting procedures.

CC2.2 - Risk Assessment

Organizational controls - you must implement:

  • Define security objectives
  • Conduct risk assessment process
  • Implement risk analysis methodology
  • Link risks to controls
  • Implement change risk assessment

CC2.3 - Monitoring Activities

Criteria | Description                              | IDPFlare Status | Deployer Action Required
---------|------------------------------------------|-----------------|-----------------------------------------
CC2.3.1  | Ongoing/periodic evaluations             | ✗ GAP           | CRITICAL: Implement monitoring
CC2.3.2  | Evaluates and communicates deficiencies  | ✗ GAP           | REQUIRED: Deficiency remediation process
CC2.3.3  | Performs periodic evaluations            | ✗ GAP           | REQUIRED: Periodic audits/reviews

Implementation Guidance:
  • Set up Cloudflare Workers Analytics monitoring
  • Implement log aggregation to SIEM
  • Configure alerts for security events:
    • Failed login attempts (audit log: login_failure)
    • Account lockouts (audit log: account_locked)
    • MFA failures (audit log: mfa_verify_failure)
    • Rate limit exceeded (audit log: rate_limit_exceeded)
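The alerting step above, worked through as an added example that is not IDPFlare's own code: a sliding-window rule evaluator of the kind a SIEM would run over exported audit_log events, keyed on the four event names listed here. The record shape { ts, event, user_id, ip } and the thresholds are assumptions, since the page does not document the audit_log columns.

```javascript
// Added example (not IDPFlare's own code): threshold alerting over exported
// audit-log events, as a SIEM rule for the event names listed above would do.
// Assumed record shape: { ts, event, user_id, ip }; the real audit_log columns
// are not documented here.

// Alert rules keyed by the audit-log event names this document lists.
const ALERT_RULES = {
  login_failure:       { threshold: 5, windowSec: 600, groupBy: "user_id" },
  mfa_verify_failure:  { threshold: 3, windowSec: 600, groupBy: "user_id" },
  rate_limit_exceeded: { threshold: 1, windowSec: 600, groupBy: "ip" },
  account_locked:      { threshold: 1, windowSec: 600, groupBy: "user_id" },
};

// Sliding window per (event, group): keep timestamps inside the rule's window
// and raise one alert when the count first reaches the threshold. Events are
// sorted first so out-of-order export batches are handled.
function evaluateAlerts(events, rules = ALERT_RULES) {
  const windows = new Map(); // "event|group" -> epoch-ms timestamps in window
  const fired = new Set();   // keys that already produced an alert
  const alerts = [];
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  for (const ev of ordered) {
    const rule = rules[ev.event];
    if (!rule) continue; // event type is informational only
    const group = ev[rule.groupBy] ?? "unknown";
    const key = `${ev.event}|${group}`;
    const now = Date.parse(ev.ts);
    const bucket = windows.get(key) ?? [];
    while (bucket.length && now - bucket[0] > rule.windowSec * 1000) bucket.shift();
    bucket.push(now);
    windows.set(key, bucket);
    if (bucket.length >= rule.threshold && !fired.has(key)) {
      fired.add(key);
      alerts.push({ event: ev.event, [rule.groupBy]: group, count: bucket.length, at: ev.ts });
    }
  }
  return alerts;
}

// Constructed sample events (not real log data), all on 2024-01-01 at 10:MM UTC.
const mk = (min, event, user_id, ip = "198.51.100.7") =>
  ({ ts: `2024-01-01T10:${String(min).padStart(2, "0")}:00Z`, event, user_id, ip });
const SAMPLE_EVENTS = [
  ...[0, 1, 2, 3, 4].map((m) => mk(m, "login_failure", "u1")), // burst: 5 within 10 min
  ...[0, 1, 12].map((m) => mk(m, "login_failure", "u2")),      // 10:00 has left the window
  mk(5, "account_locked", "u3"),
  mk(5, "mfa_verify_failure", "u1"), mk(6, "mfa_verify_failure", "u1"), // below threshold
  mk(7, "rate_limit_exceeded", null, "203.0.113.5"),
];
```

Running evaluateAlerts(SAMPLE_EVENTS) yields three alerts (the u1 login burst, the u3 lockout, and the rate-limit hit) and none for u2, whose early failures have aged out of the window.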

CC3.1.2 - Logical and Physical Access Controls

Detailed Access Control Mapping

SOC 2 Requirement          | IDPFlare Feature                              | Configuration
---------------------------|-----------------------------------------------|-------------------------------
Unique user identification | User ID in users table                        | Automatic
Authentication             | Password, social, SAML                        | Configure providers
Multi-factor auth          | TOTP (RFC 6238)                               | MFA_MODE = "required"
Session management         | Session tokens in KV                          | SESSION_DURATION_SECONDS
Access revocation          | Refresh token revocation, session revocation  | Manual via API
Access token expiration    | Short-lived JWTs                              | ACCESS_TOKEN_DURATION_SECONDS
Privilege review           | RBAC with scopes                              | API key scopes
Failed login tracking      | Audit log                                     | RATE_LIMIT_LOGIN_ATTEMPTS
Account lockout            | User locking                                  | is_locked field

CC3.1.3 - System and Data Encryption

Cryptography Summary

  • In Transit: TLS 1.2+ (Cloudflare managed)
  • At Rest (Application): MFA secrets, backup codes encrypted with AES-GCM-256
  • At Rest (Database/KV): Platform-provided by Cloudflare (see note below)

Application Level

  • JWT signing: RS256 (RSA with SHA-256)
  • Password hashing: PBKDF2 with SHA-256 (100,000 iterations)
  • Random values: crypto.getRandomValues()

IMPORTANT: Encryption at Rest

Application-Level: MFA TOTP secrets and backup codes are encrypted with AES-GCM-256 before storage.

Platform-Level: D1 database and KV storage encryption is documented by Cloudflare:
  • D1: "All objects stored in D1 are encrypted at rest" (Cloudflare D1 documentation, Data Security page)
  • KV: "All values stored in KV are encrypted at rest with 256-bit AES-GCM" (Cloudflare KV documentation, Data Security page)

For SOC 2 audits, cite these Cloudflare documentation pages as evidence of platform-provided encryption.

Key Management Guidance

  • JWT keys: Generate via scripts/generate-keys.js
  • Encryption key: 32-byte hex key stored as secret
  • Rotation: Document procedures and implement schedule

CC3.1.6 - System Operations

Critical Implementation Requirements

1. Backup/Recovery

  • Implement D1 export automation
  • Test restoration quarterly
  • Document RTO/RPO

Example export command (the database name is the one declared in wrangler.toml; the subcommand is "export", singular, and writes to --output):

  wrangler d1 export <DATABASE_NAME> --remote --output "backup_$(date +%Y%m%d).sql"

2. Incident Response

  • Create incident response plan
  • Define severity levels
  • Establish notification procedures
  • Document roles and responsibilities

3. Monitoring

  • Export audit logs to SIEM
  • Configure alerts for security events
  • Regular review of access logs

Gap Summary

Critical Gaps (Must Address for SOC 2)

SOC 2 Criteria | Gap                           | Priority
---------------|-------------------------------|---------
CC2.3.1        | No monitoring system          | P0
CC3.1.2c       | No periodic access review     | P0
CC3.1.5        | No change management process  | P0
CC3.1.6c       | No backup implementation      | P0
CC3.1.6b,g     | No incident response process  | P0
CC3.1.6h       | No system monitoring          | P0

Implementation Timeline

Sprint 1: Critical Controls (Week 1-4)

1. Backup Implementation

  • Set up automated D1 backups
  • Create backup retention policy
  • Document restoration procedures
  • Conduct first restoration test

2. Monitoring Implementation

  • Export audit logs to SIEM (Cloudflare Logs, Datadog, etc.)
  • Set up alerts for security events
  • Create monitoring dashboard

3. Incident Response

  • Document incident response plan
  • Define severity levels
  • Create incident templates
  • Conduct tabletop exercise

Sprint 2: Process Controls (Week 5-8)

1. Change Management

  • Document change management process
  • Implement change ticketing
  • Create change forms/templates
  • Set up pre-production testing

2. Access Management

  • Document access request process
  • Implement quarterly access reviews
  • Create role definitions
  • Document provisioning/deprovisioning

Sprint 3: Audit Preparation (Week 9-12)

1. Policy Development

  • Security policy
  • Acceptable use policy
  • Data classification policy
  • Incident response policy

2. Evidence Collection

  • Set up evidence gathering
  • Create evidence mapping
  • Implement evidence retention
  • Prepare for auditor request

3. Pre-Assessment

  • Conduct internal audit
  • Address identified gaps
  • Refine documentation
  • Select CPA firm

Sample Evidence List

Evidence            | Description                            | Location
--------------------|----------------------------------------|--------------------
Security policies   | Documented security policies           | Internal
Access review       | Quarterly access review documentation  | Internal
Change log          | List of changes to configuration       | Git + tickets
Audit logs          | Security event logs                    | D1 audit_log table
Backup verification | Test restoration results               | Internal
Incident tickets    | Security incident records              | Ticket system
Training records    | Employee security training             | HR system
Risk assessment     | Annual risk assessment                 | Internal
Network diagram     | System architecture documentation      | Internal
Vendor review       | Cloudflare/IDPFlare review             | Internal
Penetration test    | External penetration test results      | Internal
Vulnerability scan  | Security scan results                  | Internal

Auditor Question Preparation

Question                        | Answer and Evidence
--------------------------------|-----------------------------------------------
How is user access controlled?  | RBAC with API key scopes, audit logs
How are changes managed?        | Change tickets, Git history, testing
How are backups performed?      | D1 export automation, test results
How are incidents detected?     | Audit log monitoring, alerts
How is MFA implemented?         | TOTP (RFC 6238), encrypted secrets
How are secrets managed?        | Cloudflare Workers Secrets, access controlled
How is encryption used?         | RS256 JWT, AES-GCM MFA, HTTPS
What's the change process?      | Ticket → Approval → Test → Deploy
How often is access reviewed?   | Quarterly (documented)

References