Skip to main content

SOC 2

Nebula maintains SOC 2 readiness against the Trust Services

Criteria. The control matrix lives in docs/SOC2_MATRIX.md; this

page summarises the high-level posture.

Trust Services Criteria

  • Security: encryption at rest and in transit, MFA on admin

accounts, vulnerability scanning, incident response runbook.

  • Availability: pinned region, health endpoint, DR runbook.
  • Processing integrity: every state change anchored, integrity

cron, structured logs.

  • Confidentiality: PII redaction layer, classification field

on atoms, role-based access.

  • Privacy: AccessLog, ExportLog, right-to-erasure.

Audit cadence

Internal review monthly; external audit annually. Findings are

tracked in the docs/SOC2_FINDINGS.md log.

Cross links

  • /docs/compliance/irap: AU-specific posture
  • /docs/security/audit: the audit tables