SOC 2 Style Controls (Quick-Start)

CC1—Control Environment - Code of conduct & WISP accepted by staff; access reviews quarterly

CC2—Communication & Information - Security announcements documented; incident comms in playbook

CC3—Risk Assessment - Track the top 10 risks (security rules misconfiguration, key leakage, IAM drift)

CC4—Monitoring - Audit logs captured (auth/admin/Stripe); weekly review with checklist

CC6—Access Controls - Least-privilege IAM; MFA; periodic user access review (GCP, Stripe)

CC7—Change Management - PRs require review; CI runs tests and lint; tag releases

CC8—System Ops - Backups daily; restore test monthly; capacity monitored

CC9—Incident Management - Breach-Response Playbook; postmortems with follow-ups

CC10—Confidentiality - Data classification; restrict Storage/RTDB reads; tokenization (Stripe IDs only, no PANs)

Evidence to Collect
- Screenshots of IAM roles
- Export of audit logs
- Backup & restore logs
- Training attestation
- PR review evidence