# SOC Control Mapping (Implementation Baseline)

Effective Date: February 27, 2026

This mapping is a readiness baseline for external audit preparation.

## Security

- CC6.1 / CC6.2 Access Governance
  - Organization role checks (`owner`/`admin`) on compliance mutations
  - Access review campaign workflow and item-level attestations
- CC6.3 Authentication Strength
  - MFA signal gate on compliance-critical operations when enabled
- CC7.2 Change and Detection Logging
  - Compliance evidence receipts with hashes and source references
  - Session and governance audit trails with actor and timestamp metadata

## Availability

- A1.1 Service Availability Monitoring
  - Health endpoints and scheduler lifecycle management
- A1.2 Incident Process Support
  - Session compliance incident lifecycle (open, acknowledge, resolve)
  - Purge hold behavior for active high/critical incidents

## Confidentiality

- C1.1 Data Handling Boundaries
  - Institution governance controls for organization-managed session artifacts
  - Privacy and account controls for independent learner environments
- C1.2 Retention and Disposal
  - Governed conversation redaction window (7 to 90 days, default 30)
  - Metadata retention after redaction
  - Explicit organization purge workflow for governed hard deletes

## Notes

- External auditor procedures may refine control language and test evidence.
