# Sukma SOC Audit-Ready Statement

Effective Date: February 27, 2026

Sukma operates with audit-ready controls across security, availability,
and confidentiality. This statement describes our current operating
posture and evidence model for buyers, institutions, and security
reviewers. It is not a claim of completed third-party attestation.

## Scoped Services

- Sukma frontend application
- course-service
- user-service
- supergraph

## Control Focus

- Security
- Availability
- Confidentiality

## Operating Posture

- Role-based controls for compliance-critical operations
- Access review workflows with auditable decisions
- Evidence receipts with hashing and traceability
- Retention, redaction, and purge governance for governed conversation records and session artifacts
- Incident workflows that support review and operational accountability

## Evidence Model

- Structured evidence records with time boundaries and source references
- Reviewable evidence for buyer diligence and external audit preparation
- Exportable records for access reviews, governance changes, retention operations, and purge actions across governed session artifacts

## Applicability

SOC operational controls apply across institution-managed and independent
learner environments. FERPA language is limited to institution-managed
records.

## Positioning

Appropriate language:

- SOC audit-ready controls
- audit-ready operating posture

Not appropriate before external attestation:

- SOC certified
- SOC attested
- SOC compliant as a final assurance claim
