SOC 2 compliance without the consulting bill.
Trust service criteria mapped directly to infrastructure controls. Every check produces audit-ready evidence — no binder assembly required.
What SOC 2 actually requires.
SOC 2 Type II is an attestation framework developed by the AICPA that evaluates a service organization’s controls over time. Unlike Type I (which captures a point-in-time snapshot), Type II examines the operating effectiveness of controls over a minimum observation period of six months.
The framework is built around five Trust Service Criteria: Security (CC1–CC9), Availability (A1), Processing Integrity (PI1), Confidentiality (C1), and Privacy (P1–P8). Security is always in scope; the remaining four are selected based on the services you provide.
For infrastructure hosting, the Common Criteria (CC) controls are where most of the work lives. These cover logical and physical access, system operations, change management, and risk mitigation. PrismWeb’s sixteen checks address the technical controls your auditor expects to see operating continuously — not just documented in a policy binder.
The challenge for most organizations isn’t understanding what SOC 2 requires — it’s producing evidence that controls are actually working. That’s what our infrastructure does by design.
How PrismWeb maps to SOC 2 controls.
| Check | SOC 2 Controls | Trust Service Category |
|---|---|---|
| DNSSEC | CC6.1, CC6.6 | Security, Availability |
| SSL/TLS | CC6.1, CC6.7 | Security, Confidentiality |
| Enhanced HTTPS | CC6.1, CC6.7 | Security, Confidentiality |
| Enhanced TLS | CC6.1, CC6.7, CC7.2 | Security, Confidentiality |
| Certificate Validation | CC6.1, CC6.7 | Security |
| Security Headers | CC6.1, CC6.6, CC7.2 | Security |
| SPF | CC6.1, CC6.6 | Security |
| DKIM | CC6.1, CC6.6 | Security, Processing Integrity |
| DMARC | CC6.1, CC6.6, CC7.2 | Security, Processing Integrity |
| MTA-STS | CC6.1, CC6.7 | Security, Confidentiality |
| TLS-RPT | CC7.2, CC7.3 | Security |
| IP Abuse | CC6.6, CC7.2 | Security, Availability |
| WordPress Detection | CC7.1, CC8.1 | Security |
| Website Scanning | CC7.1, CC7.2 | Security, Privacy |
| IPv6 | CC6.1, A1.2 | Availability |
| RPKI | CC6.1, CC6.6 | Security, Availability |
What we hand your auditor.
Timestamped reports showing control status across all sixteen checks for each quarter in your observation period. Formatted for auditor consumption with control IDs pre-mapped.
Written descriptions of each control’s design and implementation, ready to include in your SOC 2 Type II report’s description of the system.
Logs demonstrating that checks run on schedule, anomalies are detected, and remediations occur within SLA. This is the operating effectiveness evidence Type II requires.
When a control fails or degrades, we log the exception, the root cause, and the remediation timeline. Auditors expect exceptions — they want to see how you handle them.
Direct access to our team during your audit period to answer technical questions about control implementation and provide additional evidence as requested.
Pass your SOC 2 audit with infrastructure evidence.
Stop paying consultants to document controls that should be producing their own evidence. Our infrastructure does the work — you get the reports.