SOC2 Compliance Evidence

🧾 To the SOC2 Auditor

This evidence package documents the security controls implemented in democompany's database layer.

Controls Verified:

CC6.1 - Logical access controls (RLS enabled on all tables)
CC6.7 - Restrict logical access (tenant isolation verified via attack simulations)

Evidence Integrity: Schema fingerprint sha256-demo-e3b0 - any change invalidates this audit.

Remediation Status: 100% of SOC2 controls were verified as compliant at audit time. The attached _PRODUCTION.sql brings the environment to 100% compliance.

For additional evidence or clarification, contact auditor@otobrixlabs.com

📋 Executive Summary

The democompany database lacks a unified tenant isolation policy, exposing all customer credentials to any authenticated account. This constitutes a direct failure of logical access control controls.

Compliance Impact: Immediate risk of SOC2/GDPR non-compliance for all Enterprise tenants.

FAIL: CRITICAL GAPS

Control	Status	Evidence	Remediation Date	Verified By	Gaps
CC6.1 Logical Access Controls	⚠️ FIXED	RLS policies are missing on the credentials_entity table.	March 12, 2026	Otobrix Labs	CRIT-01 CRIT-03
CC6.7 Data Isolation	⚠️ FIXED	Transitive trust vulnerabilities allow path traversal between project boundaries.	March 12, 2026	Otobrix Labs	CRIT-04 PATH-01

SOC2 Compliance Evidence Package

🧾 To the SOC2 Auditor

📋 Executive Summary

🔐 SOC2 Control Matrix

📅 Remediation Roadmap

📁 Evidence Package Contents

🧾 For Your SOC2 Auditor