Compliance & SOC 2

Audit-ready,
by design.

SOC 2 control evidence tracking, GDPR Article 30 ROPA, DSR workflow with 30-day SLA, Article 33 72-hour breach notification, audit-log SIEM streaming, subprocessor registry, and DPA signing.

SOC 2 Type II · Trust Services

Period: 1 Jan 2026 → 30 Jun 2026

Audit-ready
CC6.1
Logical Access Controls
auto evidence
CC7.2
System Monitoring
auto evidence
CC1.4
Background Checks
manual evidence
A1.2
Capacity Management
auto evidence
C1.1
Confidentiality Commitments
manual evidence
68 controls trackedEvidence collected: 96%
SOC 2
Trust services criteria
GDPR
ROPA + DSR built-in
72h
Breach notification timer
SIEM
Audit log streaming
SOC 2 Evidence

Controls. Evidence. Audit period.

Every Trust Services criterion mapped to OfficeBlink controls. Auto-collected technical evidence, manual workflow for the rest. Auditor-friendly export.

  • CC + A + C + PI criteria mapped
  • Auto-collected technical evidence
  • Manual evidence workflow with owner
  • Continuous evidence collection
  • Auditor-friendly bundle export
  • Audit period configuration

SOC 2 Type II · Trust Services

Period: 1 Jan 2026 → 30 Jun 2026

Audit-ready
CC6.1
Logical Access Controls
auto evidence
CC7.2
System Monitoring
auto evidence
CC1.4
Background Checks
manual evidence
A1.2
Capacity Management
auto evidence
C1.1
Confidentiality Commitments
manual evidence
68 controls trackedEvidence collected: 96%
GDPR Article 30

A live record of processing activities.

No more annual ROPA spreadsheet. Every processing activity, its legal basis, recipients, retention, and cross-border transfers — auto-discovered from the platform and surfaced for the DPO.

  • Auto-discovered processing activities
  • Legal basis per activity
  • Recipient and sub-processor mapping
  • Retention policy per data category
  • Cross-border transfer registry
  • Annual review reminder

Article 30 ROPA

Live registry
Payroll Processing
Legal basis:Contract
Recipients:Bank, HMRC
Performance Reviews
Legal basis:Legitimate Interest
Recipients:Internal
Benefits Enrollment
Legal basis:Contract
Recipients:Carriers
Recruitment
Legal basis:Consent
Recipients:Hiring Mgr
DSR Workflow

30-day SLA, end-to-end.

Access, rectification, erasure, portability, restriction, objection — each with a workflow that locates the data, compiles the bundle, reviews internally, and delivers within statutory deadlines.

  • Identity verification step
  • Auto-locate data subject across modules
  • Compile export bundle (machine-readable)
  • Internal review with sign-off
  • Delivery and receipt confirmation
  • SLA timer with alerts

DSR · Right to Access

SLA 18d left
Identity verified
Day 1
Data subject record located
Day 2
Export bundle compiled
Day 5
Internal review
Day 10
Delivery + receipt
Day 12
Statutory deadline: 30 days from receipt of request.
Breach Notification

Article 33 timer starts on detection.

A breach record opens at detection. The 72-hour countdown is visible to everyone involved. Notification templates, supervisory authority directory, and Article 34 data subject notification — all built in.

  • 72-hour countdown from detection
  • Triage workflow with scoping
  • Supervisory authority directory
  • Notification template per jurisdiction
  • Article 34 affected data subject notice
  • Post-mortem template

Article 33 — 72-hour notification

Detected breaches start the clock automatically.

Time remaining
61h 22m
until supervisory authority notification
Detected
Triage
Notified
SIEM Streaming

Every event, every actor, into your SIEM.

Audit logs stream to S3, HTTPS, or Kafka in JSON / NDJSON / CEF. Native consumers for Splunk, Datadog, Sumo Logic, and Elastic.

  • S3 / HTTPS sink / Kafka topic
  • JSON · NDJSON · CEF
  • Actor, action, resource, tenant, IP
  • Replayable from the dashboard
  • Splunk · Datadog · Sumo · Elastic
  • Custom shape via outbound transformer

Audit-log SIEM stream

Every event, every actor — streamed to your SIEM.

events.ndjson
{"actor":"user_42","action":"employee.read","tenant":"acme",...}
{"actor":"key_91","action":"payroll.run.approve",...}
{"actor":"user_18","action":"comp.cycle.lock",...}
Splunk·Datadog·Sumo·Elastic
Subprocessors & DPA

A trust page buyers can actually use.

The full subprocessor list, their purpose, region, and change history. DPA signing self-serve. Plus the latest SOC 2 letter under NDA.

  • Live subprocessor registry
  • Region and purpose per processor
  • 30-day change notification subscription
  • Standard DPA with SCC annex
  • Self-serve DPA signing
  • SOC 2 / pen-test letters under NDA

Subprocessor Registry

12 sub-processors
AWS
Hosting
eu-west-1
Cloudflare
Edge / CDN
Global
Postmark
Transactional email
us-east-1
Stripe
Payments
Global
Common Questions

Compliance, answered.

Our SOC 2 Type II observation window is currently in progress. The control framework is fully implemented, evidence is being collected continuously, and our auditor letter is available under NDA.

Pass your next security review in a week.

See SOC 2 evidence, GDPR ROPA, DSR workflow, and breach timers in one walkthrough.