Posture score
63%
Passing
34
Failing
20
Warnings
0
▶About this report — how to read it and how to verify timestamps
What you are looking at
This is a read-only compliance view generated by Scorifya Controls, a self-hosted SOC 2 readiness tool. It reflects the live state of Foundry Labs, Inc.'s control environment — this is not a curated PDF export. The data is queried directly from their instance at the time you load this page. You have no ability to modify anything through this link.
Automated checks
Automated checks run against Foundry Labs, Inc.'s cloud infrastructure (AWS, GitHub, GCP, Azure) using read-only API credentials stored on their server. Each check is tagged with the framework criteria it provides evidence for: AICPA Trust Services Criteria (TSC 2017) for SOC 2, PCI DSS 4.0.1 requirement numbers, ISO/IEC 27001:2022 Annex A controls, and HIPAA Security Rule citations (45 CFR). Use the Framework selector on the report to narrow the checks table to a single framework's evidence (rows without a mapping to that framework are hidden and excluded from the posture score), or leave it on All to see everything. Results shown here are the most recent run. As part of your engagement, you should independently verify material findings directly in their cloud consoles — these results are a starting point, not a substitute for your own testing.
Manual controls and attestations
Manual controls cover areas that cannot be automated: security awareness training, access reviews, vendor assessments, incident response testing, and similar. For each control, Foundry Labs, Inc. has designated an owner, recorded notes, attached evidence files, and set a next-review date. A control marked Compliant means the owner has attested that the control is operating effectively, with supporting evidence available below.
RFC 3161 cryptographic timestamps: what the DigiCert badge means
When Foundry Labs, Inc.saves a manual control attestation, Scorifya Controls immediately sends a SHA-256 fingerprint of the attestation data to DigiCert's Timestamp Authority (TSA). DigiCert signs that fingerprint with the current time and returns a timestamp token (a .tsr file). This token is stored alongside the attestation in their database.
The token proves two things independently of Foundry Labs, Inc. or Scorifya:
- The attestation data existed at the timestamp shown — it cannot have been backdated.
- The data has not been modified since — any change would produce a different fingerprint that no longer matches the token.
DigiCert has no knowledge of what the data contains — they only see the hash. They have no relationship with Foundry Labs, Inc. or Scorifya beyond providing a public timestamping service.
About the Timestamp Authorities
Timestamps are issued by DigiCert (primary) or Sectigo (fallback if DigiCert is unreachable at the moment of attestation). Both are among the world's largest certificate authorities, and both have their TSA root certificates included in the Microsoft Windows Root Certificate Program, Apple trust stores, Adobe Approved Trust List (AATL — used by Acrobat), and Java. They are widely used for code signing, legal documents, and financial records. RFC 3161 is the IETF standard for trusted timestamping, published in 2001 and adopted across regulated industries.
Each attestation below shows which TSA issued its timestamp. The expandable verification command is pre-filled with the correct CA certificate URL for that specific TSA.
How to independently verify a timestamp
For any attestation showing a verified badge, you can verify the timestamp yourself using OpenSSL (standard, pre-installed on macOS and Linux). No account or API key is needed. The exact commands — including the correct CA certificate for that attestation's TSA — are shown in the expandable Verify with OpenSSL section under each control.
- Click .tsr ↓ next to the control to download the timestamp token.
- Expand Verify with OpenSSL on that control — copy and run the two commands shown (one fetches the CA cert, one runs the verification).
- Verification: OK means the TSA confirmed this exact content existed at the timestamp shown. Any other result means the token is invalid or the data was modified after timestamping.
The content hash covers: control identifier, attestation status, owner, notes, evidence filenames, and the attestation timestamp. Evidence file contents are not hashed — verify those directly by reviewing the attached files.
aws
| Check | Status |
|---|---|
CloudTrail enabled in all regions CloudTrail must be enabled in all regions to provide the activity logs required as SOC 2 audit evidence. | FAIL |
CloudTrail log file validation enabled Log file validation ensures logs have not been tampered with — required for integrity evidence. | PASS |
CloudWatch alarm for root account usage A CloudWatch alarm must fire whenever the root account is used — required by CIS Benchmark 1.7. | PASS |
CloudWatch log groups retain at least 12 months Every CloudWatch log group used for audit evidence must retain at least 365 days of history. Short retention (7/30 day) defaults from CDK/Terraform stacks fail PCI 10.5.1 and weaken SOC 2 detection evidence. | PASS |
EBS default encryption enabled EBS default encryption ensures all new volumes are encrypted automatically. | PASS |
GuardDuty enabled in all regions Amazon GuardDuty provides continuous threat detection and must be active in every region. | FAIL |
Load balancer HTTPS listeners require TLS 1.2 or higher Every ALB and NLB HTTPS/TLS listener must use a security policy that requires TLSv1.2 or higher. Policies permitting TLSv1.0/1.1 fail PCI 4.2.1 (SSL/early-TLS are explicitly retired by PCI SSC). | PASS |
MFA enabled for all IAM users All IAM users with console access must have MFA enabled. Users without MFA are an immediate audit finding. | PASS |
No credentials unused for 90+ days IAM credentials unused for 90 or more days should be disabled or removed. | PASS |
No security groups expose SSH/RDP/DB ports to the internet Security groups must not allow 0.0.0.0/0 access to administrative or database ports (SSH, RDP, Postgres, MySQL, MSSQL, MongoDB, Redis, Elasticsearch, Memcached). PCI 1.4.1 explicitly requires restricting inbound traffic from untrusted networks. | PASS |
RDS instances encrypted at rest All RDS database instances must have storage encryption enabled. | FAIL |
RDS instances enforce TLS at the parameter group Every RDS instance (Postgres, MySQL/MariaDB, SQL Server, Aurora) must enforce TLS at the parameter-group level: rds.force_ssl=1 or require_secure_transport=ON. Enabling TLS support is not enough — clients can still connect in plaintext unless the engine rejects them. PCI 4.2.1 requires this end-to-end. | PASS |
RDS instances use non-default master username The RDS master username cannot be renamed after creation. Well-known defaults (admin, postgres, root, sa, mysql, oracle, master) are the first attackers try in credential spraying and fail PCI 2.2.5 (vendor defaults). | PASS |
Root account has no active access keys The AWS root account should never have active access keys. Root keys cannot be scoped and represent full account compromise if leaked. | FAIL |
S3 buckets encrypted at rest All S3 buckets must have server-side encryption enabled (SSE-S3 or SSE-KMS). | PASS |
S3 public access block enabled All S3 buckets should have public access blocked at the account level. | PASS |
S3 versioning enabled on critical buckets Versioning protects against accidental deletion and supports availability commitments. | FAIL |
Strong password policy configured IAM password policy must enforce minimum length (14+), complexity, and rotation requirements. | PASS |
VPC Flow Logs enabled VPC Flow Logs capture network traffic and are required for security monitoring and incident investigation. | FAIL |
azure
| Check | Status |
|---|---|
Azure Activity Log diagnostic settings configured Activity Log diagnostic settings must be configured to retain Administrative, Security, Alert, and Policy events. | FAIL |
Azure Key Vault in use for secrets management At least one Key Vault must exist in the subscription to manage application secrets, keys, and certificates. | PASS |
Azure PostgreSQL enforces SSL Every Azure Database for PostgreSQL Flexible Server should have require_secure_transport = ON so client connections must use TLS. | FAIL |
Azure SQL Transparent Data Encryption enabled Every user database on every Azure SQL server should have Transparent Data Encryption (TDE) enabled — on by default for new databases but can be disabled per-database. | FAIL |
Azure SQL server-level auditing enabled Every Azure SQL logical server should have server-level auditing enabled to capture data plane and management events. | PASS |
Azure Storage account public blob access disabled All storage accounts must have Allow Blob Public Access set to Disabled to prevent unintentional data exposure. | FAIL |
Azure managed disks encrypted at rest All Azure managed disks must use platform-managed or customer-managed encryption at rest. | FAIL |
Key Vaults use Azure RBAC Every Key Vault should use Azure RBAC for data-plane authorization instead of the legacy access-policy model, so access changes surface in IAM reviews. | FAIL |
Log Analytics workspaces retain logs for 90+ days Every Log Analytics workspace should retain logs for at least 90 days so security-relevant events remain queryable during an audit window. | PASS |
MFA enforced via Security Defaults or Conditional Access MFA must be enforced for all users via Azure Security Defaults or a Conditional Access policy. | FAIL |
Microsoft Defender for Cloud enabled on key workloads Defender for Cloud Standard tier must be enabled for VMs, SQL, App Services, Storage, and Containers. | PASS |
No NSG rule opens SSH/RDP to the internet No Network Security Group rule should allow inbound TCP 22 or 3389 from Internet / 0.0.0.0/0 / *. | PASS |
No stale Azure AD guest users Guest users who have not signed in for 90+ days (or have never signed in and were invited 90+ days ago) should be reviewed and removed. | PASS |
Privileged Identity Management activated for admin roles Global Administrator and Privileged Role Administrator assignments should be managed through Privileged Identity Management (PIM) as just-in-time eligibilities, not permanent active assignments. Requires Entra ID P2 licensing. | PASS |
Storage accounts require HTTPS Every storage account should have 'Secure transfer required' enabled so blob, file, queue, and table endpoints reject cleartext HTTP. | FAIL |
gcp
| Check | Status |
|---|---|
2-Step Verification enforced for all Google Workspace users All Google Workspace users must be enrolled in 2-Step Verification. Requires domain-wide delegation to the Admin SDK. | PASS |
Cloud Audit Logs enabled for all services Cloud Audit Logs must capture Admin Activity, Data Read, and Data Write events for all services at the project level. | FAIL |
Cloud SQL instances encrypted at rest All Cloud SQL instances should have encryption at rest enabled — Google-managed by default, or CMEK for stronger key custody. | FAIL |
Cloud SQL requires SSL connections Cloud SQL instances should require SSL/TLS for all connections to prevent credential and data exposure over the wire. | PASS |
Compute Engine disks are encrypted Every Compute Engine persistent disk should be encrypted, either with a customer-managed key (CMEK) or the default Google-managed key. | PASS |
GCS buckets block public access All Cloud Storage buckets must have Public Access Prevention enforced and no allUsers/allAuthenticatedUsers IAM bindings. | PASS |
KMS symmetric keys rotate within 90 days Every Cloud KMS symmetric encryption key should have automated rotation enabled with a period of 90 days or less. | PASS |
Long-term log sink configured At least one log sink should route project logs to BigQuery, Cloud Storage, Pub/Sub, or a custom log bucket to meet the 12-month audit-log retention requirement. | PASS |
No firewall rule opens SSH/RDP to the internet No VPC firewall rule should allow ingress to TCP 22 or 3389 from 0.0.0.0/0 — the most common exploit path for GCE instances. | PASS |
OS Login is enforced at the project level OS Login centralizes SSH access to Compute Engine through IAM identities instead of instance metadata keys; enforce it project-wide. | PASS |
Primitive IAM roles (Owner/Editor) not assigned to users The Owner and Editor primitive roles grant broad permissions and should not be assigned to human users in production. | PASS |
Service account keys not older than 90 days User-managed service account keys older than 90 days should be rotated to reduce credential compromise risk. | FAIL |
The default VPC network has been removed The auto-created 'default' VPC ships with permissive firewall rules and no flow logs; every benchmark recommends deleting it in production projects. | PASS |
Uniform bucket-level access enabled on GCS buckets Uniform bucket-level access must be enabled to ensure consistent IAM-only access control with no legacy ACLs. | PASS |
VPC Flow Logs enabled on all subnets VPC Flow Logs must be enabled on all subnets to capture network traffic for security monitoring and incident investigation. | FAIL |
github
| Check | Status |
|---|---|
2FA required for all org members GitHub organization must require 2FA for all members. | PASS |
Default branch protection enabled Main/master branch must require PR reviews before merging. Direct pushes are a change management finding. | FAIL |
Dependabot security alerts enabled Dependabot must be enabled on all repositories to detect known vulnerabilities in dependencies. | PASS |
Required status checks on default branch CI checks must pass before merging to default branch. | FAIL |
Secret scanning enabled GitHub secret scanning detects accidentally committed credentials. | PASS |
Manual controls(15 of 49 attested compliant)
Each compliant attestation carries an RFC 3161 timestamp from a trusted Certificate Authority (DigiCert or Sectigo), independently verifiable with OpenSSL.
Access Management
NDAs signed by all employees
SOC 2CC1.4ISO 270016.6HIPAA164.308(a)(3)(ii)(A)CompliantConfidentiality and non-disclosure agreements are signed by all employees and contractors.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-access-nda-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/20/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e6163636573732e6e64613a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.access.nda-*.tsr \ -digest 6d616e75616c2e6163636573732e6e64613a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Offboarding access revoked within 24h
SOC 2CC6.2PCI8.2.5ISO 270016.5HIPAA164.308(a)(3)(ii)(C)Not StartedSystem access for terminated employees is revoked within 24 hours of separation.
Privileged access reviewed quarterly
SOC 2CC6.3PCI7.2.5ISO 270018.2HIPAA164.308(a)(4)(ii)(B)Not StartedAdministrator and privileged accounts are reviewed quarterly. Access is granted on least-privilege principles.
Quarterly user access review
SOC 2CC6.2PCI7.2.4ISO 270015.18HIPAA164.308(a)(4)(ii)(C)CompliantUser access to production systems and sensitive data is formally reviewed and certified every quarter.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-access-quarterly_review-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/20/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e6163636573732e717561727465726c795f7265766965773a64
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.access.quarterly_review-*.tsr \ -digest 6d616e75616c2e6163636573732e717561727465726c795f7265766965773a64 \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Asset Management
Information asset inventory maintained
ISO 270015.9Not StartedAn inventory of information and associated assets (systems, data, media, cloud services) is maintained together with ownership and classification. Reviewed at least annually and updated when assets are added or retired.
Business Continuity
Annual disaster recovery test
SOC 2A1.2ISO 270015.30HIPAA164.308(a)(7)(ii)(D)Not StartedA disaster recovery test has been conducted in the current year and results have been reviewed by management.
Application and data criticality analysis
HIPAA164.308(a)(7)(ii)(E)Not StartedThe relative criticality of specific applications and data in support of contingency planning has been assessed and documented: which systems hold or process ePHI, their recovery priority, and the maximum tolerable downtime for each.
Business continuity plan documented
SOC 2CC9.1ISO 270015.29HIPAA164.308(a)(7)(i)Not StartedA business continuity plan has been reviewed, approved, and covers recovery time and recovery point objectives.
Cardholder Data
Cardholder data flow diagram documented
PCI12.5.2Not StartedA current diagram exists showing how cardholder data enters, is processed by, and leaves your systems (Stripe hosted Checkout, iframe, redirect). Reviewed and updated at least annually or upon any material change to the flow.
Payment-page script inventory + authorization
PCI6.4.3Not StartedA list of every script loaded on any page that accepts payment card data (including SAQ A hosted-Checkout redirect pages) is maintained with a documented business justification for each. Any script not on the list is treated as unauthorized.
Quarterly PCI scope confirmation
PCI12.5.2Not StartedEvery quarter, the CDE boundary is re-confirmed: what systems store, process, or transmit PAN; what systems are connected-to or security-impacting; what is out of scope and why. Changes are documented.
Change Management
Change management approval process
SOC 2CC8.1PCI6.5.1ISO 270018.32Not StartedAll production changes go through a documented approval process including testing requirements and rollback procedures.
Security requirements in SDLC
SOC 2CC8.1ISO 270018.25Not StartedSecurity requirements are incorporated into the software development lifecycle including code review and security testing.
Governance
Annual CMMC L1 self-assessment and SPRS affirmation
CMMC L132 CFR 170.22CompliantA CMMC Level 1 self-assessment against all 17 practices has been completed within the past 12 months, and a senior official has affirmed continuing compliance in the Supplier Performance Risk System (SPRS). The assessment record and the affirmation date are retained.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-cmmc-sprs_affirmation-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e636d6d632e737072735f61666669726d6174696f6e3a64656d
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.cmmc.sprs_affirmation-*.tsr \ -digest 6d616e75616c2e636d6d632e737072735f61666669726d6174696f6e3a64656d \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
FCI scoping documented
CMMC L1AC.L1-3.1.1CompliantThe systems, storage locations, and external connections that store, process, or transmit Federal Contract Information are identified and documented, including which contracts the FCI relates to. Reviewed at least annually and when systems or contracts change. Knowing where FCI lives is the precondition for limiting access to it.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-cmmc-fci_scoping-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e636d6d632e6663695f73636f70696e673a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.cmmc.fci_scoping-*.tsr \ -digest 6d616e75616c2e636d6d632e6663695f73636f70696e673a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
HIPAA security official designated
HIPAA164.308(a)(2)CompliantA specific individual is formally designated as the security official responsible for developing and implementing the Security Rule policies and procedures. The designation is documented and current.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hipaa-security_officer-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68697061612e73656375726974795f6f6666696365723a6465
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hipaa.security_officer-*.tsr \ -digest 6d616e75616c2e68697061612e73656375726974795f6f6666696365723a6465 \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
ISMS scope defined and documented
ISO 27001Cl. 4.3Not StartedThe scope of the Information Security Management System is documented, including boundaries and applicability, interfaces and dependencies, and any exclusions with justification. Reviewed at least annually and after significant organizational change.
Information security objectives set and measured
ISO 27001Cl. 6.2Not StartedInformation security objectives are established at relevant functions and levels, are consistent with the security policy, are measurable where practical, and are monitored, communicated, and updated as appropriate.
Information security policy approved
SOC 2CC5.3ISO 270015.1HIPAA164.316(a)CompliantA formal information security policy has been reviewed and approved by management within the past 12 months.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-governance-security_policy-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/3/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e676f7665726e616e63652e73656375726974795f706f6c6963
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.governance.security_policy-*.tsr \ -digest 6d616e75616c2e676f7665726e616e63652e73656375726974795f706f6c6963 \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Management information security oversight
SOC 2CC1.1ISO 270015.4HIPAA164.308(a)(1)(i)CompliantManagement reviews and approves the information security program annually and accountability is assigned.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-governance-board_oversight-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/3/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e676f7665726e616e63652e626f6172645f6f76657273696768
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.governance.board_oversight-*.tsr \ -digest 6d616e75616c2e676f7665726e616e63652e626f6172645f6f76657273696768 \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Management review of the ISMS completed
ISO 27001Cl. 9.3Not StartedTop management has reviewed the ISMS within the past 12 months, considering audit results, feedback, risk assessment results, achievement of objectives, and opportunities for improvement. Decisions and actions are documented.
Statement of Applicability documented
ISO 27001Cl. 6.1.3Not StartedA current Statement of Applicability lists every Annex A control, whether it is included or excluded, the justification for the decision, and whether it is implemented. Updated whenever the risk treatment plan or applied controls change.
HR & Training
Annual security awareness training
SOC 2CC1.4PCI12.6.1ISO 270016.3HIPAA164.308(a)(5)(i)CompliantAll employees have completed security awareness training in the current calendar year.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hr-security_training-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68722e73656375726974795f747261696e696e673a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hr.security_training-*.tsr \ -digest 6d616e75616c2e68722e73656375726974795f747261696e696e673a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Background checks for new hires
SOC 2CC1.4PCI12.7.1ISO 270016.1HIPAA164.308(a)(3)(ii)(B)CompliantPre-employment background checks are conducted for all employees with access to production systems.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hr-background_checks-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68722e6261636b67726f756e645f636865636b733a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hr.background_checks-*.tsr \ -digest 6d616e75616c2e68722e6261636b67726f756e645f636865636b733a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
PCI security awareness training (annual)
PCI12.6.1Not StartedPersonnel with access to systems in scope for PCI DSS complete PCI-specific security awareness training at hire and at least annually thereafter. Training covers cardholder data handling, phishing, and role-specific responsibilities. Attendance and materials are retained.
Workforce sanction policy documented
HIPAA164.308(a)(1)(ii)(C)Not StartedA documented sanction policy applies appropriate consequences to workforce members who fail to comply with security policies and procedures. Application of sanctions is recorded when they occur.
Incident Response
Annual IR tabletop exercise
SOC 2CC7.4PCI12.10.2ISO 270015.24HIPAA164.308(a)(6)(ii)Not StartedAn incident response tabletop exercise has been conducted in the current year and results have been documented.
Breach notification process documented
SOC 2CC7.5PCI12.10.3ISO 270016.8HIPAA164.404Not StartedA breach notification process is documented and tested, complying with applicable regulatory requirements.
Card-breach incident response playbook
PCI12.10.1Not StartedThe incident response plan includes card-brand-specific breach notification steps: forensics firm on retainer, card-brand notification contacts (Visa/Mastercard/Amex/Discover), acquirer notification path, and evidence preservation procedures for CHD-related incidents.
Incident response plan documented
SOC 2CC7.4PCI12.10.1ISO 270015.24HIPAA164.308(a)(6)(i)CompliantA formal incident response plan exists, has been approved by management, and is reviewed and updated annually.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-incident-ir_plan-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/1/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e696e636964656e742e69725f706c616e3a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.incident.ir_plan-*.tsr \ -digest 6d616e75616c2e696e636964656e742e69725f706c616e3a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Monitoring
Annual penetration test
SOC 2CC7.1PCI11.4.1ISO 270018.8HIPAA164.308(a)(8)Not StartedAn annual penetration test has been completed by a qualified third party and critical findings have been remediated.
ISMS internal audit completed
ISO 27001Cl. 9.2Not StartedAn internal audit of the ISMS has been conducted within the past 12 months against the requirements of ISO/IEC 27001 and the organization's own procedures. Findings are documented and tracked to closure.
Nonconformities and corrective actions tracked
ISO 27001Cl. 10.2Not StartedNonconformities identified through audit, incident, or review are logged with root cause, corrective action, responsible owner, and closure evidence. The tracker is reviewed by management on a defined cadence.
Payment-page tamper detection evidence
PCI11.6.1Not StartedA change-detection mechanism is in place on all payment pages (including redirects to hosted Checkout) that alerts on unauthorized modification of headers, scripts, or content. Evidence of alert testing and any triaged alerts is retained.
Physical Safeguards
Device and media controls documented
HIPAA164.310(d)(1)Not StartedPolicies govern the receipt, movement, reuse, and disposal of hardware and electronic media containing ePHI: sanitization before reuse, destruction records for disposed media, accountability logs for media movement, and backup before equipment moves.
Facility access controls documented
HIPAA164.310(a)(1)Not StartedPolicies and procedures limit physical access to systems containing ePHI and the facilities housing them (office, data-room, or the physical-access responsibilities delegated to a cloud or colocation provider), while ensuring authorized access is allowed. Contingency operations and facility security plans are addressed.
Media sanitized before disposal or reuse
CMMC L1MP.L1-3.8.3CompliantInformation system media containing Federal Contract Information, paper and digital, is sanitized or destroyed before disposal or release for reuse, with a record of what was sanitized or destroyed, when, how, and by whom.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-cmmc-media_disposal-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e636d6d632e6d656469615f646973706f73616c3a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.cmmc.media_disposal-*.tsr \ -digest 6d616e75616c2e636d6d632e6d656469615f646973706f73616c3a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Physical access devices controlled
CMMC L1PE.L1-3.10.5Not StartedKeys, badges, access cards, and other physical access devices for areas housing Federal Contract Information are inventoried, issued against named individuals, and recovered or deactivated when no longer needed.
Visitors escorted and activity logged
CMMC L1PE.L1-3.10.3Not StartedVisitors to facilities housing systems with Federal Contract Information are escorted, their activity is monitored, and physical access is logged. For fully cloud-hosted environments, the provider's physical-access responsibility and any office areas where FCI is handled are both addressed.
Workstation use and security policy
HIPAA164.310(b)CompliantPolicies specify the proper functions, manner of use, and physical safeguards for workstations that can access ePHI: screen locking, disk encryption on laptops, clean-desk expectations for PHI, and restrictions on public or shared devices.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hipaa-workstation_security-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68697061612e776f726b73746174696f6e5f73656375726974
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hipaa.workstation_security-*.tsr \ -digest 6d616e75616c2e68697061612e776f726b73746174696f6e5f73656375726974 \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Risk Management
Annual risk assessment completed
SOC 2CC3.1PCI12.3.1ISO 27001Cl. 6.1.2HIPAA164.308(a)(1)(ii)(B)Not StartedAn information security risk assessment covering the in-scope environment has been completed in the current year.
Fraud risk assessment
SOC 2CC3.3ISO 270015.7Not StartedFraud risks have been identified and controls are in place and monitored to mitigate them.
Risk treatment plan approved
ISO 27001Cl. 6.1.3Not StartedA risk treatment plan is documented showing selected treatment options, necessary controls (from Annex A and elsewhere), residual risk, and risk-owner approvals. Reviewed after the annual risk assessment or upon significant change.
ePHI-scoped risk analysis completed
HIPAA164.308(a)(1)(ii)(A)CompliantAn accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI has been completed, is documented, and is updated when the environment or threat landscape changes materially. Scope explicitly identifies where ePHI is created, received, maintained, and transmitted.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hipaa-risk_analysis-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68697061612e7269736b5f616e616c797369733a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hipaa.risk_analysis-*.tsr \ -digest 6d616e75616c2e68697061612e7269736b5f616e616c797369733a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Vendor Management
Annual vendor security review
SOC 2CC9.2PCI12.8.4ISO 270015.19HIPAA164.308(b)(1)CompliantAll vendors with access to production data or systems have been assessed for security controls annually.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-vendor-annual_review-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 6/18/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e76656e646f722e616e6e75616c5f7265766965773a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.vendor.annual_review-*.tsr \ -digest 6d616e75616c2e76656e646f722e616e6e75616c5f7265766965773a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Business associate inventory maintained
HIPAA164.308(b)(1)CompliantA current inventory lists every business associate and subcontractor that creates, receives, maintains, or transmits ePHI on the organization's behalf, with the BAA status and date for each. Reviewed at least annually.
"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."
/uploads/demo/manual-hipaa-baa_inventory-evidence.pdfDigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM
SHA-256: 6d616e75616c2e68697061612e6261615f696e76656e746f72793a64656d6f
Verify with OpenSSL ▾
# 1. Download the .tsr file above # 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA): # curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem # 3. Verify: openssl ts -verify \ -in tsr-manual.hipaa.baa_inventory-*.tsr \ -digest 6d616e75616c2e68697061612e6261615f696e76656e746f72793a64656d6f \ -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem) # Expected: Verification: OK
Third-party service provider (TPSP) list
PCI12.8.1Not StartedA maintained list of all TPSPs with which cardholder data is shared or that could affect the security of the CDE (payment processor, cloud host, ASV, WAF, tag manager) including each party's PCI DSS AoC status and responsibility matrix.
Vendor DPAs / BAAs in place
SOC 2CC9.2PCI12.8.2ISO 270015.20HIPAA164.314(a)(1)Not StartedData Processing Agreements or Business Associate Agreements are signed with all vendors handling customer or sensitive data.
Written PCI responsibility agreements with TPSPs
PCI12.8.2Not StartedSigned written agreements are in place with each TPSP in scope that explicitly acknowledge which PCI DSS requirements they are responsible for on your behalf.