Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →

Foundry Labs, Inc.

Auditor view · Read-only · Expires 10/9/2026

SOC 2 Type II Observation Window FY2026 · 3/13/20269/9/2026Read-only access

Posture score

63%

Passing

34

Failing

20

Warnings

0

About this report — how to read it and how to verify timestamps

What you are looking at

This is a read-only compliance view generated by Scorifya Controls, a self-hosted SOC 2 readiness tool. It reflects the live state of Foundry Labs, Inc.'s control environment — this is not a curated PDF export. The data is queried directly from their instance at the time you load this page. You have no ability to modify anything through this link.

Automated checks

Automated checks run against Foundry Labs, Inc.'s cloud infrastructure (AWS, GitHub, GCP, Azure) using read-only API credentials stored on their server. Each check is tagged with the framework criteria it provides evidence for: AICPA Trust Services Criteria (TSC 2017) for SOC 2, PCI DSS 4.0.1 requirement numbers, ISO/IEC 27001:2022 Annex A controls, and HIPAA Security Rule citations (45 CFR). Use the Framework selector on the report to narrow the checks table to a single framework's evidence (rows without a mapping to that framework are hidden and excluded from the posture score), or leave it on All to see everything. Results shown here are the most recent run. As part of your engagement, you should independently verify material findings directly in their cloud consoles — these results are a starting point, not a substitute for your own testing.

Manual controls and attestations

Manual controls cover areas that cannot be automated: security awareness training, access reviews, vendor assessments, incident response testing, and similar. For each control, Foundry Labs, Inc. has designated an owner, recorded notes, attached evidence files, and set a next-review date. A control marked Compliant means the owner has attested that the control is operating effectively, with supporting evidence available below.

RFC 3161 cryptographic timestamps: what the DigiCert badge means

When Foundry Labs, Inc.saves a manual control attestation, Scorifya Controls immediately sends a SHA-256 fingerprint of the attestation data to DigiCert's Timestamp Authority (TSA). DigiCert signs that fingerprint with the current time and returns a timestamp token (a .tsr file). This token is stored alongside the attestation in their database.

The token proves two things independently of Foundry Labs, Inc. or Scorifya:

  • The attestation data existed at the timestamp shown — it cannot have been backdated.
  • The data has not been modified since — any change would produce a different fingerprint that no longer matches the token.

DigiCert has no knowledge of what the data contains — they only see the hash. They have no relationship with Foundry Labs, Inc. or Scorifya beyond providing a public timestamping service.

About the Timestamp Authorities

Timestamps are issued by DigiCert (primary) or Sectigo (fallback if DigiCert is unreachable at the moment of attestation). Both are among the world's largest certificate authorities, and both have their TSA root certificates included in the Microsoft Windows Root Certificate Program, Apple trust stores, Adobe Approved Trust List (AATL — used by Acrobat), and Java. They are widely used for code signing, legal documents, and financial records. RFC 3161 is the IETF standard for trusted timestamping, published in 2001 and adopted across regulated industries.

Each attestation below shows which TSA issued its timestamp. The expandable verification command is pre-filled with the correct CA certificate URL for that specific TSA.

How to independently verify a timestamp

For any attestation showing a verified badge, you can verify the timestamp yourself using OpenSSL (standard, pre-installed on macOS and Linux). No account or API key is needed. The exact commands — including the correct CA certificate for that attestation's TSA — are shown in the expandable Verify with OpenSSL section under each control.

  1. Click .tsr ↓ next to the control to download the timestamp token.
  2. Expand Verify with OpenSSL on that control — copy and run the two commands shown (one fetches the CA cert, one runs the verification).
  3. Verification: OK means the TSA confirmed this exact content existed at the timestamp shown. Any other result means the token is invalid or the data was modified after timestamping.

The content hash covers: control identifier, attestation status, owner, notes, evidence filenames, and the attestation timestamp. Evidence file contents are not hashed — verify those directly by reviewing the attached files.

Automated checks(54 total)

aws

CheckStatus

CloudTrail enabled in all regions

CloudTrail must be enabled in all regions to provide the activity logs required as SOC 2 audit evidence.

FAIL

CloudTrail log file validation enabled

Log file validation ensures logs have not been tampered with — required for integrity evidence.

PASS

CloudWatch alarm for root account usage

A CloudWatch alarm must fire whenever the root account is used — required by CIS Benchmark 1.7.

PASS

CloudWatch log groups retain at least 12 months

Every CloudWatch log group used for audit evidence must retain at least 365 days of history. Short retention (7/30 day) defaults from CDK/Terraform stacks fail PCI 10.5.1 and weaken SOC 2 detection evidence.

PASS

EBS default encryption enabled

EBS default encryption ensures all new volumes are encrypted automatically.

PASS

GuardDuty enabled in all regions

Amazon GuardDuty provides continuous threat detection and must be active in every region.

FAIL

Load balancer HTTPS listeners require TLS 1.2 or higher

Every ALB and NLB HTTPS/TLS listener must use a security policy that requires TLSv1.2 or higher. Policies permitting TLSv1.0/1.1 fail PCI 4.2.1 (SSL/early-TLS are explicitly retired by PCI SSC).

PASS

MFA enabled for all IAM users

All IAM users with console access must have MFA enabled. Users without MFA are an immediate audit finding.

PASS

No credentials unused for 90+ days

IAM credentials unused for 90 or more days should be disabled or removed.

PASS

No security groups expose SSH/RDP/DB ports to the internet

Security groups must not allow 0.0.0.0/0 access to administrative or database ports (SSH, RDP, Postgres, MySQL, MSSQL, MongoDB, Redis, Elasticsearch, Memcached). PCI 1.4.1 explicitly requires restricting inbound traffic from untrusted networks.

PASS

RDS instances encrypted at rest

All RDS database instances must have storage encryption enabled.

FAIL

RDS instances enforce TLS at the parameter group

Every RDS instance (Postgres, MySQL/MariaDB, SQL Server, Aurora) must enforce TLS at the parameter-group level: rds.force_ssl=1 or require_secure_transport=ON. Enabling TLS support is not enough — clients can still connect in plaintext unless the engine rejects them. PCI 4.2.1 requires this end-to-end.

PASS

RDS instances use non-default master username

The RDS master username cannot be renamed after creation. Well-known defaults (admin, postgres, root, sa, mysql, oracle, master) are the first attackers try in credential spraying and fail PCI 2.2.5 (vendor defaults).

PASS

Root account has no active access keys

The AWS root account should never have active access keys. Root keys cannot be scoped and represent full account compromise if leaked.

FAIL

S3 buckets encrypted at rest

All S3 buckets must have server-side encryption enabled (SSE-S3 or SSE-KMS).

PASS

S3 public access block enabled

All S3 buckets should have public access blocked at the account level.

PASS

S3 versioning enabled on critical buckets

Versioning protects against accidental deletion and supports availability commitments.

FAIL

Strong password policy configured

IAM password policy must enforce minimum length (14+), complexity, and rotation requirements.

PASS

VPC Flow Logs enabled

VPC Flow Logs capture network traffic and are required for security monitoring and incident investigation.

FAIL

azure

CheckStatus

Azure Activity Log diagnostic settings configured

Activity Log diagnostic settings must be configured to retain Administrative, Security, Alert, and Policy events.

FAIL

Azure Key Vault in use for secrets management

At least one Key Vault must exist in the subscription to manage application secrets, keys, and certificates.

PASS

Azure PostgreSQL enforces SSL

Every Azure Database for PostgreSQL Flexible Server should have require_secure_transport = ON so client connections must use TLS.

FAIL

Azure SQL Transparent Data Encryption enabled

Every user database on every Azure SQL server should have Transparent Data Encryption (TDE) enabled — on by default for new databases but can be disabled per-database.

FAIL

Azure SQL server-level auditing enabled

Every Azure SQL logical server should have server-level auditing enabled to capture data plane and management events.

PASS

Azure Storage account public blob access disabled

All storage accounts must have Allow Blob Public Access set to Disabled to prevent unintentional data exposure.

FAIL

Azure managed disks encrypted at rest

All Azure managed disks must use platform-managed or customer-managed encryption at rest.

FAIL

Key Vaults use Azure RBAC

Every Key Vault should use Azure RBAC for data-plane authorization instead of the legacy access-policy model, so access changes surface in IAM reviews.

FAIL

Log Analytics workspaces retain logs for 90+ days

Every Log Analytics workspace should retain logs for at least 90 days so security-relevant events remain queryable during an audit window.

PASS

MFA enforced via Security Defaults or Conditional Access

MFA must be enforced for all users via Azure Security Defaults or a Conditional Access policy.

FAIL

Microsoft Defender for Cloud enabled on key workloads

Defender for Cloud Standard tier must be enabled for VMs, SQL, App Services, Storage, and Containers.

PASS

No NSG rule opens SSH/RDP to the internet

No Network Security Group rule should allow inbound TCP 22 or 3389 from Internet / 0.0.0.0/0 / *.

PASS

No stale Azure AD guest users

Guest users who have not signed in for 90+ days (or have never signed in and were invited 90+ days ago) should be reviewed and removed.

PASS

Privileged Identity Management activated for admin roles

Global Administrator and Privileged Role Administrator assignments should be managed through Privileged Identity Management (PIM) as just-in-time eligibilities, not permanent active assignments. Requires Entra ID P2 licensing.

PASS

Storage accounts require HTTPS

Every storage account should have 'Secure transfer required' enabled so blob, file, queue, and table endpoints reject cleartext HTTP.

FAIL

gcp

CheckStatus

2-Step Verification enforced for all Google Workspace users

All Google Workspace users must be enrolled in 2-Step Verification. Requires domain-wide delegation to the Admin SDK.

PASS

Cloud Audit Logs enabled for all services

Cloud Audit Logs must capture Admin Activity, Data Read, and Data Write events for all services at the project level.

FAIL

Cloud SQL instances encrypted at rest

All Cloud SQL instances should have encryption at rest enabled — Google-managed by default, or CMEK for stronger key custody.

FAIL

Cloud SQL requires SSL connections

Cloud SQL instances should require SSL/TLS for all connections to prevent credential and data exposure over the wire.

PASS

Compute Engine disks are encrypted

Every Compute Engine persistent disk should be encrypted, either with a customer-managed key (CMEK) or the default Google-managed key.

PASS

GCS buckets block public access

All Cloud Storage buckets must have Public Access Prevention enforced and no allUsers/allAuthenticatedUsers IAM bindings.

PASS

KMS symmetric keys rotate within 90 days

Every Cloud KMS symmetric encryption key should have automated rotation enabled with a period of 90 days or less.

PASS

Long-term log sink configured

At least one log sink should route project logs to BigQuery, Cloud Storage, Pub/Sub, or a custom log bucket to meet the 12-month audit-log retention requirement.

PASS

No firewall rule opens SSH/RDP to the internet

No VPC firewall rule should allow ingress to TCP 22 or 3389 from 0.0.0.0/0 — the most common exploit path for GCE instances.

PASS

OS Login is enforced at the project level

OS Login centralizes SSH access to Compute Engine through IAM identities instead of instance metadata keys; enforce it project-wide.

PASS

Primitive IAM roles (Owner/Editor) not assigned to users

The Owner and Editor primitive roles grant broad permissions and should not be assigned to human users in production.

PASS

Service account keys not older than 90 days

User-managed service account keys older than 90 days should be rotated to reduce credential compromise risk.

FAIL

The default VPC network has been removed

The auto-created 'default' VPC ships with permissive firewall rules and no flow logs; every benchmark recommends deleting it in production projects.

PASS

Uniform bucket-level access enabled on GCS buckets

Uniform bucket-level access must be enabled to ensure consistent IAM-only access control with no legacy ACLs.

PASS

VPC Flow Logs enabled on all subnets

VPC Flow Logs must be enabled on all subnets to capture network traffic for security monitoring and incident investigation.

FAIL

github

CheckStatus

2FA required for all org members

GitHub organization must require 2FA for all members.

PASS

Default branch protection enabled

Main/master branch must require PR reviews before merging. Direct pushes are a change management finding.

FAIL

Dependabot security alerts enabled

Dependabot must be enabled on all repositories to detect known vulnerabilities in dependencies.

PASS

Required status checks on default branch

CI checks must pass before merging to default branch.

FAIL

Secret scanning enabled

GitHub secret scanning detects accidentally committed credentials.

PASS

Manual controls(15 of 49 attested compliant)

Each compliant attestation carries an RFC 3161 timestamp from a trusted Certificate Authority (DigiCert or Sectigo), independently verifiable with OpenSSL.

Access Management

NDAs signed by all employees

SOC 2CC1.4ISO 270016.6HIPAA164.308(a)(3)(ii)(A)Compliant

Confidentiality and non-disclosure agreements are signed by all employees and contractors.

Owner: Sarah ChenNext review: 5/20/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-access-nda-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/20/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e6163636573732e6e64613a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.access.nda-*.tsr \
  -digest 6d616e75616c2e6163636573732e6e64613a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Offboarding access revoked within 24h

SOC 2CC6.2PCI8.2.5ISO 270016.5HIPAA164.308(a)(3)(ii)(C)Not Started

System access for terminated employees is revoked within 24 hours of separation.

Privileged access reviewed quarterly

SOC 2CC6.3PCI7.2.5ISO 270018.2HIPAA164.308(a)(4)(ii)(B)Not Started

Administrator and privileged accounts are reviewed quarterly. Access is granted on least-privilege principles.

Quarterly user access review

SOC 2CC6.2PCI7.2.4ISO 270015.18HIPAA164.308(a)(4)(ii)(C)Compliant

User access to production systems and sensitive data is formally reviewed and certified every quarter.

Owner: Sarah ChenNext review: 5/20/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-access-quarterly_review-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/20/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e6163636573732e717561727465726c795f7265766965773a64

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.access.quarterly_review-*.tsr \
  -digest 6d616e75616c2e6163636573732e717561727465726c795f7265766965773a64 \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Asset Management

Information asset inventory maintained

ISO 270015.9Not Started

An inventory of information and associated assets (systems, data, media, cloud services) is maintained together with ownership and classification. Reviewed at least annually and updated when assets are added or retired.

Business Continuity

Annual disaster recovery test

SOC 2A1.2ISO 270015.30HIPAA164.308(a)(7)(ii)(D)Not Started

A disaster recovery test has been conducted in the current year and results have been reviewed by management.

Application and data criticality analysis

HIPAA164.308(a)(7)(ii)(E)Not Started

The relative criticality of specific applications and data in support of contingency planning has been assessed and documented: which systems hold or process ePHI, their recovery priority, and the maximum tolerable downtime for each.

Business continuity plan documented

SOC 2CC9.1ISO 270015.29HIPAA164.308(a)(7)(i)Not Started

A business continuity plan has been reviewed, approved, and covers recovery time and recovery point objectives.

Cardholder Data

Cardholder data flow diagram documented

PCI12.5.2Not Started

A current diagram exists showing how cardholder data enters, is processed by, and leaves your systems (Stripe hosted Checkout, iframe, redirect). Reviewed and updated at least annually or upon any material change to the flow.

Payment-page script inventory + authorization

PCI6.4.3Not Started

A list of every script loaded on any page that accepts payment card data (including SAQ A hosted-Checkout redirect pages) is maintained with a documented business justification for each. Any script not on the list is treated as unauthorized.

Quarterly PCI scope confirmation

PCI12.5.2Not Started

Every quarter, the CDE boundary is re-confirmed: what systems store, process, or transmit PAN; what systems are connected-to or security-impacting; what is out of scope and why. Changes are documented.

Change Management

Change management approval process

SOC 2CC8.1PCI6.5.1ISO 270018.32Not Started

All production changes go through a documented approval process including testing requirements and rollback procedures.

Security requirements in SDLC

SOC 2CC8.1ISO 270018.25Not Started

Security requirements are incorporated into the software development lifecycle including code review and security testing.

Governance

Annual CMMC L1 self-assessment and SPRS affirmation

CMMC L132 CFR 170.22Compliant

A CMMC Level 1 self-assessment against all 17 practices has been completed within the past 12 months, and a senior official has affirmed continuing compliance in the Supplier Performance Risk System (SPRS). The assessment record and the affirmation date are retained.

Owner: Sarah ChenNext review: 5/18/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-cmmc-sprs_affirmation-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e636d6d632e737072735f61666669726d6174696f6e3a64656d

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.cmmc.sprs_affirmation-*.tsr \
  -digest 6d616e75616c2e636d6d632e737072735f61666669726d6174696f6e3a64656d \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

FCI scoping documented

CMMC L1AC.L1-3.1.1Compliant

The systems, storage locations, and external connections that store, process, or transmit Federal Contract Information are identified and documented, including which contracts the FCI relates to. Reviewed at least annually and when systems or contracts change. Knowing where FCI lives is the precondition for limiting access to it.

Owner: Sarah ChenNext review: 5/18/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-cmmc-fci_scoping-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e636d6d632e6663695f73636f70696e673a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.cmmc.fci_scoping-*.tsr \
  -digest 6d616e75616c2e636d6d632e6663695f73636f70696e673a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

HIPAA security official designated

HIPAA164.308(a)(2)Compliant

A specific individual is formally designated as the security official responsible for developing and implementing the Security Rule policies and procedures. The designation is documented and current.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hipaa-security_officer-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68697061612e73656375726974795f6f6666696365723a6465

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hipaa.security_officer-*.tsr \
  -digest 6d616e75616c2e68697061612e73656375726974795f6f6666696365723a6465 \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

ISMS scope defined and documented

ISO 27001Cl. 4.3Not Started

The scope of the Information Security Management System is documented, including boundaries and applicability, interfaces and dependencies, and any exclusions with justification. Reviewed at least annually and after significant organizational change.

Information security objectives set and measured

ISO 27001Cl. 6.2Not Started

Information security objectives are established at relevant functions and levels, are consistent with the security policy, are measurable where practical, and are monitored, communicated, and updated as appropriate.

Information security policy approved

SOC 2CC5.3ISO 270015.1HIPAA164.316(a)Compliant

A formal information security policy has been reviewed and approved by management within the past 12 months.

Owner: Sarah ChenNext review: 7/3/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-governance-security_policy-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/3/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e676f7665726e616e63652e73656375726974795f706f6c6963

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.governance.security_policy-*.tsr \
  -digest 6d616e75616c2e676f7665726e616e63652e73656375726974795f706f6c6963 \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Management information security oversight

SOC 2CC1.1ISO 270015.4HIPAA164.308(a)(1)(i)Compliant

Management reviews and approves the information security program annually and accountability is assigned.

Owner: Sarah ChenNext review: 7/3/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-governance-board_oversight-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/3/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e676f7665726e616e63652e626f6172645f6f76657273696768

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.governance.board_oversight-*.tsr \
  -digest 6d616e75616c2e676f7665726e616e63652e626f6172645f6f76657273696768 \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Management review of the ISMS completed

ISO 27001Cl. 9.3Not Started

Top management has reviewed the ISMS within the past 12 months, considering audit results, feedback, risk assessment results, achievement of objectives, and opportunities for improvement. Decisions and actions are documented.

Statement of Applicability documented

ISO 27001Cl. 6.1.3Not Started

A current Statement of Applicability lists every Annex A control, whether it is included or excluded, the justification for the decision, and whether it is implemented. Updated whenever the risk treatment plan or applied controls change.

HR & Training

Annual security awareness training

SOC 2CC1.4PCI12.6.1ISO 270016.3HIPAA164.308(a)(5)(i)Compliant

All employees have completed security awareness training in the current calendar year.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hr-security_training-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68722e73656375726974795f747261696e696e673a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hr.security_training-*.tsr \
  -digest 6d616e75616c2e68722e73656375726974795f747261696e696e673a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Background checks for new hires

SOC 2CC1.4PCI12.7.1ISO 270016.1HIPAA164.308(a)(3)(ii)(B)Compliant

Pre-employment background checks are conducted for all employees with access to production systems.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hr-background_checks-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68722e6261636b67726f756e645f636865636b733a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hr.background_checks-*.tsr \
  -digest 6d616e75616c2e68722e6261636b67726f756e645f636865636b733a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

PCI security awareness training (annual)

PCI12.6.1Not Started

Personnel with access to systems in scope for PCI DSS complete PCI-specific security awareness training at hire and at least annually thereafter. Training covers cardholder data handling, phishing, and role-specific responsibilities. Attendance and materials are retained.

Workforce sanction policy documented

HIPAA164.308(a)(1)(ii)(C)Not Started

A documented sanction policy applies appropriate consequences to workforce members who fail to comply with security policies and procedures. Application of sanctions is recorded when they occur.

Incident Response

Annual IR tabletop exercise

SOC 2CC7.4PCI12.10.2ISO 270015.24HIPAA164.308(a)(6)(ii)Not Started

An incident response tabletop exercise has been conducted in the current year and results have been documented.

Breach notification process documented

SOC 2CC7.5PCI12.10.3ISO 270016.8HIPAA164.404Not Started

A breach notification process is documented and tested, complying with applicable regulatory requirements.

Card-breach incident response playbook

PCI12.10.1Not Started

The incident response plan includes card-brand-specific breach notification steps: forensics firm on retainer, card-brand notification contacts (Visa/Mastercard/Amex/Discover), acquirer notification path, and evidence preservation procedures for CHD-related incidents.

Incident response plan documented

SOC 2CC7.4PCI12.10.1ISO 270015.24HIPAA164.308(a)(6)(i)Compliant

A formal incident response plan exists, has been approved by management, and is reviewed and updated annually.

Owner: Sarah ChenNext review: 7/1/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-incident-ir_plan-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/1/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e696e636964656e742e69725f706c616e3a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.incident.ir_plan-*.tsr \
  -digest 6d616e75616c2e696e636964656e742e69725f706c616e3a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Monitoring

Annual penetration test

SOC 2CC7.1PCI11.4.1ISO 270018.8HIPAA164.308(a)(8)Not Started

An annual penetration test has been completed by a qualified third party and critical findings have been remediated.

ISMS internal audit completed

ISO 27001Cl. 9.2Not Started

An internal audit of the ISMS has been conducted within the past 12 months against the requirements of ISO/IEC 27001 and the organization's own procedures. Findings are documented and tracked to closure.

Nonconformities and corrective actions tracked

ISO 27001Cl. 10.2Not Started

Nonconformities identified through audit, incident, or review are logged with root cause, corrective action, responsible owner, and closure evidence. The tracker is reviewed by management on a defined cadence.

Payment-page tamper detection evidence

PCI11.6.1Not Started

A change-detection mechanism is in place on all payment pages (including redirects to hosted Checkout) that alerts on unauthorized modification of headers, scripts, or content. Evidence of alert testing and any triaged alerts is retained.

Physical Safeguards

Device and media controls documented

HIPAA164.310(d)(1)Not Started

Policies govern the receipt, movement, reuse, and disposal of hardware and electronic media containing ePHI: sanitization before reuse, destruction records for disposed media, accountability logs for media movement, and backup before equipment moves.

Facility access controls documented

HIPAA164.310(a)(1)Not Started

Policies and procedures limit physical access to systems containing ePHI and the facilities housing them (office, data-room, or the physical-access responsibilities delegated to a cloud or colocation provider), while ensuring authorized access is allowed. Contingency operations and facility security plans are addressed.

Media sanitized before disposal or reuse

CMMC L1MP.L1-3.8.3Compliant

Information system media containing Federal Contract Information, paper and digital, is sanitized or destroyed before disposal or release for reuse, with a record of what was sanitized or destroyed, when, how, and by whom.

Owner: Sarah ChenNext review: 5/18/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-cmmc-media_disposal-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 5/18/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e636d6d632e6d656469615f646973706f73616c3a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.cmmc.media_disposal-*.tsr \
  -digest 6d616e75616c2e636d6d632e6d656469615f646973706f73616c3a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Physical access devices controlled

CMMC L1PE.L1-3.10.5Not Started

Keys, badges, access cards, and other physical access devices for areas housing Federal Contract Information are inventoried, issued against named individuals, and recovered or deactivated when no longer needed.

Visitors escorted and activity logged

CMMC L1PE.L1-3.10.3Not Started

Visitors to facilities housing systems with Federal Contract Information are escorted, their activity is monitored, and physical access is logged. For fully cloud-hosted environments, the provider's physical-access responsibility and any office areas where FCI is handled are both addressed.

Workstation use and security policy

HIPAA164.310(b)Compliant

Policies specify the proper functions, manner of use, and physical safeguards for workstations that can access ePHI: screen locking, disk encryption on laptops, clean-desk expectations for PHI, and restrictions on public or shared devices.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hipaa-workstation_security-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68697061612e776f726b73746174696f6e5f73656375726974

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hipaa.workstation_security-*.tsr \
  -digest 6d616e75616c2e68697061612e776f726b73746174696f6e5f73656375726974 \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Risk Management

Annual risk assessment completed

SOC 2CC3.1PCI12.3.1ISO 27001Cl. 6.1.2HIPAA164.308(a)(1)(ii)(B)Not Started

An information security risk assessment covering the in-scope environment has been completed in the current year.

Fraud risk assessment

SOC 2CC3.3ISO 270015.7Not Started

Fraud risks have been identified and controls are in place and monitored to mitigate them.

Risk treatment plan approved

ISO 27001Cl. 6.1.3Not Started

A risk treatment plan is documented showing selected treatment options, necessary controls (from Annex A and elsewhere), residual risk, and risk-owner approvals. Reviewed after the annual risk assessment or upon significant change.

ePHI-scoped risk analysis completed

HIPAA164.308(a)(1)(ii)(A)Compliant

An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI has been completed, is documented, and is updated when the environment or threat landscape changes materially. Scope explicitly identifies where ePHI is created, received, maintained, and transmitted.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hipaa-risk_analysis-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68697061612e7269736b5f616e616c797369733a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hipaa.risk_analysis-*.tsr \
  -digest 6d616e75616c2e68697061612e7269736b5f616e616c797369733a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Vendor Management

Annual vendor security review

SOC 2CC9.2PCI12.8.4ISO 270015.19HIPAA164.308(b)(1)Compliant

All vendors with access to production data or systems have been assessed for security controls annually.

Owner: Sarah ChenNext review: 6/18/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-vendor-annual_review-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 6/18/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e76656e646f722e616e6e75616c5f7265766965773a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.vendor.annual_review-*.tsr \
  -digest 6d616e75616c2e76656e646f722e616e6e75616c5f7265766965773a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Business associate inventory maintained

HIPAA164.308(b)(1)Compliant

A current inventory lists every business associate and subcontractor that creates, receives, maintains, or transmits ePHI on the organization's behalf, with the BAA status and date for each. Reviewed at least annually.

Owner: Sarah ChenNext review: 7/2/2027

"Reviewed by demo admin. Evidence file uploaded; placeholder for demo purposes."

/uploads/demo/manual-hipaa-baa_inventory-evidence.pdf

DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA verified· 7/2/2026, 11:15:16 PM

SHA-256: 6d616e75616c2e68697061612e6261615f696e76656e746f72793a64656d6f

Download .tsr token ↓
Verify with OpenSSL ▾
# 1. Download the .tsr file above
# 2. Get the TSA root certificate (DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA):
#    curl -O https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem
# 3. Verify:
openssl ts -verify \
  -in tsr-manual.hipaa.baa_inventory-*.tsr \
  -digest 6d616e75616c2e68697061612e6261615f696e76656e746f72793a64656d6f \
  -CAfile $(basename https://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt.pem)
# Expected: Verification: OK

Third-party service provider (TPSP) list

PCI12.8.1Not Started

A maintained list of all TPSPs with which cardholder data is shared or that could affect the security of the CDE (payment processor, cloud host, ASV, WAF, tag manager) including each party's PCI DSS AoC status and responsibility matrix.

Vendor DPAs / BAAs in place

SOC 2CC9.2PCI12.8.2ISO 270015.20HIPAA164.314(a)(1)Not Started

Data Processing Agreements or Business Associate Agreements are signed with all vendors handling customer or sensitive data.

Written PCI responsibility agreements with TPSPs

PCI12.8.2Not Started

Signed written agreements are in place with each TPSP in scope that explicitly acknowledge which PCI DSS requirements they are responsible for on your behalf.