Settings

Organization, notifications, audit periods, and framework currency.

Organization

Shown in the dashboard header, the printed report, and the auditor share link. Host the image on your own asset host; the URL must be HTTPS.

Notifications

Posted to when new check failures are detected after a run.

Email notifications require SMTP integration (coming soon).

Authentication

App password is set via APP_PASSWORD in .env. Edit and restart to change.

For Clerk managed auth, see src/lib/auth-providers/clerk.ts.

Audit Periods

SOC 2 Type II requires a defined observation window (typically 6–12 months). Create a period before your audit starts.

Create new period

License

Your Scorifya Controls license key. Check runs and attestations are paused when inactive.

Keys are validated against your LICENSE_VALIDATION_URL. Without a validation server, keys stay inactive unless LICENSE_DEV_MODE=1 is set for local development.

Audit Access

Generate a time-limited read-only link to share with your auditor or CPA firm. Each link shows all automated check results, manual control attestations, and RFC 3161 timestamps.

Generate new link

Framework versions in use

The framework versions your Controls instance is mapped against, when Scorifya last confirmed them, and where the canonical source lives.

SOC 2SOC 2 TSC (2017, revised 2022)TSC-2017

AICPA Trust Services Criteria. Base is 2017; points of focus were revised in 2022 without a version bump (still referred to as TSC 2017).

Effective: 2017-04-15Last reviewed: 2026-07-02 by ScorifyaNext review: 2027-01-02 (in 174d)
Canonical source
PCIPCI DSS 4.0.1DSS-4.0.1

Released June 2024. All future-dated 4.0 requirements have been enforceable since 31 March 2025.

Effective: 2025-03-31Last reviewed: 2026-07-02 by ScorifyaNext review: 2027-01-02 (in 174d)
Canonical source
ISO 27001ISO/IEC 27001:202227001-2022

Third edition. Annex A restructured to 93 controls in 4 themes (Organizational, People, Physical, Technological). Companion guidance is ISO/IEC 27002:2022.

Effective: 2022-10-25Last reviewed: 2026-07-10 by ScorifyaNext review: 2027-01-10 (in 182d)
Canonical source

When the authority publishes a new version, Scorifya updates the registry, refreshes the check mappings, and ships a Controls release. Upgrade with docker compose pull && docker compose up -d.

Framework Currency

Checks should be reviewed against the current AICPA TSC 2017 (SOC 2), PCI DSS 4.0.1, and CIS Benchmarks at least quarterly.