Settings
Organization, notifications, audit periods, and framework currency.
SOC 2 Type II requires a defined observation window (typically 6–12 months). Create a period before your audit starts.
Create new period
Your Scorifya Controls license key. Check runs and attestations are paused when inactive.
Keys are validated against your LICENSE_VALIDATION_URL. Without a validation server, keys stay inactive unless LICENSE_DEV_MODE=1 is set for local development.
Generate a time-limited read-only link to share with your auditor or CPA firm. Each link shows all automated check results, manual control attestations, and RFC 3161 timestamps.
Generate new link
The framework versions your Controls instance is mapped against, when Scorifya last confirmed them, and where the canonical source lives.
AICPA Trust Services Criteria. Base is 2017; points of focus were revised in 2022 without a version bump (still referred to as TSC 2017).
Released June 2024. All future-dated 4.0 requirements have been enforceable since 31 March 2025.
Third edition. Annex A restructured to 93 controls in 4 themes (Organizational, People, Physical, Technological). Companion guidance is ISO/IEC 27002:2022.
When the authority publishes a new version, Scorifya updates the registry, refreshes the check mappings, and ships a Controls release. Upgrade with docker compose pull && docker compose up -d.
Checks should be reviewed against the current AICPA TSC 2017 (SOC 2), PCI DSS 4.0.1, and CIS Benchmarks at least quarterly.