
Trust Center

SOC 2 Audit

Service Organization Control 2 — Trust Service Criteria. Audited on 05.07.2026.

SOC 2 Trust Service Criteria, overall compliance level: 🟢 93%

Security 🟢 96%
Availability 🟢 95%
Processing Integrity 🟢 95%
Confidentiality 🟢 88%
Privacy 🟢 90%

Critical Gaps: 0
High Gaps: 0
Medium/Low Gaps: 5
Controls Verified: 38
TSC Covered: 5/5

1. Security

96 %

The system is protected against unauthorized access

Access Control (Fortify + Filament Policies)
Password Policy (mixed case, length, special chars)
Session Management (encrypted, HttpOnly, SameSite)
TLS 1.3 + HSTS + CSP Level 3
2FA/MFA (Fortify Two-Factor)
Audit Logging (AuditLogObserver + ChronicleEntry)
Vulnerability Management (composer/npm audit, SecurityScan)
File Upload Security (OwaspUploadSecurity Middleware)
Tenant Isolation (EnsureTenantSelected + Spatie Permission)
Rate Limiting (Fortify 5/min + CSRF 419)
Imunify360 Real-Time Malware Scan

2. Availability

95 %

The system is available for operation and use

HealthGuardianService (15-min health checks)
AutoHealMiddleware + AutoHealService
Paperclip Heartbeat Monitoring (16 agents, 30s tick)
DB Backups (10 Retention, 60min Interval, 30d)
Staging 1:1 Clone (staging.amartens.com)
deploy-hook.php (auto-recover + maintenance-mode fix)
DeployRollback Command + full-deploy.sh
Local + off-site Backups

3. Processing Integrity

95 %

System processing is complete, valid, accurate, timely, and authorized

Input Validation (22 FormRequest classes)
Audit Trail (AuditLog Model + Chronicle immutable chain)
Data Quality (DataQualityReport + AuditDataQuality)
Approval Workflow (HumanGate + DecisionLog)
QualityGates Test Suite (35 Tests, 2218 Assertions)

4. Confidentiality

88 %

Information designated as confidential is protected

TLS 1.3 + HSTS (Data in Transit)
Session Encryption (SESSION_ENCRYPT=true)
API Key Hashing (Hash::make + key_hash column)
Admin Middleware (EnsureIsAdmin)
API Key Auth Middleware
SQLite file-based encryption ⚠️

5. Privacy

90 %

Personal information is collected, used, retained, disclosed, and disposed in conformity with commitments

Account Deletion (AccountDeletionController + Fortify)
Cookie Consent (CookieNoticeMiddleware)
CSRF Protection (Token on all POST/PUT/DELETE)
DPIA Views (3 Data Protection Impact Assessments)
Newsletter Double-Opt-In + Consent Tracking
Data Retention (PruneErrors, CleanupOldLogs, HealthPruneHistory)

SOC 2 audit performed on 05.07.2026 06:59 · Resilience Platform · Next review: 05.10.2026

Trust Service Criteria based on the AICPA SOC 2 Framework · Automated control verification