SOC 2 Compliance Alignment
PumaGate infrastructure is designed, built, and operated to meet all of the Trust Services Criteria defined by the AICPA. This page provides a transparent, criterion-by-criterion breakdown of how we align with SOC 2.
Trust Services Criteria
SOC 2 is built on five Trust Services Categories (TSCs) defined by the AICPA. PumaGate addresses every category with purpose-built controls across our infrastructure.
Security (CC)
Protection of information and systems against unauthorized access, both physical and logical, through identity verification, encryption, and intrusion safeguards.
Availability (A)
Systems and infrastructure are available for operation and use as committed, backed by SLAs, redundancy, disaster recovery, and continuous monitoring.
Processing Integrity (PI)
System processing is complete, valid, accurate, timely, and authorized — ensuring data is processed correctly without corruption or unauthorized modification.
Confidentiality (C)
Information designated as confidential is protected as committed, using encryption at rest and in transit, strict access controls, and data classification policies.
Privacy (P)
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the organization’s privacy notice and applicable regulations.
Security (Common Criteria)
Protection against unauthorized access through logical and physical safeguards
| Criterion | PumaGate Implementation | Status |
|---|---|---|
| CC1.1 Control Environment — Integrity & Ethics | Organizational code of conduct, security-first culture, mandatory security awareness training for all personnel. Documented acceptable use policy enforced across the organization. | Met |
| CC1.2 Board Oversight | Leadership team exercises oversight of security controls with quarterly security reviews, risk assessments, and compliance reporting. Dedicated security steering committee. | Met |
| CC1.3 Management Authority & Responsibility | Clearly defined roles and responsibilities for security operations. Segregation of duties between development, operations, and security teams with RBAC enforcement. | Met |
| CC1.4 Competence & Accountability | All engineers undergo background checks and complete security training. Performance evaluations include security competence metrics. Documented incident accountability procedures. | Met |
| CC1.5 Accountability Enforcement | Immutable audit logs capture every administrative and access action. Full session recordings with tamper-proof storage. Accountability enforced via RBAC and team-based permissions. | Met |
| CC2.1 Information & Communication — Internal | Real-time alert notifications via Slack, Teams, PagerDuty, email, and webhooks. Dashboard provides live system health, audit trails, and security event feeds for all stakeholders. | Met |
| CC2.2 Communication — External Parties | Published Trust Center, SLA commitments, incident status page, and transparent security documentation. Customers receive proactive notifications for security-relevant events. | Met |
| CC2.3 Communication of Objectives & Changes | Change events tracked and communicated via built-in change management system. All infrastructure changes generate audit log entries with full attribution and diffing. | Met |
| CC3.1 Risk Assessment — Objectives | Regular threat modeling against all access paths (SSH, RDP, VNC, databases, web). Attack surface analysis built into the platform as a free tool. Risk objectives reviewed quarterly. | Met |
| CC3.2 Risk Identification & Analysis | Continuous vulnerability scanning, penetration testing, and automated health checks across all managed endpoints. Smart alerting system detects anomalies and unauthorized access patterns. | Met |
| CC3.3 Fraud Risk Assessment | Session recording captures full terminal and desktop activity to detect insider threats. Behavioral anomaly detection identifies unauthorized privilege escalation or data exfiltration attempts. | Met |
| CC3.4 Change Impact Assessment | All system changes go through documented change management with pre/post diff tracking. Change events are correlated with health check results to detect regressions automatically. | Met |
| CC4.1 Monitoring Controls | Continuous health check monitoring with configurable intervals (HTTP, TCP, ICMP, DNS, certificate expiry). Smart alerting with escalation policies and maintenance windows to reduce noise. | Met |
| CC4.2 Remediation of Deficiencies | Incident response playbooks built into the platform. Escalation policies route alerts to on-call teams. Post-incident review process with documented corrective actions and follow-up verification. | Met |
| CC5.1 Control Activities — Risk Mitigation | Zero Trust architecture enforces verify-then-trust for every connection. Multi-layered access policies with IP restrictions, time-based access, approval workflows, and just-in-time provisioning. | Met |
| CC5.2 Technology General Controls | Infrastructure-as-code deployments with Terraform, Ansible, and Puppet support. Automated security hardening scripts. All gateway configurations version-controlled and auditable. | Met |
| CC5.3 Policy-Based Controls | Fine-grained access policies per resource with RBAC, team-based permissions, and data masking. Policies enforce protocol-level restrictions, command filtering, and connection time limits. | Met |
| CC6.1 Logical Access — Security Software | MFA enforcement (TOTP, WebAuthn/passkeys) for all users. SSO via SAML 2.0, OIDC, and OAuth 2.0 with leading identity providers. Session re-authentication policies configurable per-org. | Met |
| CC6.2 Logical Access — New Users | Domain-verified SSO auto-provisioning with admin approval workflows. Users assigned to teams with pre-defined RBAC roles. Pending user queue ensures no unauthorized access on signup. | Met |
| CC6.3 Logical Access — Role-Based | Granular RBAC with roles (SuperAdmin, Admin, Operator, Viewer) and team-based permission scoping. Access policies restrict visibility and actions per resource, group, and protocol. | Met |
| CC6.4 Logical Access — Physical | Customer-hosted gateways run in the customer’s own data center or VPC — PumaGate never stores credentials or has standing access to customer infrastructure. | Met |
| CC6.5 Logical Access — Removal | Instant access revocation via user deactivation or SSO deprovision. Active sessions terminated immediately on revocation. Automated offboarding through IdP integration removes all access. | Met |
| CC6.6 Logical Access — System Boundaries | Network micro-segmentation via gateway-level firewall rules. Each gateway enforces its own access boundary. Secure network access with WireGuard creates isolated network segments per team or environment. | Met |
| CC6.7 Transmission Security | All data encrypted in transit using TLS 1.3 and WireGuard tunnels. AES-256 encryption for data at rest. Zero-knowledge secrets vault ensures credentials never leave the gateway. | Met |
| CC6.8 Unauthorized or Malicious Software | Agent software verified via cryptographic signatures. Automatic agent update channels with rollback capability. SSH key auditing and hardening tools detect unauthorized keys or misconfigurations. | Met |
| CC7.1 Detection of Vulnerabilities | Continuous health checks monitor endpoint health, certificate expiry, DNS resolution, and service availability. Smart alerting correlates events to surface emerging threats and anomalies. | Met |
| CC7.2 Monitoring for Anomalies | Comprehensive audit logging of every access event, configuration change, and administrative action. Log forwarding to external SIEM (Splunk, Datadog, Elastic) for advanced correlation and analysis. | Met |
| CC7.3 Incident Response | Built-in incident response playbook generator. Escalation policies with multi-channel alerting (Slack, Teams, PagerDuty, email, SMS). Documented response procedures with SLA-bound response times. | Met |
| CC7.4 Incident Recovery | Session recordings provide forensic evidence for post-incident analysis. Automated health check verification confirms service recovery. Maintenance windows prevent false alarms during planned recovery. | Met |
| CC7.5 Incident Communication | Real-time notifications to stakeholders via configured channels. Public status page for service availability. Post-incident reports shared with affected customers within committed timeframes. | Met |
| CC8.1 Change Management | All infrastructure changes tracked via built-in change event system with before/after diffs, attribution, and timestamps. Changes correlated with health check results for regression detection. | Met |
| CC9.1 Risk Mitigation — Vendor Management | Customer-hosted gateway model eliminates third-party data exposure. Zero-knowledge architecture means PumaGate never accesses customer credentials. Third-party dependencies minimized and audited. | Met |
| CC9.2 Risk Mitigation — Business Disruption | Multi-gateway redundancy with automatic failover helps maintain service continuity during network disruptions. Disaster recovery procedures documented and tested. | Met |
Availability
Systems are available for operation and use as committed or agreed
| Criterion | PumaGate Implementation | Status |
|---|---|---|
| A1.1 Capacity Management | Lightweight Go-based gateway with minimal resource footprint. Customer controls infrastructure sizing. Health checks monitor resource utilization and alert before capacity thresholds are reached. | Met |
| A1.2 Environmental Protections | Customer-hosted gateways leverage the customer’s existing physical and environmental controls. PumaGate control plane runs on SOC 2-certified cloud infrastructure with geographic redundancy. | Met |
| A1.3 Recovery & Continuity | Gateways operate independently of the control plane — existing sessions persist even during control plane outages. Automated backup, restore, and disaster recovery procedures. 99.9% SLA commitment. | Met |
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized
| Criterion | PumaGate Implementation | Status |
|---|---|---|
| PI1.1 Processing Definitions | All data flows and processing pipelines are documented. Access policy engine evaluates rules deterministically with complete audit trail of every decision (allow/deny) and the criteria applied. | Met |
| PI1.2 Input Validation | Strict input validation at every layer — API, CLI, and web UI. UUID validation middleware, parameter sanitization, and request size limits prevent injection attacks and malformed data processing. | Met |
| PI1.3 Processing Accuracy | Data masking rules applied accurately at the gateway level without modifying source data. Session recordings faithfully capture all terminal I/O. Health check results include precise timestamps and response metrics. | Met |
| PI1.4 Output Completeness | Audit logs capture complete event data including actor, action, target, timestamp, IP address, and outcome. API responses include pagination metadata ensuring no data is silently truncated. | Met |
| PI1.5 Error Handling | Graceful error handling with structured error responses. Failed operations logged with full context for debugging. Circuit-breaker patterns prevent cascading failures across gateway fleet. | Met |
Confidentiality
Information designated as confidential is protected as committed
| Criterion | PumaGate Implementation | Status |
|---|---|---|
| C1.1 Confidential Information Identification | Data classification system distinguishes credentials, session data, audit logs, and customer metadata. Zero-knowledge secrets vault ensures credentials are encrypted at the gateway and never transmitted to the control plane. | Met |
| C1.2 Confidential Information Disposal | Session recordings stored with configurable retention policies. Customer-managed recording storage allows organizations to control data lifecycle. Secure deletion procedures for all sensitive data on offboarding. | Met |
Privacy
Personal information is collected, used, retained, and disclosed in conformity with commitments
| Criterion | PumaGate Implementation | Status |
|---|---|---|
| P1.1 Privacy Notice | Comprehensive Privacy Policy published and accessible from every page. Clearly states what personal data is collected, purposes, retention periods, and third-party sharing practices. | Met |
| P2.1 Consent & Choice | Explicit consent obtained during signup. Users can manage notification preferences and data sharing settings. SSO provisioning requires domain verification and admin approval before user creation. | Met |
| P3.1 Collection Limitation | Only minimum necessary personal data collected (email, name, organization). No tracking cookies beyond session management. Customer infrastructure data stays on customer-hosted gateways — never collected by PumaGate. | Met |
| P4.1 Use & Retention | Personal data used solely for service delivery and security operations. Configurable data retention policies. Audit logs retained per customer-defined windows. Account data deleted upon verified request. | Met |
| P5.1 Access & Correction | Users can view and update their profile information at any time. Organization admins can export audit logs and user data. Data access requests handled within published response timeframes. | Met |
| P5.2 Disclosure & Notification | No personal data sold or shared with third parties for marketing. Data processing agreements available for enterprise customers. Breach notification procedures comply with GDPR and applicable regulations. | Met |
| P6.1 Quality | User profile data validated at input. Automated deduplication prevents orphaned accounts. Regular data integrity checks ensure accuracy of user records, team memberships, and permission assignments. | Met |
| P7.1 Monitoring & Enforcement | Privacy controls audited as part of quarterly security reviews. Automated compliance mapper tool validates alignment with privacy regulations. Privacy incidents tracked through the same alerting and escalation framework. | Met |
| P8.1 Data Disposal | Automated data lifecycle management with configurable retention windows. Secure erasure procedures for deprovisioned accounts. Customer-managed recording storage allows full control over data disposal timelines. | Met |