Property PrismDev Hub

Audit Evidence Index

Where to find evidence for each SOC 2 control area. Single reference for auditors and internal reviewers.

Updated Apr 3, 2026

Owner: Backend Lead / Compliance
Last Edited: March 26, 2026
Last Reviewed: March 26, 2026


How to Use This Index

Each section maps a control area to the evidence that demonstrates the control is operating. Evidence is either:

  • In-repo — a file, workflow, or test that can be read directly.
  • Operational — produced by running the system (logs, screenshots, records). These must be collected and stored separately.

For a SOC 2 Type I assessment, you need to show the controls are designed and in place. For Type II, you also need to show they operated consistently over the audit period.


1. Identity, Authentication, and Authorization

| Control | Evidence location | Type |
|---|---|---|
| Clerk JWT validation enforced | go-backend/internal/middleware/auth.go | In-repo |
| Strict scope mode default | go-backend/cmd/api/main.go (STRICT_CLERK_SCOPES=true) | In-repo |
| All protected routes require explicit scope | go-backend/internal/handler/*_handler.go (each RequireScope(...) call) | In-repo |
| Scope contract tests | go-backend/internal/handler/scope_contract_test.go | In-repo |
| API key management scope-gated | go-backend/internal/handler/apikey_handler.go | In-repo |
| Role and permission mapping | docs/security/access-control-policy.md | In-repo |
| Clerk MFA/SSO enforcement | Clerk dashboard screenshot / config export | Operational |
| Monthly access review records | docs/audit/access-reviews/ | Operational |
| Onboarding/offboarding checklist | docs/security/access-control-policy.md (Sections 4–6) | In-repo |
| Sample terminated-user deprovision record | docs/audit/access-reviews/ | Operational |

2. Org Isolation and Data Authorization

| Control | Evidence location | Type |
|---|---|---|
| Org isolation architecture | docs/backend/go-backend-architecture.md | In-repo |
| Org isolation enforced in mock repos | go-backend/internal/testutil/mocks.go | In-repo |
| Cross-org denial regression tests | go-backend/internal/handler/org_isolation_test.go | In-repo |
| Org isolation test results (CI) | GitHub Actions run logs for Go Backend CI | Operational |
| Buildings explicitly public (no org_id) | go-backend/internal/handler/building_handler.go (comment line 22) | In-repo |

3. Network Security and Transport Encryption

| Control | Evidence location | Type |
|---|---|---|
| TLS architecture guidance | docs/ops/https-tls.md | In-repo |
| Backend binds to loopback only | go-backend/ops/deploy/docker-compose.yml | In-repo |
| HSTS and security headers (frontend) | frontend/public/_headers | In-repo |
| Production CORS origins env-driven | go-backend/cmd/api/main.go | In-repo |
| Cloudflare tunnel / LB config | Cloudflare dashboard screenshot | Operational |
| Certificate inventory | Cloudflare / LB console export | Operational |
| Firewall / security group rules | Cloud provider console export | Operational |

4. Secrets Management

| Control | Evidence location | Type |
|---|---|---|
| Secret management policy | docs/security/secrets-management.md | In-repo |
| Centralized secrets manager (Infisical) | Infisical project audit log export | Operational |
| Infisical → Render sync (backend) | Infisical integration config screenshot | Operational |
| Infisical → Cloudflare Pages sync (frontend) | Infisical integration config screenshot | Operational |
| .env excluded from version control | .gitignore | In-repo |
| VITE_* documented as public | docs/backend/go-backend-development.md | In-repo |
| Secret scanning configured | .github/secret_scanning.yml | In-repo |
| Push protection enabled | GitHub repo settings (screenshot) | Operational |
| Rotation log (Infisical version history) | Infisical secret version history export | Operational |
| RBAC on secrets | Infisical project member list / role export | Operational |

5. Logging, Audit, and Monitoring

| Control | Evidence location | Type |
|---|---|---|
| Audit middleware with DB persistence | go-backend/internal/middleware/audit.go | In-repo |
| Sensitive route coverage | go-backend/internal/middleware/audit.go (sensitiveRoutes map) | In-repo |
| Sensitive field redaction | go-backend/internal/middleware/audit.go (sanitizeRequestBody) | In-repo |
| Structured request logging | go-backend/cmd/api/main.go (loggingMiddleware) | In-repo |
| Sentry error tracking and performance monitoring | Sentry project dashboard | Operational |
| Prometheus metrics configs (local/dev only) | go-backend/ops/prometheus/, go-backend/ops/alertmanager/ | In-repo |
| Grafana dashboard (local/dev only) | go-backend/ops/grafana/dashboards/prism-api-overview.json | In-repo |
| Alert playbooks | docs/ops/go-backend-runbook.md (Sections 6, 14) | In-repo |
| Sample audit log records | API: GET /api/v1/audit-logs export | Operational |
| Log retention settings | Render log retention / Sentry retention settings | Operational |
| Alert firing history | Sentry alert history | Operational |

6. Change Management and SDLC

| Control | Evidence location | Type |
|---|---|---|
| Backend CI workflow | .github/workflows/go-backend-ci.yml | In-repo |
| Frontend CI workflow | .github/workflows/frontend-ci.yml | In-repo |
| CodeQL SAST | .github/workflows/codeql.yml | In-repo |
| Dependency review on PRs | .github/workflows/dependency-review.yml | In-repo |
| Dependabot auto-updates | .github/dependabot.yml | In-repo |
| Swagger drift check | .github/scripts/check-swagger-drift.sh | In-repo |
| Branch protection rules | docs/ops/go-backend-runbook.md (Section 13) | In-repo |
| Branch protection config | GitHub repo settings (screenshot or API export) | Operational |
| PR approval history | GitHub pull request list | Operational |
| CI run logs | GitHub Actions history | Operational |
| Deployment approval records | GitHub merge history / deployment log | Operational |

7. Vulnerability Management

| Control | Evidence location | Type |
|---|---|---|
| Vulnerability management policy | docs/security/vulnerability-management.md | In-repo |
| Dependabot alert history | GitHub → Security → Dependabot | Operational |
| CodeQL finding history | GitHub → Security → Code scanning | Operational |
| Vulnerability log | docs/security/vulnerability-management.md (Section 6) | Operational |
| Patch SLA evidence | Vulnerability log + PR timestamps | Operational |

8. Availability, Backup, and DR

| Control | Evidence location | Type |
|---|---|---|
| Backup and DR policy | docs/security/backup-restore-and-dr.md | In-repo |
| Production runbook (deploy, rollback) | docs/ops/production-runbook.md | In-repo |
| Restore procedure | docs/security/backup-restore-and-dr.md (Section 4) | In-repo |
| Backup job records | Managed DB console (Supabase / RDS) export | Operational |
| Restore drill results | docs/audit/restore-drills/ | Operational |
| Pre-migration snapshot records | docs/ops/production-runbook.md (Section 5) | Operational |
| Uptime / availability metrics | Render metrics / external uptime monitor export | Operational |

9. Incident Response

| Control | Evidence location | Type |
|---|---|---|
| Incident response policy | docs/security/incident-response.md | In-repo |
| Severity definitions | docs/security/incident-response.md (Section 1) | In-repo |
| Incident records / postmortems | docs/audit/incidents/ | Operational |
| Tabletop exercise notes | docs/audit/incidents/tabletop-YYYY-MM-DD.md | Operational |

10. Governance and Policy

| Control | Evidence location | Type |
|---|---|---|
| Access control policy | docs/security/access-control-policy.md | In-repo |
| Incident response policy | docs/security/incident-response.md | In-repo |
| Vulnerability management policy | docs/security/vulnerability-management.md | In-repo |
| Secrets management policy | docs/security/secrets-management.md | In-repo |
| Backup / DR policy | docs/security/backup-restore-and-dr.md | In-repo |
| SOC 2 readiness assessment | docs/audit/soc2-readiness-assessment-2026-03-26.md | In-repo |
| Risk backlog | docs/audit/risk-backlog-2026-03-26.md | In-repo |

11. Operational Evidence Store

Operational evidence that must be collected and retained outside the repo:

docs/audit/
  access-reviews/          # Monthly access review exports
  incidents/               # Postmortems and tabletop exercise notes
  restore-drills/          # Quarterly restore drill results
  vuln-exceptions/         # Vulnerability exception approvals
  ci-reports/              # Archived CI run exports (if required by auditor)

These directories should be created and populated as evidence is generated.