# SOC 2 controls map

Every Common Criteria control (CC1.x–CC9.x) plus the Availability, Processing Integrity, Confidentiality, and Privacy categories, each linked to a codepath, test, or process document that demonstrates operating effectiveness.
Last updated Jun 14, 2026
This page is the authoritative map between Matter's SOC 2 control universe and the artefacts that demonstrate each control is designed, implemented, and operating. Every row carries (a) a control description, (b) one or more evidence pointers into the repo, (c) the owner, and (d) the last review date. Auditors traverse this map at evidence-collection time.

The same control universe is reused for ISO 27001 (see the ISO 27001 control map). Shared rows link to the same artefacts so that the evidence pool stays unified.
Drift between this page and the repo is detected by the contract test at `apps/api/__contracts__/soc2-evidence-coverage.test.ts`. Adding a row here whose evidence pointer does not resolve to an existing file fails CI.
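The following TypeScript sketch is an added illustration of the check that test performs, not the project's own contract test (its contents are not on this page): parse the table rows, pull out each `evidence:` pointer, and report the control ids whose pointer does not resolve. The row format, the function names and the sample rows are assumptions; in CI the `exists` predicate would be `fs.existsSync` against the repo root.

```typescript
// One parsed row of the control map (assumed markdown table shape, see SAMPLE_MAP).
export interface ControlRow {
  id: string;         // control id, e.g. "CC6.1"
  evidence: string;   // repo-relative path that follows "evidence:"
  owner: string;
  lastReview: string; // ISO date, YYYY-MM-DD
}

// Parse data rows of a `| Control | Description | Evidence | Owner | Last review |` table.
export function parseControlMap(md: string): ControlRow[] {
  const rows: ControlRow[] = [];
  for (const line of md.split("\n")) {
    const cells = line.split("|").map((c) => c.trim());
    if (cells.length !== 7) continue; // not a five-column row
    const [, id, , evidenceCell, owner, lastReview] = cells;
    if (!/^(CC|A|PI|C|P)\d+\.\d+$/.test(id)) continue; // header or separator row
    const m = /^evidence:\s*(\S+)$/.exec(evidenceCell);
    if (!m) throw new Error(`${id}: evidence cell must read "evidence: <path>"`);
    if (!/^\d{4}-\d{2}-\d{2}$/.test(lastReview)) throw new Error(`${id}: bad review date`);
    rows.push({ id, evidence: m[1], owner, lastReview });
  }
  return rows;
}

// Ids of rows whose evidence pointer does not resolve; CI fails when this is non-empty.
export function missingEvidence(rows: ControlRow[], exists: (p: string) => boolean): string[] {
  return rows.filter((r) => !exists(r.evidence)).map((r) => r.id);
}

// Constructed sample: two rows taken from this page plus one deliberately dangling pointer.
export const SAMPLE_MAP = `
| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC6.1 | Logical access security (auth, scope, RBAC) | evidence: apps/api/__tests__/scope-policy.test.ts | CISO | 2026-05-18 |
| CC7.1 | Detection and monitoring of system events | evidence: packages/audit/src/record-audit.ts | CTO | 2026-05-18 |
| CC9.9 | Constructed row with no evidence target | evidence: apps/api/does-not-exist.ts | CTO | 2026-05-18 |
`;

// Constructed stand-in for the checkout; in CI use (p) => fs.existsSync(path.join(root, p)).
export const FAKE_REPO = new Set<string>([
  "apps/api/__tests__/scope-policy.test.ts",
  "packages/audit/src/record-audit.ts",
]);

// Only the constructed CC9.9 row should be reported against the stand-in repo.
export const sampleResult = missingEvidence(parseControlMap(SAMPLE_MAP), (p) => FAKE_REPO.has(p));
```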
- **CC** — Common Criteria. Required for every SOC 2 audit.
- **A** — Availability. Required.
- **PI** — Processing Integrity. Required.
- **C** — Confidentiality. Required.
- **P** — Privacy. Added from Type II year onward.
| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC1.1 | Integrity and ethics policy; documented organisational values | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| CC1.2 | Board oversight of internal controls | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CTO | 2026-05-18 |
| CC1.3 | Management establishes structures, reporting lines, authorities | evidence: apps/api/__gates__/p0/status.md | CTO | 2026-05-18 |
| CC1.4 | Commitment to attract, develop, retain competent personnel | evidence: apps/docs/content/docs/security/engagement-soc2.mdx | CTO | 2026-05-18 |
| CC1.5 | Individuals held accountable for internal control responsibilities | evidence: apps/api/__gates__/REMAINING_WORK.md | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC2.1 | Quality information generated to support internal control | evidence: apps/api/__gates__/p0/status.md | CTO | 2026-05-18 |
| CC2.2 | Internal communication of control responsibilities | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| CC2.3 | External communication relevant to internal control | evidence: apps/docs/content/docs/security/bug-bounty-policy.mdx | CISO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC3.1 | Specifies objectives sufficient to enable identification of risks | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| CC3.2 | Identifies and analyses risks to achievement of objectives | evidence: apps/docs/content/docs/security/pentest-template.mdx | CISO | 2026-05-18 |
| CC3.3 | Considers potential for fraud in risk assessment | evidence: apps/docs/content/docs/security/threat-model.mdx | CISO | 2026-05-18 |
| CC3.4 | Identifies and assesses changes that could impact the system | evidence: apps/api/__gates__/p0/architecture.md | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC4.1 | Ongoing and separate evaluations to ascertain operating effectiveness | evidence: apps/api/__contracts__/architecture/services-are-pure.test.ts | CTO | 2026-05-18 |
| CC4.2 | Communicates internal control deficiencies for corrective action | evidence: apps/docs/content/docs/security/pentest-findings/2026-q2-internal-purple-team.md | CISO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC5.1 | Selects and develops control activities to mitigate risk | evidence: apps/api/__contracts__/architecture/allowed-imports.test.ts | CTO | 2026-05-18 |
| CC5.2 | Selects and develops general control activities over technology | evidence: apps/api/__contracts__/architecture/no-cross-context-imports.test.ts | CTO | 2026-05-18 |
| CC5.3 | Deploys control activities through policies and procedures | evidence: apps/api/__contracts__/architecture/middleware-composition.test.ts | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC6.1 | Logical access security (auth, scope, RBAC) | evidence: apps/api/__tests__/scope-policy.test.ts | CISO | 2026-05-18 |
| CC6.2 | Authorisation for new internal and external users | evidence: apps/api/__tests__/tenant-isolation/baseline.test.ts | CISO | 2026-05-18 |
| CC6.3 | Logical access removed when no longer required | evidence: apps/api/__tests__/tenant-isolation/p1-resources.test.ts | CISO | 2026-05-18 |
| CC6.4 | Physical access restrictions (cloud provider responsibility) | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CISO | 2026-05-18 |
| CC6.5 | Logical and physical protections against data loss | evidence: packages/audit/src/record-audit.ts | CISO | 2026-05-18 |
| CC6.6 | Cryptographic controls over data at rest and in transit | evidence: apps/api/__gates__/p0/security.md | CISO | 2026-05-18 |
| CC6.7 | Restricts transmission of confidential information | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
| CC6.8 | Prevents and detects unauthorised software | evidence: apps/docs/content/docs/security/supply-chain-runbook.mdx | CISO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC7.1 | Detection and monitoring of system events | evidence: packages/audit/src/record-audit.ts | CTO | 2026-05-18 |
| CC7.2 | Anomaly detection and response | evidence: apps/api/__gates__/p0/security.md | CISO | 2026-05-18 |
| CC7.3 | Evaluates and communicates security events | evidence: apps/docs/content/docs/security/pentest-findings/2026-q2-internal-purple-team.md | CISO | 2026-05-18 |
| CC7.4 | Incident response programme | evidence: apps/docs/content/docs/security/pentest-template.mdx | CISO | 2026-05-18 |
| CC7.5 | Recovery from identified security incidents | evidence: apps/api/__gates__/p0/architecture.md | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC8.1 | Authorises, develops, tests, approves, implements changes | evidence: apps/api/__contracts__/architecture/no-next-in-services.test.ts | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| CC9.1 | Identifies, selects, develops risk mitigation activities | evidence: apps/docs/content/docs/security/bug-bounty-policy.mdx | CISO | 2026-05-18 |
| CC9.2 | Vendor and business partner risk management | evidence: apps/docs/content/docs/security/supply-chain-runbook.mdx | CISO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| A1.1 | Maintains and monitors current processing capacity | evidence: apps/api/__gates__/p0/architecture.md | CTO | 2026-05-18 |
| A1.2 | Authorises, designs, and operates environmental protections, software, and recovery infrastructure | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CTO | 2026-05-18 |
| A1.3 | Tests recovery plans | evidence: apps/docs/content/docs/security/pentest-template.mdx | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| PI1.1 | Obtains, generates, uses, communicates data inputs accurately | evidence: apps/api/__contracts__/architecture/no-raw-sql-outside-db.test.ts | CTO | 2026-05-18 |
| PI1.2 | Implements policies and procedures over system inputs | evidence: apps/api/__contracts__/architecture/services-are-pure.test.ts | CTO | 2026-05-18 |
| PI1.3 | Implements policies and procedures over system processing | evidence: apps/api/__contracts__/architecture/middleware-composition.test.ts | CTO | 2026-05-18 |
| PI1.4 | Implements policies and procedures over system outputs | evidence: apps/api/__gates__/p0/testing.md | CTO | 2026-05-18 |
| PI1.5 | Stores inputs and outputs completely and accurately | evidence: packages/audit/src/record-audit.ts | CTO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| C1.1 | Identifies and maintains confidential information | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
| C1.2 | Disposes of confidential information | evidence: apps/docs/content/docs/security/retention.mdx | CISO | 2026-05-18 |

| Control | Description | Evidence | Owner | Last review |
| --- | --- | --- | --- | --- |
| P1.1 | Notice and communication about objectives related to privacy | evidence: apps/docs/content/docs/security/retention.mdx | CISO | 2026-05-18 |
| P1.2 | Choice and consent | evidence: apps/docs/content/docs/security/certification-roadmap.mdx | CISO | 2026-05-18 |
| P1.3 | Collection, use, retention, disclosure, disposal of personal information | evidence: apps/docs/content/docs/security/data-classification.mdx | CISO | 2026-05-18 |
- **Quarterly** — the CISO walks the table, verifies that each evidence pointer still resolves, and refreshes the last-review date.
- **Pre-audit** — full re-validation of every row before fieldwork starts.
- **Post-incident** — any row whose evidence pointer was touched during incident response gets an extra review pass.