This document maps TrueNorth WCI platform controls to the AICPA SOC 2 Trust Services Criteria. It is provided to support enterprise vendor risk assessments and procurement due diligence.
Common Criteria
The control environment sets the tone for the organization, influencing the control consciousness of its people.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC1.1 | Demonstrates commitment to integrity and ethical values | Security policies documented and communicated. Code of conduct established. All employees complete security awareness training. | Implemented |
| CC1.2 | Board exercises oversight responsibility | Management provides oversight of security initiatives. Regular security reviews conducted. Risk register maintained and reviewed quarterly. | Aligned |
| CC1.3 | Establishes structure, authority, and responsibility | Six distinct RBAC roles with documented responsibilities. Platform admin, organizational, and employee role tiers with clear separation of duties. | Implemented |
| CC1.4 | Demonstrates commitment to competence | Engineering team follows secure development lifecycle. Code reviews required for all production changes. Automated testing and CI/CD pipeline enforced. | Implemented |
| CC1.5 | Enforces accountability | Comprehensive audit logging of all user actions. Timestamped, immutable logs with user ID, IP address, and action details. Exportable for regulatory review. | Implemented |
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC2.1 | Obtains or generates relevant information | Platform generates real-time compliance data: training completion rates, quiz scores, certificate status, incident reports. All data timestamped and auditable. | Implemented |
| CC2.2 | Communicates internal control information | Employer dashboards surface compliance metrics. Automated email notifications for training reminders, certificate expiry, and security alerts via Resend. | Implemented |
| CC2.3 | Communicates with external parties | Public security page, procurement package, SLA, and this controls mapping document. Privacy policy and terms of service publicly available. | Implemented |
The entity identifies and assesses risks to the achievement of its objectives.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC3.1 | Specifies suitable objectives | Platform security objectives documented: data confidentiality, service availability, access control integrity. Objectives reviewed and updated regularly. | Aligned |
| CC3.2 | Identifies and analyzes risks | Regular vulnerability scanning and dependency audits. Automated security alerts every 6 hours. Data classification policy (Public, Internal, Confidential, Restricted). | Implemented |
| CC3.3 | Considers potential for fraud | Rate limiting on authentication endpoints. Brute-force detection with temporary lockouts. Stripe webhook signatures verified before payment events are processed. | Implemented |
| CC3.4 | Identifies and assesses significant change | Formal change management via GitHub pull requests with peer review. All production deployments tracked. Automated CI/CD with testing gates. | Implemented |
The entity selects and develops control activities that contribute to the mitigation of risks.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC5.1 | Selects and develops control activities | Multi-layered security: middleware-level security headers (CSP, HSTS, X-Frame-Options), application-level RBAC, database-level row isolation, encryption at rest and in transit. | Implemented |
| CC5.2 | Selects and develops general controls over technology | Automated dependency updates. Infrastructure managed by Vercel (SOC 2 Type II certified). Database managed by Neon (SOC 2 Type II certified). Redis caching with key namespacing. | Implemented |
| CC5.3 | Deploys through policies and procedures | All code changes require pull request review. Automated build and test pipeline. No direct production access. Environment variables managed securely. | Implemented |
The entity restricts logical and physical access to information assets.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC6.1 | Implements logical access security | Six-role RBAC hierarchy (Super Admin, Content Admin, Support Admin, Org Owner, Manager/HR, Employee). Multi-tenant isolation ensures organizations cannot access each other's data. | Implemented |
| CC6.2 | Prior to issuing system credentials | User registration requires email verification. Employer accounts require payment before dashboard access. Employee accounts provisioned via employer invitation with seat enforcement. | Implemented |
| CC6.3 | Authorizes access based on need | Principle of least privilege enforced. Employees see only their own progress and assigned training. Employers see only their organization's data. Seat limits prevent over-provisioning. | Implemented |
| CC6.2 / CC6.3 | Removes credentials and access when no longer authorized | Access automatically expires when a subscription ends. Employers can revoke employee access. Account deactivation invalidates all active sessions. | Implemented |
| CC6.1 | Manages credentials for infrastructure and software; protects encryption keys | Infrastructure secrets and API keys stored as Vercel environment variables; no credentials in source code. Tenant-level data encryption keys managed by a Hardware Security Module (HSM) aligned with FIPS 140-3 Level 2. Key rotation service implemented (ISO/IEC 27001:2013 A.10.1.2 / 27001:2022 A.8.24). | Implemented |
| CC6.7 | Restricts data transmission | All data in transit is encrypted with TLS 1.3 only; TLS 1.2 and older protocols are not negotiated (TLS is terminated at the Vercel edge, so the protocol floor is enforced there). HSTS is sent with max-age=31536000 (one year). Security headers prevent clickjacking (X-Frame-Options), MIME sniffing (X-Content-Type-Options: nosniff) and reduce XSS impact (CSP). TLS_CHACHA20_POLY1305_SHA256 is offered alongside the mandatory AES-GCM suites, so clients without AES hardware acceleration still negotiate an AEAD cipher. | Implemented |
| CC6.8 | Controls against unauthorized software | Automated dependency auditing; SBOM generated per release. No user-uploaded executable code. Content uploads restricted to an allow-list of safe file types with size limits. | Implemented |
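An added check for the header set described in CC5.1 and CC6.7 above, written in Node.js; it is not TrueNorth WCI code, and the values in `HARDENED_HEADERS` are assumed for the example rather than taken from the platform's configuration. It audits a response's headers for the properties the mapping claims (HSTS for a year, a CSP that actually restricts scripts, clickjacking and MIME-sniffing protection) and returns the findings, so it can run in CI against a staging deployment or over captured responses.

```javascript
// Added example (not TrueNorth WCI code): audit a response's security headers
// against the properties the controls mapping claims. Input: an object of
// header name -> value, case-insensitive, as Node's
// http.IncomingMessage.headers supplies it.
const ONE_YEAR_SECONDS = 31536000;

// A header set that satisfies the audit. Values are assumed for the example,
// not the platform's actual configuration.
const HARDENED_HEADERS = {
  "strict-transport-security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`,
  "content-security-policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "x-frame-options": "DENY",
  "x-content-type-options": "nosniff",
  "referrer-policy": "strict-origin-when-cross-origin",
};

// "default-src 'self'; script-src 'self' https://cdn.example" -> Map(directive -> [sources])
function parseCspDirectives(csp) {
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

function auditSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  // HSTS: a short max-age re-opens the downgrade window, and without
  // includeSubDomains a cookie-bearing subdomain is still reachable in clear.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS missing: first visit can be downgraded to plaintext");
  } else {
    const match = /max-age=(\d+)/i.exec(hsts);
    const maxAge = match ? Number(match[1]) : 0;
    if (maxAge < ONE_YEAR_SECONDS) findings.push(`HSTS max-age ${maxAge} is below one year (${ONE_YEAR_SECONDS})`);
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  // CSP: the XSS mitigation is only as strong as the effective script-src.
  const csp = h["content-security-policy"];
  let hasFrameAncestors = false;
  if (!csp) {
    findings.push("CSP missing: no script-source restriction against XSS");
  } else {
    const d = parseCspDirectives(csp);
    const scriptSrc = d.get("script-src") || d.get("default-src") || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline', which defeats XSS mitigation");
    if (scriptSrc.includes("*")) findings.push("CSP script-src allows any origin");
    if (!d.has("default-src")) findings.push("CSP has no default-src fallback");
    hasFrameAncestors = d.has("frame-ancestors");
  }

  // Clickjacking: either CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN.
  // ALLOW-FROM is ignored by current browsers, so it counts as a finding.
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo && xfo !== "DENY" && xfo !== "SAMEORIGIN") findings.push(`X-Frame-Options "${xfo}" is not enforced by current browsers`);
  if (!hasFrameAncestors && !xfo) findings.push("no frame-ancestors or X-Frame-Options: clickjacking possible");

  // MIME sniffing.
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("X-Content-Type-Options: nosniff missing");

  return findings;
}
```

The audit treats CSP `frame-ancestors` and `X-Frame-Options` as equivalent clickjacking controls because browsers honour either; it flags `'unsafe-inline'` in the effective script source because that single token removes most of what a CSP buys against reflected or stored XSS.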
The entity manages the operation of systems and detects and mitigates processing deviations.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC7.1 | Detects and monitors security events | Automated security alert cron job runs every 6 hours. Audit logs capture all authentication attempts, access changes, and administrative actions. Error sanitization prevents information leakage. | Implemented |
| CC7.2 | Monitors system components for anomalies | Vercel platform monitoring for uptime and performance. Application-level health checks. Rate limiting detects and blocks anomalous request patterns. | Implemented |
| CC7.3 | Evaluates security events | Security incidents tracked through dedicated incident management module. Incidents classified by severity with defined escalation procedures and resolution timelines. | Implemented |
| CC7.4 | Responds to identified security incidents | Documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. Response timelines defined in published SLA. | Implemented |
| CC7.5 | Identifies and develops activities for recovery | Disaster recovery plan documented. Database point-in-time recovery available. Multi-region hosting with automatic failover. | Implemented |
The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC8.1 | Authorizes, designs, and implements changes | All changes follow GitHub pull request workflow with mandatory peer review. Automated CI/CD pipeline with build and test gates. No direct production modifications. | Implemented |
The entity identifies, selects, and develops risk mitigation activities.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| CC9.1 | Identifies and assesses risk mitigation | Risk mitigation through defense-in-depth: network (TLS, security headers), application (RBAC, input validation, rate limiting), data (encryption, isolation), and operational (audit logs, incident response) layers. | Implemented |
| CC9.2 | Assesses and manages risks from vendors | Sub-processors limited to SOC 2-certified providers: Vercel (hosting), Neon (database), Stripe (payments), Resend (email). Sub-processor list maintained and available on request. | Implemented |
Availability
The entity maintains availability of its information and systems as committed or agreed.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| A1.1 | Manages capacity to meet availability commitments | Hosted on Vercel with automatic scaling. No manual capacity management required. Published SLA commits to 99.9% uptime. | Implemented |
| A1.2 | Provides for environmental protections | Infrastructure managed by Vercel (Montreal yul1 region). Physical security, power, cooling, and network managed by cloud provider with SOC 2 Type II certification. | Implemented |
| A1.3 | Tests recovery plan procedures supporting system recovery | Disaster recovery plan documented. Database point-in-time recovery. Automated deployments enable rapid rollback. Multi-region failover capability. | Implemented |
Confidentiality
The entity protects confidential information from unauthorized disclosure.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| C1.1 | Identifies and maintains confidential information | Data classification policy with four levels: Public, Internal, Confidential, Restricted. Classification determines access controls, encryption requirements, and retention policies. | Implemented |
| C1.2 | Disposes of confidential information | Configurable data retention policies aligned with Canadian employment law. Right-to-be-forgotten implementation deletes personal data within 30 days of request. Audit trail preserved for legal obligations. | Implemented |
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| PI1.1 | Obtains or generates accurate data | Training completion, quiz scores, and certificate issuance are system-generated with tamper-evident timestamps. Certificate numbers are unique and generated from a cryptographically secure random source, so they cannot be guessed or enumerated. A public verification portal confirms certificate validity. | Implemented |
| PI1.2 | Implements processing activities | Automated workflows: seat provisioning on payment, access expiry on subscription end, certificate generation on exam pass, compliance report generation on schedule. | Implemented |
| PI1.3 | Detects and corrects processing errors | Error sanitization middleware prevents information leakage. Application-level error handling with structured logging. Automated alerts for processing failures. | Implemented |
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and applicable regulations.
| Control ID | SOC 2 Control | TrueNorth WCI Implementation | Status |
|---|---|---|---|
| P1.1 | Provides notice regarding privacy practices | Comprehensive privacy policy publicly available. Consent collected at registration. Cookie consent management implemented. Data processing purposes clearly stated. | Implemented |
| P2.1 | Obtains consent for data collection | Explicit consent collected at registration and for each data processing purpose. Consent records stored and auditable. Consent can be withdrawn at any time. | Implemented |
| P3.1 | Collects personal information for identified purposes | Data collection limited to what is necessary for service delivery. No data sold to third parties. Sub-processors limited to service delivery requirements. | Implemented |
| P4.1 | Uses personal information for identified purposes | Personal data used only for training delivery, compliance tracking, and employer reporting. No advertising or profiling use. PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention; Schedule 1, clause 4.5) enforced. | Implemented |
| P4.2 | Retains personal information only as long as needed for identified purposes | Configurable retention policies. Automated retention enforcement. Data deleted when no longer needed for the identified purpose or upon user request (within 30 days). | Implemented |
| P6.1 | Discloses personal information only as committed | Data shared only with employer (for their employees) and sub-processors (for service delivery). No third-party data sharing. Cross-border transfers require explicit consent. | Implemented |
| P7.1 | Maintains quality of personal information | Users can view and update their personal information. Employers can correct employee records. Data accuracy maintained through system-generated records. | Implemented |
| P5.1 | Provides data subject access to personal information | GDPR Art. 15 / PIPEDA Principle 9 (Individual Access) implemented. Users can export all their personal data in a machine-readable format. Erasure requests (right to be forgotten) are processed within 30 days. | Implemented |
Enterprise procurement teams can request our full security documentation package, including architecture diagrams, data flow documentation, sub-processor list, and data processing agreements.
This document describes platform security controls and their alignment with SOC 2 Trust Services Criteria. It does not constitute a formal SOC 2 audit report. Organizations should conduct their own security due diligence appropriate to their risk profile. Last updated: March 2026.