# SOC2 compliance

{% hint style="info" %}
This page is a first draft and will be updated in a future revision.
{% endhint %}

## The challenge

SOC 2 Type II audits evaluate whether your security controls are operating effectively over time. One of the most commonly examined areas is access control — specifically:

* Can only authorised individuals access company systems?
* Is access scoped to what is needed (least privilege)?
* Is there an audit trail of who accessed what, and when?
* Are joiners, movers, and leavers handled in a controlled way?

For companies with remote teams, BYOD environments, or contractors, this is often where auditors find gaps. The traditional answer — managed, corporate-owned devices — is expensive, slow to deploy, and often impractical for the way modern teams work.

***

## Peig as the system boundary

Peig operates at the access layer. When Peig is defined as the system boundary — the point at which access to company resources is controlled and enforced — the audit question shifts.

Instead of "are all devices managed?", the question becomes "is access to your systems controlled, verified, and auditable?" Peig answers that clearly:

* Access requires an explicitly registered, admin-approved device
* Each device is individually authorised and can be individually revoked
* Access rights are scoped per user, per device, per service
* All access events and administrative actions are logged
* Onboarding requires admin approval and identity verification

For companies that define their system boundary at Peig, this means traditional device management is not necessarily required for every device that accesses company resources. The access layer is controlled, and that is what auditors need to see.

***

## SOC 2 criteria Peig addresses

| Criteria                                                   | How Peig addresses it                                                          |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------ |
| **CC6.1** Logical access restricted to authorised users    | Access requires a registered, admin-approved device                            |
| **CC6.2** Access credentials are managed                   | Passwords are eliminated — device-bound cryptographic identity is used instead |
| **CC6.3** Access is revoked when no longer needed          | Suspending a user or device immediately revokes all access                     |
| **CC6.6** Logical access security measures address threats | Device binding eliminates credential-based attack vectors                      |
| **CC6.8** Authorisation required for access changes        | Admin approval is required for all onboarding and device registration          |
| **CC7.2** System components are monitored                  | Access events are logged and admins are notified of all changes                |

***

## What to document for your auditor

Auditors need evidence that controls are operating — not just configured. Here is what Peig provides:

**Access control evidence**

* Users & Access dashboard showing users and their assigned services
* Demonstration that access is scoped per user — not blanket access
* Record of the admin approval workflow for new users and devices

**Audit trail evidence**

* Access logs showing which users accessed which services and when
* Log of admin actions — access granted, revoked, devices added or removed
* Email notifications to Access Admins as a timestamped secondary record

**Onboarding and offboarding evidence**

* Record of the onboarding workflow — request, identity proofing, approval
* Demonstration that departing users are suspended promptly
* Device records showing registered devices per user

***

## Recommended practices for SOC 2 readiness

**Use admin-initiated onboarding.** This creates a clear record that each user was deliberately added with specific access rights assigned.

**Conduct periodic access reviews.** Review all active users and their access rights quarterly. Document the review and any changes made — this is a common auditor request.

**Maintain a joiner / mover / leaver process.** When someone joins: create their account before their start date. When someone changes roles: adjust their access immediately. When someone leaves: suspend their account on their last day.

**Keep Access Admin contact details current.** All Peig notifications go to the Access Admin email. Make sure this is a monitored address and update it when admin responsibilities change.
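The quarterly access review and the leaver check above can be turned into a repeatable, documentable step. The following is an added example, not Peig's own code and not Peig's export format: it assumes a constructed user/device/service record set and an HR leaver list, and produces the findings an auditor would expect the review to act on.

```python
# Added example, not Peig's own code or export format: an access-review
# check over constructed records, for the quarterly review described above.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Device:
    device_id: str
    approved_by: str | None   # Access Admin who approved registration (None = no record)
    status: str               # "active" or "suspended"

@dataclass
class User:
    email: str
    status: str               # "active" or "suspended"
    services: list[str]       # services this user is scoped to
    devices: list[Device] = field(default_factory=list)
    last_access: date | None = None

def review_access(users, leavers, today, stale_days=90):
    """Return (finding, subject) pairs; leavers maps email -> last working day."""
    findings = []
    for u in users:
        if u.email in leavers and leavers[u.email] <= today and u.status != "suspended":
            findings.append(("leaver_not_suspended", u.email))        # CC6.3
        if u.status == "active" and not u.services:
            findings.append(("no_services_assigned", u.email))        # scoping gap
        if u.status == "active" and (u.last_access is None
                                     or today - u.last_access > timedelta(days=stale_days)):
            findings.append(("stale_access", u.email))                # least privilege
        for d in u.devices:
            if d.status == "active" and not d.approved_by:
                findings.append(("device_without_approval", f"{u.email}/{d.device_id}"))  # CC6.8
    return findings

# Constructed sample data (hypothetical addresses and device ids)
TODAY = date(2024, 7, 1)
USERS = [
    User("alice@example.com", "active", ["git", "crm"], [Device("dev-1", "admin@example.com", "active")], date(2024, 6, 28)),
    User("bob@example.com", "active", ["crm"], [Device("dev-2", None, "active")], date(2024, 6, 30)),
    User("carol@example.com", "active", [], [], date(2024, 2, 1)),
    User("dave@example.com", "suspended", ["git"], [Device("dev-4", "admin@example.com", "suspended")], date(2024, 5, 1)),
]
LEAVERS = {"carol@example.com": date(2024, 6, 15), "dave@example.com": date(2024, 5, 2)}

if __name__ == "__main__":
    for finding, subject in review_access(USERS, LEAVERS, TODAY):
        print(f"{finding}: {subject}")
```

Keep the printed findings together with the actions taken as the written record of the review.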
