SOC 2 Control Activities
Document ID: SOC-003
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: June 2026
1. Purpose
This document describes the specific control activities CTW Data Solutions GmbH has implemented to meet SOC 2 Trust Services Criteria. Each control is linked to the relevant TSC criteria, responsible owner, and evidence source.
2. Control Activities by Domain
2.1 Governance & Organisation
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| GOV-01 | Information Security Policy is approved and communicated | CC1.1 | ISO | Annual review | Signed policy document |
| GOV-02 | Roles and responsibilities are defined and assigned | CC1.3 | ISO | Annual review | RACI in security policy |
| GOV-03 | Management review of ISMS effectiveness | CC1.2 | ISO | Annual | Management review minutes |
| GOV-04 | Risk assessment performed and documented | CC3.2 | ISO | Annual | Risk register |
| GOV-05 | Internal audit programme executed | CC4.1 | ISO | Annual | Audit reports |
2.2 People & Training
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| PPL-01 | Background checks performed for new hires | CC1.4 | ISO | Per hire | 🔄 Formalising Q2 2026; see HR Security Procedure |
| PPL-02 | Security awareness training completed by all staff | CC1.4 | ISO | Annual | Training completion records |
| PPL-03 | Confidentiality agreements signed | CC1.4 | ISO | Per hire | 🔄 Gap: formal NDA process being implemented Q2 2026; employment contracts exist |
| PPL-04 | Offboarding checklist executed on departure | CC6.3 | ISO | Per departure | Completed checklists |
2.3 Access Control
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| ACC-01 | MFA enforced on all systems (Azure, GitHub, Google) | CC6.1 | ISO | Continuous | Azure AD / Google admin console |
| ACC-02 | RBAC implemented with least privilege | CC6.1 | ISO | Continuous | Role assignment records |
| ACC-03 | User access rights reviewed | CC6.1 | ISO | Quarterly | Access review records |
| ACC-04 | Privileged access managed via standard RBAC (Azure PIM planned Q3 2026) | CC6.1 | ISO | Continuous | RBAC role assignments; admin access limited to CEO + CTO |
| ACC-05 | Access revoked within 24h of termination | CC6.3 | ISO | Per event | Offboarding records; access logs |
| ACC-06 | Shared accounts prohibited | CC6.1 | ISO | Continuous | Account inventory |
| ACC-07 | GitHub tokens and SSH keys audited | CC6.1 | Sebastian Windeck (CTO) | Quarterly | Token audit results |
2.4 Network & Infrastructure Security
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| NET-01 | Azure VNet with NSGs and private endpoints | CC6.5, CC6.6 | ISO | Continuous | Azure network config |
| NET-02 | No public administrative access | CC6.6 | ISO | Continuous | NSG rules; RBAC config |
| NET-03 | TLS 1.3 enforced for external communications | CC6.7 | ISO | Continuous | TLS configuration; SSL Labs report |
| NET-04 | DDoS protection enabled | CC6.5 | ISO | Continuous | Azure DDoS protection config |
2.5 Data Protection
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| DAT-01 | Data classified per 4-tier scheme | C1.1 | ISO | Continuous | Asset register; classification labels |
| DAT-02 | Encryption at rest (AES-256) | CC6.7 | ISO | Continuous | Azure encryption settings |
| DAT-03 | Encryption in transit (TLS 1.3) | CC6.7 | ISO | Continuous | TLS config; cert records |
| DAT-04 | Keys managed in Azure Key Vault | CC6.7 | ISO | Continuous | Key Vault config; access logs |
| DAT-05 | API key rotation: customer-managed (recommended 90-day cycle); SSL/TLS auto-rotation via Key Vault | CC6.7 | ISO | Continuous | Key Vault auto-rotation config; customer communication |
| DAT-06 | ID images processed transiently (no persistence) | C1.2, P4.3 | ISO | Continuous | Architecture documentation |
| DAT-07 | DLP policies active in Azure | C1.2 | Sebastian Windeck (CTO) | Continuous | DLP policy config |
| DAT-08 | Full-disk encryption on all devices | CC6.4 | ISO | Continuous | Encryption verification records |
2.6 System Operations & Monitoring
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| OPS-01 | Azure Monitor and Log Analytics active | CC7.2 | ISO | Continuous | Monitor config; dashboard |
| OPS-02 | Security event alerts configured | CC7.3 | ISO | Continuous | Alert rules |
| OPS-03 | Logs retained for 30 days rolling (AKS + Caddy); Azure File Blob for archives; extension to 90+ days planned Q2 2026 | CC7.2 | ISO | Continuous | Retention policy config |
| OPS-04 | Vulnerability scanning automated | CC7.1 | Sebastian Windeck (CTO) | Continuous | Scan schedules; reports |
| OPS-05 | Monthly patching cycle | CC7.1 | Sebastian Windeck (CTO) | Monthly | Patch records |
| OPS-06 | Azure Security Center enabled | CC7.2 | ISO | Continuous | Security Center config |
2.7 Incident Management
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| INC-01 | Incident Response Plan documented and tested | CC7.3, CC7.4 | ISO | Annual test | IRP document; tabletop records |
| INC-02 | Incident classification and escalation matrix | CC7.3 | ISO | Per incident | IRP; incident records |
| INC-03 | 72-hour GDPR breach notification process | CC7.4 | DPO | Per incident | IRP; notification records |
| INC-04 | Post-incident review within 5 business days | CC7.5 | ISO | Per P1/P2 | Review records |
2.8 Change Management
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| CHG-01 | Changes follow documented change process | CC8.1 | Sebastian Windeck (CTO) | Per change | Change management policy; PR history |
| CHG-02 | Code review required before merge | CC8.1 | Sebastian Windeck (CTO) | Per change | GitHub PR records |
| CHG-03 | CI/CD pipeline with automated testing | CC8.1 | Sebastian Windeck (CTO) | Per change | Pipeline configs; test results |
| CHG-04 | Emergency changes documented retroactively | CC8.1 | ISO | Per event | Emergency change records |
2.9 Business Continuity & Availability
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| BCP-01 | Business Continuity Plan documented | A1.2 | ISO | Annual review | BCP document |
| BCP-02 | RTO/RPO defined for critical services | A1.1 | ISO | Annual review | BIA in BCP |
| BCP-03 | Azure geo-redundant backups configured | A1.2 | ISO | Continuous | Backup config |
| BCP-04 | Backup restore tested | A1.3 | ISO | Semi-annual | Test records |
| BCP-05 | Auto-scaling configured for Quick-ID API | A1.1 | ISO | Continuous | Azure auto-scale config |
2.10 Vendor Management
| ID | Control Activity | TSC Ref | Owner | Frequency | Evidence |
|---|---|---|---|---|---|
| VEN-01 | Suppliers assessed for security posture | CC9.2 | DPO | Per onboarding | Security questionnaires |
| VEN-02 | DPAs signed with all data processors | CC9.2 | DPO | Per onboarding | Signed DPAs |
| VEN-03 | Supplier certifications verified | CC9.2 | DPO | Annual | Certification copies |
| VEN-04 | Annual supplier review | CC9.2 | DPO | Annual | Review records |
March 9, 2026