SOC 2 Type II
SOC 2 mapping is included on every plan. Vertical compliance modules (healthcare, insurance, etc.) require the Enterprise plan.
Scope
Behavry ships a SOC 2 Type II mapping covering 8 requirements across the Common Criteria (CC) categories. The mapping is aimed at two audiences:
- Customers pursuing their own SOC 2 who want to claim Behavry as a subprocessor control for AI agent activity
- Security teams who want continuous evidence, not a point-in-time snapshot
The mapping lives in backend/behavry/compliance/soc2.py and renders on Compliance → SOC 2.
The eight requirements
| CC | Requirement | Behavry control |
|---|---|---|
| CC2.1 | System description, classification, and labeling | AI Surface Mapping, Decision Trace classification tags |
| CC5.2 | Logical access — authorized users only | Agent Identity JWT, SSO (OIDC / SAML), Role hierarchy |
| CC6.1 | Logical access — credentials and keys | Workflow tokens (wf_token, d_token), Clerk session sync, credential encryption in SIEM destinations |
| CC6.6 | Logical access — least privilege | Policy Engine allow/deny, Context Gate tool visibility, Restricted Mode |
| CC7.2 | System monitoring and anomaly detection | Behavioral Monitor, Intent Drift Detection, Alerts & Escalations |
| CC7.3 | System operations — incident handling | HITL Escalation queue, Global Kill Switch |
| CC7.4 | Change management | Policy Writer version history, Change Requests workflow |
| CC8.1 | Monitoring — audit log integrity | Decision Trace hash chain, Public Evidence Verification |
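The CC8.1 row relies on the Decision Trace hash chain: each trace record commits to the hash of the record before it, so editing or dropping a record invalidates every later link, and publishing the head hash lets a third party check the whole set. The following is an added example of that verification logic, not Behavry's code; the record layout (`prev_hash`, `payload`, `hash`), the SHA-256-over-canonical-JSON construction and the sample payloads are assumptions for illustration.

```python
"""Hash-chain verification for audit records (added example, not Behavry's
Decision Trace implementation; record layout and hashing are assumed)."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel prev_hash for the first record


def record_hash(prev_hash: str, payload: dict) -> str:
    """Hash = SHA-256 over canonical JSON of (prev_hash, payload).

    sort_keys + compact separators make the encoding deterministic, so the
    same logical record always hashes the same way on every verifier.
    """
    body = json.dumps({"prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def build_chain(payloads: list[dict]) -> list[dict]:
    """Append records in order, each linked to the previous record's hash."""
    chain, prev = [], GENESIS
    for payload in payloads:
        h = record_hash(prev, payload)
        chain.append({"prev_hash": prev, "payload": payload, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list[dict]):
    """Return None if every link checks out, else the index of the first bad record.

    A record fails if its prev_hash does not equal the previous record's hash
    or if its stored hash does not match a recomputation over its contents.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return i
        prev = rec["hash"]
    return None


def head_hash(chain: list[dict]) -> str:
    """The value you would publish for external evidence verification."""
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample trace: three policy decisions for one agent.
SAMPLE = build_chain([
    {"agent": "ops-agent", "tool": "db.query", "decision": "allow"},
    {"agent": "ops-agent", "tool": "shell.exec", "decision": "deny"},
    {"agent": "ops-agent", "tool": "ticket.create", "decision": "allow"},
])


def tampered() -> list[dict]:
    """Flip a denied decision to 'allow' without touching any hash."""
    c = copy.deepcopy(SAMPLE)
    c[1]["payload"]["decision"] = "allow"
    return c


def rehashed() -> list[dict]:
    """Same edit, but the attacker also recomputes that record's own hash.

    The record now self-validates, yet the next record still points at the
    old hash, so the break simply moves one link forward.
    """
    c = tampered()
    c[1]["hash"] = record_hash(c[1]["prev_hash"], c[1]["payload"])
    return c


if __name__ == "__main__":
    print("intact:", verify_chain(SAMPLE))        # None
    print("tampered:", verify_chain(tampered()))  # 1
    print("rehashed:", verify_chain(rehashed()))  # 2
    print("head:", head_hash(SAMPLE))
```

The point for an auditor is the last case: an insider who edits one record and recomputes its hash still breaks the chain at the following record, and would have to rewrite every later record too, which is exactly what comparing against a published head hash catches.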
Live evidence
Each requirement row shows a live status:
- Green — evidence exists in the last 30 days and meets the expected cadence
- Amber — evidence exists but is sparse or intermittent
- Red — no evidence in the expected window
Clicking a row opens the drawer with:
- The exact audit-event query used to compute status
- The last 10 supporting events
- A "download supporting set" link that exports CSV / JSON for evidence folders
Export
| Format | Use |
|---|---|
| CSV | Paste into an auditor's evidence spreadsheet |
| JSON | Ingest into GRC tools (Vanta, Drata, SecureFrame) |
| PDF | Formatted report with cover letter and signatures block for auditor hand-off |
GET /api/v1/compliance/soc2/export?format=pdf|csv|json
Continuous posture
The SOC 2 module runs a daily job that computes the per-requirement status and writes the history. The posture trend chart shows how long each requirement has been green; a dip to amber or red triggers an alert the same way a behavioral anomaly would.
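To make the status rules and the posture trend concrete, here is an added example of the kind of computation the live-evidence drawer and the daily job perform. It is not Behavry's soc2.py: the audit-event shape, the event types per criterion, the expected cadences, the "sparse" threshold (fewer than half the expected events in the 30-day window) and the sample events are all assumptions made for illustration. It goes slightly beyond the text by replaying the status over a range of past days to show how a green-to-amber dip is detected.

```python
"""Live evidence status and posture-dip detection (added example, not
Behavry's soc2.py; thresholds, event types and sample data are assumed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)                     # evidence window from the page
NOW = datetime(2025, 3, 31, tzinfo=timezone.utc)  # constructed "today"
RANK = {"green": 0, "amber": 1, "red": 2}      # higher = worse


@dataclass(frozen=True)
class AuditEvent:
    event_type: str
    ts: datetime


@dataclass(frozen=True)
class Requirement:
    criterion: str
    event_type: str           # assumed audit-event type that counts as evidence
    expected_per_window: int  # assumed cadence within WINDOW


# Assumed mapping of criteria to evidence event types and cadences.
REQUIREMENTS = [
    Requirement("CC6.6", "policy.decision", 30),       # daily
    Requirement("CC7.2", "monitor.anomaly_scan", 30),  # daily
    Requirement("CC8.1", "trace.chain_verified", 4),   # weekly
]


def _daily(event_type: str, oldest_days_ago: int, newest_days_ago: int) -> list:
    """One constructed event per day, from newest_days_ago back to oldest_days_ago."""
    return [AuditEvent(event_type, NOW - timedelta(days=d))
            for d in range(newest_days_ago, oldest_days_ago + 1)]


# Constructed sample events:
#   policy.decision      -> every day for the last 30 days
#   monitor.anomaly_scan -> daily for 30 days, then stopped 20 days ago
#   trace.chain_verified -> never recorded
EVENTS = _daily("policy.decision", 29, 0) + _daily("monitor.anomaly_scan", 49, 20)


def supporting_events(req: Requirement, events: list, now: datetime = NOW) -> list:
    """Events of the requirement's type inside the window, newest first."""
    cutoff = now - WINDOW
    hits = [e for e in events if e.event_type == req.event_type and cutoff <= e.ts <= now]
    return sorted(hits, key=lambda e: e.ts, reverse=True)


def status_for(req: Requirement, events: list, now: datetime = NOW) -> str:
    """Red: nothing in window. Amber: fewer than half the expected events. Else green."""
    hits = supporting_events(req, events, now)
    if not hits:
        return "red"
    if 2 * len(hits) < req.expected_per_window:
        return "amber"
    return "green"


def drawer(req: Requirement, events: list, now: datetime = NOW) -> dict:
    """What the row drawer shows: the query, the status and the last 10 events."""
    hits = supporting_events(req, events, now)
    return {
        "criterion": req.criterion,
        "status": status_for(req, events, now),
        "query": f"event_type == {req.event_type!r} and ts >= {(now - WINDOW).date()}",
        "last_10": [e.ts.isoformat() for e in hits[:10]],
    }


def posture_history(req: Requirement, events: list, days: int, end: datetime = NOW) -> list:
    """Replay the daily job: (date, status) for each of the last `days` days, oldest first."""
    return [((end - timedelta(days=d)).date(), status_for(req, events, end - timedelta(days=d)))
            for d in range(days - 1, -1, -1)]


def dips(history: list) -> list:
    """Days on which the status got worse, as (date, previous, new)."""
    out, prev = [], None
    for day, status in history:
        if prev is not None and RANK[status] > RANK[prev]:
            out.append((day, prev, status))
        prev = status
    return out


if __name__ == "__main__":
    for req in REQUIREMENTS:
        print(req.criterion, status_for(req, EVENTS))
    # CC7.2 went amber on 2025-03-28: the 30-day window has slid far enough
    # past the last scan that fewer than 15 of the expected 30 events remain.
    print(dips(posture_history(REQUIREMENTS[1], EVENTS, 30)))
```

Note that the amber transition happens days after the scans actually stopped, because the window-count rule only trips once enough old evidence has aged out; if you need to catch a stalled control sooner, alert on the gap since the newest event as well as on the window count.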
What Behavry does not cover
Behavry covers the AI-agent-specific CCs. It does not replace your overall SOC 2 program — you still need controls for change management of your own systems, physical security, HR, and so on. The map from Behavry to your full CC matrix is additive: Behavry provides evidence for the AI-agent risk, and your existing controls provide the rest.