SOC 2 Compliance Dashboard

Trust Services Criteria compliance status and audit management

Overall Score: 87% (20 of 23 controls compliant)
Compliant: 20 | Needs Attention: 3 | Not Implemented: 0
Security (CC): 7 controls, 6/7 compliant

ID | Control | Description | Status | Evidence
S1 | Encryption at Rest | Database and file storage encryption using industry-standard algorithms | Needs Attention | Database connection SSL configuration
    Notes: The cited evidence (PostgreSQL SSL/TLS connection settings) demonstrates encryption in transit, not at rest. Storage-level encryption of data at rest is stated, but no storage or volume encryption evidence is attached, hence Needs Attention.
S2 | Encryption in Transit | All data transmitted over HTTPS/TLS 1.2+ | Compliant | Helmet HSTS configuration, Nginx TLS termination
    Notes: HSTS with a one-year max-age, includeSubDomains and preload; TLS 1.2+ enforced at the Nginx terminator. With includeSubDomains and preload, every subdomain must serve HTTPS, because browsers carrying the preload list refuse plaintext to any of them.
S3 | Access Controls (RBAC) | 5-tier role-based access control with least-privilege enforcement | Compliant | src/middleware/rbac.ts - Role hierarchy enforcement on all routes
    Notes: Role order SUPER_ADMIN > COMPANY_ADMIN > MANAGER > SUPERVISOR > CANDIDATE; each route declares the minimum role it accepts. Role rank alone does not cross company boundaries; tenant scoping is a separate control (C2).
S4 | Password Policies | Bcrypt password hashing with configurable complexity requirements | Compliant | src/routes/auth.ts - bcrypt hashing with salt rounds
    Notes: Passwords hashed with bcrypt at a cost factor ("salt rounds") of 10 or more. The complexity rule cited as enforced at registration is a minimum length. Bcrypt uses only the first 72 bytes of its input, so anything beyond that in a long passphrase is silently ignored.
S5 | Session Management | JWT-based session tokens with expiration and secure cookie settings | Compliant | JWT token configuration with expiration, httpOnly cookies
    Notes: JWTs carry a configurable expiration and are delivered in cookies with the HttpOnly, Secure and SameSite flags. Expiration bounds a token's lifetime but does not revoke it: a leaked token stays valid until exp unless the TTL is short or the server keeps a deny-list.
S6 | Rate Limiting | Request rate limiting on auth, API and admin routes to prevent brute-force attacks | Compliant | src/middleware/security.ts - express-rate-limit on auth, API, and admin routes
    Notes: Auth: 10 req/15 min; API: 200 req/15 min; Admin: 50 req/15 min; Password reset: 5 req/hour. Health-check paths are exempt (A1). express-rate-limit keys on the client IP by default, so behind the Nginx terminator (S2) the application must take the client address from the proxy's forwarded header (Express trust proxy); otherwise every client shares the proxy's single window.
S7 | Security Headers | Helmet.js security headers (CSP, HSTS, X-Frame-Options, etc.) | Compliant | src/middleware/security.ts - helmet() configuration
    Notes: Content-Security-Policy, HSTS, X-Content-Type-Options, Referrer-Policy and X-Frame-Options set by helmet(). X-XSS-Protection is also listed, but it is a legacy header: Helmet 4 and later emit X-XSS-Protection: 0 to switch the browser's XSS auditor off, so it adds no protection; CSP is the header doing the work here.
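The S5 row states that sessions are JWTs with an expiration, delivered in HttpOnly/Secure/SameSite cookies. The block below is an added example written for this page, not the project's own auth code: it mints an HS256 session token and verifies it the way a session middleware must, pinning the algorithm, comparing the MAC in constant time, and rejecting anything expired or tampered with. The secret, claim names (sub, companyId, role), the 15-minute TTL and the cookie name are assumptions for the example; the application's real configuration is not on the dashboard.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed sample secret for the example only. In the application this
// comes from the environment, never from source, and should have >= 32 bytes of entropy.
export const SESSION_SECRET = "constructed-example-secret-do-not-use-0123456789abcdef";

// Assumed claim shape: the minimum a tenant-scoped RBAC app needs in the session.
export type SessionClaims = {
  sub: string;        // user id
  companyId: string;  // tenant the session is bound to
  role: string;       // one of the dashboard's five roles
  iat: number;        // issued at (seconds since epoch)
  exp: number;        // expiry (seconds since epoch)
};

const b64url = (s: string): string => Buffer.from(s).toString("base64url");

function sign(signingInput: string, secret: string): string {
  return createHmac("sha256", secret).update(signingInput).digest("base64url");
}

// Decode one base64url JSON segment; null on any parse failure.
function decodeJson(segment: string): unknown {
  try {
    return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Mint an HS256 token with a TTL (15 minutes assumed). Clock is injected so the
// logic is testable without real time.
export function mintSessionToken(
  claims: Omit<SessionClaims, "iat" | "exp">,
  secret: string,
  nowSec: number,
  ttlSec = 15 * 60,
): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ ...claims, iat: nowSec, exp: nowSec + ttlSec }));
  const signingInput = `${header}.${payload}`;
  return `${signingInput}.${sign(signingInput, secret)}`;
}

// Verify: pin the algorithm (the server decides, never the token), check the MAC
// in constant time, then enforce exp. Returns claims or null; callers treat null
// as "no session", never as a recoverable error.
export function verifySessionToken(token: string, secret: string, nowSec: number): SessionClaims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  const header = decodeJson(h) as { alg?: string } | null;
  if (!header || header.alg !== "HS256") return null; // rejects "none" and RS256 confusion

  const expected = Buffer.from(sign(`${h}.${p}`, secret), "base64url");
  const actual = Buffer.from(s, "base64url");
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;

  const claims = decodeJson(p) as SessionClaims | null;
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSec) return null;
  return claims;
}

// Set-Cookie value matching S5: HttpOnly, Secure, SameSite, with Max-Age tied to the JWT TTL
// so the cookie and the token expire together.
export function sessionCookie(token: string, ttlSec = 15 * 60): string {
  return `session=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=${ttlSec}`;
}
```

The verifier checks the signature before it looks at any claim, so a payload with the role rewritten to SUPER_ADMIN fails on the MAC, not on a later role check. Expiry is compared against an injected clock; in the middleware that would be Math.floor(Date.now() / 1000).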
Availability (A): 4 controls, 3/4 compliant

ID | Control | Description | Status | Evidence
A1 | Health Check Endpoints | Application health check endpoints for monitoring | Compliant | /healthz and /health endpoints configured
    Notes: Both endpoints return application status and are exempt from the rate limiter. Because they are unauthenticated and unthrottled, they should return only a liveness/readiness result, not dependency versions or configuration detail.
A2 | Error Handling | Centralized error handling with structured logging | Compliant | src/utils/logger.ts - Pino structured logging
    Notes: Pino emits JSON logs in production; a centralized error handler catches unhandled errors so they are logged rather than crashing the process.
A3 | Uptime Monitoring | External uptime monitoring and alerting configured | Needs Attention | External monitoring service configuration
    Notes: No external uptime monitoring detected. Configure an external service that probes the health endpoints (A1) from outside the deployment and alerts on failure.
A4 | Container Orchestration | Docker-based deployment with automatic restart policies | Compliant | docker-compose.yml - restart policies and health checks
    Notes: Docker Compose with restart: unless-stopped; database and app containers managed together. A Compose restart policy only restarts a container whose process exits on the same host; it provides no failover if the host itself goes down, which is why A3's external monitoring matters.
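The S6 row gives four rate-limit buckets and the A1 row says the limiter skips the health-check paths. The block below is an added example, not the project's src/middleware/security.ts: a fixed-window limiter with those exact limits and the health-check exemption, written against plain objects rather than express-rate-limit so it runs stand-alone. The path-to-bucket mapping (/api/auth/, /api/admin/, /api/auth/reset-password) is an assumption; the dashboard does not describe the route layout.

```typescript
// Added example for the S6 limits and the A1 health-check exemption.
// Not the project's middleware; route prefixes below are assumed.

type Bucket = "auth" | "api" | "admin" | "passwordReset";

interface Policy {
  limit: number;
  windowMs: number;
}

// Limits exactly as listed under S6.
export const POLICIES: Record<Bucket, Policy> = {
  auth:          { limit: 10,  windowMs: 15 * 60_000 },
  api:           { limit: 200, windowMs: 15 * 60_000 },
  admin:         { limit: 50,  windowMs: 15 * 60_000 },
  passwordReset: { limit: 5,   windowMs: 60 * 60_000 },
};

// Paths the limiter skips (A1). Matched exactly: a prefix match would let
// /health-anything or /healthz/extra ride the exemption.
export const HEALTH_PATHS = new Set(["/healthz", "/health"]);

// Assumed route layout. Most specific prefix first so reset-password gets
// the tighter hourly bucket rather than the general auth bucket.
export function bucketFor(path: string): Bucket | null {
  if (HEALTH_PATHS.has(path)) return null;
  if (path.startsWith("/api/auth/reset-password")) return "passwordReset";
  if (path.startsWith("/api/auth/")) return "auth";
  if (path.startsWith("/api/admin/")) return "admin";
  return "api";
}

interface WindowState {
  start: number;
  count: number;
}

export interface Verdict {
  allowed: boolean;
  remaining: number;
  retryAfterMs: number;
}

// Fixed window keyed by bucket + client IP. The clock is injected so the reset
// behaviour can be exercised without waiting.
export class FixedWindowLimiter {
  private windows = new Map<string, WindowState>();

  constructor(private policies: Record<Bucket, Policy> = POLICIES) {}

  check(path: string, clientIp: string, nowMs: number): Verdict {
    const bucket = bucketFor(path);
    if (bucket === null) return { allowed: true, remaining: Infinity, retryAfterMs: 0 };

    const policy = this.policies[bucket];
    const key = `${bucket}:${clientIp}`;
    let w = this.windows.get(key);
    // Start a fresh window on first sight or once the old one has elapsed.
    if (!w || nowMs - w.start >= policy.windowMs) {
      w = { start: nowMs, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= policy.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + policy.windowMs - nowMs };
    }
    w.count += 1;
    return { allowed: true, remaining: policy.limit - w.count, retryAfterMs: 0 };
  }
}
```

The clientIp argument is the trust boundary: behind the Nginx terminator it must come from the proxy's forwarded header, and only that proxy's header should be believed, or the limiter keys every request on Nginx's address and one window is shared by all clients. The retryAfterMs value is what a 429 response's Retry-After header would be derived from.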
Processing Integrity (PI): 4 controls, 3/4 compliant

ID | Control | Description | Status | Evidence
PI1 | Input Validation | Content-type validation and request body sanitization | Compliant | src/middleware/security.ts - contentTypeValidation middleware
    Notes: Content-Type validated on POST/PUT/PATCH; JSON and form-data bodies validated.
PI2 | Data Consistency | Database transactions for multi-step operations | Compliant | Prisma $transaction usage in critical operations (GDPR erasure, etc.)
    Notes: Prisma ORM over PostgreSQL with $transaction for multi-step writes; foreign-key constraints and cascading deletes keep related rows consistent.
PI3 | Audit Logging | Comprehensive audit trail for all security-relevant operations | Needs Attention | src/services/audit.service.ts - 0 audit log entries recorded
    Notes: The service defines events for authentication, CRUD operations, role changes, data access and security events, but 0 entries have been recorded, so the trail is not demonstrably being written. Needs Attention until entries for those events appear.
PI4 | Request Tracing | Unique request IDs for end-to-end tracing | Compliant | src/middleware/security.ts - requestIdMiddleware
    Notes: An X-Request-ID header is generated for each request and propagated through audit logs, so an audit entry can be tied back to the request that produced it.
Confidentiality (C): 4 controls, 4/4 compliant

ID | Control | Description | Status | Evidence
C1 | Data Classification | PII and sensitive data identified and protected | Compliant | GDPR service data export/deletion handles PII fields explicitly
    Notes: Candidate PII (email, name, phone) identified; anonymization applied to audit exports.
C2 | Multi-Tenant Data Isolation | Company-level data isolation enforced at database query level | Compliant | companyId filter on all data queries, Prisma schema relations
    Notes: All data queries are scoped to companyId, so users only reach data within their own company. Enforcement lives in the application's Prisma queries, so every data-access path must apply the filter; no database-side row-level security is cited as a backstop.
C3 | Sensitive Data Encryption | Payment data, credentials, and API keys encrypted or tokenized | Compliant | Payment gateway tokens, bcrypt password hashes, JWT secrets
    Notes: Payment card data is tokenized by the gateway; passwords are bcrypt hashes. API keys are held in environment variables, which keeps them out of source control but is neither encryption nor tokenization.
C4 | Data Access Logging | All data access operations logged with user attribution | Compliant | src/services/audit.service.ts - DATA_EXPORTED and resource access events
    Notes: Export, bulk and sensitive-data access events are logged with user ID and timestamp through the same audit service flagged under PI3 (0 entries recorded); the evidence for this control is therefore the code path, not recorded entries.
Privacy (P): 4 controls, 4/4 compliant

ID | Control | Description | Status | Evidence
P1 | GDPR Compliance | Data subject rights implemented (access, rectification, erasure, portability, objection) | Compliant | src/services/gdpr.service.ts - Articles 15-21 implementation
    Notes: Right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), data portability (Art. 20) and objection (Art. 21) implemented.
P2 | Data Retention Policies | Configurable data retention periods with automated cleanup | Compliant | src/services/audit.service.ts - cleanupOldAuditLogs()
    Notes: Audit-log retention is configurable via cleanupOldAuditLogs(); interview recordings, transcripts and session data have defined retention periods (see Data Retention Settings).
P3 | Consent Management | AI interview consent collection with jurisdiction-specific language | Compliant | src/services/compliance.service.ts - recordConsent(), hasValidConsent(), withdrawConsent()
    Notes: Consent recorded for AI interviews, video recording and data processing; withdrawal supported; jurisdiction-specific text for IL, NY and MD.
P4 | Privacy Notice & Transparency | Clear disclosure of AI usage, data collection, and processing purposes | Compliant | Consent text generation in compliance.service.ts
    Notes: Candidate-facing disclosure covers AI analysis, recording, data processing, human review, and that no decisions are made by automated means alone.
Audit Log viewer (columns: Timestamp | Severity | Action | User | Description | IP Address)
Data Retention Settings

Configure how long each data type is retained before automated cleanup. SOC 2 itself prescribes no fixed retention period; the 7-year audit-log minimum below is this dashboard's own policy floor, not a Trust Services Criteria requirement.

A retention period (in days) is configured for each of:
    Video and audio recordings from interviews
    Interview transcripts and AI-generated summaries
    Candidate profiles, resumes, and contact information
    Security and compliance audit trail (policy minimum: 7 years)
    WebSocket session logs and connection data