Security (CC)

| Control | Arx Feature | Evidence |
|---|---|---|
| CC6.2: Logical access to systems | Policy & Guardrails, RBAC | Agents can only call approved connectors; policy enforcement at runtime |
| CC7.2: System monitoring | Audit Trail, comprehensive logging | Every action logged, immutable, searchable, exported to SIEM |
| CC8.1: Change management | Approval gates, policy versioning | High-risk agent actions require human approval; all policy changes tracked |
| CC9.1: Logical access controls | Agent ownership, approval routing | Approvals routed to agent owner; access controlled by registry |

Availability (A)

| Control | Arx Feature | Evidence |
|---|---|---|
| A1.1: System availability | SLA monitoring, uptime guarantees | 99.99% uptime SLA; health checks on all connectors |
| A1.2: Disaster recovery | Backup & restore, failover | Hourly backups; automatic failover to secondary region |

Confidentiality (C)

| Control | Arx Feature | Evidence |
|---|---|---|
| C1.1: Data classification | Connector permissions, data governance | Agents classified by blast radius and risk level |
| C1.2: Encryption in transit | TLS 1.3 for all connections | All API calls encrypted; connector credentials never logged in plaintext |
| C1.3: Encryption at rest | AES-256 encryption, key management | Connector credentials encrypted in database; audit logs stored encrypted |

Integrity (I)

| Control | Arx Feature | Evidence |
|---|---|---|
| I1.1: Data accuracy | Policy validation, approval verification | Agents cannot modify data outside declared blast radius |
| I1.2: System integrity | Immutable audit trail, cryptographic signing | All audit entries signed; chain breaks if any entry is modified |

Getting SOC 2 certified with Arx

To demonstrate your agents meet SOC 2 requirements:

- Define policies — declare blast radius and approval gates for each agent
- Map controls — match each agent policy to SOC 2 control categories
- Generate evidence — Arx produces audit reports that auditors can verify
- Share with auditors — provide read-only access to audit trail and control mappings

Arx integrates with SOC 2 questionnaires. Many of your vendor security questions are answered by Arx's controls, not your agent code.