SOC 2 — Trust Services Criteria · vTSC 2017 (revised 2022)
SOC 2 — Trust Services Criteria
SOC 2 — Trust Services Criteria — 92% covered.
61 requirements · 54 enforced · 2 designed · 5 advisory · 0 deferred.
Source: AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017, points-of-focus revised 2022). Deep-mapping expanded 2026-05-29 (Wave-Ralph-B) from CC1-CC9 (33) to the full TSC surface — Common Criteria CC1-CC9 + Availability A1 + Confidentiality C1 + Processing Integrity PI1 + Privacy P1-P8. · License: AICPA — Trust Services Criteria are copyrighted; KYE registry paraphrases each criterion's intent and cites the criterion identifier for control-mapping purposes only.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| A1 Availability | 3 | 3 | 0 | 0 | 0 | 100% |
| C1 Confidentiality | 2 | 2 | 0 | 0 | 0 | 100% |
| CC1 Control Environment | 5 | 2 | 0 | 3 | 0 | 55% |
| CC2 Communication & Information | 3 | 3 | 0 | 0 | 0 | 100% |
| CC3 Risk Assessment | 4 | 4 | 0 | 0 | 0 | 100% |
| CC4 Monitoring Activities | 2 | 2 | 0 | 0 | 0 | 100% |
| CC5 Control Activities | 3 | 3 | 0 | 0 | 0 | 100% |
| CC6 Logical & Physical Access Controls | 8 | 6 | 1 | 1 | 0 | 84% |
| CC7 System Operations | 5 | 5 | 0 | 0 | 0 | 100% |
| CC8 Change Management | 1 | 1 | 0 | 0 | 0 | 100% |
| CC9 Risk Mitigation | 2 | 2 | 0 | 0 | 0 | 100% |
| P1 Notice & Communication | 1 | 1 | 0 | 0 | 0 | 100% |
| P2 Choice & Consent | 1 | 1 | 0 | 0 | 0 | 100% |
| P3 Collection | 2 | 2 | 0 | 0 | 0 | 100% |
| P4 Use, Retention & Disposal | 3 | 3 | 0 | 0 | 0 | 100% |
| P5 Access | 2 | 2 | 0 | 0 | 0 | 100% |
| P6 Disclosure & Notification | 7 | 5 | 1 | 1 | 0 | 82% |
| P7 Quality | 1 | 1 | 0 | 0 | 0 | 100% |
| P8 Monitoring & Enforcement | 1 | 1 | 0 | 0 | 0 | 100% |
| PI1 Processing Integrity | 5 | 5 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
soc2.A1.1 |
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1, kye.spof.path_to_full.v1engines: internal, internalregistries: internalconstitution_refs: constitution/51-NO-SPOF.md, constitution/34-RECONCILIATION-ENGINE.md |
soc2.A1.2 |
The entity authorises, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | enforced | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1, kye.spof.path_to_full.v1engines: internal, internal, internalworkers: kye-d1-backup-worker, kye-dr-orchestratorconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/51-NO-SPOF.md |
soc2.A1.3 |
The entity tests recovery plan procedures supporting system recovery to meet its objectives. | enforced | audit_events: kye.compliance.attestation.v1, kye.assurance.audit_replay_report.v1, kye.signal.scenario_run.completed.v1engines: internal, internal, internalworkers: kye-dr-orchestratorconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/51-NO-SPOF.md |
soc2.C1.1 |
The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. | enforced | audit_events: kye.evidence.decision_map.v1, kye.purpose.permission.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/12-PURPOSE-PERMISSION.md |
soc2.C1.2 |
The entity disposes of confidential information to meet the entity's objectives related to confidentiality. | enforced | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
soc2.CC1.1 |
The entity demonstrates a commitment to integrity and ethical values. | advisory | constitution_refs: constitution/00-INDEX.md, constitution/12-PURPOSE-PERMISSION.md |
soc2.CC1.2 |
The board of directors demonstrates independence from management and exercises oversight of internal control. | advisory | constitution_refs: constitution/36-GOVERNEDUI.md |
soc2.CC1.3 |
Management establishes, with board oversight, structures, reporting lines, and authorities and responsibilities for objectives. | enforced | audit_events: kye.authority.grant.v1, kye.risk.authority_register.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
soc2.CC1.4 |
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | advisory | constitution_refs: constitution/10-PARTNER.md |
soc2.CC1.5 |
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC2.1 |
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1, kye.audit.event.appended.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
soc2.CC2.2 |
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | enforced | audit_events: kye.comms.dispatch.v1engines: internalconstitution_refs: constitution/38-COMMS-RAIL.md |
soc2.CC2.3 |
The entity communicates with external parties regarding matters affecting the functioning of internal control. | enforced | audit_events: kye.transparency.statement.v1, kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/38-COMMS-RAIL.md, constitution/21-DELEGATED-AUDITABILITY.md |
soc2.CC3.1 |
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | enforced | audit_events: kye.purpose.permission.v1, kye.risk.score.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md |
soc2.CC3.2 |
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1engines: internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC3.3 |
The entity considers the potential for fraud in assessing risks to the achievement of objectives. | enforced | audit_events: kye.signal.stress_test.high_risk_detected.v1, kye.risk.score.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC3.4 |
The entity identifies and assesses changes that could significantly impact the system of internal control. | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1, kye.risk.score.v1engines: internal, internalworkers: kye-drift-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC4.1 |
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.assurance.audit_replay_report.v1, kye.compliance.attestation.v1engines: internalagents: internalworkers: kye-audit-pilot-agent, kye-audit-replay-orchestratorconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
soc2.CC4.2 |
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board, as appropriate. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.signal.drift.detected.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
soc2.CC5.1 |
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | enforced | audit_events: kye.evidence.decision_map.v1, kye.purpose.permission.v1engines: internal, internalworkers: kye-pdpconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
soc2.CC5.2 |
The entity selects and develops general control activities over technology to support the achievement of objectives. | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.audit.event.appended.v1engines: internal, internalworkers: kye-gateway, kye-pdpconstitution_refs: constitution/16-EDGE-RUNTIME.md, constitution/25-EDGE-GOVERNANCE.md |
soc2.CC5.3 |
The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action. | enforced | audit_events: kye.signal.tool.compiled.v1engines: internalworkers: kye-rules-gateway-workerconstitution_refs: constitution/29-PROFILES-LITE.md |
soc2.CC6.1 |
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.evidence.decision_map.v1engines: internal, internal, internal, internalworkers: kye-pdp, kye-gatewayconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
soc2.CC6.2 |
Prior to issuing system credentials and granting system access, the entity registers and authorises new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorised. | enforced | audit_events: kye.authority.grant.v1, kye.revocation.event.v1, kye.signal.revocation.cascaded.v1, kye.admin.tenant.revoked.v1engines: internal, internalworkers: kye-pdpconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
soc2.CC6.3 |
The entity authorises, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties. | enforced | audit_events: kye.authority.grant.v1, kye.purpose.permission.v1, kye.risk.authority_register.v1engines: internal, internalworkers: kye-pdpconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
soc2.CC6.4 |
The entity restricts physical access to facilities and protected information assets (for example, data centre facilities, back-up media storage, and other sensitive locations) to authorised personnel to meet the entity's objectives. | advisory | constitution_refs: constitution/16-EDGE-RUNTIME.md |
soc2.CC6.5 |
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity's objectives. | enforced | audit_events: kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
soc2.CC6.6 |
The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | enforced | audit_events: kye.signal.decision.denied.v1, kye.evidence.decision_map.v1engines: internal, internalworkers: kye-gatewayconstitution_refs: constitution/25-EDGE-GOVERNANCE.md |
soc2.CC6.7 |
The entity restricts the transmission, movement, and removal of information to authorised internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives. | enforced | audit_events: kye.evidence.decision_map.v1, kye.federation.cross_org_delegation.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.CC6.8 |
The entity implements controls to prevent or detect and act upon the introduction of unauthorised or malicious software to meet the entity's objectives. | designed | audit_events: kye.evidence.tool_call_pin.v1, kye.signal.tool.compiled.v1constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
soc2.CC7.1 |
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1engines: internalworkers: kye-drift-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/34-RECONCILIATION-ENGINE.md |
soc2.CC7.2 |
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.stress_test.high_risk_detected.v1, kye.agency_drift.event.v1engines: internal, internalworkers: kye-incident-detector, kye-drift-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC7.3 |
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.signal.revocation.cascaded.v1engines: internal, internalworkers: kye-incident-detector, kye-authority-revocation-orchestratorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC7.4 |
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.signal.evidence.sealed.v1engines: internal, internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC7.5 |
The entity identifies, develops, and implements activities to recover from identified security incidents. | enforced | audit_events: kye.signal.incident.closed.v1, kye.assurance.audit_replay_report.v1engines: internalworkers: kye-audit-replay-orchestratorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
soc2.CC8.1 |
The entity authorises, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.pack.v1engines: internal, internalgovernedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1constitution_refs: constitution/36-GOVERNEDUI.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
soc2.CC9.1 |
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | enforced | audit_events: kye.risk.score.v1, kye.spof.path_to_full.v1constitution_refs: constitution/51-NO-SPOF.md, constitution/13-RESILIENCE-LOOP.mdregistries: internalengines: internal, internalworkers: kye-gateway |
soc2.CC9.2 |
The entity assesses and manages risks associated with vendors and business partners. | enforced | audit_events: kye.federation.cross_org_delegation.v1engines: internalconstitution_refs: constitution/51-NO-SPOF.md |
soc2.P1.1 |
The entity provides notice to data subjects about its privacy practices to meet the entity's objectives related to privacy. The notice is updated and communicated to data subjects in a timely manner. | enforced | audit_events: kye.consent.acceptance.v1, kye.comms.dispatch.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/38-COMMS-RAIL.md |
soc2.P2.1 |
The entity communicates choices available regarding the collection, use, retention, disclosure, and disposal of personal information to data subjects and the consequences, if any, of each choice. | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.permission.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P3.1 |
Personal information is collected consistent with the entity's objectives related to privacy. | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P3.2 |
For information requiring explicit consent, the entity communicates the need for such consent as well as the consequences of a failure to provide consent for the request for personal information, and obtains the consent prior to the collection of the information to meet the entity's objectives related to privacy. | enforced | audit_events: kye.consent.acceptance.v1, kye.purpose.permission.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
soc2.P4.1 |
The entity limits the use of personal information to the purposes identified in the entity's objectives related to privacy. | enforced | audit_events: kye.purpose.permission.v1, kye.evidence.decision_map.v1, kye.evidence.tool_call_pin.v1engines: internal, internalworkers: kye-pdpconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
soc2.P4.2 |
The entity retains personal information consistent with the entity's objectives related to privacy. | enforced | audit_events: kye.audit_retention_policy.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
soc2.P4.3 |
The entity securely disposes of personal information to meet the entity's objectives related to privacy. | enforced | audit_events: kye.audit_retention_policy.v1, kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
soc2.P5.1 |
The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.dsar.requested.v1, kye.signal.dsar.fulfilled.v1, kye.dsar_evidence_pack.v1engines: internal, internalworkers: kye-dsar-evidence-agentconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P5.2 |
The entity corrects, amends, or appends personal information based on information provided by data subjects and communicates such information to third parties, as committed or required, to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.dsar.requested.v1, kye.signal.entity.updated.v1, kye.federation.cross_org_delegation.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P6.1 |
The entity discloses personal information to third parties with the explicit consent of data subjects, and such consent is obtained prior to disclosure to meet the entity's objectives related to privacy. | enforced | audit_events: kye.consent.acceptance.v1, kye.federation.cross_org_delegation.v1, kye.subprocessor.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P6.2 |
The entity creates and retains a complete, accurate, and timely record of authorised disclosures of personal information to meet the entity's objectives related to privacy. | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.audit.event.v1, kye.evidence.tool_call_pin.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/21-DELEGATED-AUDITABILITY.md |
soc2.P6.3 |
The entity creates and retains a complete, accurate, and timely record of detected or reported unauthorised disclosures (including breaches) of personal information to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1, kye.audit.event.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/30-AUDIT-WORM-RETENTION.md |
soc2.P6.4 |
The entity obtains privacy commitments from vendors and other third parties who have access to personal information to meet the entity's objectives related to privacy. | designed | audit_events: kye.subprocessor.v1, kye.compliance.attestation.v1constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/52-DELEGATED-AGENT-BINDING.md |
soc2.P6.5 |
The entity obtains commitments from vendors and other third parties with access to personal information to notify the entity in the event of actual or suspected unauthorised disclosures of personal information. | advisory | audit_events: kye.subprocessor.v1, kye.signal.incident.opened.v1constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
soc2.P6.6 |
The entity provides notification of breaches and incidents to affected data subjects, regulators, and others to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1engines: internal, internalworkers: kye-comms-engine-workerconstitution_refs: constitution/38-COMMS-RAIL.md |
soc2.P6.7 |
The entity provides data subjects with an accounting of the personal information held and disclosure of the data subjects' personal information, upon the data subjects' request, to meet the entity's objectives related to privacy. | enforced | audit_events: kye.dsar_evidence_pack.v1, kye.federation.cross_org_delegation.v1engines: internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
soc2.P7.1 |
The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.entity.created.v1, kye.signal.entity.updated.v1, kye.reconciliation.verdict.v1engines: internal, internalconstitution_refs: constitution/34-RECONCILIATION-ENGINE.md |
soc2.P8.1 |
The entity implements a process for receiving, addressing, resolving, and communicating the resolution of inquiries, complaints, and disputes from data subjects and others and periodically monitors compliance to meet the entity's objectives related to privacy. | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/38-COMMS-RAIL.md |
soc2.PI1.1 |
The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.observed_action.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/43-MACHINE-READABLE-BY-DEFAULT.md |
soc2.PI1.2 |
The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1engines: internal, internal, internalworkers: kye-pdp, kye-gatewayconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/25-EDGE-GOVERNANCE.md |
soc2.PI1.3 |
The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives. | enforced | audit_events: kye.evidence.decision_map.v1, kye.reconciliation.verdict.v1engines: internal, internalreconcilers: registry-manifest-alive, openapi-worker-routesconstitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
soc2.PI1.4 |
The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. | enforced | audit_events: kye.evidence.pack.v1, kye.signal.evidence.sealed.v1, kye.comms.dispatch.v1engines: internal, internalworkers: kye-comms-engine-workerconstitution_refs: constitution/35-STREAMING-LOGS.md, constitution/38-COMMS-RAIL.md |
soc2.PI1.5 |
The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. | enforced | audit_events: kye.audit.event.v1, kye.audit_retention_policy.v1engines: internal, internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |