Tech Demo

This is a tech demo. Some functions may be missing or not working.

Zurück zum Blog

SOC2 Compliance Checklist for SaaS Startups

· Logproof Team · 10 Min. Lesezeit · soc2 compliance checklist

If you are building a B2B SaaS product, the question is not whether you will need SOC2 compliance — it is when. For most startups, that moment arrives with the first enterprise prospect who asks for your SOC2 report during procurement. This guide breaks down the specific SOC2 controls that relate to audit logging and gives you a practical roadmap for implementation.

What SOC2 Actually Is

SOC2 (System and Organization Controls 2) is an auditing framework developed by the AICPA (American Institute of Certified Public Accountants). It evaluates how a service organization manages data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Unlike ISO 27001, SOC2 is not a certification — it is an attestation. A licensed CPA firm examines your controls and issues a report. There are two types:

  • Type I: Evaluates the design of your controls at a specific point in time. Think of it as a snapshot.
  • Type II: Evaluates the design and operating effectiveness of your controls over a period (usually 6-12 months). This is what enterprise customers actually want.

The key insight for engineering teams: SOC2 is not primarily about having the right policies on paper. It is about demonstrating that your technical controls work consistently over time. And audit logs are the primary evidence that proves this.

The Trust Service Criteria That Matter for Logging

Not every SOC2 criterion directly requires audit logging, but a surprising number do. Let us walk through the most relevant ones.

Security (Common Criteria)

The Security category is mandatory for all SOC2 reports and contains the controls most relevant to audit logging. These are often referred to as the "Common Criteria" (CC) because they apply across all Trust Service Categories.

Availability

If you include Availability in your SOC2 scope, you will need to demonstrate monitoring and incident response capabilities. Audit logs that capture system-level events (deployments, configuration changes, infrastructure access) support this.

Processing Integrity

This criterion is relevant if your SaaS processes transactions or calculations. Audit logs that capture data processing events demonstrate that operations execute as intended.

Specific Controls Requiring Audit Logs

Here is where it gets concrete. These are the SOC2 Common Criteria controls where audit logging is either explicitly required or strongly implied.

CC6.1 — Logical Access Security

What it requires: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events.

What this means for you: You need to log all authentication and authorization events. Specifically:

  • Successful and failed login attempts
  • Multi-factor authentication events
  • Password resets and changes
  • Session creation and termination
  • OAuth token grants and revocations
  • API key creation, usage, and deletion

Implementation checklist:

  • [ ] Log every authentication attempt with timestamp, user identifier, IP address, and outcome (success/failure)
  • [ ] Log all authorization decisions for sensitive operations
  • [ ] Log API key lifecycle events (created, used, rotated, revoked)
  • [ ] Capture the authentication method used (password, MFA, SSO, API key)
  • [ ] Ensure logs include enough context to reconstruct the access event

CC7.2 — Monitoring of System Components

What it requires: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

What this means for you: You need comprehensive monitoring that includes both infrastructure metrics and application-level audit trails. The audit component specifically requires:

  • Logging of all administrative actions (user management, permission changes, configuration updates)
  • Monitoring of data access patterns, especially for sensitive data
  • Detection and logging of anomalous behavior (unusual access patterns, bulk data exports, privilege escalation)
  • Regular review processes for logged events

Implementation checklist:

  • [ ] Log all CRUD operations on user accounts and permissions
  • [ ] Log configuration changes to your application and infrastructure
  • [ ] Log data export and bulk access operations
  • [ ] Implement alerting for anomalous patterns (e.g., failed login spikes, unusual data access volumes)
  • [ ] Establish a regular log review cadence (weekly or monthly)
  • [ ] Document your monitoring and alerting procedures

CC8.1 — Change Management

What it requires: The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes to infrastructure and software.

What this means for you: Every change to your production environment should be traceable. This includes:

  • Code deployments (who deployed what, when)
  • Infrastructure changes (scaling events, configuration modifications)
  • Database schema migrations
  • Feature flag changes
  • Third-party integration configuration updates

Implementation checklist:

  • [ ] Log all deployment events with deployer identity, commit hash, and timestamp
  • [ ] Log infrastructure configuration changes
  • [ ] Log database migration execution
  • [ ] Log feature flag state changes
  • [ ] Maintain a change approval trail (e.g., PR approvals linked to deployments)
  • [ ] Ensure changes can be correlated with their authorization

CC6.2 — Credential Management

What it requires: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users.

What this means for you: You need a complete audit trail for the user lifecycle:

  • [ ] Log user registration and account creation events
  • [ ] Log invitation sends and acceptances
  • [ ] Log role assignments and changes
  • [ ] Log account deactivation and deletion
  • [ ] Log credential rotation events

CC6.3 — Access Removal

What it requires: The entity removes access to protected information assets when appropriate.

What this means for you: When access is revoked, it needs to be logged with enough detail to prove it happened:

  • [ ] Log user deprovisioning events
  • [ ] Log permission revocations
  • [ ] Log API key revocations
  • [ ] Log session invalidations after access removal
  • [ ] Demonstrate timeliness of access removal

CC7.3 — Evaluation of Security Events

What it requires: The entity evaluates security events to determine whether they could or have resulted in a failure to meet objectives.

What this means for you: It is not enough to collect logs. You need to show that you actively review and act on them:

  • [ ] Establish documented procedures for security event evaluation
  • [ ] Maintain evidence of regular log reviews
  • [ ] Document incident response actions taken based on log analysis
  • [ ] Retain logs long enough to support post-incident investigation (minimum 1 year recommended)

The Logging Architecture SOC2 Auditors Expect

SOC2 auditors are not prescriptive about technology choices, but they evaluate several properties of your logging system.

Completeness

Can you demonstrate that every significant event is captured? Gaps in logging are a common finding. Auditors will look for coverage across authentication, authorization, data access, administrative actions, and configuration changes.

Integrity

Can you prove that logs have not been modified after the fact? This is where many startups struggle. Writing to a regular database table does not provide integrity guarantees because anyone with database access can modify records.

Cryptographic hash chaining is the strongest approach here. Each log entry incorporates a hash of the previous entry, creating a verifiable chain. If any entry is modified or deleted, the chain breaks.

Retention

Do you retain logs for a sufficient period? SOC2 Type II audits cover a period of 6-12 months, so at minimum you need logs covering that entire window. In practice, most auditors expect at least one year of retention.

Access Control

Who can access your audit logs? The logs themselves need protection. If the same database credentials that run your application can also modify audit records, that is a control weakness.

Availability

Can you retrieve specific log entries when the auditor asks for them? Auditors will sample events and ask you to produce the corresponding log entries. If your logs are buried in an unindexed blob store, you will have trouble.

Practical Implementation Steps

Here is a phased approach to building SOC2-ready audit logging.

Phase 1: Identify Your Logging Scope (Week 1)

Before writing code, map out what needs to be logged. Walk through your application and list every action that falls under the controls described above. Common categories:

  1. Authentication events: Login, logout, MFA, password changes, session management
  2. Authorization events: Permission checks, access denials, privilege changes
  3. Data lifecycle events: Create, read, update, delete operations on sensitive resources
  4. Administrative events: User management, configuration changes, billing changes
  5. System events: Deployments, migrations, infrastructure changes

Phase 2: Implement Structured Event Logging (Weeks 2-3)

Each audit event should have a consistent structure:

{
  "action": "user.role.updated",
  "actor_id": "user_123",
  "actor_email": "admin@company.com",
  "target_type": "user",
  "target_id": "user_456",
  "metadata": {
    "old_role": "member",
    "new_role": "admin",
    "ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0..."
  },
  "timestamp": "2026-02-20T14:30:00Z"
}

Use a consistent taxonomy for action names. A good convention is resource.sub_resource.verb (e.g., user.role.updated, api_key.created, project.deleted).

Phase 3: Add Integrity Guarantees (Week 3-4)

This is where most DIY solutions fall short. You need to ensure that logged events cannot be silently modified. Options include:

  • Cryptographic hash chaining: Each event includes a hash of the previous event, creating a verifiable chain.
  • Write-once storage: Using append-only storage backends that prevent modification.
  • External anchoring: Periodically publishing hash digests to an external, immutable source.

Phase 4: Build Query and Export (Week 4-5)

Your auditor will ask you to produce specific records. Build query capabilities that support filtering by:

  • Time range
  • Actor (user ID or email)
  • Action type
  • Target resource
  • Metadata fields

Export to CSV and JSON at minimum.

Phase 5: Set Up Monitoring and Review (Week 5-6)

Implement the CC7.2 and CC7.3 requirements:

  • Configure alerts for security-relevant patterns
  • Establish a weekly or monthly log review process
  • Document your review procedures and findings

How Logproof Maps to SOC2 Controls

Logproof was designed with SOC2 compliance in mind. Here is how it maps:

| SOC2 Control | Logproof Feature | |---|---| | CC6.1 (Logical Access) | Structured event logging with actor, action, target schema | | CC6.2 (Credentials) | Full lifecycle tracking through events API | | CC6.3 (Access Removal) | Timestamped event capture with metadata | | CC7.2 (Monitoring) | Webhook notifications, query API, alerting | | CC7.3 (Evaluation) | Query and export API for log review | | CC8.1 (Change Management) | Deployment and configuration change logging | | Integrity | SHA-256 hash chaining with verification API | | Retention | Configurable retention from 30 days to 3+ years | | Access Control | Role-based access, separate API keys per environment |

Instead of spending five to six weeks building this infrastructure yourself, you can integrate Logproof in under an hour and immediately satisfy the audit logging requirements across all of these controls.

Key Takeaways

  1. SOC2 is not optional for B2B SaaS — enterprise customers will require it during procurement.
  2. Audit logging is the technical backbone of SOC2 compliance — at least six Common Criteria controls depend on comprehensive logging.
  3. Log integrity is non-negotiable — a regular database table is not sufficient. You need cryptographic guarantees.
  4. Start before your audit — SOC2 Type II requires evidence over a 6-12 month period. You cannot retroactively generate this evidence.
  5. Use a consistent event schema — structured events with actor, action, target, and metadata make auditor sampling straightforward.
  6. Review your logs regularly — collection without review is a control gap that auditors will flag.

Begin your SOC2 audit logging today. The longer you wait, the larger the gap in your audit evidence becomes, and the harder your first SOC2 report will be to achieve.

Artikel teilen

Auf X posten Auf LinkedIn teilen

Bereit für manipulationssichere Audit-Logs?

Starte in Minuten mit einem einzigen API-Call. Kostenloser Plan verfügbar.

Kostenlos starten →