_private/qwestly-private-docs/SOC2/CLAUDE.md

CLAUDE.md — SOC2 Compliance Documentation

Context

This directory is the canonical collection of SOC2 Type II compliance documents and evidence for Qwestly, an early-stage pre-seed startup with fewer than 10 employees. Documents are uploaded into Vanta for audit evidence collection, tracking, and auditor access.

  • Company: Qwestly
  • Stage: Pre-seed, < 10 employees
  • CTO / System Owner: Dominick Pham (dominick@qwestly.com)
  • CEO / Compliance Sponsor: Adam Boender (adam@qwestly.com)
  • Compliance Platform: Vanta

Tech Stack & Systems In Scope

| System | Purpose | Auth Method |
|---|---|---|
| Supabase | Database, auth, API logs | MFA (TOTP) |
| Vercel | Hosting, deployment | Google Workspace SSO |
| AWS S3 | Log archival storage | IAM + MFA |
| Auth0 | User authentication | SAML SSO |
| GitHub (Actions) | CI/CD, log shipping automation | MFA |
| MongoDB (Atlas) | Primary application database | |
| Asana | Task tracking, security issue tracking | SSO |
| Google Workspace | Identity provider, email | SSO (IdP) |
| LangSmith | LLM observability | SSO |
| 1Password | Credential management | MFA |
| Slack | Team communication | SSO |

Directory Structure

```text
SOC2/
├── index.md
├── CLAUDE.md
├── browser-automation.md
├── access-control/
│   └── Authentication-SSO-MFA-Evidence.md
├── log-management/
│   ├── Audit Quick Reference.md
│   ├── Log Management Control Matrix.md
│   └── Log Management Retention.md
├── network/
│   ├── Network Architecture Diagram.md
│   └── Network Segregation.md
├── data-management/
│   └── user-deletion/
│       ├── index.md
│       ├── flow.md
│       ├── test.md
│       └── *.png
└── evidence/
    ├── access-list/
    │   ├── vercel.md
    │   └── supabase.md
    ├── table-top-IR/
    └── *.pdf, *.png
```

Document Conventions

When creating or editing documents in this directory, follow these patterns:

Structure

  • Header block with version, date, owner, classification
  • Executive Summary (2-3 sentences of what this document proves)
  • SOC2 TSC Mapping Table — always map to specific criteria (CC6.1, CC7.1, etc.)
  • Implementation Details — concrete, specific, with code/config snippets where applicable
  • Evidence Locations — file paths or URLs auditors can verify
  • Testing & Validation — what was tested, when, by whom, what the result was
  • Continuous Improvement — review cadence (monthly/quarterly/annual)

Tone & Detail Level

  • Auditor-friendly but not padded. Every paragraph should answer "what control is in place, how do we know it works, where is the proof?"
  • Use checkmarks and tables liberally — auditors scan for them
  • Be honest about gaps. An early-stage startup won't have every enterprise control. Frame mitigations clearly (e.g., "compensating control: all production access is pair-programmed, no solo deploys").
  • Dates matter. Every document needs a date. Evidence screenshots should have visible timestamps.
  • Avoid enterprise cosplay. Don't write policies for a 500-person company. The processes should be appropriate for <10 people — lightweight, automated where possible, manual where reasonable.

SOC2 Trust Services Criteria Commonly Addressed

Documents in this folder typically map to these TSCs:

  • CC6.1 — Logical and physical access controls
  • CC6.2 — System boundaries and data classification
  • CC6.3 — Access control systems and procedures
  • CC6.4 — Authentication and authorization controls
  • CC6.6 — Data processing integrity
  • CC6.7 — Data transmission security
  • CC7.1 — System monitoring capabilities
  • CC7.2 — Detection and analysis of security events
  • A1.2 — Availability monitoring and management

Vanta Integration

Vanta is the system of record for compliance. Documents here are uploaded as evidence in Vanta. When creating new evidence:

  1. Write the narrative document in this directory (Markdown)
  2. Gather screenshots/PDFs into evidence/ or a subdirectory
  3. Cross-reference between narrative docs and evidence files
  4. Upload to Vanta; the document in this repo is the canonical source

Key Processes Already Documented

  • Log Management — Supabase → GitHub Actions → AWS S3, 90-day retention, daily collection
  • Authentication — Google Workspace SSO for most systems, TOTP MFA for everything else
  • Network Architecture — Environment isolation (dev/staging/prod), VPC boundaries, encrypted transport
  • User Data Deletion — Public request form → Asana ticket → Admin review → MongoDB + Auth0 deletion, 30-day SLA
  • Vulnerability Scanning — Quarterly Nessus scans, remediation tracking
  • Incident Response — Tabletop exercises conducted, documented
  • Penetration Testing — External pentest report (May 2025)
  • Access Control — Access lists per system, quarterly reviews

Guidance for This Project

When I help you with this directory:

  • I'll match the existing document style and depth — not too enterprise, not too hand-wavy
  • I'll always map to specific SOC2 criteria
  • I'll flag where additional evidence (screenshots, logs) is needed vs. where narrative alone suffices
  • I'll keep processes appropriate for a <10-person startup — automation over bureaucracy
  • I won't invent policies or controls that don't exist — I'll ask what's actually in place

Browser Automation via Playwright MCP

For detailed automation patterns including the security review upload workflow and troubleshooting, see browser-automation.md. The sections below are a quick reference — the standalone file has the complete reference.

When interacting with Vanta or other web UIs using the Playwright MCP, follow these patterns:

Unresponsive Browser

The Playwright MCP server may already be held by another session (e.g., a different Claude Code tab or a prior conversation). If browser_navigate or other Playwright tools fail with "Browser is already in use", kill the lingering process:

```bash
pkill -f "mcp-chrome"
```

Then retry the operation.

Snapshot Navigation

  • Use browser_snapshot without arguments to get the full accessibility tree of the current page.
  • The snapshot uses accessibility references like [ref=e19], but these refs cannot be used directly as CSS selectors in any Playwright tool — they will fail with "Unexpected token while parsing CSS selector".

Most Reliable: browser_run_code_unsafe

Use browser_run_code_unsafe with raw Playwright API for all interactions — it bypasses the broken ref-based target parsing:

```javascript
async (page) => {
  // Fill text fields
  await page.getByRole('textbox', { name: 'Identifier' }).fill('Item Name');

  // Click radio buttons — use .first() to avoid strict mode conflicts
  await page.getByRole('radio', { name: 'Yes' }).first().click();

  // Wait briefly for conditional fields to appear
  await page.waitForTimeout(300);

  // Open combobox
  await page.getByRole('combobox').click();
  await page.waitForTimeout(300);

  // Select from dropdown
  await page.getByRole('option', { name: 'Option Name' }).click();

  // Click button
  await page.getByRole('button', { name: 'Add' }).click();
}
```

Dialog Scoping

Vanta uses modals/dialogs. Always scope locators to the dialog to avoid matching background elements with the same label:

```javascript
const dialog = page.getByRole('dialog', { name: 'Add custom item' });
await dialog.getByRole('button', { name: 'Add' }).click();
```

Common Vanta Element Patterns

| Element | Selector | Notes |
|---|---|---|
| Textbox | `getByRole('textbox', { name: 'Identifier' })` | Works for all `<input>` fields |
| Radio "Yes"/"No" | `getByRole('radio', { name: 'Yes' }).first()` | Always resolves 2 matches — use `.first()` |
| Combobox (owner picker) | `getByRole('combobox')` | Must be scoped inside dialog |
| Dropdown option | `getByRole('option', { name: 'Dominick Pham Dominick Pham Admin' })` | Use the full label text shown in snapshot |
| Button in dialog | `getByRole('button', { name: 'Add' })` scoped to dialog | Prevents matching the "Add item" page-level button |
| Table row | `getByRole('row', { name: /pattern/ })` | Name is a concatenation of all cell text |

Workflow: Adding Custom Inventory Items in Vanta

  1. Navigate to https://app.vanta.com/c/qwestly.com/inventory#other
  2. Click Add item button → opens a dropdown menu with "Add custom item" and "Import custom items"
  3. Click menuitem Add custom item → opens the dialog form
  4. Fill Identifier, select "Yes" for user data, fill Details about stored data and Description
  5. Open the owner combobox and select the appropriate user
  6. Click "Add" (scoped within the dialog)
  7. Repeat from step 2 for each additional item
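As an added example (not code from this repo or from Vanta), the seven steps above as one function you can hand to browser_run_code_unsafe, looping over several items and applying the dialog-scoping and `.first()` patterns from the table. The item object fields, the 'Details about stored data' and 'Description' textbox names, and the recording fake page used for an offline dry run are assumptions.

```javascript
// Added example, not from the Vanta docs: runs the "Add custom inventory item"
// workflow for several items in one browser_run_code_unsafe call, scoping every
// locator to the dialog. Textbox labels other than 'Identifier' are assumed.
const INVENTORY_URL = 'https://app.vanta.com/c/qwestly.com/inventory#other';

async function addCustomInventoryItems(page, items) {
  await page.goto(INVENTORY_URL);
  const added = [];
  for (const item of items) {
    // Steps 2-3: "Add item" menu -> "Add custom item" dialog
    await page.getByRole('button', { name: 'Add item' }).click();
    await page.getByRole('menuitem', { name: 'Add custom item' }).click();
    const dialog = page.getByRole('dialog', { name: 'Add custom item' });
    // Step 4: identifier, user-data radio (2 matches, so .first()), details
    await dialog.getByRole('textbox', { name: 'Identifier' }).fill(item.identifier);
    const answer = item.storesUserData ? 'Yes' : 'No';
    await dialog.getByRole('radio', { name: answer }).first().click();
    await page.waitForTimeout(300); // conditional fields appear after the radio
    if (item.storesUserData) {
      await dialog.getByRole('textbox', { name: 'Details about stored data' }).fill(item.dataDetails);
    }
    await dialog.getByRole('textbox', { name: 'Description' }).fill(item.description);
    // Step 5: owner combobox inside the dialog; options render at page level
    await dialog.getByRole('combobox').click();
    await page.waitForTimeout(300);
    await page.getByRole('option', { name: item.ownerLabel }).click();
    // Step 6: the dialog's "Add", never the page-level "Add item"
    await dialog.getByRole('button', { name: 'Add' }).click();
    added.push(item.identifier);
  }
  return added;
}

// Constructed recording stand-in for a Playwright Page so the workflow can be
// dry-run offline; each locator call is appended to `log` as one line.
function makeFakePage(log) {
  const locator = (path) => ({
    click: async () => { log.push(`click ${path}`); },
    fill: async (value) => { log.push(`fill ${path} <- ${value}`); },
    first: () => locator(`${path}.first()`),
    getByRole: (role, opts = {}) => locator(`${path} > ${role}[${opts.name ?? ''}]`),
  });
  return {
    goto: async (url) => { log.push(`goto ${url}`); },
    waitForTimeout: async () => {},
    getByRole: (role, opts = {}) => locator(`${role}[${opts.name ?? ''}]`),
  };
}
```

Running `addCustomInventoryItems(makeFakePage(log), items)` first lets you read the exact locator sequence in `log` before pointing the same function at the live page.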