# SOC2 Compliance Documentation — Qwestly
Canonical collection of SOC2 Type II compliance documents and evidence for Qwestly, a pre-seed startup (<10 employees). These documents are uploaded to Vanta (app.vanta.com/c/qwestly.com) for auditor access.
Audit windows: Previous — July 2, 2025 – Oct 3, 2025. Upcoming — July 2, 2026 – Oct 2, 2026.
Key contacts: Dominick Pham (CTO, dominick@qwestly.com), Adam Boender (CEO, adam@qwestly.com)
## Vanta integrations
These systems are connected to Vanta and feed evidence automatically.
| Integration | Capabilities |
|---|---|
| Asana | Access, task creation, task tracking |
| Checkr | Access, people |
| GitHub | Access, inventory, task creation, task tracking, vulnerabilities |
| Google Drive | Documents, policies |
| Google Workspace | Access, groups, people, single sign-on, vendor discovery |
| Gusto | People |
| Slack | Notifications |
| MongoDB Atlas | Access, inventory |
| Supabase | Access, inventory |
| Vercel | Access, inventory |
See vanta-integrations.md for connection details and credentials.
## What's here

| Area | Folder | What it covers |
|---|---|---|
| Access Control | access-control/ | SSO, MFA, authentication controls |
| Log Management | log-management/ | Log collection, retention, monitoring |
| Network Security | network/ | Architecture diagrams, environment isolation |
| Data Management | data-management/ | User data deletion process & testing |
| Raw Evidence | evidence/ | Screenshots, PDFs, scan reports, access lists |
## SOC2 Trust Services Criteria in scope

| Criteria | Area |
|---|---|
| CC6.1–6.4 | Logical access security (system boundaries, authentication), credential provisioning and removal, physical access |
| CC6.6 | Protection against threats from outside the system boundary (network and perimeter controls) |
| CC6.7 | Data transmission security (restriction of transmission, movement, and removal of information) |
| CC7.1–7.2 | System monitoring, vulnerability and security event detection |
| A1.2 | Environmental protections, data backup, and recovery infrastructure |
## Adding new evidence

- Write the narrative document in the appropriate functional area folder
- Save screenshots, PDFs, or export files into evidence/
- Cross-reference the evidence file in the narrative doc
- Upload to Vanta — the Markdown doc in this repo is the canonical source
Documents follow a consistent structure (version header, executive summary, TSC mapping, implementation details, evidence locations, testing, review cadence). See CLAUDE.md for the full convention.
## Related docs elsewhere

- Engineering: ../Engineering/log-shipping-implementation.md
- CI/CD: ../CI-CD/soc2-evidence-documentation.md
- Policies: ../Policies/