SOC 2 Trust Service Criteria — Equivalence Map

Field Value
Document ID SOC2EM-1
Version v1.0
Effective date 2026-04-30
Owner Peter Sterkenburg, Founder & operator
Attesting entity NordScope (toiminimi / sole trader, Y-tunnus 3148476-5; Helsinki, Finland)
Root scope reference ISMS scope statement

Disclosure

This is an equivalence map, not a SOC 2 Type 1 or Type 2 attestation. NordScope has not engaged a CPA firm to perform a SOC 2 examination. This document maps the SOC 2 Trust Service Criteria (TSC 2017, with 2022 points-of-focus updates) to the controls PortalPilot actually operates, with explicit disclosure of every gap.

Procurement reviewers should treat this document as alignment evidence supporting "compensating controls" under CAIQ GRM-04 ("If a SOC 2 / SOC 3 / ISO 27001 report is unavailable, the cloud customer accepts compensating controls or alternative attestation") and SIG-Lite Question 2 ("If you do not have a SOC 2 Type 2 report, please describe your information-security framework alignment"). It is not, and does not represent itself as, a third-party-attested SOC 2 report.

Phase 2 third-party attestation is deferred until enterprise-customer demand justifies the audit cost; the deferral structure is documented in the public ISMS scope statement.


§1 Security (Common Criteria)

The Common Criteria apply to all five TSCs and are the largest section.

Common Criteria Description PortalPilot equivalent Annex A controls applied Evidence pointer Gap Compensating measure
CC1.1 Integrity & ethical values Documented values, code of conduct Single-founder operation under Finnish business law; no formal code-of-conduct document A.5.1, A.5.4 ISMS scope statement §6 No formal employee code of conduct Sole trader with no employees — code of conduct deferred until first hire
CC1.2 Board oversight Board independence, oversight Sole-trader entity; no board structure A.5.2, A.5.3 ISMS scope statement §1 No board Sole-trader form is recognised under Finnish company law; founder accountability sits with regulator (Tietosuojavaltuutettu)
CC1.3 Organisational structure Defined org structure, reporting lines Single-operator structure; all roles documented A.5.2 ISMS scope statement §6 None — sole-trader form is fully self-contained n/a
CC1.4 Commitment to competence Hiring, training, retention controls Founder is the sole technical operator; LLM-driven static review (Mistral AI) supplements code review A.6.1–A.6.4 portalpilot.io/dpa Annex II §5 No employee training programme No employees; founder maintains skills via continuous practice + adversarial sweep cadence
CC1.5 Accountability Performance evaluations, disciplinary action Sole-trader entity; quarterly internal audit holds founder operationally accountable A.5.4, A.6.4 ISMS scope statement §7 No external accountability mechanism Annual founder review + quarterly Claude-Code adversarial sweep + customer-facing DPA breach-notification commitments (72 h)
CC2.1 Information needed for control Quality, timely, accurate info Audit logging in production database; security audit log on the agent plane A.5.32, A.8.15, A.8.16 portalpilot.io/security §6 None n/a
CC2.2 Internal communication Roles, responsibilities communicated Sole-trader entity; all roles in ISMS scope statement §6 A.5.4, A.6.3 ISMS scope statement §6 None n/a
CC2.3 External communication Customer/sub-processor communication Public DPA with breach-notification clause; sub-processor list reconciliation A.5.14, A.5.34 portalpilot.io/dpa §7 None n/a
CC3.1 Risk identification Identifies risks; specifies relevant objectives Risk register documents identified risks cross-referenced to Annex A controls A.5.7, A.5.8 Risk register (available under NDA on request) None n/a
CC3.2 Risk analysis & response Likelihood/impact assessment H/M/L qualitative scoring per the risk register; founder-attested under NordScope's single-operator structure A.5.7 Risk register (available under NDA on request) Qualitative scoring only (vs NIST 800-30 5×5 quantitative) Qualitative scoring is appropriate for a sole-trader scope; quantitative scoring deferred to Phase 2 alongside the third-party attestation
CC3.3 Fraud risk Fraud risk assessment Customer self-DoS / billing-abuse risks identified in the risk register; payment-fraud detection delegated to Mollie A.5.7 Risk register (available under NDA on request) No NordScope-side fraud-prevention model Mitigated by Mollie's PCI-DSS-graded fraud detection + the encryption-key compromise row of the risk register
CC4.1 Internal monitoring Ongoing/periodic evaluations Quarterly internal audit (clause 9.2) + automated CI drift checks A.5.36, A.8.16 ISMS scope statement §7 + Q2 internal audit report None n/a
CC4.2 Deficiencies & remediation Communicate, remediate, follow-up Findings register in each internal audit; status tracked in GitHub Issues A.5.36 Q2 internal audit report Remediation not third-party-verified External attestation deferred to Phase 2
CC5.1 Selects/develops control activities Selects controls aligned to risk This document; ISO/IEC 27001:2022 Annex A register A.5.32, A.8.32 Annex A control register (planned — see Trust Center evidence library) None n/a
CC5.2 Selects/develops technology controls Technology-specific control selection RLS, JWT, OAuth, AES-256-GCM, two-layer firewall, four-layer agent-security model A.8.2–A.8.5, A.8.24 ISMS scope statement §4–§5 None n/a
CC5.3 Policies/procedures Policies + monitoring of policy adherence Public Privacy/DPA/Security pages; ADR architecture documents; internal runbooks A.5.1 portalpilot.io/privacy, /dpa, /security No formal policy review board Sole-trader entity; founder approves all policies; quarterly review cadence in §7 of the scope statement
CC6.1 Logical & physical access controls Restricts logical access; enforces least privilege Two-layer firewall + Traefik reverse proxy + Supabase Auth + JWT + per-edge-function ownership verification + RLS on every customer table A.5.15, A.5.18, A.8.2, A.8.3, A.8.5 ISMS scope statement §4 None n/a
CC6.2 Authorisation & registration Provisioning, modifying access OAuth 2.0 for HubSpot integration; Supabase Auth for customer accounts; founder TOTP for orchestration plane A.5.16, A.5.17, A.5.18 portalpilot.io/security §3 (Authentication) None n/a
CC6.3 Removal of access Timely removal on termination/change Account-delete cascade in customer Postgres; OAuth token revocation on portal disconnect A.5.18, A.8.10 portalpilot.io/privacy §5 No employee offboarding (no employees) n/a
CC6.4 Physical access Datacenter physical controls Fully transferred to Hetzner under their ISO 27001 / 27017 / 27018 certifications A.7.1–A.7.14 Hetzner certifications None n/a
CC6.5 System hardening OS hardening, vulnerability management Hetzner-managed Ubuntu LTS; UFW default-deny; sshd key-only auth; Coolify-managed container updates A.8.7, A.8.8, A.8.9 ISMS scope statement §4 No formal vulnerability scanning programme Dependabot for npm + GitHub Actions; Hetzner-managed kernel; Coolify-managed images
CC6.6 Restrictions on portable devices Mobile/laptop encryption Founder's laptop is FileVault-encrypted (Apple Silicon); production secrets are not loaded onto the laptop A.7.10, A.8.1 ISMS scope statement §3 No MDM Single-laptop entity; founder is the only operator; FileVault + auto-lock
CC6.7 Restrictions on data transmission Encrypted data transmission TLS 1.3 enforced at Traefik; HTTP redirected to HTTPS; HSTS in production browser response A.5.14, A.8.20, A.8.24 portalpilot.io/security §1 (Encryption) None n/a
CC6.8 Prevents/detects malicious software Malware prevention Container images sourced only from official registries; CI scans for known-vulnerable npm dependencies A.8.7 GitHub Actions CI workflow No EDR on the production VM Container-based deployment + read-only container filesystems where supported + immutable infrastructure
CC7.1 System monitoring Detect anomalies, security events Application audit log (Postgres) + agent-security audit log + Coolify deployment log + Plausible analytics A.8.15, A.8.16 portalpilot.io/security §6 No 24/7 SOC Quarterly Claude-Code adversarial sweep + automated CI checks; founder has 24/7 mobile alerting via Coolify health webhooks
CC7.2 Anomaly response Respond to security events Incident-responder role documented in scope statement §6 A.5.24, A.5.25, A.5.26, A.5.27 ISMS scope statement §6 No formal IR playbook for non-founder responders Sole-trader entity; founder is the only responder; all responsibilities documented
CC7.3 Communicates incidents Communicate to affected parties 72-hour breach notification per the public DPA A.5.24, A.5.25 portalpilot.io/dpa §7 None n/a
CC7.4 Recovery from incidents Recover from security incidents Daily Hetzner snapshot backups; documented restore procedure A.5.30, A.8.13, A.8.14 Available under NDA on request No annual DR exercise Backup restoration procedure documented; manual restore tested during the March 2026 internal audit
CC7.5 System development life-cycle SDLC controls Git + GitHub Pull Requests + automated CI + Mistral chunk review + Claude Code review A.8.25, A.8.27–A.8.29, A.8.32 GitHub repository + CI workflow None n/a
CC8.1 Change management Authorise, develop, document changes Plan-driven workflow with chunk-level pull requests; squash-merge to main; deploy on merge A.8.32 GitHub repository (PR history) None n/a
CC9.1 Risk mitigation — business continuity Mitigate risks from business disruption Daily snapshots; documented restore procedure; sub-processor redundancy where the supplier offers it A.5.29, A.5.30 Available under NDA on request Single-server topology — no active-active redundancy Acknowledged in risk register; mitigated by Hetzner's snapshot mechanism + restore-time-objective ≤4 h
CC9.2 Risk mitigation — vendor management Vendor risk programme Public DPA with sub-processor list + 30-day prior-notice for changes A.5.19–A.5.23 portalpilot.io/dpa §4.1 No formal vendor-risk-assessment programme All current sub-processors are EU-based and bound by DPAs at-least-equivalent to the customer-facing DPA

§2 Availability

Common Criteria Description PortalPilot equivalent Annex A controls applied Evidence pointer Gap Compensating measure
A1.1 Capacity Capacity to meet processing requirements Single Hetzner CPX31 server provisioned with capacity headroom for current customer base A.5.30 portalpilot.io/security §4 (Availability) Single-server topology Vertical-scale path documented; horizontal-scale would require an architectural change tracked separately
A1.2 System backup System backup, restoration Daily encrypted Hetzner snapshot backups; 7-day retention A.5.30, A.8.13 Available under NDA on request None n/a
A1.3 Recovery Recovery operations Documented restore procedure tested manually during the March 2026 internal audit; restore-time objective ≤4 h A.5.29, A.8.14 Q2 internal audit report No annual DR exercise Restore tested during the most recent quarterly internal audit; cadence to be reaffirmed each quarter

§3 Processing Integrity

Common Criteria Description PortalPilot equivalent Annex A controls applied Evidence pointer Gap Compensating measure
PI1.1 Quality of inputs Input validation, error handling Input validation in edge functions (Zod schema); OAuth scope verification before any HubSpot API call; rate limiting A.8.27, A.8.28 portalpilot.io/security §5 (Application security) None n/a
PI1.2 Definitions of inputs/outputs Documented data definitions Public PII inventory + per-field classification; type contracts between frontend and edge functions A.5.13 portalpilot.io/trust/pii-inventory.pdf None n/a
PI1.3 Processing accuracy Transactions are completely, accurately processed Atomic Postgres transactions; idempotency cache for analysis runs; type-checked TypeScript end-to-end A.8.27, A.8.32 GitHub repository (CI) No formal data-integrity-monitoring dashboard Quarterly internal audit reviews recent analysis runs for data-integrity anomalies
PI1.4 Output controls Output review, quality Analysis report regeneration is deterministic given the same inputs; CI guards on the compliance pack ensure generated artefacts match their JSON sources A.8.27 Compliance pack regeneration procedure (available under NDA on request) None n/a
PI1.5 Storage of input/output Data retention, integrity at rest Retention policies documented per PII field; AES-256 at-rest encryption (LUKS) on the database disk A.5.34, A.8.10, A.8.13 portalpilot.io/trust/pii-inventory.pdf None n/a

§4 Confidentiality

Common Criteria Description PortalPilot equivalent Annex A controls applied Evidence pointer Gap Compensating measure
C1.1 Identifies and maintains confidential information Inventory of confidential data, classification, handling Three-tier information classification (Public / Customer-confidential / Secret) per the public ISMS scope; per-field PII inventory A.5.12, A.5.13, A.5.14 ISMS scope statement §5 + portalpilot.io/trust/pii-inventory.pdf None n/a
C1.2 Disposes of confidential information Disposal at end of retention OAuth tokens deleted on portal disconnect; account data + audit logs deleted on account-delete cascade (with 30-day grace period); LUKS at-rest encryption renders disposed disk-blocks unrecoverable A.5.10, A.7.14, A.8.10, A.8.11 portalpilot.io/privacy §5 No certified-shredding for end-of-life disks Hetzner provides certified-disposal evidence under their ISO 27001 / 27017 / 27018 certifications

§5 Privacy

Common Criteria Description PortalPilot equivalent Annex A controls applied Evidence pointer Gap Compensating measure
P1 Notice & communication Notice of privacy practices Public Privacy Policy; in-app consent flows for cookies + analytics A.5.34 portalpilot.io/privacy None n/a
P2 Choice & consent Mechanism for consent OAuth-based opt-in for HubSpot access; cookie-consent banner; sub-processor change 30-day notice with right of objection A.5.34 portalpilot.io/privacy §3, portalpilot.io/dpa §4 None n/a
P3 Collection Limit collection to identified purpose Data minimisation rationale recorded per PII field; only required HubSpot scopes requested A.5.34, A.8.10 portalpilot.io/trust/pii-inventory.pdf None n/a
P4 Use, retention, disposal Limited use; retention; disposal Per-field retention policies; data-subject-deletion workflows A.5.34, A.8.10 portalpilot.io/trust/pii-inventory.pdf + /privacy §5 None n/a
P5 Access Subject right of access Art 15 GDPR fulfilment via privacy@portalpilot.io; full export available on request A.5.34 portalpilot.io/privacy §6 None n/a
P6 Disclosure Disclosure to third parties only with consent or legal basis Sub-processor list with regions + purposes; no data leaves EU A.5.14, A.5.34 portalpilot.io/dpa §4.1 + Annex I None n/a
P7 Quality Personal data is accurate, complete, current Customer-controlled data through HubSpot OAuth; account profile editable by data subject A.5.34, A.8.27 portalpilot.io/privacy §6 NordScope cannot independently verify accuracy of HubSpot-side data NordScope is the processor for HubSpot-side data; the customer is the controller with primary accuracy responsibility
P8 Monitoring & enforcement Monitor compliance with privacy policy Quarterly internal audit reviews privacy-related incidents and PII inventory drift A.5.36 ISMS scope statement §7 No external privacy audit Quarterly internal audit + automated PII inventory drift check

Cross-reference summary


Document history

Version Date Author Change
v1.0 2026-04-30 Peter Sterkenburg Initial publication

This document is the canonical SOC 2 TSC equivalence map for PortalPilot. It is reviewed annually and on every material control change. Procurement reviewers may request updates or clarifications via privacy@portalpilot.io.