
SOC 2 Evidence Export

Igris maps your audit events to SOC 2 Trust Services Criteria and exports evidence packages for your auditor. Evidence is auto-populated from real system data, and exports include HMAC-SHA256 integrity hashes.

Supported Controls

Igris provides evidence for the following Common Criteria:
| Control | Name | Evidence Source |
|---------|------|-----------------|
| CC6.1 | Logical and Physical Access Controls | Policy enforcement events (allow/deny), authentication events |
| CC6.7 | Restriction of Data Transmission | Proxy-intercepted tool calls, denied transmissions |
| CC7.2 | Monitoring of System Components | Audit event coverage, anomaly detection alerts |
| CC7.3 | Detection of Unauthorized Changes | Denied tool calls, destructive pattern anomalies |

Generating an Export

  1. Go to Compliance → SOC 2 Evidence
  2. Select a date range (minimum 90 days for Type II)
  3. Choose export format (CSV or JSON)
  4. Click Export

Type II Validation

SOC 2 Type II requires evidence over a minimum 90-day observation period. Igris validates this automatically:
  • If your date range is less than 90 days, the export includes a typeII: false flag and a warning
  • If 90 days or more, typeII: true is set and the export includes the observation period summary
  • The validation checks that audit events exist consistently throughout the period (not just at the start and end)
{
  "validation": {
    "typeII": true,
    "observationDays": 109,
    "startDate": "2025-12-01",
    "endDate": "2026-03-19",
    "coverageGaps": []
  }
}

Evidence Structure

Each export contains:
{
  "meta": {
    "orgId": "org_xyz",
    "generatedAt": "2026-03-19T15:00:00.000Z",
    "startDate": "2025-12-01",
    "endDate": "2026-03-19",
    "integrityHash": "sha256:abc123..."
  },
  "validation": { ... },
  "controls": {
    "CC6.1": {
      "description": "Logical and Physical Access Controls",
      "evidenceCount": 4521,
      "summary": "4521 access control events: 4200 allowed, 321 denied",
      "events": [ ... ]
    },
    "CC6.7": { ... },
    "CC7.2": { ... },
    "CC7.3": { ... }
  }
}

Evidence Integrity

Every export includes an integrityHash, an HMAC-SHA256 hash of the entire evidence payload computed with your organization’s secret. This allows your auditor to verify that the export hasn’t been modified after generation.

Verifying integrity: The hash covers the controls and validation objects. Your auditor can verify the export using the Verify button on the SOC 2 Evidence page in the dashboard.
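
The check described under Evidence Integrity, sketched as an added example (not Igris's own code): recompute HMAC-SHA256 over the controls and validation objects and compare the result with meta.integrityHash in constant time. The canonical JSON serialization, the hex digest after the "sha256:" prefix, the function names, and the sample secret and events are assumptions or constructed values; the page does not document the serialization Igris actually uses.

```python
import hashlib
import hmac
import json

COVERED_FIELDS = ("controls", "validation")  # per the page: the hash covers these objects

def canonical_bytes(export: dict) -> bytes:
    # ASSUMPTION: sorted keys, compact separators, UTF-8. The page does not
    # document the real serialization, so this is a stand-in.
    covered = {k: export[k] for k in COVERED_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def compute_integrity_hash(export: dict, secret: bytes) -> str:
    digest = hmac.new(secret, canonical_bytes(export), hashlib.sha256).hexdigest()
    return "sha256:" + digest  # prefix follows the page's sample value; hex is assumed

def verify_export(export: dict, secret: bytes) -> bool:
    claimed = export.get("meta", {}).get("integrityHash", "")
    if not isinstance(claimed, str):
        return False
    try:
        expected = compute_integrity_hash(export, secret)
    except KeyError:
        return False  # a covered object is missing entirely
    # Constant-time comparison avoids leaking how many leading characters match.
    return hmac.compare_digest(claimed.encode(), expected.encode())

def build_sample_export(secret: bytes) -> dict:
    # Constructed sample data shaped like the export structure on this page.
    export = {
        "meta": {"orgId": "org_xyz", "startDate": "2025-12-01", "endDate": "2026-03-19"},
        "validation": {"typeII": True, "observationDays": 109, "coverageGaps": []},
        "controls": {"CC6.1": {"evidenceCount": 2, "events": [
            {"decision": "allow"}, {"decision": "deny"}]}},
    }
    export["meta"]["integrityHash"] = compute_integrity_hash(export, secret)
    return export

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # placeholder, not a real org secret
    export = build_sample_export(secret)
    print("untouched:", verify_export(export, secret))
    export["controls"]["CC6.1"]["events"][1]["decision"] = "allow"
    print("event edited:", verify_export(export, secret))
```

Because HMAC is keyed with a shared secret, anyone able to verify this way can also produce a valid hash, which is why the page routes auditors through the dashboard's Verify button. With coverage limited to controls and validation, edits to meta do not change the hash, so check the meta dates against the ones in validation.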

Best Practices

  1. Start early — begin routing tool calls through Igris at least 90 days before your SOC 2 audit
  2. Use deny policies — CC6.1 and CC7.3 evidence is strongest when you actively enforce access controls
  3. Enable anomaly detection — CC7.2 requires evidence of monitoring, which anomaly alerts provide
  4. Export regularly — generate monthly exports to track coverage and identify gaps before the audit