pathway to soc 2

Security & Compliance Overview

Operated by Centinel Trust • Product: DocupletionForms.com
Last updated: • Contact:
james@docupletionforms.com

Overview

DocupletionForms.com, operated by Centinel Trust, follows SOC 2 Trust Services Criteria covering Security, Availability, Confidentiality, and Processing Integrity. Administrative and developer access is restricted through VPN and multi-factor authentication to safeguard all system and client data.

Privileged Access Gateway: Administrative access to AWS, WHM, and the cPanel environment is restricted through the
Outline VPN with MFA. No public administrative endpoints are exposed.

Key Technical Controls

Encryption

  • TLS 1.2+ enforced for all data in transit
  • JetBackup 5 performs AES-256 encrypted daily backups

Access Security

  • Outline VPN required for all administrative logins (AWS/WHM/cPanel)
  • MFA via Google Authenticator enforced on application, WHM, and cPanel

Monitoring

  • Imunify360 provides malware detection
  • AIDE checks the integrity of the system

Backups

  • Daily encrypted backups using JetBackup 5
  • Weekly S3 integrity validation
  • Monthly restore tests documented in backup logs

Policy Summaries

1) Information Security Policy

All systems enforce HTTPS/TLS encryption and VPN-restricted access. Imunify360 continuously monitors for anomalies. JetBackup 5 provides encrypted daily backups. Logs and alerts are reviewed monthly, and policies are reviewed annually by the Compliance Officer.

2) Access Control Policy

Least-privilege access is applied to all accounts. Administrative access requires VPN authentication and MFA. Access is reviewed quarterly, and inactive accounts are deprovisioned within 24 hours.

3) Data Retention & Disposal Policy

Customer data from DocupletionForms applications (hosted in cPanel) is retained for up to three (3) years unless required longer by law or contract. Backups rotate every 30 days and are securely deleted thereafter. No production data is stored on unmanaged devices.

4) Incident Response Policy

Alerts from Imunify360 or system logs are reviewed within 24 hours. Confirmed incidents are logged, remediated immediately, and affected clients are notified within 72 hours where applicable.

5) Vendor Risk Management Policy

All critical vendors publish security documentation and undergo annual reviews for posture and compliance alignment.

Operational Practices

Review Cadence

  • Backup restore test – Monthly
  • Log and anomaly review – Monthly
  • Access control review – Quarterly
  • Policy updates – Annually

Account Hygiene

  • Passwords ≥ 12 characters
  • Bitwarden / 1Password used for credential storage
  • MFA enforced across all administrative systems

Change Control

  • All service changes logged in changelog
  • Pre-update backup snapshots required for production systems

Approved Vendors & Systems

  • AWS – Infrastructure & S3 storage
  • cPanel / WHM – Server & application management
  • JetBackup 5 – Encrypted backups
  • Imunify360 – Malware detection
  • AIDE – File integrity monitoring
  • Outline VPN – Secure admin access gateway
  • Google Workspace – Identity management & MFA

Logs & Review Records

  • Access Review Log – Internal (Google Drive)
  • Incident Log – Internal (Google Drive)
  • Policy Review Log – Internal (Google Drive)
  • Backup Restore Test Notes – Internal (Google Drive)

Each record includes date, reviewer, and summary result for audit consistency.

Readiness & Disclosure

DocupletionForms.com, operated by Centinel Trust, maintains a SOC 2-aligned control set appropriate for small-team operations. As customer and institutional volume increases, Centinel Trust plans to engage Vanta and an independent auditor for SOC 2 Type I / II certification. Additional documentation is available under NDA upon request.

Pathway to SOC 2 — Current Status Updated

This section reflects the latest implementation milestones completed during the security-hardening phase.

✅ Implemented

  • Daily System Report managed by logrotate with 90-day retention.
    • Report generated daily at daily_report.txt.
    • Logrotate compresses as daily_report_YYYY-MM-DD.txt.gz.
    • Files older than 90 days auto-deleted.
  • Backups: /scripts/ and /logs/ explicitly included in JetBackup.
  • File Integrity Monitoring (FIM): AIDE installed, scheduled daily at 04:05 (tunable bi-weekly/monthly).
  • Access Control & MFA:
    • SSH key-based access (id_docupletionforms)
    • MFA (Google Authenticator) enforced for WHM / cPanel logins.

Key Operational Details

  • Cron: daily_sys_report.sh scheduled (15 11 * * *) → /logs/daily_report.txt.
  • Logrotate: handles compression & 90-day retention.
  • AIDE: baseline initialized; runs 04:05 AM; findings logged.
  • JetBackup: includes /scripts/ & /logs/ in S3 destination.
  • MFA Setup: WHM/cPanel admins import Google Authenticator QR profile.

Evidence Available

  • Daily report archives: /logs/daily_report_YYYY-MM-DD.txt.gz (90 days)
  • JetBackup job proof (screenshot or CLI export)
  • AIDE config/output: /aide.conf, /aide.db*, cron logs
  • Access control proof: MFA screenshots, SSH keys, sshd_config snippet

What’s Next (Recommended)

  • Implement alerting (email/SMS/webhook) for failures in:
    • daily_sys_report.sh non-zero exits, AIDE diffs, backup failures, auth anomalies.
  • Develop an operator runbook:
    • AIDE baseline rotation, report interpretation, MFA/SSH response procedures.
  • Maintain version-controlled config snapshots (redacted):
    • /scripts/daily_sys_report.sh, logrotate config, AIDE rules, sshd_config.

Changelog

  • 2025-10-15: Added logrotate (90-day retention), JetBackup scope, AIDE FIM, MFA/SSH hardening.

© 2025 Centinel Trust • DocupletionForms.com • All rights reserved.