Security & Compliance Overview
Overview
DocupletionForms.com, operated by Centinel Trust, follows the SOC 2 Trust Services Criteria covering Security, Availability, Confidentiality, and Processing Integrity. Administrative and developer access is restricted to an Outline VPN with multi-factor authentication to safeguard all system and client data; no administrative endpoints are exposed to the public internet.
Key Technical Controls
Encryption
- TLS 1.2+ enforced for all data in transit
- JetBackup 5 performs AES-256 encrypted daily backups
Access Security
- Outline VPN required for all administrative logins (AWS/WHM/cPanel)
- MFA via Google Authenticator enforced on application, WHM, and cPanel
Monitoring
- Imunify360 provides malware detection
- AIDE performs file integrity monitoring on the system
Backups
- Daily encrypted backups using JetBackup 5
- Weekly S3 integrity validation
- Monthly restore tests documented in backup logs
Policy Summaries
1) Information Security Policy
All systems enforce HTTPS/TLS encryption and VPN-restricted access. Imunify360 continuously monitors for anomalies. JetBackup 5 provides encrypted daily backups. Logs and alerts are reviewed monthly, and policies are reviewed annually by the Compliance Officer.
2) Access Control Policy
Least-privilege access is applied to all accounts. Administrative access requires VPN authentication and MFA. Access is reviewed quarterly, and inactive accounts are deprovisioned within 24 hours.
3) Data Retention & Disposal Policy
Customer data from DocupletionForms applications (hosted in cPanel) is retained for up to three (3) years unless required longer by law or contract. Backups rotate every 30 days and are securely deleted thereafter. No production data is stored on unmanaged devices.
4) Incident Response Policy
Alerts from Imunify360 or system logs are reviewed within 24 hours. Confirmed incidents are logged, remediated immediately, and affected clients are notified within 72 hours where applicable.
5) Vendor Risk Management Policy
All critical vendors publish security documentation and undergo annual reviews for posture and compliance alignment.
Operational Practices
Review Cadence
- Backup restore test – Monthly
- Log and anomaly review – Monthly
- Access control review – Quarterly
- Policy updates – Annually
Account Hygiene
- Passwords ≥ 12 characters
- Bitwarden / 1Password used for credential storage
- MFA enforced across all administrative systems
Change Control
- All service changes are logged in the changelog
- Pre-update backup snapshots required for production systems
Approved Vendors & Systems
- AWS – Infrastructure & S3 storage
- cPanel / WHM – Server & application management
- JetBackup 5 – Encrypted backups
- Imunify360 – Malware detection
- AIDE – File integrity monitoring
- Outline VPN – Secure admin access gateway
- Google Workspace – Identity management & MFA
Logs & Review Records
- Access Review Log – Internal (Google Drive)
- Incident Log – Internal (Google Drive)
- Policy Review Log – Internal (Google Drive)
- Backup Restore Test Notes – Internal (Google Drive)
Each record includes date, reviewer, and summary result for audit consistency.
Readiness & Disclosure
DocupletionForms.com, operated by Centinel Trust, maintains a SOC 2-aligned control set appropriate for small-team operations. As customer and institutional volume increases, Centinel Trust plans to engage Vanta and an independent auditor for a SOC 2 Type I / Type II report (SOC 2 is an auditor's attestation report rather than a certification). Additional documentation is available under NDA upon request.
Pathway to SOC 2 — Current Status Updated
This section reflects the latest implementation milestones completed during the security-hardening phase.
✅ Implemented
- Daily System Report managed by logrotate with 90-day retention:
  - Report generated daily at /logs/daily_report.txt.
  - Logrotate compresses rotated reports as daily_report_YYYY-MM-DD.txt.gz.
  - Files older than 90 days are auto-deleted.
- Backups: /scripts/ and /logs/ explicitly included in JetBackup.
- File Integrity Monitoring (FIM): AIDE installed, scheduled daily at 04:05 (tunable to bi-weekly/monthly).
- Access Control & MFA:
  - SSH key-based access (id_docupletionforms).
  - MFA (Google Authenticator) enforced for WHM / cPanel logins.
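The SSH item above is the one control an auditor can verify mechanically. The script below is an added example, not one of the page's own scripts: it audits the effective sshd settings as printed by sshd -T (which already resolves Include files and later overriding directives) instead of reading sshd_config by eye. The two sample outputs are constructed for illustration; the script name used in the comment is assumed.

```shell
#!/bin/sh
# Added example, not from the page: verify that SSH really is key-only by
# auditing the *effective* sshd configuration (sshd -T) rather than the text of
# sshd_config, which may be overridden by Include files or a later directive.
# The sample outputs below are constructed for illustration.

# Read the effective value of one keyword from "sshd -T" output on stdin.
# sshd -T prints lowercased keywords, one "keyword value" pair per line.
sshd_value() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# Audit the settings that make the server key-only. Prints one line per check
# and returns 1 if any setting is wrong or missing.
audit_sshd() {
    input=$(cat)
    rc=0
    for want in passwordauthentication=no pubkeyauthentication=yes permitemptypasswords=no; do
        key=${want%%=*}
        expect=${want#*=}
        got=$(printf '%s\n' "$input" | sshd_value "$key")
        if [ "$got" = "$expect" ]; then
            printf 'ok    %s %s\n' "$key" "$got"
        else
            printf 'FAIL  %s %s (expected %s)\n' "$key" "${got:-<unset>}" "$expect"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: a hardened host (what the page's control should yield).
hardened_sample() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication no
permitemptypasswords no
permitrootlogin prohibit-password
EOF
}

# Constructed sample: a default-ish host where passwords are still accepted.
weak_sample() {
    cat <<'EOF'
port 22
pubkeyauthentication yes
passwordauthentication yes
permitemptypasswords no
EOF
}

# On the real server (as root):   sshd -T | sh audit_sshd.sh audit
# To see what one client would get through Match blocks:
#   sshd -T -C user=deploy,host=example.com,addr=203.0.113.5 | sh audit_sshd.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_sshd
fi
```

Keeping the audit output (rather than a screenshot of sshd_config) as the "sshd_config snippet" evidence shows the setting the daemon actually enforces on the review date.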
Key Operational Details
- Cron: daily_sys_report.sh scheduled (15 11 * * *) → /logs/daily_report.txt.
- Logrotate: handles compression & 90-day retention.
- AIDE: baseline initialized; runs at 04:05; findings logged.
- JetBackup: includes /scripts/ & /logs/ in the S3 destination.
- MFA Setup: WHM/cPanel admins import the Google Authenticator QR profile.
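As an added example (not the page's own configuration), the cron entry and logrotate stanza below implement the schedule and retention described in the two sections above. The paths /scripts/daily_sys_report.sh and /logs/daily_report.txt are taken from the page; the logrotate file name /etc/logrotate.d/daily_report is an assumption, and the report script is assumed to write /logs/daily_report.txt itself.

```shell
#!/bin/sh
# Added example, not the page's own configuration: the cron entry and logrotate
# stanza that implement "daily report at 11:15, compress, keep 90 days".
# Paths /scripts/daily_sys_report.sh and /logs/daily_report.txt come from the
# page; the file name /etc/logrotate.d/daily_report is an assumption, and the
# report script is assumed to write /logs/daily_report.txt itself.

REPORT_SCRIPT=/scripts/daily_sys_report.sh
REPORT_LOG=/logs/daily_report.txt
LOGROTATE_CONF=/etc/logrotate.d/daily_report

# Crontab line matching the page's "15 11 * * *" schedule (11:15 server time).
cron_entry() {
    printf '15 11 * * * %s\n' "$REPORT_SCRIPT"
}

# logrotate stanza: one rotation per day, keep 90 rotations, and additionally
# delete anything older than 90 days even if the rotation count drifts.
# logrotate's daily run usually fires in the early morning, so each archive
# holds the previous day's 11:15 report; "dateyesterday" stamps the archive
# with the report date rather than the rotation date. Stock logrotate names
# archives <file>-YYYY-MM-DD.gz (daily_report.txt-2025-10-15.gz); the
# daily_report_YYYY-MM-DD.txt.gz form on the page needs a rename step that
# is not shown here.
logrotate_stanza() {
    cat <<EOF
$REPORT_LOG {
    daily
    rotate 90
    maxage 90
    missingok
    notifempty
    compress
    dateext
    dateformat -%Y-%m-%d
    dateyesterday
    create 0640 root root
}
EOF
}

# Install both pieces and dry-run logrotate so a syntax error is caught before
# the first real rotation. Run as root; only executes when called with "install".
install_configs() {
    logrotate_stanza > "$LOGROTATE_CONF"
    # Re-write root's crontab with the old entry (if any) replaced by ours.
    ( crontab -l 2>/dev/null | grep -vF "$REPORT_SCRIPT"; cron_entry ) | crontab -
    logrotate -d "$LOGROTATE_CONF"          # -d: debug/dry run, changes nothing
}

if [ "${1:-}" = "install" ]; then
    install_configs
fi
```

logrotate -f /etc/logrotate.d/daily_report forces one rotation on demand, which is the quickest way to produce a first archive for the evidence folder and to confirm the naming and compression behave as expected.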
Evidence Available
- Daily report archives: /logs/daily_report_YYYY-MM-DD.txt.gz (90 days)
- JetBackup job proof (screenshot or CLI export)
- AIDE config/output: /aide.conf, /aide.db*, cron logs
- Access control proof: MFA screenshots, SSH keys, sshd_config snippet
What’s Next (Recommended)
- Implement alerting (email/SMS/webhook) for failures in: daily_sys_report.sh non-zero exits, AIDE diffs, backup failures, auth anomalies.
- Develop an operator runbook: AIDE baseline rotation, report interpretation, MFA/SSH response procedures.
- Maintain version-controlled config snapshots (redacted): /scripts/daily_sys_report.sh, logrotate config, AIDE rules, sshd_config.
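The wrapper below is an added example, not one of the page's scripts, covering the first two recommendations: it runs the daily report and the AIDE check from cron, alerts on a non-zero exit, decodes AIDE's exit bitmask into the message so the operator knows whether to expect new, removed or changed files, and includes the baseline-rotation step the runbook needs. /scripts/daily_sys_report.sh and the 04:05 AIDE run come from the page; the wrapper's own path (/scripts/run_checked.sh), the ALERT_WEBHOOK variable, the AIDE log path and the AIDE database paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the page's scripts: a cron wrapper that runs the
# daily report and the AIDE check and raises an alert on failure.
# /scripts/daily_sys_report.sh and the 04:05 AIDE run come from the page;
# the wrapper's own path (/scripts/run_checked.sh), the ALERT_WEBHOOK variable,
# the AIDE log path and the AIDE database paths are assumptions to adjust.

AIDE_LOG=/var/log/aide/aide-check.log      # assumed location
AIDE_DB=/var/lib/aide/aide.db.gz           # assumed (Debian layout)
AIDE_DB_NEW=/var/lib/aide/aide.db.new.gz   # assumed (Debian layout)

# AIDE's exit status is a bitmask: 1 = new files, 2 = removed files,
# 4 = changed files. 14 and above mean AIDE itself failed (config, I/O,
# database version), which needs a different response than a finding.
decode_aide_status() {
    st=$1
    if [ "$st" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$st" -ge 14 ]; then
        echo "aide error (exit $st)"
        return 0
    fi
    out=""
    if [ $((st & 1)) -ne 0 ]; then out="${out}new files, "; fi
    if [ $((st & 2)) -ne 0 ]; then out="${out}removed files, "; fi
    if [ $((st & 4)) -ne 0 ]; then out="${out}changed files, "; fi
    echo "${out%, }"
}

# Deliver an alert. With ALERT_WEBHOOK set, POST a small JSON body to it;
# otherwise write to stderr so cron mails it to the operator.
send_alert() {
    subject=$1
    body=$2
    if [ -n "${ALERT_WEBHOOK:-}" ]; then
        payload=$(printf '{"text":"[%s] %s: %s"}' "$(hostname)" "$subject" "$body")
        curl -fsS -X POST -H 'Content-Type: application/json' \
            --data "$payload" "$ALERT_WEBHOOK" \
            || printf 'alert delivery failed: %s\n' "$subject" >&2
    else
        printf 'ALERT %s: %s\n' "$subject" "$body" >&2
    fi
}

# Run a command; alert if it exits non-zero. Returns the command's status so
# the wrapper's own exit code is still meaningful to cron.
run_checked() {
    name=$1
    shift
    st=0
    "$@" || st=$?
    if [ "$st" -ne 0 ]; then
        send_alert "$name failed" "exit status $st"
    fi
    return "$st"
}

# Run the integrity check and alert on findings or errors, with the decoded
# bitmask in the message so the operator knows what kind of diff to expect.
run_aide_check() {
    st=0
    aide --check > "$AIDE_LOG" 2>&1 || st=$?
    if [ "$st" -ne 0 ]; then
        send_alert "AIDE check" "$(decode_aide_status "$st"); see $AIDE_LOG"
    fi
    return "$st"
}

# Runbook step "AIDE baseline rotation": after the reported changes have been
# reviewed and accepted, rebuild the database and swap it in. Running this
# before review silently accepts whatever changed.
accept_aide_baseline() {
    aide --init && mv "$AIDE_DB_NEW" "$AIDE_DB"
}

# Suggested crontab lines (replacing the direct calls):
#   15 11 * * * /scripts/run_checked.sh report
#   5   4 * * * /scripts/run_checked.sh aide
case "${1:-}" in
    report)          run_checked "daily_sys_report.sh" /scripts/daily_sys_report.sh ;;
    aide)            run_aide_check ;;
    accept-baseline) accept_aide_baseline ;;
esac
```

The alert text here is built from fixed strings; if a message ever carries file names or other untrusted text, build the JSON with a proper encoder (for example jq) rather than printf, or the payload itself becomes an injection point.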
Changelog
- 2025-10-15: Added logrotate (90-day retention), JetBackup scope, AIDE FIM, MFA/SSH hardening.
© 2025 Centinel Trust • DocupletionForms.com • All rights reserved.
