
SOC 2 readiness in Nuxari

How Nuxari maps its controls to the SOC 2 Trust Services Criteria, what customers need for their own SOC 2 program, and how evidence collection supports audit preparation.

Last updated: June 2026

Nuxari is building its own SOC 2 readiness program; a formal SOC 2 report still requires an external auditor. This page describes how customers can use Nuxari to build their own SOC 2 program and documents Nuxari's own approach.

What SOC 2 is

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates whether an organization's controls adequately address the Trust Services Criteria (TSC):

  • Security (CC). Logical and physical access controls, change management, risk management, monitoring, and incident response. This is the only required category for SOC 2.
  • Availability (A). System availability commitments and performance monitoring.
  • Confidentiality (C). Protection of confidential information throughout its lifecycle.
  • Processing integrity (PI). System processing is complete, valid, accurate, timely, and authorized.
  • Privacy (P). Collection, use, retention, disclosure, and disposal of personal information.

Type I vs Type II

SOC 2 reports come in two variants:

  • Type I. A point-in-time assessment that evaluates whether controls are designed appropriately as of a specific date. It does not assess whether controls operate effectively over time. Type I is typically the first milestone for an organization beginning its SOC 2 journey.
  • Type II. Covers a defined observation period (commonly 6 or 12 months) and evaluates both design and operating effectiveness. Type II is the standard report requested by enterprise customers and regulators. It requires continuous evidence that controls were operating throughout the period.

How Nuxari maps to SOC 2

Nuxari's built-in control library includes controls mapped to the SOC 2 Common Criteria (CC). Key mappings:

  • CC6 (Logical access). Covered by access request workflows, RBAC enforcement, access reviews, and audit logs.
  • CC7 (System operations). Supported by connector monitoring, anomaly detection, and finding workflows.
  • CC9 (Risk mitigation). Covered by the risk register, vendor risk management, and treatment tracking.
  • A1 (Availability). Supported by scheduled job monitoring, edge agent health, and connector status tracking.

Control mappings are visible in the built-in control library. Each control shows which TSC category it maps to and which evidence is required to advance its status.

What customers need for a SOC 2 program

A successful SOC 2 audit requires:

  • Defined scope: which systems, services, and data types are in scope.
  • Approved policies covering each control area (security, access, incident response, etc.).
  • Evidence collected continuously — access reviews, audit logs, vulnerability scans, training records.
  • A treated risk register demonstrating risk awareness and mitigation decisions.
  • Vendor and subprocessor management records including DPA status and periodic reviews.
  • An external CPA firm to conduct the audit and issue the formal report.

Evidence collection and audit preparation

Nuxari structures evidence collection around your control library. Each control specifies the evidence types required (for example: access review completed, policy approved, connector health log). As evidence is collected and accepted, control status advances automatically. When you are ready for audit, you can generate an audit package containing all accepted evidence mapped to controls.
