Skip to content

SOC 2 control summary

Production deployments are designed for SOC 2 diligence with controls across identity, segregation, secrets, audit, supply chain, and availability. Use this page as a questionnaire index (control matrix and Trust Service Criteria map). For question-and-answer copy you can paste into vendor forms, see Vendor diligence FAQ. Detailed narratives and evidence exports are available on Security and governance and under NDA from Fontana.

TopicApproachDeep dive
AuthenticationSelf-hosted Zitadel per workspace: OIDC, SSO federation, MFA (TOTP + WebAuthn)Identity providers
ProvisioningInbound SCIM v2 through workspace Zitadel; role assignment via Zitadel project rolesIdentity providers, Roles and RBAC
AuthorizationApplication RBAC in Convex with team scoping and permission registryRoles and RBAC
Service authenticationDedicated OAuth clients for workflow-engine and observability-api; RFC 7662 token introspectionNetwork and hardening
SecretsPer-workspace in-cluster Vault (KV fontana); BYOK for AI; connector secrets via Vault at runtimeSecrets and encryption
Encryption in transitTLS at public edge; documented transmission boundary; in-cluster HTTP with NetworkPolicy compensating controlsNetwork and hardening
Encryption at restEncrypted data volume backing all workspace PVCsSecrets and encryption
Workspace isolationCluster-per-tenant control plane, data, secrets, and identityWorkspace isolation
NetworkHost security group: 80 + 443 only (shell via SSM Session Manager); k8s API localhost-only; NetworkPolicy default-denyNetwork and hardening
Cloud account perimeterOrganization CloudTrail, AWS Config rules, GuardDuty + Security Hub with findings routing, SSO-only operator identityNetwork and hardening
Pod and workload hardeningPer-workload ServiceAccounts; Pod Security baseline; limits; Vault Agent sidecarsNetwork and hardening
Audit (identity and cluster)WORM ImmuDB: Zitadel identity events and Kubernetes API audit (automated ingest)Immutable audit trail
Security alertingBundled HyperDX alert rules on Kubernetes audit events (auth failures, secret access, destructive verbs, ClusterRoleBinding changes) with WORM evidence per alertOperational telemetry
Audit (application admin)WORM via Convex audit_log log stream (ingest shipped; mutation producers rolling out by release)Immutable audit trail
Audit (workflow, WORM target)Privileged runs and security-tagged connector access → Convex audit_log (target path)Immutable audit trail
Audit (workflow lineage)Lineage sidecars and port audit items on workflow file store only; answers calculation provenance, not platform WORMData lineage, Compliance evidence
Operational telemetryHyperDX search and dashboards; mirror only for audit events; ImmuDB is WORM system of record; collector-side redaction of credentials in log bodiesOperational telemetry, Data retention
Backup and recoveryAutomatic snapshot before tenant upgrade; fontana rollback; daily volume snapshots on managed cloud; Vault Raft for secrets DRBackup and restore
Supply chainImmutable GHCR sha-<git> tags, bundle SHA256SUMS, Trivy CRITICAL gate, dependency audit + CodeQL gates in CISupply chain
Change controlRelease artifacts built from the protected release branch only; manual pinned releases; Terraform for host provisioning; SSM read/debug only on prodSupply chain, Fontana CLI
Availability monitoringIn-cluster Gatus probes for platform and tenant services; status page behind HTTP basic auth with Vault-stored credentialsOperational telemetry
AI governanceBYOK, approved gateways/models, ZDR where supported, tool-call auditBYOK, Zero Data Retention
Data retentionSeparate retention for workflow file store, HyperDX operational logs, and ImmuDB WORM ledgerData retention
Deployment environmentsProduction-class hosts in SOC 2 scope; integration/local for engineering onlyDeployment environments
Operator accessNarrow host perimeter; localhost-bound cluster API; CLI-driven durable changes; Kubernetes operator roles versioned in git and applied at bootstrap; authenticated operator dashboards (Gatus, HyperDX, Convex)Network and hardening
Secret rotationVault-backed rotation for BYOK, connectors, SCIM tokens, and service credentialsSecrets and encryption

Trust Service Criteria mapping (high level)

Section titled “Trust Service Criteria mapping (high level)”

Auditors often map evidence to AICPA Trust Service Criteria. Fontana’s deployment model supports review across common areas:

TSC areaHow Fontana addresses it
Security (CC)Identity, RBAC, network segmentation, secrets, vulnerability scanning
Availability (A)Gatus health checks, snapshots, rollback, durable PVCs
Processing integrity (PI)Deterministic workflow execution, lineage, validation audit items
Confidentiality (C)Tenant isolation, encryption, write-only secrets, BYOK
Privacy (P)Customer-controlled retention and egress; separate workflow, HyperDX, and WORM stores. See Data retention.

Your auditor may require operating effectiveness testing on your deployment instance, not only design documentation.

The control matrix uses separate rows because not every audit path is at the same maturity. Questionnaires often ask whether controls operate in production, not only whether the architecture supports them.

Evidence typeWORM ledger?Status
Zitadel identity (sign-in, MFA, role changes, SCIM lifecycle)YesAutomated - observability-api polls Zitadel Events API
Kubernetes API (auth failures, secret access, destructive verbs)YesAutomated - cluster audit log → audit-ingest
Convex admin mutations (RBAC, BYOK, team membership, deployment settings)YesIngest shipped; individual mutation producers roll out by release
Workflow engine (privileged runs, sensitive connector access)TargetTarget path - engine → Convex audit_log (not direct ImmuDB)
Workflow lineage and port audit itemsNo (workflow file store)Not WORM - .lineage.json / .audit.json sidecars and canvas port audit items; calculation provenance only
HyperDX (including audit mirror)No (search plane)Not system of record - operational search and shorter TTL; ImmuDB holds compliance evidence
Audit logs → Chat (LLM debug in Flow)NoProduct feature; RBAC-gated, not compliance ledger

Full producer map: Immutable audit trail.

SOC 2 evidence collection targets production-class hosts only. Integration and local developer environments are out of scope for regulated customer data and formal change control.

See Deployment environments for environment classes, what production-class means, and why integration/local boxes must not host regulated tenants.

For architecture diagrams, subprocessors, DPA terms, penetration test summaries, and exported control snapshots, use Security and governance or contact Fontana for the diligence pack under NDA.

Fontana maintains a structured auditor evidence index that maps each control row above to dated artifacts: control snapshots (fontana soc2 snapshot), committed operator RBAC manifests, Kubernetes audit dashboards and alert history, WORM integrity-scan records, and backup drill results. Auditors receive this index with the diligence pack.