SOC 2 Mapping
How hummbl-governance primitives produce evidence for SOC 2 Trust Service Criteria. Generated via compliance_mapper.generate_soc2_report() — stdlib-only, zero dependencies.
Control Mappings
CC6.1 — Logical Access Security
Maps DelegationTokenManager (DCT tuples) to access control evidence. Each delegation token binds an issuer to a subject with scoped operations and resources.
Primitives: DelegationTokenManager, DCT tuples
Evidence test: test_compliance_mapper.py → test_dct_maps_to_cc61
CC6.3 — Identity & Authentication
Maps AgentRegistry identity records (subject/issuer in DCTs) to identity and authentication controls. Canonicalization and trust-tier resolution ensure that the same agent always resolves to one consistent identity.
Primitives: AgentRegistry, DelegationTokenManager
Evidence test: test_compliance_mapper.py → test_dct_maps_to_cc63
CC7.2 — Monitoring & Logging
Every signed governance bus entry produces monitoring evidence. The append-only, tamper-evident bus provides the continuous monitoring trail required by CC7.2.
Primitives: AuditLog, BusWriter
Evidence test: test_compliance_mapper.py → test_signed_maps_to_cc72
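The three mappings above describe what each primitive contributes (a scoped delegation binding, a canonical identity record, a signed append-only trail) without showing the mechanics. The following stand-in is added here as an illustration and is not hummbl-governance code: every class, method and field name (DelegationToken, AgentRegistry, SignedBus, generate_soc2_evidence, the report shape, the sample agents and requests) is an assumption chosen for the example, and the HMAC key is a constructed demo value. It shows a scope check for CC6.1, identifier canonicalization for CC6.3, and a hash-chained, HMAC-signed bus for CC7.2 whose verify() fails once an entry is altered.

```python
"""Hypothetical stand-in for the primitives this page maps to SOC 2.

Not hummbl-governance code: names and report shape are assumptions made
for this example. Stdlib only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class DelegationToken:
    """Binds an issuer to a subject with scoped operations/resources (CC6.1)."""
    issuer: str
    subject: str
    operations: frozenset
    resources: frozenset

    def permits(self, operation: str, resource: str) -> bool:
        # Both the operation and the resource must be inside the granted scope.
        return operation in self.operations and resource in self.resources


class AgentRegistry:
    """Canonicalises agent ids so one agent resolves to one record (CC6.3)."""

    def __init__(self):
        self._records = {}

    @staticmethod
    def canonical(agent_id: str) -> str:
        return agent_id.strip().lower()

    def register(self, agent_id: str, trust_tier: str) -> str:
        cid = self.canonical(agent_id)
        self._records[cid] = {"id": cid, "trust_tier": trust_tier}
        return cid

    def resolve(self, agent_id: str):
        return self._records.get(self.canonical(agent_id))

    def records(self):
        return list(self._records.values())


class SignedBus:
    """Append-only log; each entry is HMAC-signed over its payload plus the
    previous entry's signature, so edits, deletions and reorders are detectable (CC7.2)."""
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _digest(self, payload: dict, prev: str) -> str:
        body = json.dumps({"payload": payload, "prev": prev}, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, payload: dict) -> dict:
        prev = self.entries[-1]["sig"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "payload": payload, "prev": prev}
        entry["sig"] = self._digest(payload, prev)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every signature along the chain; any break returns False."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False
            if not hmac.compare_digest(e["sig"], self._digest(e["payload"], prev)):
                return False
            prev = e["sig"]
        return True


def generate_soc2_evidence(tokens, registry, bus) -> dict:
    """Assumed report shape: criterion id -> evidence derived from the primitives."""
    return {
        "CC6.1": [{"issuer": t.issuer, "subject": t.subject,
                   "operations": sorted(t.operations),
                   "resources": sorted(t.resources)} for t in tokens],
        "CC6.3": registry.records(),
        "CC7.2": {"entries": len(bus.entries),
                  "decisions": [e["payload"]["decision"] for e in bus.entries],
                  "chain_intact": bus.verify()},
    }


def demo():
    key = b"constructed-demo-key"  # constructed sample value, not a real secret
    registry = AgentRegistry()
    registry.register("  Orchestrator-A ", "tier-1")  # messy id, canonicalised on entry
    registry.register("worker-b", "tier-2")
    token = DelegationToken("orchestrator-a", "worker-b",
                            frozenset({"read"}), frozenset({"s3://reports"}))
    bus = SignedBus(key)
    # Constructed sample requests: one inside the token's scope, one outside it.
    for op, res in (("read", "s3://reports"), ("write", "s3://reports")):
        bus.append({"subject": token.subject, "op": op, "resource": res,
                    "decision": "allow" if token.permits(op, res) else "deny"})
    report = generate_soc2_evidence([token], registry, bus)
    # Tamper with a copy of the trail: flipping the deny to allow must be caught.
    tampered = SignedBus(key)
    tampered.entries = [dict(e) for e in bus.entries]
    tampered.entries[1]["payload"] = dict(bus.entries[1]["payload"], decision="allow")
    return report, tampered.verify()
```

The point an auditor will probe is the last step: evidence is only as strong as the tamper check, so the verification routine, not just the writer, belongs in the evidence package, along with custody of the signing key.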
Boundary Disclaimer
- HUMMBL is not a SOC 2 auditor. A SOC 2 Type II examination must be performed by a licensed CPA firm.
- HUMMBL evidence artifacts can support that examination by producing auditable logs, identity records, and access control traces. Because a Type II report tests operating effectiveness over a review period, those artifacts must be retained across the whole period, not only generated at report time.
- The three controls mapped (CC6.1, CC6.3, CC7.2) represent the subset of SOC 2 criteria directly addressable by code-level governance primitives. Additional controls (e.g., CC5.x governance, CC8.x change management) require organizational process evidence beyond a software library.
- This mapping covers the v0.8.0 public snapshot. Re-verify after any major version upgrade.
Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework soc2