SOC 2 Mapping

How hummbl-governance primitives produce evidence for SOC 2 Trust Service Criteria. Generated via compliance_mapper.generate_soc2_report() — stdlib-only, zero dependencies.

Control Mappings

CC6.1 — Logical Access Security

Maps DelegationTokenManager (DCT tuples) to access control evidence. Each delegation token binds an issuer to a subject with scoped operations and resources.

Primitives: DelegationTokenManager, DCT tuples

Evidence test: test_compliance_mapper.py → test_dct_maps_to_cc61

CC6.3 — Identity & Authentication

Maps AgentRegistry identity records (subject/issuer in DCTs) to identity and authentication controls. Canonicalization and trust-tier resolution ensure consistent agent identities.

Primitives: AgentRegistry, DelegationTokenManager

Evidence test: test_compliance_mapper.py → test_dct_maps_to_cc63

CC7.2 — Monitoring & Logging

Every signed governance bus entry produces monitoring evidence. The append-only, tamper-evident bus provides the continuous monitoring trail required by CC7.2.

Primitives: AuditLog, BusWriter

Evidence test: test_compliance_mapper.py → test_signed_maps_to_cc72
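The following is an added, self-contained illustration of the two code-level ideas the CC6.1 and CC7.2 entries rely on: a delegation tuple that scopes a subject's operations and resources, and an append-only bus whose entries are HMAC-signed and hash-chained so that modifying an earlier entry is detectable. It is not hummbl-governance code and does not use the library's API; the names DelegationToken, AppendOnlyBus, authorize, soc2_evidence and BUS_KEY are hypothetical stand-ins for DelegationTokenManager, BusWriter and generate_soc2_report(), and the key and events are constructed demo values. Like the page's mapper, it uses only the standard library.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key (assumption); a deployment would load it from a secret store.
BUS_KEY = b"demo-bus-signing-key"


@dataclass(frozen=True)
class DelegationToken:
    """Hypothetical DCT-style tuple: issuer delegates scoped operations on resources to subject."""
    issuer: str
    subject: str
    operations: frozenset
    resources: frozenset

    def permits(self, operation: str, resource: str) -> bool:
        # CC6.1: access is granted only inside the delegated scope.
        return operation in self.operations and resource in self.resources


class AppendOnlyBus:
    """Hash-chained, HMAC-signed log: every entry commits to the previous entry's digest."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # list of {"body": canonical JSON, "digest": HMAC-SHA256 hex}

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = json.dumps({"seq": len(self.entries), "prev": prev, "event": event}, sort_keys=True)
        digest = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        entry = {"body": body, "digest": digest}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # CC7.2: re-derive every digest and check the chain links; any edit, reorder or gap fails.
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            parsed = json.loads(entry["body"])
            if parsed["seq"] != i or parsed["prev"] != prev:
                return False
            expected = hmac.new(self._key, entry["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["digest"]):
                return False
            prev = entry["digest"]
        return True


def authorize(token: DelegationToken, operation: str, resource: str, bus: AppendOnlyBus) -> bool:
    """Evaluate a request against the token and record the decision on the signed bus."""
    decision = token.permits(operation, resource)
    bus.append({"type": "access_decision", "issuer": token.issuer, "subject": token.subject,
                "operation": operation, "resource": resource, "allowed": decision})
    return decision


def soc2_evidence(bus: AppendOnlyBus) -> dict:
    """Summarise bus contents as evidence rows keyed by the criteria this page maps."""
    events = [json.loads(e["body"])["event"] for e in bus.entries]
    decisions = [ev for ev in events if ev.get("type") == "access_decision"]
    return {
        "CC6.1": {"access_decisions": len(decisions),
                  "denied": sum(1 for d in decisions if not d["allowed"])},
        "CC7.2": {"signed_entries": len(bus.entries), "chain_intact": bus.verify()},
    }


def demo():
    """Issue a read-only token, exercise it, build the evidence, then show tampering is caught."""
    bus = AppendOnlyBus(BUS_KEY)
    token = DelegationToken("orchestrator", "agent-7", frozenset({"read"}), frozenset({"ledger"}))
    allowed = authorize(token, "read", "ledger", bus)    # inside scope
    denied = authorize(token, "write", "ledger", bus)    # outside scope
    report = soc2_evidence(bus)
    # Copy the bus and flip the first recorded decision; the stored digest no longer matches.
    tampered = AppendOnlyBus(BUS_KEY)
    tampered.entries = [dict(e) for e in bus.entries]
    tampered.entries[0]["body"] = tampered.entries[0]["body"].replace('"allowed": true', '"allowed": false')
    return allowed, denied, report, tampered.verify()


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The evidence dictionary is the shape an auditor-facing report can be built from: a count of scoped access decisions for CC6.1 and, for CC7.2, the number of signed entries together with a boolean that is only true when the whole chain re-verifies.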

Boundary Disclaimer

  • HUMMBL is not a SOC 2 auditor. A SOC 2 Type II examination requires an accredited CPA firm.
  • HUMMBL evidence artifacts can support that examination by producing auditable logs, identity records, and access control traces.
  • The three controls mapped (CC6.1, CC6.3, CC7.2) represent the subset of SOC 2 criteria directly addressable by code-level governance primitives. Additional controls (e.g., CC5.x governance, CC8.x change management) require organizational process evidence beyond a software library.
  • This mapping covers the v0.8.0 public snapshot. Re-verify after any major version upgrade.

Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework soc2