Compliance Alignment Guide

TAC and SOC 2

How TAC’s architecture and capabilities map to the AICPA Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Overview

What is SOC 2?

SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how organisations manage data based on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Security is the only mandatory criterion. SOC 2 Type II audits evaluate whether controls operated effectively over a sustained period — not just at a single point in time.

Total Access Control (TAC) directly addresses the most critical SOC 2 control requirements through its unified zero-trust access platform.

Trust Service Criteria

Security (Required)

Availability

Processing Integrity

Confidentiality

Privacy

Note: This guide describes how TAC’s capabilities map to SOC 2 Trust Service Criteria. SOC 2 compliance is determined by independent auditors based on your organisation’s complete control environment, of which TAC is one component.

Control Mapping

TAC vs. Each Trust Service Criterion

1. Security (Common Criteria) — Required

Logical and System Controls

| SOC 2 Requirement | How TAC Delivers |
|---|---|
| Restrict logical access to authorised users | Reverse-proxy enforcement — no user connects directly to any application. TAC mediates every access request before traffic reaches the target resource. |
| Authenticate users before granting access | Built-in MFA including FIDO2, SafeLogin MFA, TOTP, push notifications, SMS, OTP, and hardware tokens — plus integration with virtually any third-party MFA provider. |
| Require multi-factor authentication | 7+ MFA methods included in the base TAC licence. No add-on purchases required to satisfy auditor MFA requirements. |
| Manage credentials and access rights | Multi-directory identity federation connects simultaneously to Active Directory, LDAP, SAML, RADIUS, OIDC, SQL databases, and custom directories — governed by a single unified policy engine. |
| Revoke access when no longer authorised | Real-time access revocation when device compliance lapses, policy conditions change, or identity status is modified — mid-session, not just at next login. |
| Implement role-based access control | Unified policy engine enforces access decisions based on user identity, group membership, device posture, application, network location, time of day, and risk signals. |
| Monitor system components for anomalies | Complete audit trail of every access request — who accessed what, when, from where, from which device, and what policy allowed or denied it. |
| Detect unauthorised access attempts | Every request is evaluated against policy in real time. Unauthorised attempts are logged and blocked at the proxy layer before reaching the target application. |
| Identify and mitigate risks to system security | Attack surface reduction — close every inbound firewall port except one single encrypted channel supporting up to TLS 1.3. |
| Manage vulnerabilities in endpoints | Continuous device posture validation checks OS patches, antivirus status, disk encryption, firewall status, domain join, and certificate validity on every request — not just at login. |

2. Availability

High Availability and Business Continuity

| SOC 2 Requirement | How TAC Delivers |
|---|---|
| Ensure system availability and redundancy | SVA Array architecture provides multiple load-balanced appliances for high availability. Global Array extends redundancy across worldwide data centre locations. |
| Support disaster recovery objectives | Single-tenant deployment means your disaster recovery strategy is under your control — not dependent on a shared vendor cloud or subject to another organisation’s failover events. |
| Minimise unplanned downtime | Deploy in hours, not months. Failover configurations, load balancing, and health monitoring are managed from a single admin console. |
| Maintain business continuity | Location-transparent SSO ensures applications can migrate between on-premises and cloud environments without user disruption or access interruption. |

3. Confidentiality

Data Isolation and Access Control

| SOC 2 Requirement | How TAC Delivers |
|---|---|
| Protect confidential information from unauthorised access | Single-tenant Secure Virtual Appliance (SVA) architecture ensures complete data isolation. No shared infrastructure. No data co-mingling with other organisations. |
| Limit access to authorised personnel only | Unified policy engine restricts access by identity, device posture, network location, time of day, and application — down to individual resources and API endpoints. |
| Encrypt data in transit | All traffic flows through a single port encrypted up to TLS 1.3. No unencrypted channels. No exposed application ports. |
| Classify and control access to sensitive data | Differentiated access rules per application, resource, user group, and identity type — including separate policies for AI agents and automated workflows. |
| Protect legacy systems containing confidential data | Reverse-proxy authentication injection adds MFA, device posture checks, and continuous validation to legacy applications — without modifying the application or its code. |

4. Processing Integrity

Consistent and Auditable Policy Enforcement

| SOC 2 Requirement | How TAC Delivers |
|---|---|
| Ensure system performs intended functions without error | Per-request policy evaluation ensures every access decision is consistent, auditable, and repeatable — driven by the same policy engine for every request. |
| Prevent unauthorised modification of data | Reverse-proxy architecture ensures applications never process requests that have not passed identity verification, device posture validation, and policy evaluation. |
| Ensure complete and accurate processing | Complete audit trail with timestamps, identity attribution, device details, and policy decision logging for every access transaction. |

5. Privacy

Personal Data Protection

| SOC 2 Requirement | How TAC Delivers |
|---|---|
| Protect personal information | Single-tenant isolation ensures personal data processed by your applications never co-mingles with other customers’ environments. |
| Control access to systems containing personal data | Granular policy enforcement controls which users and AI agents can access systems containing PII, PHI, or other regulated data. |
| Monitor and log access to sensitive systems | Complete logging of every access event — who accessed which application, when, from what device, and the policy decision that allowed or denied access. |

Architectural Advantage

Why TAC is Uniquely Strong for SOC 2

Three architectural advantages set TAC apart in a SOC 2 audit context.

1. Single-Tenant Isolation

Auditors consistently flag multi-tenant architecture as a risk factor — shared infrastructure creates potential for cross-customer data exposure and shared-fate security incidents. TAC eliminates these concerns entirely. Every TAC deployment is a dedicated, isolated Secure Virtual Appliance. There is no shared infrastructure. Auditors can verify this directly.

2. One Console, One Audit Trail

Most organisations assemble SOC 2 evidence from 3–6 separate tools — identity provider logs, MFA provider logs, VPN logs, endpoint management logs, and application access logs. TAC provides a single, unified audit trail covering identity, MFA, device posture, and access decisions. Evidence collection during audit becomes dramatically simpler.

3. Continuous Validation, Not Point-in-Time

SOC 2 Type II audits evaluate whether controls operated effectively over time — not just at a single moment. TAC’s per-request device posture validation and continuous policy evaluation mean compliance is enforced on every access request throughout the audit period. If a device falls out of compliance mid-session, access is revoked immediately.

Summary

Control Coverage Summary

| Trust Service Criterion | Required? | TAC Coverage |
|---|---|---|
| Security (Common Criteria) | Required | Comprehensive. Reverse-proxy enforcement, built-in MFA, continuous device posture, unified policy engine, full audit logging, attack surface reduction. |
| Availability | Optional | Strong. SVA Array and Global Array for HA. Single-tenant deployment for customer-controlled DR. Hours-not-months deployment. |
| Processing Integrity | Optional | Addressed. Per-request policy evaluation ensures consistent, auditable, repeatable access decisions with complete transaction logging. |
| Confidentiality | Optional | Comprehensive. Single-tenant isolation, TLS 1.3 encryption, granular access policies, legacy app security uplift, AI agent governance. |
| Privacy | Optional | Addressed. Dedicated infrastructure isolation, granular access control for systems containing personal data, complete access logging. |

Preparing for a SOC 2 Audit?

Our compliance specialists can walk through your specific audit requirements and show you exactly how TAC satisfies each control.

