> ## Documentation Index
> Fetch the complete documentation index at: https://docs.useanima.sh/llms.txt
> Use this file to discover all available pages before exploring further.

# SOC 2 Controls

> SOC 2 Type II compliance framework for AI agent operations. Control mappings, evidence collection, and continuous monitoring.

# SOC 2 Controls

Anima provides built-in SOC 2 Type II controls and automated evidence collection for AI agent operations. The platform maps its security features to Trust Service Criteria, making audit preparation straightforward.

## Trust Service Criteria Mapping

Anima covers controls across all five Trust Service Categories:

### Security (Common Criteria)

| Control ID | Control                           | Anima Feature                             |
| ---------- | --------------------------------- | ----------------------------------------- |
| CC6.1      | Logical access security           | Pod isolation, API key scoping            |
| CC6.2      | Authentication mechanisms         | DID-based auth, API key rotation          |
| CC6.3      | Authorization and access controls | Role-based permissions, budget guards     |
| CC6.6      | System boundary protections       | Pod network isolation, MCC controls       |
| CC7.1      | Monitoring for anomalies          | Anomaly detection, behavioral baselines   |
| CC7.2      | Activity monitoring and alerting  | Audit log, SIEM integration               |
| CC7.3      | Evaluating security events        | Quarantine, incident response workflows   |
| CC8.1      | Change management                 | API versioning, configuration audit trail |

### Availability

| Control ID | Control             | Anima Feature                        |
| ---------- | ------------------- | ------------------------------------ |
| A1.1       | Capacity management | Pod resource limits, rate limiting   |
| A1.2       | Recovery procedures | Automated backups, disaster recovery |

### Confidentiality

| Control ID | Control                             | Anima Feature                            |
| ---------- | ----------------------------------- | ---------------------------------------- |
| C1.1       | Identification of confidential data | Vault encryption, secret classification  |
| C1.2       | Disposal of confidential data       | Vault secret expiration, secure deletion |

## Viewing Controls Status

<Tabs items={["Node.js", "Python", "Go"]}>
  <Tab value="Node.js">
    ```ts theme={null}
    import { Anima } from "@anima-labs/sdk";

    const anima = new Anima({ apiKey: "ak_..." });

    // Get SOC 2 controls status
    const controls = await useanima.shpliance.soc2.listControls();

    for (const control of controls.data) {
      console.log(`${control.id}: ${control.name}`);
      console.log(`  Status: ${control.status}`);        // "passing" | "failing" | "not_evaluated"
      console.log(`  Evidence: ${control.evidenceCount} items`);
      console.log(`  Last evaluated: ${control.lastEvaluatedAt}`);
    }
    ```
  </Tab>

  <Tab value="Python">
    ```python theme={null}
    from anima import Anima

    anima = Anima(api_key="ak_...")

    controls = useanima.shpliance.soc2.list_controls()

    for control in controls.data:
        print(f"{control.id}: {control.name}")
        print(f"  Status: {control.status}")
        print(f"  Evidence: {control.evidence_count} items")
    ```
  </Tab>

  <Tab value="Go">
    ```go theme={null}
    import "github.com/anima-labs-ai/go"

    client := anima.NewClient("ak_...")

    controls, err := client.Compliance.SOC2.ListControls(ctx)
    for _, c := range controls.Data {
        fmt.Printf("%s: %s -- %s\n", c.ID, c.Name, c.Status)
    }
    ```
  </Tab>
</Tabs>

## Evidence Collection

Anima automatically collects evidence for each control from audit logs, configurations, and system state:

```ts theme={null}
// Get evidence for a specific control
const evidence = await useanima.shpliance.soc2.getEvidence("CC6.1", {
  startDate: "2026-01-01",
  endDate: "2026-03-31",
});

for (const item of evidence.data) {
  console.log(`[${item.timestamp}] ${item.type}: ${item.description}`);
  console.log(`  Source: ${item.source}`);
  console.log(`  Artifact: ${item.artifactUrl}`);
}
```

### Evidence Types

| Type              | Description                                          |
| ----------------- | ---------------------------------------------------- |
| `configuration`   | System configuration snapshots proving control state |
| `audit_event`     | Audit log entries demonstrating control enforcement  |
| `policy_document` | Automatically generated policy documentation         |
| `test_result`     | Results of automated control tests                   |
| `access_review`   | Periodic access review records                       |

## Continuous Monitoring

Controls are continuously evaluated, not just at audit time:

```ts theme={null}
// Configure continuous monitoring
await useanima.shpliance.soc2.configureMonitoring({
  evaluationInterval: "1h",  // How often to re-evaluate controls
  alertOnFailure: true,
  alertChannels: [
    { type: "email", address: "compliance@acme.com" },
    { type: "slack", webhookUrl: "https://hooks.slack.com/..." },
  ],
});

// Get monitoring dashboard data
const dashboard = await useanima.shpliance.soc2.getDashboard();
console.log(`Controls passing: ${dashboard.passing}/${dashboard.total}`);
console.log(`Last full evaluation: ${dashboard.lastFullEvaluation}`);
console.log(`Audit readiness score: ${dashboard.readinessScore}%`);
```

## API Reference

| Endpoint                                                      | Method | Description                        |
| ------------------------------------------------------------- | ------ | ---------------------------------- |
| `https://api.useanima.sh/api/compliance/soc2/controls`        | GET    | List all SOC 2 controls and status |
| `https://api.useanima.sh/api/compliance/soc2/controls/:id`    | GET    | Get a specific control             |
| `https://api.useanima.sh/api/compliance/soc2/evidence`        | GET    | Query evidence by control and date |
| `https://api.useanima.sh/api/compliance/soc2/evidence/export` | POST   | Export evidence package            |
| `https://api.useanima.sh/api/compliance/soc2/monitoring`      | PUT    | Configure continuous monitoring    |
| `https://api.useanima.sh/api/compliance/soc2/dashboard`       | GET    | Get compliance dashboard data      |

## Configuration

| Variable                             | Default | Description                         |
| ------------------------------------ | ------- | ----------------------------------- |
| `ANIMA_SOC2_EVALUATION_INTERVAL`     | `1h`    | Control evaluation frequency        |
| `ANIMA_SOC2_EVIDENCE_RETENTION_DAYS` | `730`   | Evidence retention period (2 years) |
| `ANIMA_SOC2_ALERT_ON_FAILURE`        | `true`  | Alert when a control starts failing |

## Next Steps

* [Compliance Reporting](/compliance/reporting) -- Generate audit-ready reports
* [Audit Log](/security/audit-log) -- Underlying event data for evidence
* [Anomaly Detection](/security/anomaly-detection) -- CC7.x control implementation
