SOC 2 (AICPA Trust Services Criteria)

AICPA audit standard for service organizations. Enterprise buyers increasingly require SOC 2 Type II. Five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy.

SaaS providers, cloud services, B2B service organizations

14

control domains mapped

32

products applicable

6

other frameworks cross-mapped

Official doc

SOC 2 (AICPA Trust Services Criteria)

CC6.1 Logical and physical access controls — authentication

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

CC6.6 Logical access security measures against threats outside the boundaries

VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach another (e.g. keys, vault). No other consumer laptop provides this by default.

CC6.7 Restrict and monitor transmission of information

Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.

Products that satisfy this control:

CC6.8 Prevent or detect unauthorized or malicious software

Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.

CC6.4 Physical access to the defined system is restricted

Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.

A1.2 Environmental protections and backup processes (Availability)

UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).

Products that satisfy this control:

A1.3 Recovery plan procedures supporting system recovery (Availability)

Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.

Products that satisfy this control:

CC6.7 Restrict and monitor transmission and movement of information

MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.

Products that satisfy this control: