HATS / SOC 2 Crosswalk
1. Scope
This crosswalk maps HATS capabilities to SOC 2 Trust Service Criteria (TSC) as defined by the AICPA. SOC 2 Type II evaluates the operating effectiveness of controls over a defined period. HATS continuous attestation directly addresses the "over a period of time" requirement by producing cryptographically bound, timestamped evidence of control effectiveness at every attestation event.
This crosswalk is a technical mapping. It does not constitute a SOC 2 audit opinion or replace the assessment of an independent CPA firm.
2. CC1 -- Control Environment
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC1.1 Integrity and ethical values | Governance Replay | Policy attestation receipts recording active governance policies | Replay governance decisions to verify policy enforcement was consistent with stated values |
| CC1.2 Board independence and oversight | Independent Verification | Governance decision receipts verifiable by third parties | Board delegates verify governance receipts using public keys without system access |
| CC1.3 Management structure and authority | Agent Attestation | Per-action attestation receipts binding actions to authenticated identities and roles | Verify tenant_id and role fields against organizational authority matrix |
| CC1.4 Competence commitment | Evidence Chains | Training and qualification attestation chains | Verify chain integrity and temporal coverage of competence attestations |
| CC1.5 Accountability | Continuous Attestation | Complete attestation receipt chain attributing every operation to an identity | Traverse evidence chain to confirm no un-attributed operations exist |
3. CC2 -- Communication and Information
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC2.1 Information quality for internal control | Evidence Chains | Cryptographically linked attestation chains with predecessor hashes | Verify chain integrity; confirm no receipts modified, inserted, or removed |
| CC2.2 Internal communication of objectives | Governance Replay | Policy distribution attestation receipts | Replay policy distribution events; verify each policy version attested at distribution time |
| CC2.3 External communication | Independent Verification | Externally verifiable attestation receipts | External parties verify receipts using published public keys |
4. CC3 -- Risk Assessment
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC3.1 Suitable objectives | Governance Replay | Risk objective attestation receipts | Replay risk assessment decisions under documented governance |
| CC3.2 Risk identification | Evidence Chains | Risk assessment event attestation chain | Verify temporal coverage; confirm predecessor hash continuity |
| CC3.3 Fraud risk consideration | Continuous Attestation + Agent Attestation | Anomaly detection attestation receipts; agent behavior attestation | Verify attestation stream for fraud-relevant events; confirm individual agent action attestation |
| CC3.4 Change identification | Evidence Chains | Change management attestation receipts linked to evidence chains | Traverse evidence chain to identify and verify attestation of configuration changes |
5. CC4 -- Monitoring Activities
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC4.1 Ongoing evaluations | Continuous Attestation | Real-time attestation receipt stream with sub-second granularity | Verify receipt stream continuity; confirm frequency meets monitoring requirements |
| CC4.2 Communication of deficiencies | Governance Replay + Independent Verification | Deficiency notification attestation receipts | Verify deficiency receipts were generated and communicated within SLA |
6. CC5 -- Control Activities
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC5.1 Control selection and development | Governance Replay | Control selection decision attestation receipts | Replay control selection decisions; verify governance context |
| CC5.2 Technology general controls | Continuous Attestation | Configuration and infrastructure attestation receipts | Verify continuous attestation of technology controls throughout assessment period |
| CC5.3 Deployment through policies | Evidence Chains | Policy deployment attestation chain | Verify chain integrity from policy creation through enforcement |
7. CC6 -- Logical and Physical Access
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC6.1 Logical access security | Continuous Attestation | Per-access attestation receipts with identity binding | Verify each access event attested with authenticated identity |
| CC6.2 Credential issuance | Agent Attestation | Credential issuance attestation receipts | Verify identity verification preceded credential issuance |
| CC6.3 Authorization-based access | Continuous Attestation | Authorization check attestation receipts | Verify each access preceded by authorization attestation |
| CC6.6 External threats | Encrypted Computation | FHE computation receipts demonstrating data never exposed in plaintext | Verify computation_type field indicates FHE operation |
| CC6.7 Access restriction and removal | Evidence Chains | Access revocation attestation receipts | Verify revocation receipts exist for all terminated access |
| CC6.8 Unauthorized software prevention | Continuous Attestation | Software inventory attestation receipts | Verify attestation continuity for software state |
8. CC7 -- System Operations
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC7.1 Infrastructure change detection | Continuous Attestation | Infrastructure state attestation receipts | Compare successive receipts to detect state changes |
| CC7.2 Anomaly monitoring | Continuous Attestation + Evidence Chains | Anomaly detection attestation receipts | Verify stream completeness; confirm anomaly events attested within SLA |
| CC7.3 Security event evaluation | Governance Replay | Security event evaluation decision receipts | Replay event evaluation decisions; verify governance context |
| CC7.4 Incident response | Evidence Chains + Governance Replay | Incident response evidence chain with decision attestation | Traverse response chain; replay decisions; verify causal linkage |
9. CC8 -- Change Management
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC8.1 Changes to infrastructure, data, software | Evidence Chains + Continuous Attestation | Pre- and post-change state attestation receipts bracketing each change event | Verify pre-change and post-change attestations bracket each change; confirm chain integrity |
10. CC9 -- Risk Mitigation
| TSC Control | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| CC9.1 Business disruption risk | Evidence Chains + Governance Replay | Business continuity attestation chain with governance binding | Verify continuity coverage; replay mitigation decisions |
| CC9.2 Vendor and partner risk | Independent Verification + Evidence Chains | Vendor attestation receipts verifiable by business partners | Partners verify receipts using public keys; traverse vendor-specific chains |
11. Type II Operating Effectiveness
SOC 2 Type II requires evidence that controls operated effectively over a defined period (typically 6 or 12 months). HATS continuous attestation directly addresses this requirement. The attestation receipt chain provides a cryptographically linked, tamper-evident record of every control-relevant operation throughout the assessment period.
An auditor can traverse the evidence chain from the assessment start date to the end date, verifying: (1) no gaps exist in attestation coverage, (2) each receipt is cryptographically linked to its predecessor, (3) all three post-quantum signatures verify on each receipt, and (4) the governance context is consistent with the stated control objectives.
This approach replaces or supplements point-in-time sampling with continuous, cryptographically verifiable evidence. The auditor does not need to rely on management representations; the evidence is independently verifiable.
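The four verifications above, written out as an added example that is not HATS code: it walks a constructed receipt chain over an assessment period and reports coverage gaps, broken predecessor links, signature failures and governance-policy drift. The receipt field names (`ts`, `prev`, `policy`, `signatures`) and the HMAC-SHA256 stand-in for the three post-quantum signatures are assumptions, since the page does not specify the receipt format or the signature algorithms.

```python
import hashlib, hmac, json

# Constructed demo keys; the page names no algorithm, so HMAC-SHA256 stands in for the three signatures.
DEMO_KEYS = [b"demo-key-1", b"demo-key-2", b"demo-key-3"]

def receipt_digest(r):
    """SHA-256 over the receipt body (every field except its own signatures)."""
    body = {k: v for k, v in r.items() if k != "signatures"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def demo_sig_ok(r):
    """Stand-in for 'all three signatures verify': one tag per demo key over the digest."""
    d = receipt_digest(r).encode()
    tags = r.get("signatures", [])
    return len(tags) == 3 and all(
        hmac.compare_digest(t, hmac.new(k, d, "sha256").hexdigest())
        for k, t in zip(DEMO_KEYS, tags))

def make_receipt(ts, prev, policy, action):
    """Constructed receipt: timestamp, predecessor digest, governance policy, action."""
    r = {"ts": ts, "prev": prev, "policy": policy, "action": action}
    d = receipt_digest(r).encode()
    r["signatures"] = [hmac.new(k, d, "sha256").hexdigest() for k in DEMO_KEYS]
    return r

def build_chain(timestamps, policy="access-policy-v3", genesis="0" * 64):
    """Constructed sample chain whose receipts link to their predecessors."""
    chain, prev = [], genesis
    for ts in timestamps:
        chain.append(make_receipt(ts, prev, policy, "access-check"))
        prev = receipt_digest(chain[-1])
    return chain

def audit_chain(receipts, start, end, max_gap, policy, sig_ok=demo_sig_ok):
    """Apply the four Type II checks over the period; returns findings (empty = pass)."""
    findings = []
    # (1) coverage: no interval longer than max_gap between period start, receipts, period end
    edges = [start] + [r["ts"] for r in receipts] + [end]
    for i, (a, b) in enumerate(zip(edges, edges[1:])):
        if b - a > max_gap:
            findings.append(f"coverage gap of {b - a}s ending at edge {i + 1}")
    for i, r in enumerate(receipts):
        # (2) every receipt after the first must carry its predecessor's digest
        if i and r["prev"] != receipt_digest(receipts[i - 1]):
            findings.append(f"receipt {i}: predecessor hash mismatch")
        if not sig_ok(r):                       # (3) all signatures verify
            findings.append(f"receipt {i}: signature failure")
        if r["policy"] != policy:               # (4) governance context matches objective
            findings.append(f"receipt {i}: policy {r['policy']!r} != {policy!r}")
    return findings
```

Because a receipt's digest covers its body, altering any field after the fact surfaces twice: as a signature failure on that receipt and as a predecessor mismatch on the next one.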