Vendor management

Vendor lifecycle evidence for platform providers, subprocessors, SOC 2 reports, DPAs, BAAs where applicable, renewal review, and vendor incident handling.

These pages describe SignalEDI's readiness posture and evidence workflow. They are not a SOC 2 attestation or certification claim.

Evidence reviewers ask for

  • Vendor attestation register
  • SOC 2, DPA, BAA, and subprocessor records
  • DPA expiry and renewal review outputs

Operating controls

  • Risk-tiered vendor review cadence
  • Contract review before production access
  • Vendor incident escalation and risk-register linkage

Owner

Finance & Operations Lead

Cadence

Weekly vendor-review automation plus quarterly owner review

Audience

Procurement, privacy, and auditor teams

Company controls

Related company pages

9 operating areas

Policies

Policy library

Approved policy surfaces for information security, access control, acceptable use, change management, incident response, backup/restore, vendor management, and HR security.

Security

Security posture

Security posture map for identity, MFA, RBAC, tenant scoping, encryption expectations, logging, monitoring, and secure SDLC evidence.

Employee training

People compliance

People-compliance evidence for security awareness, policy acknowledgment, privileged-role onboarding, background-check tracking, and annual refresh requirements.

Change management

Change traceability

Traceability for production changes from request to PR, review, CI, deployment, verification, rollback planning, and emergency-change retrospective.

Incident response

IR and CAPA

Incident lifecycle evidence for severity classification, communications, post-incident review, corrective and preventive actions, and customer/regulatory notification decisions.

Access reviews

Access review

Quarterly access review evidence for users, privileged roles, MFA compliance, stale accounts, API keys, service accounts, and vendor-console admins.

Backups

Continuity evidence

Backup and disaster-recovery evidence for approved RTO/RPO, daily backup health, provider retention proof, restore drills, and tabletop validation.

Penetration tests

Testing evidence

Penetration-test planning and evidence handling for scoped external testing, remediation tracking, retest evidence, and customer-safe summaries.

Logs

Audit trail

Logging and monitoring evidence for failed logins, MFA changes, permission changes, production access, admin actions, security alerts, and audit retention.

© 2026 SignalEDI Inc. All rights reserved.