
Compliance Frameworks

Last updated: January 15, 2026

Compliance Frameworks and Certification Status

Document owner: VP Governance, Risk & Compliance
Version: 3.0
Effective date: January 1, 2026
Last updated: January 15, 2026
Classification: Public — Trust Center
Review cadence: Quarterly, and upon certification changes
Company: Acme Cloud, Inc.
Address: 1200 Market Street, Suite 400, San Francisco, CA 94103, USA
Primary contacts: trust@acmecloud.com | security@acmecloud.com | privacy@acmecloud.com


1. Executive Summary and Purpose

This Compliance Frameworks document provides a comprehensive overview of Acme Cloud, Inc.'s ("Company," "we," "us," or "our") regulatory compliance posture, certification status, and audit program. This document is designed to support enterprise procurement, vendor risk management, and audit teams in evaluating our compliance capabilities against their organizational requirements.

Document Objectives:

| Objective | Description | Target Audience |
|---|---|---|
| Certification Transparency | Provide current status of all security and privacy certifications | Security reviewers, procurement |
| Framework Mapping | Document control mappings to major regulatory frameworks | Compliance officers, auditors |
| Evidence Availability | Clarify what evidence is available and access procedures | Third-party risk teams |
| Audit Support | Describe our audit support capabilities and processes | Customer audit teams |
| Regulatory Monitoring | Demonstrate proactive compliance with emerging regulations | Legal, compliance teams |

Acme Cloud maintains a robust Governance, Risk, and Compliance (GRC) program that continuously monitors regulatory developments, implements appropriate controls, and provides transparency to our customers. Our compliance program is designed to exceed the minimum requirements of applicable frameworks, providing defense-in-depth assurance to customers operating in regulated industries.


2. Definitions

For purposes of this document, the following terms shall have the meanings set forth below:

| Term | Definition |
|---|---|
| SOC 2 | Service Organization Control 2, an audit framework developed by AICPA for evaluating service organizations' controls relevant to security, availability, processing integrity, confidentiality, and privacy. |
| Type I Audit | Point-in-time assessment of control design and implementation as of a specific date. |
| Type II Audit | Assessment of control operating effectiveness over a specified period (typically 12 months). |
| Trust Services Criteria (TSC) | The control objectives and criteria used in SOC 2 audits, organized into Security (Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. |
| ISO 27001 | International standard for information security management systems (ISMS), specifying requirements for establishing, implementing, maintaining, and continually improving an ISMS. |
| ISMS | Information Security Management System, a systematic approach to managing sensitive information so that it remains secure. |
| Statement of Applicability (SoA) | ISO 27001 document declaring which Annex A controls are applicable to the organization and the justification for inclusion or exclusion. |
| GDPR | General Data Protection Regulation, EU regulation governing the processing of personal data of individuals in the European Union. |
| CCPA/CPRA | California Consumer Privacy Act and California Privacy Rights Act, comprehensive privacy laws applicable to California residents. |
| HIPAA | Health Insurance Portability and Accountability Act, US federal law protecting the privacy and security of protected health information (PHI). |
| BAA | Business Associate Agreement, a contract required under HIPAA between a covered entity and a business associate. |
| PCI DSS | Payment Card Industry Data Security Standard, security standard for organizations handling credit card information. |
| SAQ | Self-Assessment Questionnaire, a PCI DSS validation tool for merchants and service providers. |
| CUECs | Complementary User Entity Controls, controls that customers must implement to achieve the objectives of service provider controls. |
| Bridge Letter | A letter from management or auditors covering the period between the end of an audit period and the present date. |
| TIA | Transfer Impact Assessment, evaluation of risks associated with international data transfers under GDPR. |
| DPA | Data Processing Agreement/Addendum, contractual terms governing data processing activities. |
| SCCs | Standard Contractual Clauses, EU-approved contract terms for international data transfers. |
| DPIA | Data Protection Impact Assessment, evaluation of processing activities' impact on data subject rights. |
| GRC | Governance, Risk, and Compliance, the integrated approach to managing governance, risk management, and regulatory compliance. |

3. Certification and Compliance Status Summary

3.1 Current Certification Status

| Framework | Status | Scope | Auditor/Authority | Report Period | Next Milestone |
|---|---|---|---|---|---|
| SOC 2 Type II | ✅ Certified | Security, Availability, Confidentiality — Acme Cloud SaaS Platform | Deloitte & Touche LLP | Oct 1, 2024 – Sep 30, 2025 | Type II renewal Q4 2026 |
| ISO 27001:2022 | 🔄 In Progress | ISMS covering production SaaS and corporate systems | TÜV SÜD (target) | Gap assessment completed Q4 2025 | Stage 1 audit Q3 2026 |
| SOC 1 Type II | ➖ Not Applicable | Financial reporting controls | N/A | N/A | Not planned |
| ISO 27017 | 📋 Planned | Cloud security controls | TÜV SÜD (target) | N/A | Following ISO 27001 certification |
| ISO 27018 | 📋 Planned | PII protection in public cloud | TÜV SÜD (target) | N/A | Following ISO 27001 certification |
| ISO 27701 | 📋 Evaluating | Privacy information management | N/A | N/A | Evaluation ongoing |
| CSA STAR | 📋 Planned | Cloud security | CSA | N/A | Self-assessment Q2 2026 |
| FedRAMP | ➖ Not Current | US Federal agencies | N/A | N/A | Market demand evaluation |

Status Legend:

  • ✅ Active/Certified — Current certification maintained
  • 🔄 In Progress — Certification process underway
  • 📋 Planned — On roadmap, not yet initiated
  • ➖ Not Applicable/Current — Not in scope or not planned

3.2 Regulatory Compliance Status

| Regulation | Status | Applicability | Implementation Summary | Evidence |
|---|---|---|---|---|
| GDPR | ✅ Compliant | EEA/UK personal data processing | DPA with SCCs, Article 28 compliance, Data Subject Rights procedures | DPA, Privacy Policy, Processing Records |
| CCPA/CPRA | ✅ Compliant | California residents | Consumer rights implementation, privacy notices, opt-out mechanisms | Privacy Policy, Service Provider Agreement |
| HIPAA | ✅ Compliant | PHI processing for BAA customers | Administrative, physical, technical safeguards; BAA available | BAA template, HIPAA Statement |
| UK GDPR | ✅ Compliant | UK personal data processing | UK-specific addendum, UK Representative | Privacy Policy, UK Addendum |
| LGPD | ✅ Compliant | Brazilian data subjects | Privacy notice, data subject rights | Privacy Policy (Portuguese) |
| PDPA (Singapore) | ✅ Compliant | Singapore personal data | Consent management, transfer protections | Regional terms |
| PIPEDA | ✅ Compliant | Canadian personal data | Privacy principles compliance | Privacy Policy |
| DORA | 📋 Monitoring | EU financial entities | Gap assessment planned | N/A |
| NIS2 Directive | 📋 Monitoring | Essential/important entities | Security measures mapping in progress | N/A |
| EU AI Act | 🔄 Preparing | AI features | Risk classification, transparency measures | AI Usage Policy |

4. SOC 2 Type II Certification Details

4.1 Audit Scope and Coverage

Acme Cloud's SOC 2 Type II audit encompasses the following:

| Scope Element | Description | Included |
|---|---|---|
| Production SaaS Platform | All customer-facing application services | ✅ Yes |
| API Services | Public and private API endpoints | ✅ Yes |
| Infrastructure | AWS cloud infrastructure supporting production | ✅ Yes |
| Supporting Systems | Identity management, monitoring, logging | ✅ Yes |
| Corporate Systems | Systems accessing production data | ✅ Yes |
| Personnel | Employees and contractors with production access | ✅ Yes |
| Subprocessors | Critical subprocessors (AWS, etc.) | ✅ Per reliance letters |
| Mobile Applications | iOS and Android applications | ✅ Yes |
| Development Environment | Non-production systems | ❌ Excluded |
| Marketing Systems | CRM, marketing automation | ❌ Excluded |

4.2 Trust Services Criteria Coverage

| Trust Services Category | Included | Control Points | Notes |
|---|---|---|---|
| Security (Common Criteria) | ✅ Yes | CC1–CC9 | Full common criteria coverage |
| Availability (A) | ✅ Yes | A1 | 99.9% SLA; excludes customer-caused outages |
| Confidentiality (C) | ✅ Yes | C1 | Customer data classification and handling |
| Processing Integrity (PI) | ❌ No | | Not in current scope; planned for FY2027 |
| Privacy (P) | ❌ No | | Covered separately via privacy program |

4.3 SOC 2 Report Availability

| Document | Availability | Access Requirements | Turnaround |
|---|---|---|---|
| SOC 2 Type II Report (Full) | Enterprise customers, qualified prospects | NDA + evaluation agreement | 2 business days |
| SOC 2 Executive Summary | All customers | Customer verification | 1 business day |
| Bridge Letter | Enterprise customers | NDA | 3 business days |
| Management Assertion | Enterprise customers | NDA | 2 business days |
| Description of System | Included in report | Per report access | |
| CUECs Summary | All customers | Customer verification | 1 business day |

4.4 Complementary User Entity Controls (CUECs)

Customers must implement the following controls to achieve the objectives of Acme Cloud's SOC 2 controls:

| CUEC Area | Customer Responsibility | Verification Recommendation |
|---|---|---|
| Access Management | Promptly provision and deprovision user accounts; implement appropriate access reviews | Quarterly access reviews |
| Password/Authentication | Enforce appropriate password policies; implement MFA where available | Annual policy review |
| Endpoint Security | Maintain secure endpoints accessing the service | Endpoint management controls |
| Network Security | Secure networks from which the service is accessed | Network security assessment |
| Security Awareness | Train personnel on secure service use | Annual security training |
| Data Classification | Classify data appropriately before uploading | Data governance program |
| Incident Reporting | Report suspected security incidents promptly | Incident response procedures |
| Configuration Management | Configure service security settings appropriately | Configuration review |
| Integration Security | Secure integrations and API credentials | Integration security review |

5. ISO 27001 Certification Roadmap

5.1 Certification Timeline

| Phase | Milestone | Target Date | Status | Deliverables |
|---|---|---|---|---|
| Phase 1 | Gap assessment | Q4 2025 | ✅ Complete | Gap analysis report, risk treatment plan |
| Phase 2 | ISMS documentation | Q1 2026 | 🔄 In Progress | Policy updates, procedures, records |
| Phase 3 | Control implementation | Q1–Q2 2026 | 🔄 In Progress | Control evidence, operational procedures |
| Phase 4 | Internal audit | Q2 2026 | 📋 Planned | Internal audit report, corrective actions |
| Phase 5 | Management review | Q2 2026 | 📋 Planned | Management review meeting, minutes |
| Phase 6 | Stage 1 audit | Q3 2026 | 📋 Planned | Documentation review, readiness assessment |
| Phase 7 | Stage 2 audit | Q3 2026 | 📋 Planned | Certification audit, certificate |
| Phase 8 | Surveillance audits | Ongoing (annual) | 📋 Future | Continued compliance verification |

5.2 ISMS Scope

The Information Security Management System scope includes:

| In Scope | Description | Rationale |
|---|---|---|
| Production SaaS platform | All customer-facing services and infrastructure | Core business service |
| Development operations | CI/CD, code repositories, development practices | Service delivery pipeline |
| Corporate IT | Systems accessing production or sensitive data | Attack surface reduction |
| Personnel | All employees and contractors | Human element controls |
| Facilities | San Francisco and Dublin offices | Physical security |
| Subprocessors | AWS, critical SaaS vendors | Extended security boundary |

5.3 Statement of Applicability Summary

| Annex A Control Area | Controls | Applicable | Excluded | Exclusion Justification |
|---|---|---|---|---|
| A.5 Organizational controls | 37 | 35 | 2 | A.5.5 (contact with authorities: no specific requirements); A.5.6 (contact with special interest groups: addressed via incident response) |
| A.6 People controls | 8 | 8 | 0 | All applicable |
| A.7 Physical controls | 14 | 12 | 2 | A.7.3 (securing offices): coworking facilities managed by provider; A.7.8 (equipment siting): cloud-only infrastructure |
| A.8 Technological controls | 34 | 33 | 1 | A.8.1 (user endpoint devices): BYOD with MDM required |
| Total | 93 | 88 | 5 | |

Full Statement of Applicability available to Enterprise customers under NDA.


6. Privacy Compliance Program

6.1 GDPR Compliance Implementation

| GDPR Requirement | Article | Implementation | Evidence |
|---|---|---|---|
| Lawful basis | Art. 6 | Documented bases: contract performance, legitimate interest, consent | Processing records, Privacy Policy |
| Transparency | Art. 12–14 | Privacy Policy, collection notices, layered disclosures | Privacy Policy, in-app notices |
| Data subject rights | Art. 15–22 | DSR portal, 30-day fulfillment process | DSR procedures, response templates |
| Data minimization | Art. 5(1)(c) | Collection limited to stated purposes | Data inventory, retention schedules |
| Storage limitation | Art. 5(1)(e) | Defined retention periods, automated deletion | Data Retention Policy |
| Security | Art. 32 | Technical and organizational measures | Security Overview, SOC 2 |
| Breach notification | Art. 33–34 | 72-hour notification process | Incident Response Plan |
| DPO | Art. 37–39 | DPO appointed (not required but implemented) | DPO contact published |
| Processor obligations | Art. 28 | DPA with SCCs, subprocessor management | DPA template |
| International transfers | Art. 44–49 | SCCs, TIAs, supplementary measures | Transfer documentation |
| Records of processing | Art. 30 | Comprehensive processing records | Internal records |
| DPIA | Art. 35 | DPIA process, templates for high-risk processing | DPIA templates (on request) |
| Privacy by design | Art. 25 | Privacy review in product development | Product development procedures |

6.2 International Data Transfer Mechanisms

| Transfer Route | Mechanism | Legal Basis | Supplementary Measures |
|---|---|---|---|
| EEA → US | Standard Contractual Clauses (SCCs) | EU Commission Decision 2021/914 | Encryption, access controls, TIA |
| EEA → UK | UK Addendum to SCCs | UK GDPR | Aligned with EEA measures |
| EEA → Other third countries | SCCs or adequacy decision | Per country assessment | TIA where required |
| UK → US | International Data Transfer Agreement (IDTA) | UK GDPR | Encryption, access controls |

6.3 Transfer Impact Assessment Summary

| Factor | Assessment | Mitigation |
|---|---|---|
| US government access risks | Low — limited intelligence value; B2B SaaS | Encryption at rest, access controls, legal safeguards |
| Legal framework | US lacks comprehensive federal privacy law | Contractual commitments, SOC 2 controls |
| Practical experience | No government data requests to date | Transparency report (annual) |
| Technical measures | Strong encryption, access controls | SOC 2 verified |

Full TIA documentation available to Enterprise customers upon request.


7. HIPAA Compliance Program

7.1 HIPAA Safeguards Implementation

| Safeguard Category | Requirement | Implementation | Verification |
|---|---|---|---|
| Administrative | Security management process | Risk assessments, policies, procedures | Annual risk assessment |
| Administrative | Assigned security responsibility | CISO designated | Organizational chart |
| Administrative | Workforce security | Background checks, access management | HR procedures |
| Administrative | Information access management | Role-based access, minimum necessary | Access reviews |
| Administrative | Security awareness training | Annual HIPAA training | Training records |
| Administrative | Security incident procedures | Incident response plan | Tabletop exercises |
| Administrative | Contingency plan | Business continuity, disaster recovery | DR testing |
| Administrative | Evaluation | Annual program evaluation | Assessment reports |
| Administrative | BAA management | BAA execution, subcontractor agreements | Contract management |
| Physical | Facility access controls | AWS data center controls | SOC 2 reliance |
| Physical | Workstation security | Clean desk, screen lock | Policy enforcement |
| Physical | Device and media controls | Encryption, disposal procedures | Asset management |
| Technical | Access control | Unique user IDs, MFA, auto-logoff | Technical controls |
| Technical | Audit controls | Comprehensive logging | Audit log review |
| Technical | Integrity controls | Checksums, change detection | Integrity monitoring |
| Technical | Transmission security | TLS 1.2+, VPN | Encryption standards |

7.2 PHI Handling Controls

| Control | Description | Enforcement |
|---|---|---|
| PHI Workspace Designation | Customers designate workspaces containing PHI | Admin console setting |
| AI Feature Restrictions | AI features disabled for PHI workspaces by default | Technical enforcement |
| Enhanced Audit Logging | Extended retention, additional log fields for PHI workspaces | Automatic configuration |
| Access Restrictions | Additional access controls for PHI workspaces | Feature enforcement |
| Subprocessor Limitations | Restricted subprocessor usage for PHI | Contractual and technical |

7.3 BAA Availability

| Customer Type | BAA Availability | Process |
|---|---|---|
| Enterprise customers | Standard BAA included | Contract execution |
| Professional customers | BAA available on request | legal@acmecloud.com |
| Self-service customers | Not available | Upgrade required |

8. Security Assessment Program

8.1 Assessment Calendar

| Assessment Type | Frequency | Last Completed | Next Scheduled | Responsible Party |
|---|---|---|---|---|
| External Penetration Test | Annual | September 2025 | September 2026 | Third-party firm (NCC Group) |
| Application Security Assessment | Annual | September 2025 | September 2026 | Combined with pen test |
| Internal Vulnerability Scan | Weekly | Continuous | Continuous | Security Engineering |
| External Vulnerability Scan | Weekly | Continuous | Continuous | Security Engineering |
| Red Team Exercise | Annual | June 2025 | June 2026 | Third-party firm |
| Tabletop Incident Exercise | Semi-annual | November 2025 | May 2026 | Security + Executive team |
| Disaster Recovery Test | Semi-annual | December 2025 | June 2026 | SRE team |
| Business Continuity Test | Annual | November 2025 | November 2026 | Operations |
| SOC 2 External Audit | Annual | September 2025 | September 2026 | Deloitte |
| ISO 27001 Audit | Annual (post-certification) | N/A | Q3 2026 (initial) | TÜV SÜD |
| HIPAA Risk Assessment | Annual | January 2026 | January 2027 | Compliance |
| Vendor Security Assessment | Per risk tier | Continuous | Continuous | Vendor Risk team |

8.2 Penetration Test Program Details

| Element | Specification |
|---|---|
| Scope | Production web applications, APIs, mobile apps, infrastructure |
| Methodology | OWASP Testing Guide, PTES |
| Finding Classification | Critical, High, Medium, Low, Informational |
| Remediation SLAs | Critical: 72 hours; High: 14 days; Medium: 60 days; Low: 90 days |
| Retesting | Critical/High findings retested before closure |
| Report Availability | Executive summary available under NDA |

8.3 FY2025 Security Assessment Results Summary

| Assessment | Findings Summary | Status |
|---|---|---|
| External Penetration Test (Sep 2025) | 0 Critical, 1 High (remediated), 4 Medium (remediated), 8 Low | All remediated |
| Red Team Exercise (Jun 2025) | 2 scenarios tested; initial access achieved in 1 scenario via phishing simulation; escalation prevented | Findings addressed |
| Vulnerability Scanning (Annual) | 847 unique findings identified; 99.2% remediated within SLA | Ongoing |
| Tabletop Exercise (Nov 2025) | Ransomware scenario; identified communication gaps | Process improvements implemented |

9. Questionnaire and Evidence Support

9.1 Standard Questionnaire Response Times

| Questionnaire Type | Typical Turnaround | Pre-Completed Available | Notes |
|---|---|---|---|
| SIG Lite | 3 business days | ✅ Yes | Updated quarterly |
| SIG Core | 5 business days | ✅ Yes | Updated quarterly |
| CAIQ v4 | 3 business days | ✅ Yes | Updated quarterly |
| HECVAT Full | 7 business days | ✅ Yes | Healthcare customers |
| HECVAT Lite | 3 business days | ✅ Yes | Healthcare customers |
| VSA Questionnaire | 5 business days | 🔄 Partial | Updated quarterly |
| Custom RFP Security Section | 10 business days | ➖ N/A | Case-by-case |
| Vendor Risk Platform | Varies | ➖ N/A | Supported: SecurityScorecard, BitSight, RiskRecon, OneTrust |

9.2 Evidence Package Contents

Standard evidence packages provided to qualified customers include:

| Document | Description | Update Frequency | Access |
|---|---|---|---|
| SOC 2 Type II Report | Full auditor's report | Annual | NDA required |
| SOC 2 Bridge Letter | Management assertion for current period | Quarterly | NDA required |
| Penetration Test Executive Summary | High-level findings summary | Annual | NDA required |
| Completed SIG Lite | Pre-filled questionnaire | Quarterly | Customer verification |
| Completed CAIQ | Pre-filled questionnaire | Quarterly | Customer verification |
| Subprocessor List | Current subprocessor inventory | Per change | Public |
| Architecture Overview | High-level system architecture | Semi-annual | NDA required |
| Encryption Standards | Cryptographic standards documentation | Annual | Public |
| Data Flow Diagram | Data processing flows | Semi-annual | NDA required |
| Business Continuity Summary | BC/DR program overview | Annual | NDA required |
| Insurance Certificates | Cyber liability, E&O coverage | Annual | NDA required |

9.3 Evidence Request Process

| Step | Action | Timeline | Responsibility |
|---|---|---|---|
| 1 | Submit request to trust@acmecloud.com | | Customer |
| 2 | Verify customer identity and relationship | 1 business day | Trust team |
| 3 | Execute NDA (if required) | 2–3 business days | Legal |
| 4 | Prepare evidence package | 2 business days | GRC team |
| 5 | Deliver via secure channel | 1 business day | Trust team |
| 6 | Follow-up questions | Per complexity | Trust team |

10. Customer Audit Support

10.1 Audit Support Options

| Support Type | Description | Availability | Cost |
|---|---|---|---|
| Self-Service Evidence | Trust Center documents, pre-completed questionnaires | All customers | Included |
| Standard Evidence Package | SOC 2, pen test summary, policy documents | All customers | Included |
| Control Walkthrough (Remote) | 90-minute call reviewing specific controls | Enterprise customers | Included |
| Extended Q&A Session | Deep-dive on technical controls | Enterprise customers | Included |
| Custom Control Mapping | Mapping to customer's framework (NIST, HITRUST, etc.) | Enterprise customers | Professional services |
| On-Site Audit Support | In-person audit support | By arrangement | Professional services |

10.2 On-Site Audit Requirements

| Requirement | Specification |
|---|---|
| Advance Notice | 30 business days minimum |
| Scope Agreement | Written scope document required |
| Confidentiality | NDA execution required |
| Duration | Maximum 2 days per audit |
| Access Limitations | No access to other customer data; logical separation maintained |
| Findings Handling | Draft findings reviewed before finalization |
| Cost | Professional services rates apply for extensive engagements |

10.3 Framework Mapping Support

| Framework | Mapping Available | Format | Access |
|---|---|---|---|
| SOC 2 TSC | ✅ Complete | Spreadsheet | Standard evidence package |
| ISO 27001 Annex A | ✅ Complete | Spreadsheet | Enterprise customers (NDA) |
| NIST CSF | ✅ Complete | Spreadsheet | Enterprise customers (NDA) |
| NIST 800-53 | 🔄 Partial | Spreadsheet | Enterprise customers (NDA) |
| HITRUST CSF | ✅ Complete | Spreadsheet | Enterprise customers (NDA) |
| CIS Controls v8 | ✅ Complete | Spreadsheet | Enterprise customers (NDA) |
| GDPR Articles | ✅ Complete | Document | DPA appendix |
| PCI DSS | ✅ SAQ A only | Spreadsheet | On request |

11. Regulatory Monitoring and Horizon Scanning

11.1 Current Regulatory Monitoring

| Regulation/Standard | Status | Applicability | Acme Cloud Action |
|---|---|---|---|
| EU AI Act | Enacted; phased effective 2025–2027 | AI features | Risk classification, transparency documentation; see AI Usage Policy |
| US State Privacy Laws | Expanding (19 states enacted as of 2025) | US customers | Unified privacy program; state-specific notices |
| SEC Cyber Disclosure Rules | Effective 2024 | Public company readiness | Incident disclosure procedures prepared |
| DORA | Effective January 2025 | EU financial customers | Gap assessment planned Q2 2026 |
| NIS2 Directive | Transposition ongoing | Essential/important entities | Security measures mapping |
| UK PSTI Act | Effective 2024 | IoT security | N/A — no IoT products |
| Digital Services Act | Effective 2024 | Online platforms | Limited applicability assessment |
| Colorado AI Act | Effective 2026 | AI in Colorado | Impact assessment |
| CPRA Regulations | Ongoing refinement | California residents | Privacy program updates |
| Brazil AI Bill | Pending | AI in Brazil | Monitoring |

11.2 Regulatory Response Process

| Regulation Status | Acme Cloud Response | Timeline |
|---|---|---|
| Proposed/Draft | Legal monitoring, industry engagement | Ongoing |
| Enacted, pre-effective | Gap assessment, remediation planning | 6–12 months before effective date |
| Effective | Full compliance, documentation, customer communication | By effective date |
| Enforcement action (industry) | Lessons learned review | 30 days |
| Material change | Impact assessment, policy updates | 90 days or as required |

12. SOC 2 and ISO 27001 Control Mapping

12.1 SOC 2 Control Categories

| Control Category | SOC 2 Reference | Key Controls | Documentation |
|---|---|---|---|
| Control Environment | CC1 | Governance, integrity, accountability | Corporate Governance, Code of Conduct |
| Communication and Information | CC2 | Internal/external communication | Security awareness, incident notification |
| Risk Assessment | CC3 | Risk identification and management | Risk assessment program |
| Monitoring Activities | CC4 | Ongoing evaluation, deficiency remediation | Continuous monitoring, audit program |
| Control Activities | CC5 | Policies and procedures | Security policies, control documentation |
| Logical and Physical Access | CC6 | Access management, authentication | Access Control Policy |
| System Operations | CC7 | Incident detection and response | Incident Response Plan |
| Change Management | CC8 | Change control processes | Change management procedures |
| Risk Mitigation | CC9 | Vendor management, business continuity | Third-Party Risk, Business Continuity |
| Availability | A1 | System availability and recovery | Business Continuity, SLA |
| Confidentiality | C1 | Data classification and protection | Data classification, encryption |

12.2 ISO 27001:2022 Annex A Overview

| Control Theme | Control Count | Key Focus Areas |
|---|---|---|
| A.5 Organizational | 37 | Policies, roles, asset management, supplier relationships |
| A.6 People | 8 | Screening, awareness, disciplinary, termination |
| A.7 Physical | 14 | Perimeters, entry controls, equipment protection |
| A.8 Technological | 34 | Access control, cryptography, security in development |

12.3 Cross-Framework Control Mapping Example

| Control Area | SOC 2 TSC | ISO 27001 | NIST CSF | CIS Controls |
|---|---|---|---|---|
| Access Control | CC6.1–CC6.3 | A.5.15–A.5.18, A.8.2–A.8.5 | PR.AC | 5, 6 |
| Encryption | CC6.1, CC6.7 | A.8.24 | PR.DS | 3.11 |
| Incident Response | CC7.1–CC7.5 | A.5.24–A.5.28, A.6.8 | RS.RP, RS.CO | 17 |
| Vulnerability Management | CC7.1 | A.8.8 | ID.RA, PR.IP | 7 |
| Change Management | CC8.1 | A.8.32 | PR.IP | 4.1 |
| Business Continuity | A1.1–A1.3 | A.5.29–A.5.30 | PR.IP | 11 |
| Vendor Management | CC9.2 | A.5.19–A.5.23 | ID.SC | 15 |

13. Shared Responsibility Model

13.1 Responsibility Matrix

The matrix assigns each responsibility area to Acme Cloud, the Customer, or both (Shared). The assignment marks did not survive publication on this page; the responsibility areas covered are:

  • Physical Infrastructure
  • Hypervisor and Network
  • Platform Security Controls
  • Application Security
  • Data Encryption (infrastructure)
  • Data Encryption (application)
  • Patch Management (platform)
  • Incident Detection (platform)
  • User Access Management
  • Data Classification
  • Content and Data
  • Endpoint Security (customer)
  • User Security Awareness
  • Integration Security
  • API Credential Management
  • Compliance (platform)
  • Compliance (use of service)
  • Incident Response (platform)
  • Incident Response (data)

13.2 Customer Security Configuration Checklist

| Configuration | Recommendation | Location |
|---|---|---|
| Enable MFA | Required for all users | Admin Console → Security |
| Configure SSO | Recommended for Enterprise | Admin Console → Authentication |
| Review access permissions | Quarterly review recommended | Admin Console → Users |
| Enable audit log export | Recommended for compliance | Admin Console → Compliance |
| Configure session timeout | Per organizational policy | Admin Console → Security |
| Review API permissions | Quarterly review recommended | Admin Console → Integrations |
| Configure IP allowlist | Recommended for sensitive data | Admin Console → Security |
| Enable data export encryption | Recommended | Admin Console → Data |

14. Trust Center Document Index

14.1 Complete Document Catalog

| Document | Primary Framework Mapping | Audience | Update Frequency |
|---|---|---|---|
| Security Overview | SOC 2, ISO 27001 | All | Quarterly |
| Privacy Policy | GDPR, CCPA | All | Annual + material changes |
| Data Processing Agreement | GDPR Art. 28 | All | Annual |
| Subprocessor List | GDPR, SOC 2 | All | Per change |
| Access Control Policy | SOC 2 CC6, ISO A.8 | Security reviewers | Semi-annual |
| Encryption Standards | SOC 2, ISO A.8.24 | Security reviewers | Annual |
| Incident Response Plan | SOC 2 CC7, GDPR Art. 33 | Security reviewers | Annual |
| Business Continuity Plan | SOC 2 A1, ISO A.5.29 | Security reviewers | Annual |
| HIPAA Statement | HIPAA | Healthcare customers | Annual |
| Penetration Testing Program | SOC 2, ISO | Security reviewers | Annual |
| Third-Party Risk Management | SOC 2 CC9, ISO A.5.19 | Vendor risk teams | Semi-annual |
| Vulnerability Disclosure | SOC 2 CC7 | Security researchers | Annual |
| AI Usage Policy | EU AI Act, SOC 2 | All | Quarterly |
| Code of Conduct | SOC 2 CC1 | All | Annual |
| Compliance Frameworks (this page) | All | Procurement, audit | Quarterly |

Related Trust Center documents

Security Overview, Privacy Policy, DPA, HIPAA Statement, Penetration Testing, Third-Party Risk, Incident Response, Business Continuity


Document revision history

| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 1.0 | 2024-06-01 | Legal & Compliance | Initial Trust Center publication |
| 2.0 | 2025-03-15 | GRC Program | SOC 2 Type II alignment refresh; expanded subprocessors |
| 2.5 | 2025-09-01 | Security Engineering | Encryption standards update; ISO 27001 mapping |
| 3.0 | 2026-01-15 | Trust Center Program | Full procurement-grade expansion; 34-document set |

Contact

Acme Cloud, Inc., 1200 Market Street, Suite 400, San Francisco, CA 94103, USA

| Channel | Email | Use case |
|---|---|---|
| Trust & procurement | trust@acmecloud.com | Security questionnaires, trust reviews |
| Security | security@acmecloud.com | Incidents, vulnerabilities, control questions |
| Privacy | privacy@acmecloud.com | DSRs, privacy assessments |
| Legal | legal@acmecloud.com | Contractual, DPA, legal notices |

15. GRC Program Governance

15.1 GRC Organizational Structure

| Role | Responsibilities | Reports To |
|---|---|---|
| VP GRC | Program ownership, Board reporting, regulatory strategy | General Counsel |
| Compliance Manager | Audit coordination, evidence management, questionnaires | VP GRC |
| Privacy Lead | Privacy program, DSRs, DPIAs | VP GRC |
| Risk Analyst | Risk assessments, vendor risk, control testing | Compliance Manager |
| Audit Coordinator | External audit liaison, evidence collection | Compliance Manager |

15.2 GRC Metrics and Reporting

| Metric | Target | FY2025 Actual | Trend |
|---|---|---|---|
| SOC 2 control effectiveness | >95% | 98% | |
| Audit findings (material) | 0 | 0 | |
| Questionnaire response time | <5 days | 3.2 days | |
| Control testing completion | 100% | 100% | |
| Regulatory monitoring coverage | 100% applicable | 100% | |
| Customer audit support satisfaction | >4.5/5 | 4.7/5 | |

15.3 Annual Compliance Calendar

| Month | Activity | Framework |
|---|---|---|
| January | HIPAA risk assessment | HIPAA |
| February | Internal control self-assessment | SOC 2 |
| March | ISO 27001 internal audit | ISO 27001 |
| April | Privacy program review | GDPR, CCPA |
| May | Penetration test | SOC 2, ISO 27001 |
| June | DR test, BC test | SOC 2 A1 |
| July | Mid-year control testing | SOC 2 |
| August | Vendor risk assessment cycle | SOC 2 CC9 |
| September | External pen test, SOC 2 audit end | SOC 2 |
| October | SOC 2 report issuance | SOC 2 |
| November | Tabletop exercise | SOC 2 CC7 |
| December | Annual policy review | All |

This document is updated quarterly. Last updated: January 15, 2026. For the most current information, contact trust@acmecloud.com.
