StateAnchor and SOC 2
StateAnchor’s gate engine, exception ledger, and append-only audit trail are designed to map directly to SOC 2 CC8.1 (Change Management) controls. This page explains what auditors ask, how StateAnchor answers, and how to generate a structured evidence package for any audit period.
What auditors ask -- and how StateAnchor answers
“How do you ensure API changes are reviewed before deployment?”
StateAnchor gates every spec change in CI. No spec change merges without passing the gate engine. Breaking changes require an explicit exception with a named approver and documented justification before the PR can merge.
“How are exceptions to your change management process documented?”
The exception ledger records every gate override: who approved it, their written justification, and a hard expiry date. An exception that is not renewed before its expiry date is revoked automatically. The ledger is append-only and cannot be retroactively edited. Every exception also requires a second, independent activation signal -- a code-owner acknowledgment, a consumer test pass, or a manual override -- before it suppresses a gate finding; approval alone silences nothing.
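The rules above are easiest to see as a state machine whose status is derived from append-only events plus the evaluation time, so the gate's answer for any past instant can be reproduced from the ledger alone. The following is an added illustration, not StateAnchor's implementation: the four status names match the compliance export, but the event kinds, signal names, payload keys, the `ttl_days` parameter and the independence rule (a human signal must come from someone other than the approver) are assumptions made for this example, and the timeline in the `__main__` block is constructed.

```python
"""Rule model of a drift-exception ledger (added illustration, not StateAnchor code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from types import MappingProxyType
from typing import Optional

ANERGIC, ACTIVE, EXPIRED, REVOKED = "ANERGIC", "ACTIVE", "EXPIRED", "REVOKED"
SIGNALS = {"code_owner_ack", "consumer_test_pass", "manual_override"}  # assumed names


@dataclass(frozen=True)
class Event:
    exc_id: str
    kind: str                # CREATED | ACTIVATED | RENEWED | REVOKED (assumed kinds)
    at: datetime
    actor: str               # approver, signal provider, or revoker
    payload: MappingProxyType = field(default_factory=lambda: MappingProxyType({}))


class Ledger:
    """Append-only: events are added, never edited or deleted."""

    def __init__(self) -> None:
        self._events: list[Event] = []

    def append(self, ev: Event) -> Event:
        self._events.append(ev)
        return ev

    def events(self, exc_id: str, upto: Optional[datetime] = None) -> list[Event]:
        # Only events at or before `upto` exist from the evaluator's point of view.
        return [e for e in self._events
                if e.exc_id == exc_id and (upto is None or e.at <= upto)]


def create_exception(ledger, exc_id, approver, justification, change_kind, endpoint, at, ttl_days):
    if not approver or not justification.strip():
        raise ValueError("a named approver and a written justification are required")
    payload = MappingProxyType({"justification": justification, "change_kind": change_kind,
                                "endpoint": endpoint, "expires": at + timedelta(days=ttl_days)})
    return ledger.append(Event(exc_id, "CREATED", at, approver, payload))


def status(ledger, exc_id, now):
    """Status as it was at `now`, folded from the events that existed by then."""
    evs = ledger.events(exc_id, upto=now)
    if not evs or evs[0].kind != "CREATED":
        raise KeyError(f"{exc_id} did not exist at {now.isoformat()}")
    expires, active = evs[0].payload["expires"], False
    for e in evs[1:]:
        if e.kind == "REVOKED":
            return REVOKED                      # revocation is terminal
        if e.kind == "ACTIVATED":
            active = True
        elif e.kind == "RENEWED":
            expires = e.payload["expires"]
    if now >= expires:
        return EXPIRED                          # hard expiry: not renewed means not in force
    return ACTIVE if active else ANERGIC


def activate(ledger, exc_id, signal, actor, at):
    """Second signal; rejected unless the exception is ANERGIC and the signal is independent."""
    if signal not in SIGNALS:
        raise ValueError(f"unknown activation signal {signal!r}")
    if status(ledger, exc_id, at) != ANERGIC:
        raise ValueError("only an ANERGIC exception can be activated")
    if signal != "consumer_test_pass" and actor == ledger.events(exc_id)[0].actor:
        raise ValueError("second signal must come from someone other than the approver")
    return ledger.append(Event(exc_id, "ACTIVATED", at, actor, MappingProxyType({"signal": signal})))


def renew(ledger, exc_id, actor, at, ttl_days):
    return ledger.append(Event(exc_id, "RENEWED", at, actor,
                               MappingProxyType({"expires": at + timedelta(days=ttl_days)})))


def revoke(ledger, exc_id, actor, at):
    return ledger.append(Event(exc_id, "REVOKED", at, actor))


def suppresses(ledger, exc_id, change_kind, endpoint, now):
    """Gate-side question: may this exception silence this finding at `now`?"""
    if status(ledger, exc_id, now) != ACTIVE:
        return False
    scope = ledger.events(exc_id)[0].payload
    return scope["change_kind"] == change_kind and scope["endpoint"] == endpoint


if __name__ == "__main__":
    # Constructed timeline: approved by alice, activated by bob, evaluated at several instants.
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    led = Ledger()
    create_exception(led, "exc-1", "alice", "field removed; consumer v2 migrated",
                     "response_field_removed", "GET /v1/users", t0, ttl_days=30)
    activate(led, "exc-1", "code_owner_ack", "bob", t0 + timedelta(hours=2))
    for days in (0, 1, 31):
        when = t0 + timedelta(days=days, hours=1)
        print(days, status(led, "exc-1", when),
              suppresses(led, "exc-1", "response_field_removed", "GET /v1/users", when))
```

Because `status` filters events by timestamp, appending a revocation later never changes what the gate would have answered at an earlier instant, which is the property an auditor reconstructing a past decision relies on.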
“How do you prove your audit trail hasn’t been tampered with?”
Every gate decision is anchored in a tamper-evident audit log (an RFC 6962 Merkle tree). The log root is published to a public GitHub repository on a schedule. Given a decision record and its inclusion proof, any auditor can check them against the published root and confirm that the decision was logged and has not been altered since, without access to StateAnchor. Tamper-evident is the precise term: the log makes alteration detectable after the fact rather than impossible.
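What the auditor-side check looks like, as an added example that is not StateAnchor's code or tooling: the hashing is exactly RFC 6962 section 2.1 (0x00 prefix for leaves, 0x01 for interior nodes) and the verification loop is the RFC 9162 section 2.1.3.2 algorithm, so it applies to any such log, including the root hash the export's Audit Trail Integrity section refers to. It assumes the auditor has the decision record, its leaf index, the tree size the root was published for, and the inclusion proof; the canonical-JSON record encoding and the sample decisions are constructed for illustration.

```python
"""Independent verification of a gate decision against a published RFC 6962 log root.

Added example, not StateAnchor's own code. Record encoding and sample data are assumed.
"""
import hashlib
import hmac
import json


def leaf_hash(data: bytes) -> bytes:
    # RFC 6962: leaves are hashed with a 0x00 domain-separation prefix ...
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    # ... and interior nodes with 0x01, so a leaf can never masquerade as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), as the MTH definition requires.
    k = 1 << (n.bit_length() - 1)
    return k >> 1 if k == n else k


def merkle_root(leaves: list) -> bytes:
    """Merkle Tree Hash over the ordered leaf inputs (what the log publishes)."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path PATH(index, leaves) from RFC 6962 section 2.1.1 (what the log serves)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, leaf_index: int, tree_size: int, proof: list, root: bytes) -> bool:
    """Auditor-side check (RFC 9162 section 2.1.3.2); needs only the proof and the published root."""
    if leaf_index >= tree_size:
        return False
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False                    # more path entries than the tree could have
        if fn & 1 or fn == sn:
            r = node_hash(p, r)             # sibling is on the left
            if not fn & 1:                  # last node at this level: skip levels with no sibling
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)             # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and hmac.compare_digest(r, root)


def canonical(record: dict) -> bytes:
    # Assumed record encoding: canonical JSON (sorted keys, no whitespace).
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample gate decisions (not real StateAnchor data).
DECISIONS = [
    {"run_id": f"run-{i:03d}", "commit": f"{i:040x}", "verdict": v, "blocked": v == "ERR"}
    for i, v in enumerate(["PASS", "INFO", "WARN", "ERR", "PASS", "WARN", "PASS"])
]

if __name__ == "__main__":
    leaves = [canonical(d) for d in DECISIONS]
    root = merkle_root(leaves)                         # the value a log would publish
    proof = inclusion_proof(leaves, 3)                 # the value a log would serve for run-003
    print("genuine record verifies:", verify_inclusion(leaves[3], 3, len(leaves), proof, root))
    tampered = canonical(dict(DECISIONS[3], verdict="PASS", blocked=False))
    print("edited verdict verifies:", verify_inclusion(tampered, 3, len(leaves), proof, root))
```

A published root proves inclusion only together with a proof: an auditor who has just the root hash can confirm nothing about an individual decision, so an evidence package should carry the leaf index, tree size and audit path for each decision being checked, or a link where they can be fetched.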
“Can you produce evidence for an audit?”
Yes. The compliance export generates a structured evidence package covering a specified date range, formatted for SOC 2 audit submission. It includes every gate decision, every exception with approver and justification, and an audit trail integrity statement.
Mapping to SOC 2 controls
| Control | Requirement | How StateAnchor addresses it |
|---|---|---|
| CC8.1 | Change management | Gate engine enforces review before merge -- every spec change is classified ERR / WARN / INFO before the PR can land |
| CC8.1 | Authorization | Exception ledger with named approver + written justification; two independent signals required to activate a deviation |
| CC8.1 | Documentation | Append-only exception ledger and audit log; records are immutable after creation, and the RFC 6962 Merkle-tree log makes any later alteration cryptographically detectable |
| CC8.1 | Monitoring | P11 sparse monitoring detects velocity spikes and accumulating drift; daily cron surfaces anomalies before they become incidents |
| CC8.1 | Change history | Auto-generated API changelog captures every spec change that passed the gate, with developer summary and gate verdict -- a continuous change record for the audit period |
Generating a compliance export
The compliance export is available from the project settings page. It generates a structured evidence package covering the date range you specify.
- Open your project in the StateAnchor dashboard and navigate to Settings.
- Scroll to the SOC 2 Evidence Export section.
- Set the from and to dates for the audit period. The default is the last 90 days.
- Choose the format: JSON for machine-readable output, Markdown for a human-readable document you can share with an auditor or attach to a questionnaire.
- Click Download evidence package. The file downloads immediately.
The export can also be generated programmatically via the API:
```http
GET /api/projects/{projectId}/compliance-export?from=2026-01-01&to=2026-03-31&format=markdown
Authorization: Bearer <your-api-key>
```
What the export includes
A. Change Management Controls (CC8.1)
For each sync run in the audit period: run ID, timestamp, commit SHA, branch, author, gate verdict (ERR / WARN / INFO / PASS), what changed (change kinds with classification), whether the run was blocked and why, and the SHA hashes of the artifacts generated.
B. Exception Authorization Records
For each drift exception: exception ID, creation timestamp, change kind and endpoint, status (ANERGIC / ACTIVE / EXPIRED / REVOKED), approver identity, written justification, activation signal (who provided the second signal and when), expiry date, and whether it was revoked before expiry.
C. Access and Authorization Summary
Project created date, GitHub connection established date, total sync runs in period, blocked runs, exceptions created and resolved, and distinct committers who triggered syncs.
D. Audit Trail Integrity
Tamper-evident audit log root hash for the period and link to the public verification URL. The integrity statement reads: “All gate decisions in this period are included in the public tamper-evident audit log at [URL], independently verifiable without access to StateAnchor.”
The Markdown export downloads as stateanchor-soc2-evidence-{projectId}-{from}-{to}.md.
Current compliance posture
| Item | Status |
|---|---|
| SOC 2 Type I audit | In progress |
| GDPR Data Processing Agreement | Available on request |
| Compliance evidence export | Live |
| Append-only tamper-evident audit log | Live |
| SSO / SAML | Team tier roadmap |
If you have specific compliance requirements -- security questionnaires, vendor assessments, or custom DPAs -- contact micah@stateanchor.dev.