Security Glossary

The Startup Guide to Compliance Architecture

Understand the core concepts behind SOC 2 and Continuous Readiness. No fluff, just the technical foundation you need to build trust.

The Compliance Roadmap

Gap Analysis

A SOC 2 gap analysis is the process of comparing your current technical and operational state against the Trust Services Criteria. For most startups, this is where "informal security" becomes "verifiable controls."

The real work in a gap analysis isn't just identifying what's missing; it's understanding the delta between how your engineers work today and what an auditor needs to see. Liance automates this by linking your actual stack to the criteria, showing you exactly where the "gaps" are in your evidence chain before you even book your audit window.

How Liance handles this

  • Translated Criteria: We turn dry SOC 2 language into actionable engineering tasks.

  • Evidence Mapping: Automatically identifying which proof already exists in your IAM or CloudTrail logs.

  • Remediation Path: A prioritized list of fixes that move you closer to audit-readiness.

The Framework Layers

Trust Services Criteria

SOC 2 is built around five Trust Services Criteria (TSC). Every audit starts with Security (the Common Criteria), but the others are optional add-ons depending on your product commitments.

Confusion often arises between "Common Criteria" and "Trust Services Criteria." The Common Criteria *is* the Security TSC. The other four (Availability, Processing Integrity, Confidentiality, and Privacy) are specialized extensions. Liance help you scope these correctly so you don't over-engineer your compliance posture.

How Liance handles this

  • Security (Mandatory): Protects against unauthorized access and system damage.

  • Availability: Proves your system meets uptime commitments and SLA requirements.

  • Processing Integrity: Ensures transactions are complete, accurate, and authorized.

  • Confidentiality & Privacy: Higher-stakes protection for sensitive and personal data.

Signals vs. Screenshots

Evidence Automation

The industry is shifting from "Point-in-Time Screenshots" to "Continuous Signal Collection." Manual evidence collection is brittle; a screenshot only proves a control was active for the split-second it was captured.

Automated evidence collection uses APIs to pull live data from your infrastructure. This creates a "Live Proof Graph" where readiness isn't a state you achieve once a year, but a continuous byproduct of your operations. If a control drifts, the signal breaks, and you're notified immediately.

How Liance handles this

  • Durable Proof: Evidence that never goes stale because it is pulled in real-time.

  • Drift Detection: Hourly monitoring for MFA, public buckets, and over-privileged roles.

  • Audit Confidence: Providing auditors with a consistent history of operations instead of a folder of random images.

Ready to build your proof graph?

Move beyond definitions. Start running a compliance operating system that scales with your growth.