SOC2 / GDPR
MemorySync’s compliance framework provides automated control tracking, evidence generation, privacy settings, and data subject request handling across SOC 2, GDPR, and ISO 27001. Every control is mapped to specific platform capabilities, so your compliance posture is continuously evaluated — not just checked once a year.
Compliance Overview
Compliance in MemorySync is not a static checklist — it is a live system that tracks your organization’s posture across multiple regulatory frameworks. Each framework has a set of controls, and each control is mapped to a specific platform capability (encryption, access control, audit logging, etc.).
- Per-organization tracking. Each organization has its own compliance posture tracked separately, with visibility into which frameworks are active, how many controls pass, and what needs attention.
- Automated evaluation. Controls are evaluated automatically based on your current configuration. For example, if envelope encryption is enabled and all data is encrypted, the encryption controls are marked as passing.
- Compliance percentage. Each framework shows a compliance percentage calculated from passing controls divided by applicable controls (excluding N/A).
- Audit scheduling. Track your last audit date and next scheduled audit for each framework. Get reminders when audit deadlines approach.
Supported Frameworks
| Framework | Status Tracking | Coverage |
|---|---|---|
| SOC 2 Type II | Full | Trust Services Criteria: CC6.1 (logical access), CC6.6 (encryption), CC6.7 (key management), CC7.2 (monitoring), CC7.3 (incident response). Annual audit tracking with evidence generation. |
| GDPR | Full | Data subject request handling (access, delete, export), right-to-be-forgotten enforcement, data residency controls, consent tracking, data minimization, privacy settings management. |
| ISO 27001 | Full | Annex A controls (2013-edition numbering): A.10.1.1 (cryptographic policy), A.10.1.2 (key management), A.12.4.1 (event logging), A.12.4.2 (log protection), A.18.1.5 (crypto regulation). |
Each framework can have one of four statuses: compliant (all applicable controls pass), in_progress (some controls pass, some fail or pending), not_started (no controls evaluated), or non_compliant (failing controls detected).
Control Mapping
MemorySync maps its platform capabilities to specific regulatory controls. This mapping is used for automated evidence generation and compliance scoring.
| Platform Control | SOC 2 | ISO 27001 | Description |
|---|---|---|---|
| Envelope Encryption | CC6.6 | A.10.1.1, A.18.1.5 | Industry-standard authenticated encryption for all data at rest with per-tenant key isolation. |
| Key Hierarchy | CC6.7 | A.10.1.2 | Layered key hierarchy for defense in depth, with separate keys for data, tenants, and master encryption. |
| Key Rotation | CC6.7 | A.10.1.2 | Automated key rotation with configurable schedule (default: 90 days). |
| Admin MFA | CC6.1 | — | MFA required for administrative operations on encryption keys. |
| Audit Logging | CC7.2 | A.12.4.1 | Comprehensive audit logging for all encryption and access operations. |
| Log Retention | CC7.2 | A.12.4.2 | 7-year retention for security and encryption audit logs. |
| Incident Response | CC7.3 | — | Documented incident response procedures for cryptographic events. |
Each control can be in one of four states: pass, fail, not_applicable, or not_evaluated. Controls are evaluated automatically where possible and manually by compliance officers where human judgment is required.
Privacy & Data Protection
Privacy settings are configured at the organization level and control how MemorySync handles personal data. These settings directly impact GDPR compliance.
| Setting | Default | Description |
|---|---|---|
| data_anonymization | false | When enabled, strips personally identifiable information from memories before storage. Works in conjunction with PII redaction. |
| end_to_end_encryption | true | Enables envelope encryption for all data at rest. Enabled by default for all organizations. Despite the name, this is server-side encryption under the platform's key hierarchy, not client-side end-to-end encryption. |
| auto_retention | false | Automatically delete data after the configured retention period. When disabled, data is retained indefinitely until manual deletion. |
| retention_days | null | Number of days before auto-deletion (only applies when auto_retention is enabled). |
| consent_required | false | Require explicit consent tracking before storing data for each user. Required for GDPR compliance with certain data categories. |
| data_minimization | false | Enable data minimization policies that limit what data is stored to only what is necessary for the stated purpose. |
| data_region | null | Pin data to a specific geographic region (e.g., eu-west-1). Required for GDPR data residency compliance. |
Changes to privacy settings are audit-logged and require the security.manage permission.
Data Subject Requests
MemorySync provides a complete Data Subject Request (DSR) lifecycle management system, covering GDPR Article 15 (access), Article 17 (erasure), and Article 20 (data portability).
| Request Type | Description |
|---|---|
| access | The data subject requests a copy of all personal data you hold about them. MemorySync compiles the data into a downloadable report. |
| delete | The data subject requests erasure of their personal data. MemorySync removes all memories, profile data, and audit references for the subject. |
| export | The data subject requests their data in a portable format (JSON). Similar to access but formatted for machine-readable consumption. |
Each DSR goes through a status lifecycle: pending → in_progress → completed (or failed / rejected).
- SLA tracking. Each request has a configurable SLA deadline (default: 30 days). Overdue requests are flagged and time remaining against each SLA is tracked.
- Assignment. Each DSR can be assigned to a specific team member for processing.
- Signed download URLs. For access and export requests, results are delivered as time-limited, cryptographically signed download URLs that expire automatically.
- Legal basis. Each request can record the legal basis (e.g., “GDPR Art. 17”) and rejection reason if the request is denied.
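The signed download URLs described above bind the URL path and an expiry timestamp to an HMAC so neither can be altered without the signing key. The following is an added illustration of that pattern, not MemorySync's implementation: the signing scheme (HMAC-SHA256 over path and expiry, query parameters named `expires` and `sig`), the function names and the secret key are all assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit


def _signing_input(path: str, expires: int) -> bytes:
    # Bind the signature to the exact path and the expiry so neither can be
    # changed without invalidating the signature.
    return f"{path}\n{expires}".encode()


def sign_download_url(secret: bytes, base: str, path: str, expires: int) -> str:
    """Return base+path with `expires` (Unix seconds) and an HMAC-SHA256 `sig`.

    Assumed format for the example; the real service's URL layout is not documented here.
    """
    sig = hmac.new(secret, _signing_input(path, expires), hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_download_url(secret: bytes, url: str, now: int) -> bool:
    """Accept the URL only if it is unexpired and its signature matches the path and expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # malformed or missing parameters: reject
    if now >= expires:
        return False  # expired links are rejected before any crypto work
    expected = hmac.new(secret, _signing_input(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    # Constructed sample values: a throwaway key, a hypothetical request id and timestamps.
    secret = b"constructed-example-key"
    issued = 1_700_000_000
    url = sign_download_url(secret, "https://dsr.example.test", "/dsr/DSR-123/export.json", issued + 3600)
    print(url)
    print("valid now:", verify_download_url(secret, url, issued))
    print("valid after expiry:", verify_download_url(secret, url, issued + 3601))
```

Because the expiry is part of the signed input, a recipient cannot extend a link by editing `expires`, and because the path is signed, a link issued for one request cannot be rewritten to fetch another subject's export.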
Evidence Generation
MemorySync can generate audit-ready evidence packages on demand. These packages contain the documentation your auditors need to verify compliance controls.
Each evidence package includes:
| Evidence File | Controls Covered | Contents |
|---|---|---|
| Key Inventory | Key hierarchy, rotation | Per-tenant key counts grouped by lifecycle stage, current key versions, oldest and newest key dates. |
| Encryption Coverage | Envelope encryption | Total records, envelope-encrypted count, legacy-encrypted count, plaintext count, compliance status. |
| Audit Log Summary | Audit logging | Event counts by type and by tenant for the audit period. Retention policy compliance. |
| Audit Log Samples | Audit logging | Representative sample of audit events from the period, stratified by event type. |
| Control Attestations | All | Status and evidence availability for each control, with SOC 2 and ISO 27001 mappings. |
| Rotation History | Key rotation | All key rotation events within the audit period: started, completed, by whom. |
Every evidence file has an individual SHA-256 checksum, and the package has a combined checksum for integrity verification. Packages are identified by a unique ID (e.g., EVD-20260509-a1b2c3d4) and can be exported as JSON or CSV.
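An auditor receiving a package should recompute the per-file SHA-256 digests and the combined checksum rather than trusting the values in the manifest. The following is an added example of that verification, not MemorySync's own tooling: the manifest layout, the construction of the combined checksum (SHA-256 over the sorted `name:digest` lines) and the sample evidence files are assumptions made for the example.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def combined_checksum(file_digests: dict) -> str:
    # Assumed construction (the page does not specify it): hash the sorted
    # "name:digest" lines so the package checksum covers file names as well as contents.
    h = hashlib.sha256()
    for name in sorted(file_digests):
        h.update(f"{name}:{file_digests[name]}\n".encode())
    return h.hexdigest()


def build_manifest(package_id: str, files: dict) -> dict:
    """Produce the manifest that ships with a package: per-file digests plus the package checksum."""
    digests = {name: sha256_hex(content) for name, content in files.items()}
    return {"package_id": package_id, "files": digests, "package_checksum": combined_checksum(digests)}


def verify_package(files: dict, manifest: dict) -> list:
    """Return a list of integrity problems (empty when the package is intact).

    Digests are recomputed from the received bytes; nothing in the manifest is trusted.
    """
    problems = []
    listed = manifest["files"]
    actual = {name: sha256_hex(content) for name, content in files.items()}
    for name in sorted(set(listed) | set(actual)):
        if name not in actual:
            problems.append(f"missing file: {name}")
        elif name not in listed:
            problems.append(f"unlisted file: {name}")
        elif actual[name] != listed[name]:
            problems.append(f"checksum mismatch: {name}")
    if combined_checksum(actual) != manifest["package_checksum"]:
        problems.append("package checksum mismatch")
    return problems


# Constructed sample evidence files standing in for the real package contents.
SAMPLE_FILES = {
    "key_inventory.json": json.dumps({"tenant-a": {"active": 3, "retired": 2}}).encode(),
    "encryption_coverage.json": json.dumps({"total": 1200, "envelope": 1200, "plaintext": 0}).encode(),
    "control_attestations.json": json.dumps({"CC6.6": "pass", "CC6.7": "pass"}).encode(),
}
SAMPLE_MANIFEST = build_manifest("EVD-20260509-a1b2c3d4", SAMPLE_FILES)


def tampered_files() -> dict:
    # One file altered after the manifest was produced.
    files = dict(SAMPLE_FILES)
    files["encryption_coverage.json"] = json.dumps({"total": 1200, "envelope": 1100, "plaintext": 100}).encode()
    return files


if __name__ == "__main__":
    print("intact:", verify_package(SAMPLE_FILES, SAMPLE_MANIFEST))
    print("tampered:", verify_package(tampered_files(), SAMPLE_MANIFEST))
```

Checksums detect corruption and casual edits, but anyone who can rewrite an evidence file can usually rewrite the manifest too; when the package's provenance matters, compare the package checksum against a copy obtained out of band, or have the manifest signed.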
Trust Center
The Trust Center lets you publish your compliance posture publicly, giving your customers and prospects confidence in your security practices without sharing sensitive internal details.
- Public URL. Enable a public trust center page at a custom URL slug (e.g., trust.yourcompany.com). Visitors can see your compliance status without authentication.
- Framework visibility. Choose which frameworks to display. For example, show SOC 2 and GDPR publicly but keep ISO 27001 internal-only.
- Control detail toggle. Decide whether to show individual control pass/fail status or just the overall framework percentage.
- Audit dates. Optionally display your last and next scheduled audit dates to demonstrate ongoing commitment to compliance.
- Custom branding. Add a custom heading and description to your trust center page to match your brand voice.
Trust Center configuration is provisioned for Enterprise organizations through your MemorySync account team. Every change to the configuration is recorded in the audit log for traceability.