GraphWarden and SOC 2: how the proxy supports your Trust Service Criteria
SOC 2 reports attest how a service organization designs and operates controls against the AICPA's Trust Service Criteria: Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy. For SaaS vendors and cloud service providers integrating with Microsoft 365, the Graph API surface is a frequent source of assessor questions on logical access and data handling. GraphWarden helps address several Trust Service Criteria by centralizing access control to Graph, producing a verifiable audit trail, and keeping Graph credentials inside your own Azure Key Vault. This document maps each criterion to GraphWarden's capabilities, with explicit limits on the parts of SOC 2 that remain your responsibility.
Who this document is for
SOC 2 context
SOC 2 — System and Organization Controls 2 — is an attestation framework maintained by the AICPA (the American Institute of CPAs). A SOC 2 report is issued by a licensed CPA firm, not by the vendor's customers or by a certification body. Two report types exist: Type I attests design of controls at a point in time; Type II attests operating effectiveness over a period, typically 6 to 12 months. The 2017 Trust Services Criteria (updated in 2022) define five categories — Security (also called Common Criteria, CC), Availability (A), Confidentiality (C), Processing Integrity (PI), and Privacy (P). Security is mandatory; the other four are selected based on commitments to customers.
The Common Criteria include CC1 (control environment), CC2 (communication), CC3 (risk assessment), CC4 (monitoring), CC5 (control activities), CC6 (logical and physical access), CC7 (system operations), CC8 (change management), and CC9 (risk mitigation). Additional criteria under A, C, PI, and P address the specific Trust Service categories the service organization commits to. GraphWarden's technical surface maps most directly to CC6 (logical access), C1 (confidentiality), and P1 (privacy), with supporting relevance to A1 (availability) and PI1 (processing integrity).
SOC 2 mapping to GraphWarden capabilities
| Trust Service Criterion | GraphWarden capability | Status | Technical proof |
|---|---|---|---|
| CC6.1 — Logical and Physical Access Controls | Rulesets enforce least-privilege Graph access per App Identity | Aligned | Each ruleset is a documented access-control artifact, auditable by a SOC 2 assessor. |
| A1.1 — Availability | Health endpoints and horizontal scale support | Supported | Proxy exposes a health check and scales horizontally; continuity is your deployment architecture responsibility. |
| C1.1 — Confidentiality | Response Filter transforms and Key Vault zero-knowledge credentials | Aligned | Credentials remain in your Key Vault; response bodies can be filtered per policy. |
| PI1.1 — Processing Integrity | Audit trail of every Graph call | Supported | Every call captured with method, path, status, and identity — verifiable chain of custody. |
| P1.1 — Privacy | Data minimization via Response Filter and limited Graph scope via Ruleset | Aligned | PII exposure reduced at the API layer by declarative field allowlists and endpoint restrictions. |
Concrete scenario
A SaaS vendor pursuing SOC 2 Type II integrates three M365-connected products into its service offering. The auditors ask for evidence of logical access control on data flowing through third-party APIs under CC6.1, and for a chain-of-custody record for Graph responses served to end users under PI1.1. The vendor produces the three App Identity rulesets (one per product) together with a 9-month export of the audit log, correlated by App Identity and correlation-ID. The rulesets document the access-control policy; the audit log demonstrates operating effectiveness over the Type II window.
Hosting and data residency
Hosted tier: the proxy runtime is in Azure Canada Central; the control plane runs in Canada East (OVHCloud). On-premise tier (Windows Service or Docker) inside your own infrastructure: processing remains entirely under your control, which simplifies the subservice-organization analysis. For a SOC 2 Type II attestation, include the applicable tier (Hosted or On-premise) in your complementary subservice-organization controls (CSOC) section — geography itself is not material to the Trust Service Criteria, but documenting the deployment target is. Graph credentials (client secrets, certificates) never leave your Azure Key Vault: GraphWarden holds only their SHA-256 fingerprint to authenticate calls from your applications.
Limits
GraphWarden helps address several Trust Service Criteria but does not cover an entire SOC 2 attestation scope. The following items remain your responsibility.
- GraphWarden does NOT cover controls outside the Graph API surface — HR processes, physical security, vendor management, and change management extend beyond the proxy.
- GraphWarden does NOT provide the 6-12 months of evidence a Type II report requires on its own — GraphWarden supplies the mechanisms; evidence collection, retention, and presentation are your responsibility.
- GraphWarden does NOT carry a SOC 2 attestation — a SOC 2 report is issued by a CPA firm to a specific service organization. Page-level status is
aligned, not a formal attestation. - GraphWarden does NOT cover Incident Response (CC7.x) — the audit log informs incident scoping, but your incident-response process, communications, and post-incident review remain your responsibility.
- GraphWarden does NOT cover Change Management (CC8.1) end-to-end — ruleset changes are version-controlled and auditable, but your broader change-management program (code deployments, infrastructure changes, third-party integrations) extends beyond the proxy.
- GraphWarden does NOT cover Risk Assessment (CC3) or Control Environment (CC1) — these are organizational controls, not technical ones.
Prepare your SOC 2 brief with an AI assistant
Prepare a SOC 2 compliance brief
Prepare a SOC 2 compliance brief covering CC6, A1, C1, PI1, and P1 for my M365-integrated product using GraphWarden.
I need to deliver to my SOC 2 project lead:
1. Which Trust Service Criteria GraphWarden helps meet (criterion-by-criterion mapping)
2. Which criteria remain under my responsibility (out of scope — incident response, change management, risk assessment, control environment)
3. The technical artifacts I can export for the assessor package (YAML rulesets, audit log, App Identity inventory)
Reference documentation: https://graphwarden.com/llms.txt
Ask me:
- Type I or Type II attestation and the planned attestation window
- Which Trust Service Criteria I have committed to beyond Security
- How many Graph-integrated applications are in scope
Reference: llms.txt
Troubleshooting
- My auditor asks for evidence of logical access control (CC6.1) on Graph calls. Export the ruleset YAML and the audit log for the relevant App Identities and period; see Agent API.
- My auditor asks how we enforce confidentiality (C1.1) at the API layer. Walk through a Response Filter on a representative ruleset and show the field-level transform; see Rulesets and Rules.
- The audit log has a gap during a specific hour. Check whether the proxy instance restarted or lost connectivity to the audit endpoint; the
heartbeatcadence helps reconstruct the downtime window — see Agent API. - A complementary subservice organization control question lands on us. The hosting section above captures the CSOC anchor; refer the assessor to your GraphWarden deployment contract for the applicable region.
- The assessor asks for a list of every system integrated to Graph. Export the App Identity inventory from your GraphWarden admin — each App Identity is an explicit entry in scope.
Resources
- For deployment, see On-Premise Windows Installation.
- For app identities, see App Identities.
- For the proxy trust model, see Trust Model.
- Data Processing Agreement (DPA) template — coming in a later phase .
Next steps
For a demo tailored to your SOC 2 deployment, contact the GraphWarden team. Review the use cases to see how other SaaS vendors have mapped rulesets to their Trust Service Criteria documentation. Bring to the session: your attestation type (I or II), your committed Trust Service Criteria, your list of Graph-integrated applications, and the desired audit retention tier (90 days, 1 year, or 7 years).
Last reviewed: