SOC 2 at the Database Level
SOC 2 Type II audits examine whether your security controls operate effectively over a review period (typically 3-12 months). For database teams, this means maintaining continuous evidence — not cramming before the audit.
Mapping SOC 2 Criteria to pgcomply
CC6.1 — Logical Access Control
Your auditor will ask: "Show me who has access to sensitive data and how you review permissions."
-- Current access matrix with PII risk levels
SELECT * FROM pgcomply.access_map();
-- Start periodic review (Pro)
SELECT pgcomply.start_access_review('Q1-2026');
-- Review and approve/revoke
SELECT pgcomply.review_decide('Q1-2026', 'analyst', 'users', 'approve', 'Read-only, masked view only');
CC8.1 — Change Management
"Show me all database changes and who made them."
SELECT * FROM pgcomply.ddl_history(since := NOW() - INTERVAL '6 months');
Every CREATE, ALTER, and DROP is captured with timestamp, executing role, and affected object.
CC7.2 — System Monitoring
"Show me your continuous monitoring controls."
-- Current health status
SELECT * FROM pgcomply.health_check();
-- Verify audit trail integrity
SELECT pgcomply.verify_audit();
-- Connection security analysis
SELECT * FROM pgcomply.connection_audit();
CC6.6 — Data Protection
"Show me how sensitive data is protected."
Masking and RLS are logical access restrictions, so auditors often file them under CC6.1 as well, and protection of data in transit (the TLS requirement) under CC6.7; confirm the criterion mapping with your auditor before labeling the evidence.
-- Masking rules in effect
SELECT * FROM pgcomply.masking_status();
-- RLS status per table
SELECT * FROM pgcomply.rls_status();
-- Data classification map
SELECT * FROM pgcomply.classification_map();
Continuous Evidence Collection
Schedule automated evidence collection:
SELECT pgcomply.schedule_jobs(install := true);
This creates: weekly health checks, daily retention enforcement, weekly drift detection, and session logging every 15 minutes. Every check is logged in the audit trail, and verify_audit() confirms the trail has not been altered. Because a PostgreSQL superuser can bypass any in-database protection, also ship the audit log off the host (log shipping or a periodic export) so the evidence survives a compromise of the database server itself.
The Audit Day
When the auditor arrives, generate a comprehensive report:
-- Pro: Full compliance report
SELECT pgcomply.compliance_report();
This pulls together access reviews, change history, health check results, masking status, and audit trail verification into a single structured document.
Evidence Collection Automation
SOC 2 auditors want evidence from the review period, not a single snapshot. Automate collection:
-- Install the scheduled evidence-collection jobs (same call as above)
SELECT pgcomply.schedule_jobs(install := true);
Every scheduled execution is logged in the audit trail. After 6 months:
-- Show health check history over the review period
SELECT event_type, created_at,
details->>'pass_count' AS pass,
details->>'warn_count' AS warn,
details->>'fail_count' AS fail
FROM pgcomply.audit_log
WHERE event_type = 'health_check'
AND created_at > NOW() - INTERVAL '6 months'
ORDER BY created_at;
This shows the auditor: "We ran security checks every week for 6 months. Here are the results."
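As an added example (not part of pgcomply or this page), the following query turns the raw health_check rows above into week-by-week coverage evidence for a six-month review period, flagging any week with no logged run and any week whose run recorded failures. It assumes only the columns the page already uses: event_type, created_at, and a JSON details column carrying pass_count, warn_count and fail_count; the weekly cadence matches the health-check schedule installed by schedule_jobs().

```sql
-- Added example (not pgcomply's own code): week-by-week coverage of the
-- scheduled health check over a 6-month review period.
-- Assumptions: pgcomply.audit_log has event_type, created_at and a JSON
-- details column with pass_count / warn_count / fail_count (as shown above).
WITH period AS (
    -- Align the review period to whole weeks so every week has a bucket.
    SELECT date_trunc('week', NOW() - INTERVAL '6 months') AS start_at,
           date_trunc('week', NOW())                        AS end_at
),
weeks AS (
    -- One row per week in the period, whether or not anything was logged.
    SELECT week_start
    FROM period,
         generate_series(start_at, end_at, INTERVAL '1 week') AS week_start
),
runs AS (
    -- Aggregate the logged health checks into the same weekly buckets.
    SELECT date_trunc('week', created_at)                 AS week_start,
           COUNT(*)                                       AS run_count,
           MAX((details->>'fail_count')::int)             AS max_fail,
           bool_and(COALESCE((details->>'fail_count')::int, 0) = 0) AS all_clean
    FROM pgcomply.audit_log
    WHERE event_type = 'health_check'
      AND created_at >= (SELECT start_at FROM period)
    GROUP BY 1
)
SELECT w.week_start::date          AS week,
       COALESCE(r.run_count, 0)    AS run_count,
       r.max_fail,
       CASE
           WHEN r.run_count IS NULL THEN 'GAP: no health check logged'
           WHEN NOT r.all_clean    THEN 'FAILED CHECKS: attach remediation evidence'
           ELSE 'ok'
       END                         AS status
FROM weeks w
LEFT JOIN runs r USING (week_start)
ORDER BY w.week_start;
```

A GAP row is a control exception for the period, not something to quietly drop: record the cause (a maintenance window, a job scheduler outage) and the compensating evidence alongside it, because the auditor's question is whether the control operated throughout the period, and an unexplained gap is what gets written up.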
SOC 2 vs ISO 27001: Database Requirements
Both frameworks require similar database controls, but with different emphasis:
| Control Area | SOC 2 Criterion | ISO 27001:2013 Annex A | pgcomply Function |
|-------------|-----------------|-------------------|-------------------|
| Access control | CC6.1 | A.9.2.3 | access_map(), enable_rls() |
| Change management | CC8.1 | A.12.1.2 | ddl_history() |
| Monitoring | CC7.2 | A.12.4.1 | health_check(), session_tracking() |
| Data classification | — | A.8.2 | classification_map(), auto_classify() |
| Encryption | CC6.6 | A.10.1.1 | health_check() SSL check |
| Audit trail | CC7.2 | A.12.4.1 | verify_audit() |
The Annex A references use the ISO/IEC 27001:2013 numbering; the 2022 revision renumbered and consolidated the controls (A.8.2 Information classification became 5.12, A.12.4.1 Event logging became 8.15), so confirm which edition your certification body is auditing against. If you're pursuing both SOC 2 and ISO 27001, pgcomply covers the database layer for both simultaneously.
Preparing for Audit Day
Two weeks before the audit, generate a comprehensive evidence package:
-- Current state
SELECT * FROM pgcomply.health_check();
SELECT * FROM pgcomply.access_map();
SELECT * FROM pgcomply.classification_map();
SELECT pgcomply.verify_audit();
-- Historical evidence
SELECT * FROM pgcomply.audit_log
WHERE created_at > NOW() - INTERVAL '12 months'
AND event_type IN ('health_check', 'access_review', 'retention_enforced', 'forget_complete')
ORDER BY created_at;
-- Pro: One-command evidence package
SELECT pgcomply.compliance_report('soc2');
Summary
SOC 2 compliance at the database level requires continuous evidence of access control, change management, monitoring, and data protection. pgcomply automates the collection and provides an immutable audit trail that auditors trust. Set up the automation now — not the week before the audit.