SOC2 Compliance
This guide outlines how the PaiTIENT Secure Model Service helps you meet SOC2 compliance requirements when deploying and using AI models.
SOC2 Overview
System and Organization Controls 2 (SOC2) is a framework developed by the American Institute of CPAs (AICPA) that defines criteria for managing customer data based on five "trust service principles": security, availability, processing integrity, confidentiality, and privacy.
The PaiTIENT Secure Model Service is designed to help organizations maintain SOC2 compliance across all five trust principles.
SOC2 Trust Principles
The PaiTIENT platform addresses all five SOC2 trust principles:
1. Security
Protection of system resources against unauthorized access.
| SOC2 Requirement | PaiTIENT Implementation |
|---|---|
| Access Controls | Role-based access control (RBAC) with least privilege |
| Authentication | Multi-factor authentication, strong password policies |
| Network Security | VPC isolation, security groups, network policies |
| Vulnerability Management | Regular security scans, patch management |
| Incident Response | Monitoring, alerting, and response procedures |
2. Availability
System availability for operation and use as committed or agreed.
| SOC2 Requirement | PaiTIENT Implementation |
|---|---|
| Redundancy | Multi-AZ deployments, auto-scaling |
| Disaster Recovery | Cross-region replication, backup procedures |
| Performance Monitoring | Real-time metrics, SLA monitoring |
| Capacity Management | Auto-scaling, resource optimization |
| Incident Management | Automated failover, alert procedures |
3. Processing Integrity
System processing is complete, valid, accurate, timely, and authorized.
| SOC2 Requirement | PaiTIENT Implementation |
|---|---|
| Input Validation | Request validation, input sanitization |
| Error Handling | Comprehensive error handling and reporting |
| Quality Assurance | Model validation, automated testing |
| Monitoring | Performance monitoring, accuracy tracking |
| Transaction Integrity | Audit trails, request validation |
4. Confidentiality
Information designated as confidential is protected as committed or agreed.
| SOC2 Requirement | PaiTIENT Implementation |
|---|---|
| Data Encryption | Hybrid encryption for models and data |
| Access Controls | Strict permission models for confidential data |
| Data Classification | Automatic detection of sensitive information |
| Secure Disposal | Secure data deletion procedures |
| Vendor Management | Sub-processor security assessment |
5. Privacy
Personal information is collected, used, retained, and disclosed in conformity with commitments.
| SOC2 Requirement | PaiTIENT Implementation |
|---|---|
| Privacy Notice | Clear policies on data usage |
| Choice and Consent | Opt-in mechanisms for data collection |
| Collection Limitation | Data minimization practices |
| Use Limitation | Purpose-specific data processing |
| Retention | Configurable data retention policies |
SOC2-Compliant Deployment
Core Security Features
The PaiTIENT platform includes these SOC2-specific security features:
- Infrastructure Security: Secure cloud infrastructure with defense-in-depth
- Data Protection: End-to-end encryption for sensitive data
- Access Management: Comprehensive identity and access management
- Monitoring and Logging: Extensive audit logging and monitoring
- Vendor Management: Rigorous security assessment of sub-processors
- Risk Management: Continuous risk assessment and mitigation
Enabling SOC2 Mode
Enable SOC2 compliance mode to activate all required security controls:
python
# Python example
from paitient_secure_model import Client
from paitient_secure_model.security import SecuritySettings, ComplianceSettings
client = Client(
security_settings=SecuritySettings(
compliance=ComplianceSettings(
soc2=True, # Enable SOC2 mode
audit_logging=True,
log_retention_days=365, # 1 year retention
confidentiality_controls=True
)
)
)
# Create a SOC2-compliant deployment
deployment = client.create_deployment(
model_name="ZimaBlueAI/HuatuoGPT-o1-8B",
deployment_name="soc2-compliant-assistant",
compute_type="gpu",
instance_type="g4dn.xlarge",
security_settings=SecuritySettings(
network_isolation=True,
encryption_level="maximum"
),
vpc_config={
"subnet_ids": ["subnet-abc123", "subnet-def456"],
"security_group_ids": ["sg-123456"]
},
tags={
"compliance": "soc2",
"data-sensitivity": "confidential"
}
)javascript
// Node.js example
const { PaiTIENTClient } = require('paitient-secure-model');
const { SecuritySettings, ComplianceSettings } = require('paitient-secure-model/security');
const client = new PaiTIENTClient({
securitySettings: new SecuritySettings({
compliance: new ComplianceSettings({
soc2: true, // Enable SOC2 mode
auditLogging: true,
logRetentionDays: 365, // 1 year retention
confidentialityControls: true
})
})
});
// Create a SOC2-compliant deployment
async function createSoc2Deployment() {
try {
const deployment = await client.createDeployment({
modelName: "ZimaBlueAI/HuatuoGPT-o1-8B",
deploymentName: "soc2-compliant-assistant",
computeType: "gpu",
instanceType: "g4dn.xlarge",
securitySettings: new SecuritySettings({
networkIsolation: true,
encryptionLevel: "maximum"
}),
vpcConfig: {
subnetIds: ["subnet-abc123", "subnet-def456"],
securityGroupIds: ["sg-123456"]
},
tags: {
compliance: "soc2",
"data-sensitivity": "confidential"
}
});
console.log(`SOC2-compliant deployment created: ${deployment.id}`);
} catch (error) {
console.error('Deployment failed:', error);
}
}Confidential Data Protection
Sensitive Data Detection
The platform can automatically detect and protect sensitive information:
python
# Python example
response = client.generate_text(
deployment_id="dep_12345abcde",
prompt="Credit card number 4111-1111-1111-1111 and SSN 123-45-6789.",
security_settings=SecuritySettings(
sensitive_data_detection=True,
sensitive_data_redaction=True
)
)
# The prompt is processed as:
# "Credit card number [REDACTED] and SSN [REDACTED]."Data Classification
Implement proper data classification:
python
# Python example
client = Client(
security_settings=SecuritySettings(
data_classification={
"enabled": True,
"levels": ["public", "internal", "confidential", "restricted"],
"default_level": "confidential",
"handling_rules": {
"restricted": {
"encryption": "maximum",
"access_approval": "required",
"retention_days": 30
}
}
}
)
)
# Generate text with classified data
response = client.generate_text(
deployment_id="dep_12345abcde",
prompt="Analyze the following financial data...",
security_settings=SecuritySettings(
data_classification_level="restricted"
)
)Audit and Compliance Reporting
Comprehensive Audit Logs
SOC2 compliance requires detailed audit logs:
python
# Python example for retrieving audit logs
audit_logs = client.get_audit_logs(
start_time="2023-11-01T00:00:00Z",
end_time="2023-11-30T23:59:59Z",
filter={
"deployment_id": "dep_12345abcde",
"event_type": ["model.inference", "security.access_control"]
}
)
for log in audit_logs:
print(f"Event: {log.event_type}, Time: {log.timestamp}, User: {log.user_id}")Compliance Reports
Generate compliance reports for auditing purposes:
python
# Python example for generating compliance reports
report = client.generate_compliance_report(
report_type="soc2",
time_period="last_30_days",
include_principles=["security", "availability", "confidentiality"],
include_sections=[
"access_control",
"encryption",
"network_security",
"incident_response"
],
output_format="pdf"
)
print(f"Report generated: {report.url}")Risk Management
Risk Assessment
Implement regular risk assessments:
python
# Python example for risk assessment
risk_assessment = client.run_risk_assessment(
assessment_type="soc2",
scope={
"deployments": ["dep_12345abcde"],
"principles": ["security", "availability", "confidentiality"]
}
)
for finding in risk_assessment.findings:
print(f"Risk: {finding.title}")
print(f"Severity: {finding.severity}")
print(f"Recommendation: {finding.recommendation}")Vulnerability Management
Keep your systems secure with vulnerability management:
python
# Python example for vulnerability scanning
scan_result = client.run_security_scan(
deployment_id="dep_12345abcde",
scan_type="vulnerability"
)
for vulnerability in scan_result.vulnerabilities:
print(f"Vulnerability: {vulnerability.cve_id}")
print(f"Severity: {vulnerability.severity}")
print(f"Status: {vulnerability.status}")Access Controls
Role-Based Access Control
Implement proper access controls:
python
# Python example for role-based access control
from paitient_secure_model import Client
from paitient_secure_model.security import SecuritySettings, AccessControlSettings
client = Client(
security_settings=SecuritySettings(
access_control=AccessControlSettings(
require_mfa=True,
session_timeout_minutes=30,
concurrent_sessions_limit=3,
ip_restrictions=["10.0.0.0/8"]
)
)
)
# Create a role with restricted permissions
client.create_role(
name="financial-analyst",
permissions=[
"model:read",
"deployment:read",
"text:generate"
],
resource_pattern="deployment/financial-*"
)
# Assign the role to a user
client.assign_role(
user_id="user_12345",
role_name="financial-analyst"
)Access Reviews
Conduct regular access reviews:
python
# Python example for access review
access_review = client.create_access_review(
name="Quarterly SOC2 Access Review",
reviewers=["user_67890"],
scope={
"roles": ["admin", "operator"],
"resources": ["deployment/*"]
},
deadline_days=14
)
print(f"Access review created: {access_review.id}")Change Management
Controlled Changes
Implement proper change management:
python
# Python example for change management
change_request = client.create_change_request(
title="Update model to latest version",
description="Upgrade from HuatuoGPT-o1-8B to HuatuoGPT-o1-8B-v2",
affected_resources=["deployment/dep_12345abcde"],
risk_assessment="low",
implementation_plan="1. Deploy new model version\n2. Test functionality\n3. Switch traffic",
rollback_plan="Revert to previous model version",
approvers=["user_67890"]
)
print(f"Change request created: {change_request.id}")Vendor Management
Sub-processor Security
Manage vendor security:
python
# Python example for vendor management
vendors = client.list_sub_processors()
for vendor in vendors:
print(f"Vendor: {vendor.name}")
print(f"Service: {vendor.service}")
print(f"Security Assessment: {vendor.security_assessment_date}")
print(f"SOC2 Compliant: {vendor.soc2_compliant}")SOC2 Compliance Checklist
Before using the PaiTIENT platform for sensitive data, ensure you've addressed these key areas:
- [ ] Security: Access controls, network security, vulnerability management
- [ ] Availability: Redundancy, disaster recovery, performance monitoring
- [ ] Processing Integrity: Input validation, quality assurance, monitoring
- [ ] Confidentiality: Data encryption, access controls, secure disposal
- [ ] Privacy: Data minimization, purpose limitation, retention controls
- [ ] Risk Management: Risk assessment, vulnerability management
- [ ] Change Management: Controlled changes, testing, approval
- [ ] Vendor Management: Sub-processor security assessment
- [ ] Training: Staff trained on security requirements
- [ ] Documentation: Policies and procedures documented
Next Steps
- Learn about HIPAA Compliance
- Explore Security Best Practices
- Understand Secure Deployment
- Review our Python SDK and Node.js SDK