# SOC2 with Confluence

📝 Capable Approvals for Confluence helps teams build secure, auditable, and controlled approval workflows that support your organization's SOC 2 compliance journey. This article outlines how Capable Approvals supports key trust service criteria and maps specific features to SOC 2 controls.

## ✉️ What Is SOC 2?

**SOC 2 (System and Organization Controls 2)** is a framework developed by the AICPA for managing customer data based on five "Trust Service Criteria":

1. **Security** – the system is protected against unauthorized access
2. **Availability** – the system is available for operation and use
3. **Processing Integrity** – system processing is complete, valid, and authorized
4. **Confidentiality** – information is protected as agreed
5. **Privacy** – personal information is collected, used, retained, and disclosed appropriately

SOC 2 compliance is especially important for SaaS providers and organizations that store or process sensitive customer data.

## ✅ Capable Approvals SOC 2 Alignment Checklist

The table below maps specific SOC 2 controls to capabilities provided by **Capable Approvals** in Confluence:

| **SOC 2 Control Area** | **Requirement** | **How Capable Approvals Helps** |
| --- | --- | --- |
| **Logical Access Controls (CC6.1, CC6.2)** | Restrict system access to authorized users | Capable Approvals respects Confluence permissions, ensuring only approved users can view, initiate, or complete approval workflows. |
| **System Operations (CC7.2)** | Monitor system changes and generate audit evidence | Each approval action is logged with timestamps, user identity, status, and comments, creating a reliable and immutable audit trail. |
| **Change Management (CC8.1)** | Authorize and document system changes | Capable Approvals allows formal sign-off processes to be embedded into documentation pages covering infrastructure changes, SOPs, and policy updates. |
| **Risk Mitigation (CC3.2, CC3.3)** | Document and review risk-related decisions | Teams can use approvals to sign off on risk assessments and treatment plans, capturing full decision context and approver accountability. |
| **Data Integrity and Accuracy (PI1.1)** | Ensure accuracy and completeness of records | Approvals are stored with page content and tracked through version history. Comments and statuses ensure decisions are complete and contextual. |
| **Retention and Availability (A1.2)** | Maintain availability and retrieval of records | Records are embedded directly in Confluence, versioned, and exportable for review or evidence. |
| **Confidentiality (C1.1)** | Protect confidential information from unauthorized access | Access controls and group permissions within Confluence safeguard approval content and visibility. |
| **Audit Logging and Accountability (CC7.2, CC7.3)** | Log actions and ensure traceability | Capable provides immutable audit logs, ensuring every action is traceable to a specific user. |

## 📖 Examples of SOC 2-Relevant Use Cases

* ✏️ **Policy Reviews:** Require approvals from security or legal stakeholders before publishing policies.
* ⚙️ **Change Requests:** Use Capable to manage approvals for infrastructure or software changes.
* 📊 **Risk Assessments:** Ensure sign-off from compliance leads before finalizing risk decisions.
* 🔢 **Access Reviews:** Add approvals for documenting access rights changes or user offboarding.
* 📆 **Scheduled Recertification:** Use recurring approvals and Confluence Calendar to drive review cadences.

## 💡 Best Practices for Using Capable Approvals in a SOC 2 Program

* Configure approval macros in all key documents that require traceability and accountability.
* Train staff to use Capable and Confluence consistently.
* Use Confluence's built-in version history to support document lifecycle management.
* Set Confluence permissions appropriately to restrict access to approval workflows.
* Establish an internal SOP for recurring approvals and documentation reviews.

## 🌐 Summary

Capable Approvals provides a flexible and powerful approval engine inside Confluence, designed to support audit-readiness and operational consistency. While SOC 2 does not require certification of a specific tool, using Capable as part of your documentation and compliance workflows ensures:

* Complete and traceable decision records
* Restricted access and change tracking
* Strong support for risk and change management

When used within a well-governed Confluence instance, Capable Approvals strengthens your SOC 2 control environment.