
SOC2 with Confluence

Capable Approvals for Confluence helps teams build secure, auditable, and controlled approval workflows that support your organization's SOC 2 compliance journey. This article outlines how Capable Approvals supports key trust service criteria and maps specific features to SOC 2 controls.

✉️ What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA for evaluating how a service organization protects customer data. An auditor assesses the organization's controls against the five "Trust Services Criteria" below; Security is always in scope, and the other four are included according to the commitments the organization makes to its customers:

  1. Security – the system is protected against unauthorized access

  2. Availability – the system is available for operation and use

  3. Processing Integrity – system processing is complete, valid, and authorized

  4. Confidentiality – information is protected as agreed

  5. Privacy – personal information is collected, used, retained, and disclosed appropriately

SOC 2 compliance is especially important for SaaS providers and organizations that store or process sensitive customer data.

✅ Capable Approvals SOC 2 Alignment Checklist

The table below maps SOC 2 control areas to the Capable Approvals capabilities that support them. The mapping is illustrative: your auditor determines which criteria apply to your report and what evidence satisfies them. Each row lists the control area, the requirement it addresses, and how Capable Approvals helps.

Logical Access Controls (CC6.1, CC6.2)
  Requirement: Restrict system access to authorized users.
  How Capable Approvals helps: Capable Approvals respects Confluence space and page permissions, so a user who cannot access a page cannot view, initiate, or complete its approval workflow.

System Operations (CC7.2)
  Requirement: Monitor system changes and generate audit evidence.
  How Capable Approvals helps: Each approval action is recorded with a timestamp, the acting user's identity, the resulting status, and any comments, producing an audit trail that can be presented as evidence.

Change Management (CC8.1)
  Requirement: Authorize and document system changes.
  How Capable Approvals helps: Formal sign-off is embedded directly in the documentation pages that describe a change, such as infrastructure change records, SOPs, and policy updates, so the authorization is stored alongside what was authorized.

Risk Assessment (CC3.2, CC3.3)
  Requirement: Document and review risk-related decisions.
  How Capable Approvals helps: Teams can require approval on risk assessments and treatment plans, capturing the decision context and the identity of each approver.

Data Integrity and Accuracy (PI1.1)
  Requirement: Ensure accuracy and completeness of records.
  How Capable Approvals helps: Approval state is stored with the page content and tracked through Confluence version history; comments and statuses make each decision complete and contextual.

Retention and Availability (A1.2)
  Requirement: Maintain availability and retrieval of records.
  How Capable Approvals helps: Records are embedded directly in Confluence, versioned, and exportable for review or as audit evidence.

Confidentiality (C1.1)
  Requirement: Protect confidential information from unauthorized access.
  How Capable Approvals helps: Confluence access controls and group permissions govern who can see approval content and its status.

Audit Logging and Accountability (CC7.2, CC7.3)
  Requirement: Log actions and ensure traceability.
  How Capable Approvals helps: Every approval action is attributed to a specific user account, so each decision can be traced back to the person who made it.

A practical caveat: the strength of this evidence rests on the Confluence instance that holds it. Anyone with permission to edit a page, delete it, or remove page versions can change what the trail shows after the fact, so restrict those permissions on approval-bearing pages and keep periodic exports if your auditor requires evidence that cannot be altered.

📖 Examples of SOC 2-Relevant Use Cases

  • ✏️ Policy Reviews: Require approvals from security or legal stakeholders before publishing policies.

  • ⚙️ Change Requests: Use Capable to manage approvals for infrastructure or software changes.

  • 📊 Risk Assessments: Ensure sign-off from compliance leads before finalizing risk decisions.

  • 🔢 Access Reviews: Add approvals for documenting access rights changes or user offboarding.

  • 📆 Scheduled Recertification: Use recurring approvals and Confluence Calendar to drive review cadences.

💡 Best Practices for Using Capable Approvals in a SOC 2 Program

  • Configure approval macros in all key documents that require traceability and accountability.

  • Train staff to use Capable and Confluence consistently.

  • Use Confluence's built-in version history to support document lifecycle management.

  • Restrict Confluence edit and delete permissions on pages that carry approvals, so that recorded decisions and their version history cannot be altered after sign-off.

  • Establish an internal SOP for recurring approvals and documentation reviews.

🌐 Summary

Capable Approvals provides a flexible approval engine inside Confluence, designed to support audit-readiness and operational consistency. SOC 2 is an attestation over your organization's controls, not a certification of any particular tool, so no app makes you compliant on its own; used as part of your documentation and compliance workflows, Capable provides:

  • Complete and traceable decision records

  • Restricted access and change tracking

  • Strong support for risk and change management

When used within a well-governed Confluence instance, Capable Approvals strengthens your SOC 2 control environment.
