SOC 2 Compliance Report

Trust Services Criteria for Enterprise Document Management

v1.0 — February 2026

What is SOC 2?

SOC 2 — AICPA Trust Services Criteria

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how service organizations manage customer data. SOC 2 is a critical security standard, especially for cloud services, SaaS providers and data-processing organizations.

SOC 2 audits are built on five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality and Privacy. These criteria evaluate how organizations protect and manage their information systems.

This report explains how YesPDF supports SOC 2 Trust Services Criteria point by point.

SOC 2 Report Types

SOC 2 Type I

Evaluates the suitability of control design as of a specific date. Answers: "Are controls properly designed?"

SOC 2 Type II

Evaluates both design and operating effectiveness of controls over a period (typically 6-12 months). Answers: "Are controls working as designed?"

Five Trust Services Criteria (TSC)

SOC 2 audits are built on the following five criteria. Security is mandatory; the others are selected based on the organization's needs.

  • Security (Required): Protection of information and systems against unauthorized access, use, modification and destruction. The foundational and mandatory criterion of SOC 2.
  • Availability (Optional): Systems and information are available for operation and use as committed.
  • Processing Integrity (Optional): System processing is complete, accurate, timely and authorized.
  • Confidentiality (Optional): Information designated as confidential is protected against unauthorized disclosure.
  • Privacy (Optional): Personal information is collected, used, retained, disclosed and disposed of in accordance with commitments.

SOC 2 Criteria and YesPDF Solutions

1. Security — Logical and Physical Access Controls (CC6)

The organization implements logical and physical access controls to prevent unauthorized access to information assets.

✅ YesPDF Solution

  • Role-Based Access Control (RBAC): Granular authorization with administrator, editor, viewer and department-based roles.
  • Document-Level Permissions: Read, edit, download and print permissions can be defined separately for each document.
  • LDAP/Active Directory Integration: Centralized access management through integration with the organization's existing authentication infrastructure.
  • IP Restriction: Document access can be restricted to the corporate network or specified IP ranges.
  • Automatic Session Timeout: Inactive sessions are automatically terminated after a configured period.
  • On-Premise Architecture: Physical access control is managed at the organization's own facilities — no dependency on third-party data centers.

2. Security — Monitoring and Auditing (CC7)

The organization implements monitoring and auditing mechanisms to detect and respond to security events.

✅ YesPDF Solution

  • Comprehensive Audit Log: Every document access, edit, download, print and sharing operation is automatically recorded.
  • Immutable Records: Audit logs cannot be modified or deleted — providing reliable evidence for SOC 2 audits.
  • Detailed Tracking: User ID, timestamp, document name, operation type, IP address and device information — all details are recorded.
  • Activity Reports: Access reports can be generated by user, document or time period.
  • Security Event Detection: Abnormal access patterns and suspicious activities can be detected through reports.

3. Security — Change Management (CC8)

The organization implements controls to manage changes to infrastructure, data, software and procedures.

✅ YesPDF Solution

  • Version Control: Document changes are tracked with version history — who made each change and when is recorded.
  • Configuration Management: System settings can only be modified by users with administrator roles.
  • Update Controls: YesPDF updates are tested in a controlled environment before deployment.
  • Rollback: Previous document versions can be restored at the document level.

4. Availability (A1)

The organization implements controls to ensure systems and information are available as committed.

✅ YesPDF Solution

  • Load Balancer Support: High availability through load balancers such as F5 BIG-IP and Citrix NetScaler.
  • Backup and Recovery: Automated backup plans prevent data loss and enable rapid recovery.
  • Performance Monitoring: System resources and response times are monitored to detect performance issues early.
  • Business Continuity: On-premise architecture ensures local network access continues even during internet outages.

5. Processing Integrity (PI1)

The organization ensures that system processing is complete, accurate, timely and authorized.

✅ YesPDF Solution

  • Job Queue Management: PDF conversion, OCR and other operations are managed through a queue system — no job is lost.
  • Job Status Tracking: Every job's status (pending, processing, completed, failed) can be monitored in real-time.
  • Automatic Retry: Failed operations are retried with configurable retry policies.
  • Digital Signatures: Document integrity can be verified through digital signatures.

6. Confidentiality (C1)

The organization ensures that information designated as confidential is protected against unauthorized access and disclosure.

✅ YesPDF Solution

  • AES-256 Encryption: All documents are encrypted with AES-256 both in transit and at rest.
  • Permanent Redaction: Confidential information can be irreversibly removed from documents.
  • PDF Encryption: Individual PDF files can be password-protected with permission restrictions.
  • Secure Deletion: Confidential documents past their retention period are securely destroyed with deletion records maintained.
  • Classification: Documents can be categorized by confidentiality level (Public, Internal, Confidential, Highly Confidential).

7. Privacy (P1)

The organization implements controls for the collection, use, retention, disclosure and disposal of personal information as stated in the privacy notice.

✅ YesPDF Solution

  • Data Minimization: YesPDF collects only personal data necessary for document management.
  • On-Premise Data Control: Personal data never leaves institutional infrastructure — not sent to third-party servers.
  • Retention Policies: Automatic retention periods can be defined for documents containing personal data.
  • Access Rights: Users can only access personal data they are authorized for.
  • Batch Redaction: Personal data can be redacted from documents in bulk for GDPR/KVKK compliance requests.

SOC 2 Common Criteria

SOC 2 is based on the COSO (Committee of Sponsoring Organizations) internal control framework. Common criteria apply to all Trust Services Criteria:

Control Environment (CC1)
Demonstrates the organization's commitment to security and ethical values.
YesPDF's role-based structure and centralized admin panel support establishing the control environment.

Communication and Information (CC2)
Ensures effective communication of security policies and procedures.
Audit logs and reporting features facilitate sharing of security information.

Risk Assessment (CC3)
Identifies and assesses risks to the organization's objectives.
Access reports and activity logs support risk assessment processes.

Monitoring Activities (CC4)
Ensures ongoing monitoring of internal control effectiveness.
Comprehensive audit logging and reporting form the foundation of monitoring activities.

Control Activities (CC5)
Implements policies and procedures to mitigate risks.
RBAC, encryption, redaction and retention policies are direct control activities.

Vendor Assessment and SOC 2

Enterprise customers frequently require SOC 2 compliance in vendor assessment processes. YesPDF's on-premise architecture provides significant advantages in these evaluations:

  • No third-party data processing risk since data never leaves the organization
  • SOC 2 audit scope covers the organization's own controls rather than a provider's
  • Subservice organization dependency is eliminated
  • Naturally integrates into the organization's existing SOC 2 control framework

On-Premise vs. Cloud Comparison

Comparing on-premise and cloud solutions for SOC 2 compliance:

Criteria                     | YesPDF (On-Premise)                 | Cloud PDF Tools
-----------------------------|-------------------------------------|------------------------------------
Data Location                | Organization's own server           | Third-party data center
Control Scope                | 100% under organization control     | Shared responsibility model
Audit Ease                   | All logs local — direct access      | Dependent on provider reports
Subservice Organization Risk | None                                | Chain dependency risk
Physical Security            | Under organization facility control | Under provider data center control
Configuration Control        | Full customization                  | Limited configuration options
Incident Response            | Direct intervention capability      | Provider coordination required

SOC 2 Compliance Checklist

To support SOC 2 criteria with YesPDF:

  1. Define access policies: Configure RBAC roles and permissions to enforce the least privilege principle.
  2. Enable audit logging: Ensure all document access is logged. Regularly share access reports with auditors.
  3. Verify encryption: Confirm AES-256 encryption is active and all documents are stored encrypted.
  4. Implement change management: Verify that system configuration changes are logged and go through an approval process.
  5. Test backup plan: Verify that regular backups are taken and recovery procedures work correctly.
  6. Configure retention policies: Define retention periods by document type and enable automatic alerts.
  7. Create incident response plan: Define steps for security incidents, assign responsibilities and test the plan.
  8. Train staff: Educate relevant staff on security awareness and YesPDF usage.
  9. Perform periodic risk assessment: Regularly assess risks in document management processes and update controls.
  10. Prepare for audit: Prepare access reports, configuration records and policy documents for SOC 2 auditors.

Summary

YesPDF supports organizations in meeting SOC 2 Trust Services Criteria through its on-premise architecture, comprehensive access controls, immutable audit logs, AES-256 encryption, permanent redaction, version control and flexible retention policies. The on-premise architecture ensures data control remains entirely with the organization, eliminates third-party dependencies and simplifies SOC 2 audit scope.

Technical Support

For questions about SOC 2 compliance and YesPDF configuration: