Launch
Mar 31, 2026
Trust & Compliance

Control Matrix

Control ownership, evidence, and review cadence mapped for audit and procurement readiness.

Purpose

The Control Matrix is a procurement-oriented inventory of controls: what the control is, who owns it, what evidence is produced, and how often it is reviewed. It is intentionally written to be usable in security reviews without requiring access to internal systems.

How to read this matrix

  • Control ID: stable identifier for reference
  • Domain: Security, Privacy, Operations, AI Governance, etc.
  • Description: what the control does
  • Owner: responsible role or function
  • Evidence: where proof is generated
  • Review cadence: how often the control is reviewed

Domains covered

  • Information Security
  • Identity and Access Management
  • Data Protection and Privacy
  • Secure Development
  • Operational Resilience & Business Continuity
  • Incident Response
  • AI / Agent Governance
  • Vendor and Subprocessor Management

| Control ID | Domain | Control | Evidence | Review |
|---|---|---|---|---|
| IAM-01 | Access | Role-based access control with least privilege and tenant isolation boundaries. | Auth logs; role mappings | Quarterly |
| AUD-01 | Logging | Sensitive and administrative actions generate auditable events with actor, scope, and timestamp. | Audit event stream | Monthly |
| SDLC-01 | SDLC | Changes are reviewed and deployed via controlled releases with rollback capability. | PR history; release notes | Per release |
| IR-01 | Response | Incident runbooks define detection, triage, escalation, and customer communication steps. | Runbooks; templates | Semiannual |
| AI-01 | AI Gov | Agent tool use is constrained by policy-as-code with approval gates for high-impact actions. | Policy versions; run logs | Quarterly |

Evidence availability

Evidence is generated through normal operations and shared selectively under NDA via the Trust Pack process. Raw operational data is not publicly exposed. Where a control is deployment-dependent (e.g., hosting provider encryption at rest), the matrix captures the configuration and responsibility split.

Pilot-stage notice

The Control Matrix reflects the current pilot-stage control posture. Formal external attestations are introduced as part of the transition to General Availability.
