Trust · SOC 2 Engagement Scope

What we are auditing, when, and who is doing it.

A SOC 2 attestation takes 6–12 months from engagement to Type II report. This page documents the scope, the Trust Services Criteria, the timeline, and the controls we expect the audit to observe — so any reviewer can form their own view on whether the scope matches their risk model.

Services in scope

Knox BaaS anchoring primitive

Endpoint / surface: /api/knox/anchor, /api/knox/public-anchor, /api/knox/verify, /api/knox/health

Primary service under audit. Covers all production anchoring traffic, all verification traffic, the hourly Merkle aggregation cron, and the OpenTimestamps submission flow.

Core Event Store

Endpoint / surface: internal (replayAndVerify / emitSoft)

Parallel hash-chained event log that mirrors every Knox anchor. In scope because the two chains form a mutual attestation (CC7 integrity control).

Knox verification agents

Endpoint / surface: /api/knox/verify-document, /api/knox/anchor-bilateral, /api/knox/pledge, /api/knox/monitor, /api/knox/transfer, /api/knox/agents/collusion

Six verification agents + Knox Agent #7 collusion detection. In scope for Security, Availability, Confidentiality criteria.

KQL read-only console

Endpoint / surface: /bonis/kql, /api/core/kql

In scope for Confidentiality (metadata-only exposure) and Processing Integrity (typed AST, parameterized Prisma).

Multi-chain anchor routing

Endpoint / surface: /api/knox/multi-chain

In scope for Availability (three independent attestation surfaces).

Build-anchor pipeline

Endpoint / surface: scripts/anchor-build.sh + deploy.sh integration

Every Cloud Run deploy hash-chained into Knox (Phase 7). In scope for Processing Integrity and Change Management.

Trust Services Criteria in scope

Security (Common Criteria)

IN SCOPE

All CC1–CC9 controls. This is the baseline SOC 2 criterion and is non-optional.

Availability

IN SCOPE

Targeted at the ≥ 99.9% operational availability commitment. Covers hourly crons, load balancer health, Cloud SQL failover, multi-chain redundancy.

Processing Integrity

IN SCOPE

Direct fit for Bonis — the product IS processing integrity of event records. TLA+ model-checked specs provide external verification artifacts auditors can independently review.

Confidentiality

IN SCOPE

Covers the 'only hashes leave the tenant' property for public-anchor flows, plus API key handling and Cloud SQL private-IP posture.

Privacy

OUT OF SCOPE (Q2 2026)

The Privacy criterion applies where the service processes personal information. The Bonis Knox primitive processes hashes + opaque IDs, not personal information. In-scope privacy analysis is deferred until the TerraVault / HealthAgent consumer flows graduate to SOC 2 coverage in a later cycle.

Timeline

Engagement + readiness review

2026-04 → 2026-05

CPA firm engagement, gap assessment, policy/procedure review against Trust Services Criteria.

Remediation sprint

2026-05 → 2026-06

Close any gaps identified. Policy documentation, evidence-collection automation, access-review cadence.

Type I attestation (point-in-time)

2026-06

Initial Type I attestation — design of controls at a single point in time.

Type II observation window

2026-06 → 2026-12

Six-month observation window during which the CPA samples evidence of control operation.

Type II attestation issued

2026-Q1 (of the following year)

Formal Type II report. Shareable under NDA with enterprise customers and federal reviewers.

Controls already in place today

The following controls are already operational at the time of engagement. The audit will sample evidence of operation over the Type II observation window.

  • CC1 Control Environment: In place
  • CC2 Communication & Information: In place (public trust + status + changelog pages)
  • CC3 Risk Assessment: In place (Evidence Ledger + Artemis Doctrine)
  • CC4 Monitoring Activities: In place (Knox Agent #5 Continuous Monitoring)
  • CC5 Control Activities: In place
  • CC6 Logical & Physical Access: In place (MFA + private Cloud SQL + Secret Manager)
  • CC7 System Operations: In place (cronjobs monitored; Cloud Run default SRE)
  • CC8 Change Management: In place (build-anchor Phase 7 — every deploy hash-chained)
  • CC9 Risk Mitigation: Insurance carrier binding pending (Q2 2026)
  • A1 Availability: In place (99.9%+ measured)
  • PI1 Processing Integrity: In place (TLA+ specs + event-store mutual attestation)
  • C1 Confidentiality: In place (hash-only anchoring + private IP + Secret Manager)

What this page is NOT

  • This is not a SOC 2 attestation. No Type I or Type II report has been issued.
  • This is not a FedRAMP authorization, an ATO, a FISMA attestation, or a CMMC certification.
  • This is not a HIPAA BAA — a BAA template is drafted and ready for counsel execution per engagement.
  • This is a binding public commitment: the scope above is the scope the auditor will actually observe. If it narrows in response to engagement realities, this page will be updated with an explicit change note.

Questions on scope — including requests to expand criteria (e.g., add Privacy for enterprise healthcare deployments): Jonis Fields, Bonis Systems LLC · jonisfields@gmail.com · +1 (210) 452-3767.