Compliance evidence hub (read-only)
Authoritative documentation lives in the git repository under
specifications/QueryTek Tapestry/10_Compliance/evidence-hub/. This page is a static
pointer for operators; it does not query databases and contains no secrets (P4-008, SPEC-008). Not an
assertion of SOC 2 Type II or ISO certification.
Canonical paths in the Tapestry repo (examples):
- 10_Compliance/evidence-hub/README.md — evidence hub index
- 10_Compliance/control-matrix-tapestry-soc2-iso-draft.md — P4-005 control matrix (draft)
- 10_Compliance/exception-remediation-log.md — operational exceptions
- 10_Compliance/operations/quarterly-compliance-review-tapestry.md — quarterly process
Control to evidence (summary)
Mirrors the v1 mapping in the evidence hub README; refresh from git when rows change.
| Matrix ref | Theme | Primary evidence (repository path) |
|---|---|---|
| SOC-01 / ISO-01 | Traceability, policies | 05_Architecture_Engineering/ADRs/ADR-021 …, 10_Compliance/index.md |
| SOC-02 / ISO-03 | Access, session | 05_…/Specifications/SPEC-003 …, ADR-017 …, tests/ per SPEC-012 |
| SOC-03 / ISO-04–05 | Ops, IR, monitoring | 08_Docs_Playbooks/…/Runbook - Incident Response.md, P4-001–P4-004 evidence docs |
| SOC-04 | Change, CI | ADR-016 …, SPEC-012 …, .github/workflows/, scripts/checks/ |
| SOC-A1 | Availability | SPEC-016 …, P4-001 QA results |
| SOC-C1 / ISO-02 | Confidentiality, observability | ADR-008 …, SPEC-008 …, P4-002 monitoring narrative |
Access posture
Same network and exposure assumptions as the rest of /console/*. For production, use private
ingress; see 10_Compliance/evidence-hub/security-and-access-p4-008.md in the repository.