
SOC-2 Quarterly Attestation — 2026 Q2

Quarter: Q2 2026

Target date: 2026-04-01 10:00 UTC

Hard close: 2026-04-06 00:00 UTC

Attested by: (operator email)

Commit date: (UTC timestamp of this commit)

Status: DRAFT — pending operator dry-run on staging

This file is the template established by #1496. Complete each section and commit this file to main within the hard close window. The commit SHA is the dated, signed attestation statement.


Pre-flight


Step 1 — Compliance role assignment (CC6.1)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / CC6.1-role-assignment.png

Notes: (paste query output or describe finding)


Step 2 — Auditor group membership (CC6.2)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / CC6.2-group-membership.txt

Notes: (group is provisioned empty per OQ-3; confirm zero rows)


Step 3 — HMAC chain monthly verification (CC8.1)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / CC8.1-hmac-chain-monthly.png

Notes: (paste audit_integrity_log row or describe failure)


Step 4 — Archiver manifest completeness (A1.2)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / A1.2-archiver-manifest.csv

Notes: (note any missing months or failed runs)


Step 5 — 7-year retention bounds (A1.2)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / A1.2-retention-bounds.png

Notes: (oldest_hot_row date; most recent Glacier job date)


Step 6 — pg_audit external sink (CC7.2)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / CC7.2-pgaudit-sample.txt

Notes: (confirm no gaps > 24 h; list any maintenance windows)


Step 7 — Out-of-window RBAC grant review (CC6.7)

Result: PASS / FAIL / NOT-RUN

Evidence file: Raxx / Compliance / 2026-Q2 / CC6.7-rbac-grants-audit.csv

Notes: (list any findings with linked issue numbers)


Open findings

# | Step | Description | Issue
(none)

Attestation statement

I, (operator name), confirm that the above checks were executed against the Raptor production system (raxx-api-prod) on (UTC date), that all steps marked PASS reflect the system state at the time of collection, and that all findings are documented with linked GitHub issues.

Signed by git commit: (SHA will appear here after commit)