Compliance posture

Cinderblock is not SOC2-attested. The demo is a portfolio piece — attestation is engagement-level work, not template-level work.

What the template does provide is the technical surface a SOC2 or GDPR posture needs:

Technical controls already shipped

  • Append-only audit log at the grant level. The restriction is enforced below the application tier, so even a compromised application server can't rewrite history.
  • Doubly-logged impersonation. Every action taken by an admin while impersonating a member is logged with both identities. Privilege escalation is traceable.
  • Role-based access control with policy tests. The hostile fixture asserts cross-tenant isolation under joins, subqueries, aggregates, and UNIONs.
  • MFA enforcement for owners on sensitive actions. TOTP enrolment is the production gate.
  • Retention policies per plan (30d Free / 90d Team / forever Business). Daily pg_cron sweeps.
  • Secret hygiene. Signing keys (invitation HMAC, impersonation JWT) live in Supabase Vault / EC2 .env only; never in committed code.
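
The three database-level controls above (append-only audit log, doubly-logged impersonation, row-level tenant isolation with a hostile check) in one Postgres sketch. This is an added example written for this page, not Cinderblock's own schema or migrations; every table, column and role name (audit_log, impersonator_id, app_user, the app.tenant_id setting) is an assumption chosen for illustration, and the tenant ids are constructed test values.

```sql
-- Added example, not Cinderblock's schema. Every table, role and column
-- name here is an assumption chosen for illustration.

-- 1. The audit table. The impersonator column is what makes admin actions
--    "doubly logged": the acting identity and the real one both land in the row.
create table audit_log (
  id              bigserial   primary key,
  tenant_id       uuid        not null,
  actor_id        uuid        not null,   -- identity the action was taken as
  impersonator_id uuid,                   -- admin behind that identity, if any
  action          text        not null,
  occurred_at     timestamptz not null default now()
);

-- 2. Least privilege for the application connection (hypothetical role
--    app_user): it may add history and read it, never change it.
create role app_user nologin;
grant select, insert on audit_log to app_user;
grant usage on sequence audit_log_id_seq to app_user;

-- 3. Belt and braces: a trigger refuses UPDATE/DELETE regardless of grants,
--    so rewriting history requires table ownership to disable the trigger,
--    which the app role does not have.
create function audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op;
end $$;

create trigger audit_log_no_rewrite
  before update or delete on audit_log
  for each row execute function audit_log_immutable();

-- 4. Tenant isolation at the row level. current_setting('app.tenant_id')
--    stands in for however the deployment derives the tenant (on Supabase
--    that would normally be auth.uid() plus a membership lookup).
alter table audit_log enable row level security;
create policy audit_log_tenant on audit_log for all to app_user
  using      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  with check (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 5. A hostile check in the spirit of the page's fixture. Rows for two
--    tenants are seeded as the table owner (who bypasses RLS); the app role
--    scoped to tenant A must then see none of B's rows even through a join
--    and a UNION, and must be refused an UPDATE of its own rows.
insert into audit_log (tenant_id, actor_id, action) values
  ('0000000a-0000-4000-8000-000000000001', gen_random_uuid(), 'grant.create'),
  ('0000000b-0000-4000-8000-000000000001', gen_random_uuid(), 'grant.create');

do $$
declare
  leaked int;
begin
  perform set_config('app.tenant_id', '0000000a-0000-4000-8000-000000000001', true);
  set local role app_user;

  select count(*) into leaked
  from (
    select a.id from audit_log a join audit_log b on b.id <> a.id
    union all
    select id from audit_log
  ) rows_seen
  join audit_log l on l.id = rows_seen.id
  where l.tenant_id = '0000000b-0000-4000-8000-000000000001';
  assert leaked = 0, format('cross-tenant leak: %s rows', leaked);

  begin
    update audit_log set action = 'tampered';
    assert false, 'UPDATE should have been refused';
  exception when raise_exception then
    null;  -- the append-only trigger fired, as intended
  end;

  reset role;
end $$;
```

One consequence worth stating: because the trigger also refuses DELETE, a per-plan retention sweep that ages out audit rows cannot run as app_user. It has to run as the table owner and disable the trigger inside its own transaction (`alter table audit_log disable trigger audit_log_no_rewrite`, delete, re-enable), which keeps DELETE off the application role entirely rather than handing it a privilege it only needs once a day.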

What an engagement-level deliverable would add

  • DPA review against your customers' contracts (data residency, sub-processor disclosures).
  • SOC2 controls mapping — taking the technical surface above and matching it against the trust services criteria.
  • Penetration test or third-party review of the deployed environment.
  • Backup + disaster-recovery drills with restore-time measurements.

See Disclaimer for how the test suite frames its guarantees, and for the boundary between "structurally correct" and "audited."