{
  "definition_id": "ckl-soc2-evidence-collection",
  "title": "SOC 2 Evidence Collection Round",
  "version": "1.0.0",
  "source_citation": "AICPA SOC 2 Trust Services Criteria evidence-gathering pattern for a single audit period.",
  "mandate_hash": null,
  "steps": [
    {
      "step_id": "access-review",
      "title": "Pull the quarterly access review",
      "instruction": "Export the access review report and confirm every terminated user was removed within SLA.",
      "evidence_requirement": "file-digest",
      "approver_role": null,
      "gate": "blocking"
    },
    {
      "step_id": "change-mgmt-sample",
      "title": "Sample change management tickets",
      "instruction": "Select a sample of production changes and confirm each has an approval and a linked deployment record.",
      "evidence_requirement": "file-digest",
      "approver_role": null,
      "gate": "blocking"
    },
    {
      "step_id": "vuln-scan",
      "title": "Confirm vulnerability scan cadence",
      "instruction": "Confirm scans ran on schedule for the period and high findings were remediated or risk-accepted.",
      "evidence_requirement": "text",
      "approver_role": "security_lead",
      "gate": "blocking"
    },
    {
      "step_id": "vendor-review",
      "title": "Confirm critical vendor reviews",
      "instruction": "Confirm each critical subprocessor has a current SOC 2 or equivalent report on file.",
      "evidence_requirement": "attestation",
      "approver_role": "security_lead",
      "gate": "advisory"
    },
    {
      "step_id": "package-evidence",
      "title": "Package the evidence bundle",
      "instruction": "Assemble the evidence set for the auditor and record the package hash for the audit trail.",
      "evidence_requirement": "file-digest",
      "approver_role": null,
      "gate": "advisory"
    }
  ],
  "definition_digest": "ff1d4823c28aa8ced262d64017ec9338023cd94cfb38b0c3a191083034aa2a5b",
  "audit_signature": {
    "proof": {
      "type": "DataIntegrityProof",
      "cryptosuite": "eddsa-jcs-2022",
      "verificationMethod": "did:key:z6Mkn8MY23A8pHF5M7HJnqWmPrzoSVV2rSHCsmv7sjodUo9R",
      "proofPurpose": "assertionMethod",
      "created": "2026-07-16T00:00:00.000Z",
      "proofValue": "z3CS8b6FUHFyNxgComTGutfcenKRktGeyNgHR8MYWDYV91t2Twa3JQizkPskmJ62XeV2xRd7N9eAs88EgqHHbwwDc"
    }
  }
}
