Do we have to grant Sprinto code-level access for SOC 2 compliance, and what is the specific need for code-level access?

No. SOC 2 compliance does not require granting Sprinto code-level access to every application.

Sprinto requests the least privilege needed to support the level of automation you want for SOC 2 compliance. The goal is to keep your systems secure while still automating the evidence collection.
Where your source code provider offers fine-grained API permissions that can be restricted to repository metadata (GitHub, for example), Sprinto uses them. In that case no code-level access is needed: the API returns only the metadata required for the compliance checks, and your codebase is never read.

However, if the source code provider does not offer fine-grained access control through its API (Bitbucket, for example), Sprinto offers two approaches that preserve the integrity and security of your systems while still integrating effectively:

  1. Customer Permission with Transparency: If you choose to grant Sprinto the required permissions, Sprinto keeps a fully transparent API log that records every request it makes, so you can monitor and audit exactly how the granted access is used. Note that the log gives you detection and accountability rather than prevention: the token still carries the broader permissions, so reviewing the log is what establishes that code was not accessed.
  2. Limited Scope with Workflow Checks: Alternatively, you can limit the permissions granted to Sprinto. Some parts of the compliance process are then automated, while the parts the reduced scope cannot cover are handled through workflow checks. This hybrid approach keeps tighter control over your systems while still benefiting from Sprinto's automation.

In both scenarios, Sprinto’s approach is designed to minimize risk and ensure that only the minimum necessary access is granted to achieve SOC 2 compliance. By prioritizing security and transparency, Sprinto enables your organization to stay compliant without unnecessary exposure or risk.
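The following is an added example for this FAQ, not Sprinto's code and not taken from this page: a small Python audit that takes a transparent request log of the kind described in the first approach, together with the permissions granted to the vendor's fine-grained GitHub token, works out which permissions the requests actually exercised, and reports grants that were never used (candidates to revoke, such as an unused Contents permission that amounts to code-level access) and requests the grant should not have covered. The log format, the granted permission set, and the endpoint-to-permission mapping are constructed assumptions; check the mapping against GitHub's REST documentation before relying on it.

```python
"""Least-privilege audit of a vendor integration's GitHub API usage.

Added example for this FAQ; not Sprinto's code. The request log format,
the granted permission set and the endpoint-to-permission table below are
constructed assumptions, not data from Sprinto or GitHub.
"""
import re
from dataclasses import dataclass

# Assumed: permissions granted to the vendor's fine-grained token, using
# GitHub's fine-grained PAT permission names (Metadata, Administration,
# Pull requests, Contents) at read or write level.
GRANTED = {
    "metadata": "read",
    "administration": "read",
    "pull_requests": "read",
    "contents": "read",  # code-level access; is it actually needed?
}

# Assumed mapping from REST endpoint to the repository permission it
# exercises (best effort from GitHub's REST docs; verify before relying
# on it). Order matters: more specific routes come first.
ROUTES = [
    (re.compile(r"^/repos/[^/]+/[^/]+/branches/[^/]+/protection$"), "administration"),
    (re.compile(r"^/repos/[^/]+/[^/]+/pulls(/\d+(/reviews)?)?$"), "pull_requests"),
    (re.compile(r"^/repos/[^/]+/[^/]+/(contents|git)(/.*)?$"), "contents"),
    (re.compile(r"^/repos/[^/]+/[^/]+(/branches(/[^/]+)?)?$"), "metadata"),
    (re.compile(r"^/orgs/[^/]+/repos$"), "metadata"),
]

# Constructed sample of a transparent request log: "METHOD path status".
SAMPLE_LOG = """\
GET /orgs/acme/repos 200
GET /repos/acme/api 200
GET /repos/acme/api/branches 200
GET /repos/acme/api/branches/main/protection 200
GET /repos/acme/api/pulls/42/reviews 200
"""

LEVEL = {"read": 1, "write": 2}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    status: int


def parse_log(text):
    """Parse 'METHOD path status' lines into Request records."""
    requests = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, path, status = line.split()
        requests.append(Request(method, path, int(status)))
    return requests


def permission_for(path):
    """Return the permission a path exercises, or None if unmapped."""
    for pattern, permission in ROUTES:
        if pattern.match(path):
            return permission
    return None


def audit(granted, requests):
    """Compare granted permissions with those the requests actually used.

    Returns a dict with:
      used     - permission -> highest level exercised
      excess   - granted but never exercised (candidates to revoke)
      missing  - exercised at a level the grant does not cover
      unknown  - paths the ROUTES table does not classify (review by hand)
    """
    used, unknown = {}, []
    for req in requests:
        permission = permission_for(req.path)
        if permission is None:
            unknown.append(req.path)
            continue
        # Anything other than a read-only method needs write on that permission.
        level = "read" if req.method in ("GET", "HEAD") else "write"
        if LEVEL[level] > LEVEL.get(used.get(permission), 0):
            used[permission] = level
    excess = {p: lvl for p, lvl in granted.items() if p not in used}
    missing = {
        p: lvl for p, lvl in used.items()
        if LEVEL.get(granted.get(p), 0) < LEVEL[lvl]
    }
    return {"used": used, "excess": excess, "missing": missing, "unknown": unknown}


if __name__ == "__main__":
    report = audit(GRANTED, parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key:8} {value}")
```

Run against the constructed log, the report shows that Contents was granted but never exercised, which is the evidence you would want before asking the vendor to drop code-level access and move to the reduced-scope approach. Unmapped paths are listed rather than silently ignored so that a new endpoint cannot slip past the audit.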
