SOC2

Dhamaka provides built-in controls for SOC 2 Trust Services Criteria, specifically addressing the unique challenges of AI deployments for architecture teams. This guide covers how Dhamaka implements C1.2 (Confidential Information Disposal) and P5.1 (Data Retention) controls for your SOC 2 audit.

The Challenge: AI in Architecture Creates New Compliance Complexity

Traditional SOC 2 audits didn't anticipate AI systems that autonomously process, store, and generate technical documentation. When your architecture AI assistants handle design discussions, retrieve specifications, and generate analysis, you face questions your auditor may not have asked before:

  • How do you prove what technical documentation an AI assistant accessed during an architecture review?
  • When a retention policy deletes architecture conversations, how do you document that deletion?
  • If an AI processes confidential system designs, how do you ensure proper disposal?

Dhamaka eliminates that uncertainty by building SOC 2 controls directly into the platform.


Trust Services Criteria Coverage

C1.2: Confidential Information Disposal

"The entity disposes of confidential information to meet the entity's objectives related to confidentiality."

Architecture AI assistants process confidential information across multiple touchpoints: architect queries, design document retrieval, specification analysis, and technical recommendations.

Automated Retention Enforcement

Dhamaka allows you to configure retention policies per organization and project for:

  • Architecture discussions — AI-assisted conversations containing technical designs
  • Audit logs — Records of documentation access
  • Technical documents — Design documents, specifications, and diagrams

Retention cleanup runs automatically. When data reaches its retention limit, it is securely deleted and the deletion is permanently documented for audit evidence.

Disposal Documentation

Every deletion generates a permanent record that your auditor can review to verify:

  • Disposal occurred according to your documented policy
  • No confidential data was retained beyond the defined period
  • The disposal process is consistent and automated

P5.1: Data Retention

"The entity retains personal information consistent with the entity's objectives related to privacy."

Architecture conversations frequently contain sensitive information—system designs, security architectures, and proprietary technical approaches. Dhamaka ensures this data is retained only as long as necessary while meeting enterprise requirements.

Configurable Retention Periods

Set retention at the organization level for baseline policy, then override at the project level for specific requirements. For example:

  • Active projects — Retain through project lifecycle plus archive period
  • Completed projects — 3-year retention post-completion
  • Sensitive systems — Extended retention per compliance requirements

Legal Hold Integration

When a retention policy conflicts with preservation requirements, legal holds take precedence. Data subject to an IP dispute, patent litigation, or regulatory investigation is excluded from automated retention until the hold is released.

Retention Tracking

Each retention cleanup execution is logged, including counts of what was deleted, what was archived, and what was skipped due to legal holds. This provides explicit evidence that legal preservation requirements override automated retention.
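The retention run described in the three sections above (organization baseline with project-level override, legal hold precedence, and a logged cleanup execution with counts) as an added illustration in Python; this is not Dhamaka's own code, and the policy fields, project names, record ids and hold set are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
@dataclass(frozen=True)
class RetentionPolicy:
    retain_days: int    # days a record stays live before it is archived
    archive_days: int   # further days in the archive before it is deleted
@dataclass
class Record:
    rec_id: str
    project: str
    created: date
    archived: bool = False

def run_cleanup(records, org_policy, overrides, legal_holds, today):
    """One cleanup execution: returns (surviving records, execution log).
    A project under legal hold is skipped, so the hold overrides retention."""
    deleted, archived, held, surviving = [], [], [], []
    for rec in records:
        if rec.project in legal_holds:
            held.append(rec.rec_id)
            surviving.append(rec)
            continue
        # A project-level override wins; otherwise the organization baseline applies.
        policy = overrides.get(rec.project, org_policy)
        age = (today - rec.created).days
        if age >= policy.retain_days + policy.archive_days:
            deleted.append(rec.rec_id)        # past the live + archive window
        elif age >= policy.retain_days and not rec.archived:
            rec.archived = True               # past the live window: archive it
            archived.append(rec.rec_id)
            surviving.append(rec)
        else:
            surviving.append(rec)             # still within its retention period
    # The log keeps the counts an auditor asks for and the ids behind them.
    log = {"run_date": today.isoformat(), "deleted": len(deleted),
           "archived": len(archived), "skipped_legal_hold": len(held),
           "deleted_ids": deleted, "archived_ids": archived, "held_ids": held}
    return surviving, log

def sample_run(today=date(2025, 1, 1)):
    # Constructed sample data, not from the page: org baseline of 365 live days
    # plus 90 archive days; the completed project overrides to a 3-year period.
    org = RetentionPolicy(retain_days=365, archive_days=90)
    overrides = {"billing-v1-completed": RetentionPolicy(3 * 365, 0)}
    records = [
        Record("conv-1", "payments-redesign", today - timedelta(days=400)),
        Record("conv-2", "payments-redesign", today - timedelta(days=500)),
        Record("conv-3", "billing-v1-completed", today - timedelta(days=500)),
        Record("conv-4", "patent-dispute-api", today - timedelta(days=2000)),
    ]
    return run_cleanup(records, org, overrides, {"patent-dispute-api"}, today)
```

Running the cleanup a second time over the surviving records re-archives nothing and still reports the held record as skipped, which is the property the audit log is meant to evidence.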


Implementation Checklist

  • Define retention policies aligned with enterprise data governance requirements
  • Configure project-level overrides where sensitivity or compliance requirements differ
  • Document retention periods in your information security policy
  • Establish a process for creating legal holds when preservation is required
  • Schedule regular review of retention history
  • Export deletion records for the audit evidence package