ArchitectureDiagram.ai logoArchitectureDiagram.ai
Back to blog

SOC 2 Architecture Diagrams: Documenting Controls & Trust Service Criteria (2026)

How to create SOC 2 compliance architecture diagrams for SaaS companies. Covers Trust Service Criteria, control mapping, audit logging, access management, and data flow documentation — with AI prompt templates.

R
Ryan·Senior AI Engineer
·

SOC 2 architecture diagrams are among the most scrutinized technical artifacts your company will produce. During a SOC 2 audit, your auditor will compare your diagrams against your actual infrastructure to verify that every control you've claimed — encryption at rest, access logging, network segmentation — is reflected in your architecture and substantiated by evidence. A diagram that contradicts your infrastructure is worse than no diagram at all. This guide explains what SOC 2 auditors look for in architecture documentation, which Trust Service Criteria (TSC) each diagram layer maps to, and how to use AI to generate accurate, audit-ready diagrams quickly.

SOC 2 Trust Service Criteria and what diagrams cover

SOC 2 Type II audits evaluate five Trust Service Criteria. Architecture diagrams are most directly relevant to three of them:

  • Security (CC): The core criterion — every SaaS company pursuing SOC 2 must include it. Diagrams must show logical access controls, network segmentation (VPCs, security groups, WAF), encryption layers, and monitoring infrastructure. Common Controls (CC6, CC7, CC8, CC9) address logical access, system monitoring, change management, and risk mitigation.
  • Availability (A): Diagrams should document redundancy (multi-AZ deployments, read replicas, load balancers), backup schedules, RTO/RPO targets, and auto-scaling configurations. Relevant for any SaaS with uptime SLAs.
  • Confidentiality (C): Data classification tiers must be visible — show which datastores hold confidential data, which encryption keys protect them (KMS key IDs or HSM references), and how data is masked or tokenized before reaching less-trusted services.
  • Processing Integrity (PI): Relevant for financial or transactional systems. Show input validation, idempotency mechanisms, and reconciliation processes.
  • Privacy (P): Required if you process personal data under SOC 2. Show PII data flows, consent management, anonymization steps, and retention/deletion pipelines.

Core architecture diagrams auditors expect

  • System overview / network topology: Shows all environment tiers (production, staging, dev), VPC boundaries, subnet segmentation (public/private), NAT gateways, VPN or Direct Connect links, and the DMZ or WAF layer facing the internet. This is the first diagram auditors request.
  • Data flow diagram (DFD): Traces confidential and PII data from ingestion through processing to storage and egress. Each flow should be labeled with the transport encryption (TLS 1.3), and each datastore should be annotated with encryption-at-rest status and key management.
  • Identity and access management (IAM) diagram: Shows your identity provider (Okta, AWS SSO, Azure AD), MFA enforcement, privilege tiers (least-privilege IAM roles, RBAC groups), and how service accounts authenticate to internal services (IRSA, Workload Identity, Vault agent).
  • Monitoring and incident response flow: Shows your SIEM or log aggregation stack (Datadog, Splunk, CloudTrail → S3), alerting pipelines, on-call routing (PagerDuty), and the incident response runbook trigger points. Auditors check CC7 (system monitoring) against this diagram.
  • Change management pipeline: A CI/CD diagram that shows code review gates, automated security scans (SAST, dependency audit), staging environment promotion, and production deployment approvals. Auditors verify CC8 (change management) with this.
  • Backup and recovery architecture: Shows automated backup schedules, cross-region replication, restore testing cadence, and RTO/RPO annotations for each tier. Maps to Availability criteria.

Prompt examples for SOC 2 architecture diagrams

Network topology with security controls

"SOC 2 network topology for a B2B SaaS on AWS us-east-1. Single VPC (10.0.0.0/16) with three tiers: public subnets (ALB, WAF, NAT gateway), private application subnets (ECS Fargate services: api, workers, scheduler), and isolated data subnets (RDS PostgreSQL Multi-AZ, ElastiCache Redis). No direct internet access from private or data subnets. Route 53 → CloudFront → WAF → ALB → ECS. VPN gateway for admin access (engineers must use AWS Client VPN with MFA). GuardDuty enabled. All subnets have VPC Flow Logs → CloudWatch → S3 (90-day retention). Security groups: each service has its own SG with least-privilege rules. Label each tier with the TSC controls it supports (CC6.6, CC6.7, CC7.2)."

Data flow diagram with encryption annotations

"SOC 2 data flow diagram for a healthcare SaaS. Data sources: browser clients (TLS 1.3), mobile SDK (TLS 1.3 + certificate pinning), webhook payloads from third-party integrations (HMAC-signed). Flow: API layer (Fargate) → validates and authenticates (JWT + Cognito) → writes to RDS (AES-256, KMS CMK key ID: alias/prod-rds-key) → async events published to SQS → worker service processes and writes to S3 (SSE-KMS, alias/prod-s3-key). PII fields (name, email, DOB) are encrypted at the application layer before DB write using a separate KMS key. Audit log of all reads/writes to PII goes to CloudTrail + DynamoDB audit table. Label each datastore with: encryption-at-rest status, key management method, and data classification (Confidential/Internal)."

IAM and access control diagram

"SOC 2 IAM architecture. Identity provider: Okta (SAML 2.0) federated to AWS SSO. Human access tiers: read-only (default for all engineers), read-write-prod (requires manager approval in Jira, auto-expires in 8 hours via AWS SSO permission set), break-glass (requires 2 approvals + records full session in AWS CloudTrail). Service-to-service: ECS tasks use IRSA (IAM Roles for Service Accounts), no static credentials. Secrets stored in AWS Secrets Manager with automatic rotation (30 days for DB credentials). Show Okta → AWS SSO → permission sets → IAM roles → services. Annotate each role with the principle of least-privilege scope. TSC mapping: CC6.1, CC6.2, CC6.3."

CI/CD change management pipeline

"SOC 2 change management pipeline (CC8). Flow: developer pushes to feature branch → GitHub PR created → required 1 peer code review → automated checks: GitHub Actions runs unit tests, Snyk SCA (dependency CVEs), Semgrep SAST, Checkov IaC scan, Trivy container scan. All checks must pass before merge. Merge to main → deploys to staging automatically → integration test suite runs → manual QA sign-off required for prod deploy → production deploy via ArgoCD (GitOps, no direct kubectl access). All prod deployments logged to immutable audit trail in S3. Emergency hotfix path: same pipeline but with async review (within 24 hours post-deploy). Show all approval gates as decision nodes."

SOC 2 vs other compliance frameworks: diagram scope

FrameworkPrimary audienceDiagram focusKey difference
SOC 2 Type IIB2B SaaS customersSecurity controls, access management, monitoringOperational effectiveness over 6–12 months
ISO 27001Enterprise, global customersISMS scope, risk register, asset inventoryCertification-based, broader ISMS scope
PCI DSSPayment processors, e-commerceCDE scope, network segmentation, cardholder data flowCardholder Data Environment scoping is critical
HIPAAHealthcare, health techPHI data flows, BAA coverage, access audit logsPHI-specific, BAA contracts required
GDPREU data controllers/processorsData subject rights flows, DPA chains, data residencyCross-border transfer restrictions are central

Annotation checklist for SOC 2 diagrams

  • TSC control references: Annotate each component or boundary with the specific TSC controls it supports (e.g., “CC6.6 — network segmentation”). Auditors cross-reference diagrams against your control matrix.
  • Encryption status: Every datastore and data-in-transit link should be explicitly labeled — never assume reviewers know it's encrypted. Include key management references (KMS alias, HSM slot).
  • Audit log destinations: Show where audit trails land (CloudTrail → S3, application logs → SIEM) and their retention period. Auditors look for evidence that logs can't be tampered with.
  • Environment boundaries: Clearly delineate production from staging from development. Auditors check that developer access to production is restricted and logged.
  • Third-party integrations: Any vendor or SaaS integration should be shown with its data scope and whether it holds customer data. Auditors check vendor management controls (CC9.2).
  • Diagram version and date: Include a version, owner, and last-reviewed date in the diagram footer. Auditors verify that documentation is kept current.

Related guides: zero-trust architecture, HIPAA-compliant architecture diagrams, fintech architecture diagrams, DevSecOps architecture diagrams, and authentication architecture diagrams.

Ready to try it yourself?

Start Creating - Free