How It Works Pricing Blog Start Free Trial

How do I collect evidence from Vercel and GitHub for SOC 2?

March 6, 20262 min readSOC 2 Evidence Collection

GitHub Evidence

Control	Evidence	Where to Find It
Change management (CC8.1)	Branch protection rules	Settings → Branches → Branch protection rules
Change management (CC8.1)	Sample PRs with reviews	Pull Requests → Closed → Filter by merged
Access controls (CC6.1)	Organization member list with roles	Settings → People → Members
Access controls (CC6.1)	2FA requirement	Settings → Authentication security
Code review	PR review requirements	Branch protection → Require pull request reviews
CI/CD	GitHub Actions workflow files	.github/workflows/ directory
Audit logging	Organization audit log	Settings → Audit log

Vercel Evidence

Control	Evidence	Where to Find It
Deployment controls	Git integration settings	Project Settings → Git
Environment management	Environment variable configuration	Project Settings → Environment Variables
Access controls	Team member list with roles	Team Settings → Members
Deployment history	Production deployment log	Deployments tab with timestamps
Preview deployments	Preview deployment for each PR	Linked automatically from GitHub PRs
Domain configuration	Production domain settings with SSL	Project Settings → Domains

Collecting the Evidence

GitHub (30 minutes)

Screenshot branch protection settings for main branch
Screenshot organization security settings (2FA required)
Screenshot member list showing roles (admin vs. member)
Link to 25 representative PRs showing reviews and CI checks
Screenshot GitHub Actions workflow configuration
Export audit log for the audit period

Vercel (15 minutes)

Screenshot Git integration showing which branch triggers production deploys
Screenshot team members and their roles
Screenshot deployment list showing recent production deploys (linked to GitHub commits)
Screenshot environment variable management (showing they're encrypted, not the values)
Screenshot domain settings showing SSL/TLS configuration

Why This Stack Works Well for SOC 2

The Vercel + GitHub combination creates a natural audit trail. Every production deployment traces back to a GitHub merge, which traces back to a PR with reviews and CI checks. This chain of evidence satisfies CC8.1 without any additional tooling.

Related Questions

SOC 2 Evidence Collection

How do I automate SOC 2 evidence collection?

Automate SOC 2 evidence collection by using tools that connect to your cloud providers and code repositories to pull configuration data, access logs, and control status automatically. GRC platforms handle infrastructure-level evidence. AI tools like Screenata additionally capture application-level evidence that GRC platforms miss.

SOC 2 Evidence Collection

How do I collect evidence from AWS for SOC 2?

Collect AWS SOC 2 evidence by screenshotting IAM policies, security group rules, encryption settings, CloudTrail logs, and S3 bucket configurations. Focus on the services you actually use. Most startups need evidence from IAM, S3, RDS or DynamoDB, CloudWatch, and their VPC security groups.

SOC 2 Evidence Collection

How do I collect MFA evidence for SOC 2?

SOC 2 MFA evidence proves that multi-factor authentication is enforced (not just available) across all critical systems. Capture screenshots of your identity provider showing MFA is required, and show user lists confirming all accounts have MFA active. Cover your SSO provider, cloud accounts, and code repositories.

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

Start Free Trial →