How do I prove feature flag changes for SOC 2 change management?

March 6, 2026 | 2 min read | SOC 2 for Specific Tech Stacks

Why Feature Flags Matter for SOC 2

Feature flags modify application behavior without deploying new code. From a SOC 2 perspective, flipping a flag in production is equivalent to a code change — it alters how the system operates. Your change management policy (CC8.1) should cover flag changes.

Auditors are increasingly aware of feature flags. If they ask "how do changes reach production?" and you only describe your GitHub PR workflow, they'll ask about other change vectors — including feature flags.

Evidence to Provide

| Evidence | Source |
|---|---|
| Flag change audit log | LaunchDarkly audit log, Unleash event log, or custom logging |
| Approval workflow | Screenshots showing approval requirements for production flags |
| Flag inventory | List of active production flags with owners |
| Change history | Sample flag changes showing who, what, when |
| Rollback capability | Evidence that flags can be quickly reverted |

Change Management Controls for Flags

Minimum Controls

  1. Audit logging: Every flag change is logged with timestamp, user, old value, new value
  2. Access control: Not everyone can change production flags — limit to specific roles
  3. Documentation: Significant flag changes have a description or ticket reference

  1. Approval workflow: Production flag changes require peer approval (LaunchDarkly supports this)
  2. Staged rollout: Flags are toggled in staging before production
  3. Review cadence: Stale flags are reviewed and removed quarterly

Platform-Specific Evidence

LaunchDarkly: Export the audit log showing flag changes during the observation period. Screenshot approval workflows and role-based access settings.

Custom flags (database or config file): Treat flag changes like code changes — require a PR for configuration file changes, or log database updates to an audit table.
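For the custom-flag case, the audit table itself can be checked against the controls listed above. The following is an added example, not code from the original article or from any flag platform; it assumes a constructed audit table with the fields named in control 1, an assumed set of permitted roles, and checks each row for access control, ticket reference, second-person approval, and stale flags for the quarterly review.

```python
from datetime import datetime, timedelta

# Roles allowed to change production flags (an assumed policy, not any platform's defaults).
ALLOWED_ROLES = {"release-manager", "platform-admin"}

# Constructed sample rows in the shape a custom flag audit table might hold:
# timestamp, user, role, flag, old value, new value, approver, ticket reference.
EVENTS = [
    {"ts": "2025-10-01T12:00:00Z", "user": "alice", "role": "release-manager", "flag": "legacy-banner",
     "old": True, "new": False, "approver": "bob", "ticket": "CHG-900"},
    {"ts": "2026-02-03T10:15:00Z", "user": "alice", "role": "release-manager", "flag": "new-checkout",
     "old": False, "new": True, "approver": "bob", "ticket": "CHG-1041"},
    {"ts": "2026-02-10T16:40:00Z", "user": "carol", "role": "developer", "flag": "beta-search",
     "old": False, "new": True, "approver": None, "ticket": None},
    {"ts": "2026-02-11T09:05:00Z", "user": "alice", "role": "release-manager", "flag": "beta-search",
     "old": True, "new": False, "approver": "alice", "ticket": "INC-77"},
]

def check_event(ev):
    """Return control failures for one production flag change; an empty list means compliant."""
    findings = []
    for field in ("ts", "user", "flag", "old", "new"):  # control 1: complete audit record
        if ev.get(field) is None:
            findings.append(f"missing {field}")
    if ev.get("role") not in ALLOWED_ROLES:              # control 2: role-restricted access
        findings.append("changed by unauthorized role")
    if not ev.get("ticket"):                             # control 3: ticket or description reference
        findings.append("no ticket reference")
    if not ev.get("approver"):                           # approval workflow: a reviewer is recorded
        findings.append("no approver recorded")
    elif ev["approver"] == ev["user"]:                   # ...and it is a second person
        findings.append("self-approved")
    return findings

def audit_report(events):
    """Map 'timestamp flag' to its findings; clean rows are the sample to hand the auditor."""
    return {f'{ev["ts"]} {ev["flag"]}': check_event(ev) for ev in events}

def stale_flags(events, as_of, max_age_days=90):
    """Flags not touched for max_age_days before as_of (ISO 8601), for the review cadence."""
    cutoff = datetime.fromisoformat(as_of.replace("Z", "+00:00")) - timedelta(days=max_age_days)
    last = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        last[ev["flag"]] = max(last.get(ev["flag"], ts), ts)
    return sorted(flag for flag, ts in last.items() if ts < cutoff)

if __name__ == "__main__":
    print(audit_report(EVENTS), stale_flags(EVENTS, "2026-03-01T00:00:00Z"))
```

Rows with findings are the gaps to close before the audit; rows with none, together with the approver and ticket columns, are the change-history evidence from the table above.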

Common Gap

Feature flag platforms often have weaker access controls than your code repository. While GitHub enforces PR reviews on your repository, LaunchDarkly might let any team member toggle production flags. Address this asymmetry before the audit.

© 2025 Screenata. All rights reserved.