How does Screenata write SOC 2 policies from my codebase?

March 6, 2026 | 2 min read | SOC 2 Tools and Platforms

How Does Codebase-Aware Policy Generation Work?

Traditional SOC 2 policies are written from templates. A consultant interviews your team, learns about your systems, then customizes generic documents. The result often has gaps because consultants learn through conversation — they can miss implementation details, edge cases, or recent changes.

Screenata takes a different approach. It reads your source code and cloud configuration directly, building a technical understanding of how your systems actually work. Then it writes policies that reference those specific systems.

What Screenata Analyzes

System Area     | What It Reads                          | Policy It Generates
Authentication  | NextAuth, Auth0, Clerk configs         | Access control policy with your actual auth provider
Deployment      | Vercel, AWS, GitHub Actions configs    | Change management policy with your CI/CD pipeline
Data storage    | Database schemas, encryption settings  | Data protection policy with your actual storage setup
Access controls | IAM policies, RBAC implementations     | Logical access policy with your permission model
Monitoring      | Logging configs, alerting rules        | Incident response plan with your actual tools

Why This Matters for Audits

SOC 2 auditors test whether your controls operate as your policies describe, and for a Type II report they test that across the whole review period. If your policy says "all code changes require pull request approval" but your GitHub repo allows direct pushes to main, that's a finding: an exception the auditor records against the control. When policies are generated from your actual codebase, they describe what you actually do, not what a template assumed you do. The reverse also holds: a generated policy that faithfully documents a weak setting does not make the setting acceptable, so the fix for a mismatch is to tighten the configuration, not to soften the sentence.

The Process

  1. Connect: Grant Screenata read access to your GitHub repos and cloud accounts. Keep the grant read-only and limited to the repos and accounts being analyzed.
  2. Analyze: Screenata scans your authentication, deployment, access control, and data handling code.
  3. Generate: Policies are written referencing your specific tools, configurations, and workflows.
  4. Review: You review each policy, make adjustments, and approve.
  5. Evidence: Screenata maps each policy statement to the evidence it can collect automatically.
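What "mapping a policy statement to evidence" looks like in practice, for the pull-request-approval example in the previous section: the statement is reduced to concrete settings, and the branch protection object GitHub's REST API returns for the default branch is checked against them. This is an added example, not Screenata's code. The endpoint and field names are GitHub's; the two sample payloads are constructed for illustration, and the owner, repo and token values are placeholders.

```python
"""Check a GitHub branch-protection payload against a SOC 2 policy statement.

Added example, not Screenata's own code.  Policy statement under test:
"All code changes require pull request approval before merging to main."
Evidence: GET /repos/{owner}/{repo}/branches/{branch}/protection (GitHub
REST API).  A 404 from that endpoint means the branch is unprotected.
"""
import json
import urllib.error
import urllib.request
from typing import Optional

GITHUB_API = "https://api.github.com"

POLICY_STATEMENT = (
    "All code changes require pull request approval before merging to main."
)


def fetch_branch_protection(owner: str, repo: str, branch: str, token: str) -> Optional[dict]:
    """Return the branch protection object, or None when the branch is unprotected."""
    url = f"{GITHUB_API}/repos/{owner}/{repo}/branches/{branch}/protection"
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"Bearer {token}",  # a read-only, repo-scoped token is enough
            "Accept": "application/vnd.github+json",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # GitHub answers "Branch not protected"
            return None
        raise


def evaluate_pr_approval_control(protection: Optional[dict]) -> list:
    """Return the gaps between the policy statement and the evidence.

    An empty list means the control operates as the policy describes.
    Each check corresponds to one way the statement could be false in practice.
    """
    gaps = []
    if protection is None:
        return ["branch is not protected: direct pushes to it are allowed"]
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        gaps.append("pull request reviews are not required")
    elif reviews.get("required_approving_review_count", 0) < 1:
        gaps.append("pull requests can merge with zero approvals")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        gaps.append("administrators may bypass the rule")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        gaps.append("force pushes are allowed, so reviewed history can be rewritten")
    return gaps


# Constructed sample payloads (not captured from a real repository); the shape
# follows GitHub's branch protection response, trimmed to the fields checked.
COMPLIANT_SAMPLE = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
    },
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
}

WEAK_SAMPLE = {
    "required_pull_request_reviews": {"required_approving_review_count": 0},
    "enforce_admins": {"enabled": False},
    "allow_force_pushes": {"enabled": True},
}


def evidence_report(samples: dict) -> dict:
    """Map the policy statement to a pass/fail verdict and the gaps, per branch."""
    report = {}
    for name, protection in samples.items():
        gaps = evaluate_pr_approval_control(protection)
        report[name] = {"statement": POLICY_STATEMENT, "passes": not gaps, "gaps": gaps}
    return report


if __name__ == "__main__":
    # To check a live repository instead, replace a sample with
    # fetch_branch_protection("<owner>", "<repo>", "main", "<read-only token>").
    samples = {"compliant": COMPLIANT_SAMPLE, "weak": WEAK_SAMPLE, "unprotected": None}
    print(json.dumps(evidence_report(samples), indent=2))
```

The point of splitting the statement into several checks is that "requires pull request approval" is only true when all of them hold: a review requirement with zero required approvals, an admin bypass, or permitted force pushes each lets a change reach main without the approval the policy promises, and each is a separate line an auditor can ask for evidence of.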

Ready to Automate Your Compliance?

Join 50+ companies automating their compliance evidence with Screenata.

© 2025 Screenata. All rights reserved.