Integrations

By Maciej Litwiniuk

AWS Integration User Guide

Humadroid Compliance Platform

Overview

Humadroid's AWS integration automatically collects compliance evidence from your Amazon Web Services infrastructure. Once connected, it continuously monitors your AWS environment and gathers evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits
- Automated evidence collection - No more manual screenshots or exports
- Compliance-focused collection - Evidence collected on schedule (weekly or monthly)
- Auto-verification - Many evidence sources are automatically checked against compliance rules
- Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model
- Read-only access - Humadroid cannot modify your AWS resources
- Cross-account role assumption - Secure AWS STS-based authentication
- External ID protection - Prevents confused deputy attacks
- Full audit trail - All API calls logged in your CloudTrail

Evidence Sources

The AWS integration collects 17 distinct evidence types across six categories:

Identity & Access Management
- IAM Password Policy: Verifies password complexity, length, expiration, and reuse requirements (Frequency: Monthly; Auto-Verify: Yes)
- IAM MFA Status: Verifies multi-factor authentication is enabled for all users including root (Frequency: Monthly; Auto-Verify: Yes)
- IAM Access Keys: Monitors access key rotation, usage patterns, and lifecycle (Frequency: Monthly; Auto-Verify: Yes)

Logging & Monitoring
- CloudTrail Configuration: Verifies audit logging is enabled and properly configured (Frequency: Monthly; Auto-Verify: Yes)
- CloudTrail Events: Audit trail of API calls and management events (Frequency: Monthly; Auto-Verify: No)
- CloudWatch Alarms: System monitoring and alerting configuration (Frequency: Monthly; Auto-Verify: Yes)
- VPC Flow Logs: Network traffic logging configuration (Frequency: Monthly; Auto-Verify: Yes)

Security Services
- GuardDuty Status: Threat detection service status and configuration (Frequency: Monthly; Auto-Verify: Yes)
- GuardDuty Findings: Security threats and anomalies detected (Frequency: Weekly; Auto-Verify: No)
- Security Hub Status: Consolidated security findings service status (Frequency: Monthly; Auto-Verify: Yes)
- AWS Config Status: Configuration change tracking service status (Frequency: Monthly; Auto-Verify: Yes)

Network Security
- Security Groups: Network security rules and firewall configuration (Frequency: Monthly; Auto-Verify: Yes)
- Network ACLs: Network access control list rules (Frequency: Monthly; Auto-Verify: Yes)

Encryption & Data Protection
- S3 Bucket Encryption: Verifies all S3 buckets have encryption enabled (Frequency: Monthly; Auto-Verify: Yes)
- S3 Public Access Block: Verifies S3 buckets block public access (Frequency: Monthly; Auto-Verify: Yes)
- RDS Encryption: Verifies RDS instances have encryption enabled (Frequency: Monthly; Auto-Verify: Yes)
- EBS Volume Encryption: Verifies EBS volumes are encrypted (Frequency: Monthly; Auto-Verify: Yes)
- KMS Key Rotation: Verifies KMS keys are configured for automatic rotation (Frequency: Monthly; Auto-Verify: Yes)

Backup & Recovery
- AWS Backup Jobs: Backup execution and success monitoring (Frequency: Weekly; Auto-Verify: Yes)
- RDS Snapshots: Database backup snapshots (Frequency: Monthly; Auto-Verify: Yes)

SOC 2 Control Coverage

The AWS integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security
The entity implements logical access security software, infrastructure, and architectures to protect information assets.
- IAM Password Policy - Password complexity requirements are enforced
- IAM MFA Status - Multi-factor authentication is enabled
- IAM Access Keys - Access credentials are properly managed
- S3 Encryption - Data at rest is encrypted
- S3 Public Access Block - Data is not publicly exposed
- RDS Encryption - Databases are encrypted
- EBS Volume Encryption - Storage volumes are encrypted
- KMS Key Rotation - Encryption keys are properly rotated

CC6.2 - User Registration and Authorization
Prior to issuing system credentials and granting access, the entity registers and authorizes new users.
- IAM MFA Status - Complete inventory of IAM users with access details
- IAM Access Keys - Access key creation and authorization records

CC6.3 - Removal of Access Rights
The entity removes credentials and disables system access when no longer required.
- CloudTrail Events - Access revocation events are logged
- IAM Access Keys - Inactive or unused access keys identified

CC6.6 - Logical Access Security Measures
The entity implements controls to prevent or detect and act upon unauthorized logical access.
- Security Groups - Firewall rules restrict access appropriately
- Network ACLs - Network-level access controls are in place
- VPC Flow Logs - Network traffic is monitored
- GuardDuty Status - Threat detection is active
- GuardDuty Findings - Security threats are identified and tracked

CC6.7 - Data Transmission Controls
The entity restricts transmission and movement of data.
- S3 Encryption - Data is encrypted during storage and transfer
- RDS Encryption - Database data is encrypted

CC7 - System Operations

CC7.1 - Security Monitoring
The entity monitors system components for anomalies and security events.
- GuardDuty Status - Threat detection service is active
- Security Hub Status - Security monitoring is consolidated
- CloudWatch Alarms - Alerts are configured for security events

CC7.2 - Security Event Logging
The entity identifies and logs security events.
- CloudTrail Configuration - Audit logging is properly configured
- CloudTrail Events - Security events are recorded
- VPC Flow Logs - Network activity is logged

CC7.3 - Security Incident Response
The entity evaluates security events and responds to identified incidents.
- GuardDuty Findings - Threats are detected and tracked
- CloudWatch Alarms - Incident alerts are configured

CC8 - Change Management

CC8.1 - Change Management
The entity authorizes, documents, and controls infrastructure changes.
- CloudTrail Events - Infrastructure changes are logged
- AWS Config Status - Configuration changes are tracked

A1 - Availability

A1.1 - System Availability
The entity maintains, monitors, and evaluates current processing capacity.
- Backup Jobs - Data can be recovered
- RDS Snapshots - Database backups are maintained
- CloudWatch Alarms - Availability monitoring is active

A1.2 - Recovery Procedures
The entity's recovery procedures support system recovery in accordance with recovery objectives.
- Backup Jobs - Backup procedures are executed successfully
- RDS Snapshots - Point-in-time recovery is available

ISO 27001:2022 Control Coverage

The AWS integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
- IAM Password Policy - Password policies enforce access security
- IAM MFA Status - Strong authentication is required
- IAM Access Keys - Access credentials are managed
- Security Groups - Network access is controlled

A.5.16 - Identity Management
The full life cycle of identities shall be managed.
- IAM MFA Status - Complete inventory of identities
- IAM Access Keys - Access key lifecycle management

A.5.17 - Authentication Information
Allocation and management of authentication information shall be controlled.
- IAM Password Policy - Authentication requirements are enforced
- IAM MFA Status - MFA is properly configured
- IAM Access Keys - Credentials are properly managed

A.5.18 - Access Rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed.
- IAM Access Keys - Access key usage is reviewed
- CloudTrail Events - Access changes are logged

A.5.23 - Cloud Services Security
Processes for acquisition, use, management and exit from cloud services shall be established.
- GuardDuty Status - Cloud threat detection is active
- Security Hub Status - Cloud security posture is monitored
- CloudTrail Configuration - Cloud activity is logged

A.8 - Technological Controls

A.8.1 - User Endpoint Devices
Information stored on, processed by or accessible via user endpoint devices shall be protected.
- EBS Volume Encryption - Storage attached to instances is encrypted

A.8.3 - Information Access Restriction
Access to information and other associated assets shall be restricted.
- S3 Public Access Block - Data is not publicly accessible
- Security Groups - Network access is restricted
- Network ACLs - Network-level access controls exist

A.8.9 - Configuration Management
Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed.
- AWS Config Status - Configuration changes are tracked
- Security Groups - Security configurations are documented

A.8.10 - Information Deletion
Information stored shall be deleted when no longer required.
- S3 Encryption - S3 lifecycle and deletion policies

A.8.11 - Data Masking
Data masking shall be used in accordance with the organization's topic-specific policy.
- RDS Encryption - Database encryption protects sensitive data

A.8.12 - Data Leakage Prevention
Data leakage prevention measures shall be applied.
- S3 Public Access Block - Public exposure is prevented
- GuardDuty Findings - Data exfiltration attempts are detected
- VPC Flow Logs - Data transfers are monitored

A.8.13 - Information Backup
Backup copies of information, software and systems shall be maintained and regularly tested.
- Backup Jobs - Backups are executed regularly
- RDS Snapshots - Database backups are maintained

A.8.14 - Redundancy
Information processing facilities shall be implemented with sufficient redundancy to meet availability requirements.
- RDS Encryption - Multi-AZ deployment status
- Backup Jobs - Cross-region backup configuration

A.8.15 - Logging
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
- CloudTrail Configuration - API activity is logged
- VPC Flow Logs - Network activity is logged
- CloudWatch Alarms - Logs are monitored for anomalies

A.8.16 - Monitoring Activities
Networks, systems and applications shall be monitored for anomalous behaviour.
- GuardDuty Status - Threat monitoring is active
- GuardDuty Findings - Anomalies are detected and tracked
- CloudWatch Alarms - System monitoring is configured
- Security Hub Status - Security posture is monitored

A.8.20 - Networks Security
Networks and network devices shall be secured, managed and controlled.
- Security Groups - Network security rules are configured
- Network ACLs - Network access controls are in place
- VPC Flow Logs - Network traffic is monitored

A.8.24 - Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
- S3 Encryption - Object storage is encrypted
- RDS Encryption - Databases are encrypted
- EBS Volume Encryption - Block storage is encrypted
- KMS Key Rotation - Encryption keys are rotated

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

IAM Password Policy
- Minimum password length: 14 characters
- Require uppercase letters: Yes
- Require lowercase letters: Yes
- Require numbers: Yes
- Require symbols: Yes
- Maximum password age: 90 days
- Password reuse prevention: 24 passwords

IAM MFA Status
- All users have MFA: 100%
- Root account has MFA: Required

IAM Access Keys
- Maximum key age: 90 days
- No unused keys: Required

CloudTrail
- CloudTrail enabled: Required
- Multi-region trail: Required
- Log file validation: Required
- Encryption enabled: Required

S3 Security
- All buckets encrypted: Required
- Default encryption enabled: Required
- Public access blocked: Required

RDS Security
- All instances encrypted: Required
- Automated backups enabled: Required
- Retention period: 7+ days

Network Security
- No open SSH (0.0.0.0/0:22): Required
- No open RDP (0.0.0.0/0:3389): Required
- VPC Flow Logs enabled: Required

Security Services
- GuardDuty enabled: Required
- Security Hub enabled: Recommended
- AWS Config enabled: Recommended

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source
- IAM Password Policy: CC6.1
- IAM MFA Status: CC6.1, CC6.2
- IAM Access Keys: CC6.1, CC6.2, CC6.3
- CloudTrail Config: CC7.2
- CloudTrail Events: CC6.3, CC7.2, CC8.1
- CloudWatch Alarms: CC7.1, CC7.3, A1.1
- VPC Flow Logs: CC6.6, CC7.2
- GuardDuty Status: CC6.6, CC7.1
- GuardDuty Findings: CC6.6, CC7.3
- Security Hub: CC7.1
- AWS Config: CC8.1
- Security Groups: CC6.6
- Network ACLs: CC6.6
- S3 Encryption: CC6.1, CC6.7
- S3 Public Access: CC6.1
- RDS Encryption: CC6.1, CC6.7
- EBS Encryption: CC6.1
- KMS Key Rotation: CC6.1
- Backup Jobs: A1.1, A1.2
- RDS Snapshots: A1.1, A1.2

ISO 27001 Controls by Evidence Source
- IAM Password Policy: A.5.15, A.5.17
- IAM MFA Status: A.5.15, A.5.16, A.5.17
- IAM Access Keys: A.5.15, A.5.16, A.5.17, A.5.18
- CloudTrail Config: A.5.23, A.8.15
- CloudTrail Events: A.5.18
- CloudWatch Alarms: A.8.15, A.8.16
- VPC Flow Logs: A.8.12, A.8.15, A.8.20
- GuardDuty Status: A.5.23, A.8.16
- GuardDuty Findings: A.8.12, A.8.16
- Security Hub: A.5.23, A.8.16
- AWS Config: A.8.9
- Security Groups: A.5.15, A.8.3, A.8.9, A.8.20
- Network ACLs: A.8.3, A.8.20
- S3 Encryption: A.8.24
- S3 Public Access: A.8.3, A.8.12
- RDS Encryption: A.8.24
- EBS Encryption: A.8.24
- KMS Key Rotation: A.8.24
- Backup Jobs: A.8.13
- RDS Snapshots: A.8.13

Getting Started

To set up the AWS integration:
1. Navigate to Settings > Integrations > AWS
2. Click Connect AWS Account
3. Follow the setup wizard to create an IAM role in your AWS account
4. Paste the Role ARN and validate the connection
5. Enable evidence sources for your compliance controls

AWS Permissions Required

The integration requires read-only permissions via the AWS-managed SecurityAudit policy plus additional permissions:

Core Permissions
- iam:GetAccountPasswordPolicy
- iam:ListUsers
- iam:ListMFADevices
- iam:ListAccessKeys
- iam:GetAccessKeyLastUsed
- cloudtrail:DescribeTrails
- cloudtrail:GetTrailStatus
- cloudtrail:LookupEvents
- cloudwatch:DescribeAlarms
- guardduty:ListDetectors
- guardduty:GetDetector
- guardduty:GetFindings
- securityhub:GetEnabledStandards
- securityhub:GetFindings
- ec2:DescribeFlowLogs
- ec2:DescribeVpcs
- ec2:DescribeSecurityGroups
- ec2:DescribeNetworkAcls
- ec2:DescribeVolumes
- s3:ListAllMyBuckets
- s3:GetBucketEncryption
- s3:GetBucketPublicAccessBlock
- rds:DescribeDBInstances
- rds:DescribeDBSnapshots
- kms:ListKeys
- kms:GetKeyRotationStatus
- backup:ListBackupJobs
- backup:ListBackupPlans
- config:DescribeConfigurationRecorders
- config:DescribeConfigurationRecorderStatus

Support

If you need help with your AWS integration:
- Email: support@humadroid.com
- Status: https://status.humadroid.com
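The cross-account role with External ID protection described in the Security Model and Getting Started sections, as an added example that is not Humadroid's own code: it builds the trust policy the setup wizard asks you to create and checks it for the two mistakes that reopen the confused deputy problem. The account ID, the External ID value and the 16-character minimum length are constructed placeholders and assumptions, not values from the wizard.

```python
# Added example (not Humadroid's code): build the trust policy for the
# read-only evidence-collection role and check it for a wildcard principal
# or a missing sts:ExternalId condition. The account ID and External ID are
# constructed placeholders; the real values come from the setup wizard.
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
MIN_EXTERNAL_ID_LEN = 16  # assumption: shorter values are treated as guessable


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy that lets only trusted_account_id assume the role, and only
    when the caller presents external_id via the sts:ExternalId condition."""
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError("trusted_account_id must be a 12-digit AWS account ID")
    if len(external_id) < MIN_EXTERNAL_ID_LEN:
        raise ValueError("external_id should be a long random string")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(policy: dict) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole:
    a wildcard or missing AWS principal, or no sts:ExternalId condition.
    An empty list means the policy looks sound."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = st.get("Principal")
        if principal == "*":
            aws_principals = ["*"]
        elif isinstance(principal, dict):
            p = principal.get("AWS", [])
            aws_principals = [p] if isinstance(p, str) else list(p)
        else:
            aws_principals = []
        if not aws_principals or "*" in aws_principals:
            findings.append(f"statement {i}: principal is a wildcard or not a specific AWS account")
        external_id = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy risk)")
    return findings


if __name__ == "__main__":
    # Constructed placeholder values; never commit a real External ID.
    policy = build_trust_policy("123456789012", "EXAMPLE-external-id-0123456789abcdef")
    print(check_trust_policy(policy) or "trust policy OK")
```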

Last updated on Dec 29, 2025

GitHub Integration User Guide

Overview

Humadroid's GitHub integration automatically collects compliance evidence from your GitHub organization. Once connected, it continuously monitors your organization's security settings, access controls, and code security features, gathering evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits
- Automated evidence collection - No more manual screenshots or exports
- Compliance-focused collection - Evidence collected on schedule (weekly or monthly)
- Auto-verification - Most evidence sources are automatically checked against compliance rules
- Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model
- Read-only access - Humadroid cannot modify your GitHub organization or repositories
- GitHub App authentication - Secure, fine-grained permissions per repository
- Installation tokens - Short-lived tokens (1 hour) instead of persistent OAuth tokens
- External ID protection - Unique installation ID prevents unauthorized access
- Full audit trail - All API calls can be tracked in GitHub's audit log (Enterprise)

Evidence Sources

The GitHub integration collects 12 distinct evidence types across four categories:

Organization & Access Management
- Organization 2FA Status: Verifies 2FA is required and enabled for all organization members (Frequency: Monthly; Auto-Verify: Yes)
- Organization Members: Lists all organization members with roles and activity (Frequency: Monthly; Auto-Verify: No)
- Team Permissions: Documents team membership and repository access (Frequency: Monthly; Auto-Verify: No)
- Outside Collaborators: Lists external users with repository access (Frequency: Monthly; Auto-Verify: Yes)

Repository Security
- Branch Protection Rules: Collects branch protection settings for all repositories (Frequency: Monthly; Auto-Verify: Yes)
- Repository Visibility: Inventories repository visibility (public/private/internal) (Frequency: Monthly; Auto-Verify: Yes)
- Required Reviews: Collects pull request review requirements by repository (Frequency: Monthly; Auto-Verify: Yes)
- Deploy Keys: Audits SSH deploy keys across repositories (Frequency: Monthly; Auto-Verify: Yes)

Security Scanning
- Secret Scanning: Verifies secret scanning is enabled and checks for alerts (Frequency: Monthly; Auto-Verify: Yes)
- Dependabot Alerts: Collects Dependabot configuration and vulnerability alerts (Frequency: Monthly; Auto-Verify: Yes)
- Code Scanning: Verifies CodeQL/code scanning is enabled and checks findings (Frequency: Monthly; Auto-Verify: Yes)

Audit & Logging
- Audit Log: Collects organization audit log events (Enterprise only) (Frequency: Monthly; Auto-Verify: No)

SOC 2 Control Coverage

The GitHub integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security
The entity implements logical access security software, infrastructure, and architectures to protect information assets.
- Organization 2FA Status - Multi-factor authentication is required for all members
- Organization Members - Complete inventory of users with access
- Team Permissions - Access is organized through teams with defined permissions

CC6.2 - User Registration and Authorization
Prior to issuing system credentials and granting access, the entity registers and authorizes new users.
- Organization Members - Complete inventory of all registered users
- Outside Collaborators - External users are tracked and authorized

CC6.3 - Removal of Access Rights
The entity removes credentials and disables system access when no longer required.
- Audit Log - Access changes are logged (Enterprise)
- Organization Members - Current membership can be compared over time

CC6.6 - Logical Access Security Measures
The entity implements controls to prevent or detect and act upon unauthorized logical access.
- Branch Protection Rules - Code access is controlled through branch protection
- Repository Visibility - Repositories are properly classified (public/private)
- Deploy Keys - SSH keys for automated access are tracked

CC7 - System Operations

CC7.1 - Security Monitoring
The entity monitors system components for anomalies and security events.
- Secret Scanning - Leaked secrets are detected automatically
- Dependabot Alerts - Vulnerable dependencies are identified
- Code Scanning - Security vulnerabilities in code are detected

CC7.2 - Security Event Logging
The entity identifies and logs security events.
- Audit Log - Security-relevant events are logged (Enterprise)

CC7.3 - Security Incident Response
The entity evaluates security events and responds to identified incidents.
- Secret Scanning - Leaked secrets are identified for remediation
- Dependabot Alerts - Vulnerabilities are tracked for response
- Code Scanning - Code security issues are tracked for resolution

CC8 - Change Management

CC8.1 - Change Management
The entity authorizes, documents, and controls infrastructure changes.
- Branch Protection Rules - Code changes require specific workflows
- Required Reviews - Changes require peer review before merge
- Code Scanning - Automated security validation of changes

ISO 27001:2022 Control Coverage

The GitHub integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
- Organization 2FA Status - Strong authentication is enforced
- Organization Members - Access is granted to authorized users
- Team Permissions - Access is organized through teams

A.5.16 - Identity Management
The full life cycle of identities shall be managed.
- Organization Members - Complete inventory of identities

A.5.17 - Authentication Information
Allocation and management of authentication information shall be controlled.
- Organization 2FA Status - 2FA is properly configured

A.5.18 - Access Rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed.
- Audit Log - Access changes are logged (Enterprise)
- Outside Collaborators - External access is tracked
- Team Permissions - Team-based access is documented

A.8 - Technological Controls

A.8.3 - Information Access Restriction
Access to information and other associated assets shall be restricted.
- Branch Protection Rules - Code access is restricted
- Repository Visibility - Data exposure is controlled

A.8.9 - Configuration Management
Configurations shall be established, documented, implemented, monitored and reviewed.
- Branch Protection Rules - Security configurations are documented

A.8.12 - Data Leakage Prevention
Data leakage prevention measures shall be applied.
- Secret Scanning - Secrets in code are detected
- Repository Visibility - Public exposure is monitored
- Dependabot Alerts - Vulnerable code is identified

A.8.15 - Logging
Logs that record activities shall be produced, stored, protected and analysed.
- Audit Log - Organization activity is logged (Enterprise)

A.8.16 - Monitoring Activities
Networks, systems and applications shall be monitored for anomalous behaviour.
- Secret Scanning - Secret leakage is monitored
- Dependabot Alerts - Vulnerability alerts are monitored
- Code Scanning - Code security is continuously monitored

A.8.25 - Secure Development Life Cycle
Rules for the secure development of software and systems shall be established and applied.
- Branch Protection Rules - Development workflows are enforced
- Required Reviews - Code review is required
- Code Scanning - Security testing is automated

A.8.28 - Secure Coding
Secure coding principles shall be applied to software development.
- Code Scanning - Security vulnerabilities are detected
- Dependabot Alerts - Insecure dependencies are identified
- Secret Scanning - Hardcoded secrets are detected

A.8.31 - Separation of Development, Test and Production Environments
Development, testing and production environments shall be separated and secured.
- Branch Protection Rules - Branch policies enforce environment separation
- Repository Visibility - Repository access is properly segmented

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

Organization 2FA Status
- 2FA required for organization: Required
- Member 2FA coverage: 100%
- Maximum organization owners: 5 (configurable)

Branch Protection
- Default branch protected: 100% (for applicable repos)
- Require pull requests: Required
- Required approving reviews: 1+
- Dismiss stale reviews: Recommended
- Enforce on administrators: Recommended
- Require status checks: Recommended

Repository Visibility
- Allow public repositories: No (configurable)
- Maximum public repositories: 0 (configurable)

Required Reviews
- Reviews required coverage: 100%
- Minimum reviewers: 1

Secret Scanning
- Secret scanning enabled: 100%
- Push protection enabled: Recommended
- Maximum open alerts: 0

Dependabot
- Dependabot enabled: 100%
- Maximum critical alerts: 0
- Maximum high alerts: 0 (configurable)
- Auto security updates: Recommended

Code Scanning
- Code scanning enabled: 80% (configurable)
- Maximum critical alerts: 0
- Maximum high alerts: 0 (configurable)

Deploy Keys
- Maximum key age: 90 days (configurable)
- Read-only keys preferred: Recommended

Outside Collaborators
- Maximum collaborators with admin: 0
- All collaborators documented: Required

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source
- Organization 2FA Status: CC6.1
- Organization Members: CC6.1, CC6.2, CC6.3
- Team Permissions: CC6.1
- Outside Collaborators: CC6.2
- Branch Protection: CC6.6, CC8.1
- Repository Visibility: CC6.6
- Required Reviews: CC8.1
- Deploy Keys: CC6.6
- Secret Scanning: CC7.1, CC7.3
- Dependabot Alerts: CC7.1, CC7.3
- Code Scanning: CC7.1, CC7.3, CC8.1
- Audit Log: CC6.3, CC7.2

ISO 27001 Controls by Evidence Source
- Organization 2FA Status: A.5.15, A.5.17
- Organization Members: A.5.15, A.5.16
- Team Permissions: A.5.15, A.5.18
- Outside Collaborators: A.5.18
- Branch Protection: A.8.3, A.8.9, A.8.25, A.8.31
- Repository Visibility: A.8.3, A.8.12, A.8.31
- Required Reviews: A.8.25
- Deploy Keys: (no specific ISO 27001 controls mapped)
- Secret Scanning: A.8.12, A.8.16, A.8.28
- Dependabot Alerts: A.8.12, A.8.16, A.8.28
- Code Scanning: A.8.16, A.8.25, A.8.28
- Audit Log: A.5.18, A.8.15

Getting Started

To set up the GitHub integration:
1. Navigate to Settings > Integrations > GitHub
2. Click Install GitHub App
3. Select your GitHub organization
4. Choose repository access (all repositories recommended)
5. Approve the permissions
6. Enable evidence sources for your compliance controls

For detailed setup instructions, see the GitHub App Setup Guide.

GitHub Permissions Required

The integration uses a GitHub App with the following permissions:

Repository Permissions (Read-only)
- Administration: Branch protection, settings (used for branch protection rules, repo configuration)
- Metadata: Basic repository information (used for repository listing; auto-granted)
- Secret scanning alerts: View secret scanning alerts (used for secret scanning status and alerts)
- Dependabot alerts: View Dependabot alerts (used for vulnerability monitoring)
- Code scanning alerts: View code scanning alerts (used for CodeQL and security findings)

Organization Permissions (Read-only)
- Members: Organization membership (used for member listing, 2FA status)
- Administration: Organization settings (used for 2FA requirement, org configuration)

GitHub Plan Feature Matrix

Feature                           Free   Team   Enterprise
Organization 2FA enforcement      Yes    Yes    Yes
Branch protection                 Yes    Yes    Yes
Required reviews                  Yes    Yes    Yes
Secret scanning (public repos)    Yes    Yes    Yes
Secret scanning (private repos)   No     Yes*   Yes
Push protection                   No     Yes*   Yes
Dependabot alerts                 Yes    Yes    Yes
Code scanning                     Yes    Yes    Yes
Audit log (web UI)                No     Yes    Yes
Audit log (API)                   No     No     Yes
IP allow lists                    No     No     Yes
SAML SSO                          No     No     Yes

*Requires GitHub Advanced Security add-on

Support

If you need help with your GitHub integration:
- Email: support@humadroid.com
- Status: https://status.humadroid.com
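The Organization 2FA Status and Branch Protection verification rules above, implemented over GitHub data as an added example (not the Humadroid integration's code). The sample organization, members and branch-protection records are constructed; they assume the shape of the GitHub REST API's organization object and branch-protection response, with an unprotected branch (HTTP 404) represented as None and member records flattened to the role and 2FA flag an integration would derive from the filtered member endpoints.

```python
# Added example (not the Humadroid integration's code): apply the
# Organization 2FA Status and Branch Protection thresholds to GitHub data.
# Sample payloads are constructed; they assume the shape of the REST API's
# organization object and branch-protection response (None = HTTP 404),
# with member records flattened to a role and a two_factor_enabled flag.
from dataclasses import dataclass
from typing import Optional

REQUIRED_APPROVALS = 1   # "Required approving reviews: 1+"
MAX_ORG_OWNERS = 5       # "Maximum organization owners: 5 (configurable)"


@dataclass
class Finding:
    evidence: str
    level: str     # "Required" or "Recommended", as in the verification rules
    message: str


def verify_org_2fa(org: dict, members: list) -> list:
    """Organization 2FA Status: requirement on, 100% member coverage, owner cap."""
    ev = "Organization 2FA Status"
    findings = []
    if not org.get("two_factor_requirement_enabled"):
        findings.append(Finding(ev, "Required", "2FA is not required for the organization"))
    without = sorted(m["login"] for m in members if not m.get("two_factor_enabled"))
    if without:
        findings.append(Finding(ev, "Required", "members without 2FA: " + ", ".join(without)))
    owners = [m["login"] for m in members if m.get("role") == "admin"]
    if len(owners) > MAX_ORG_OWNERS:
        findings.append(Finding(ev, "Required", f"{len(owners)} owners exceed the maximum of {MAX_ORG_OWNERS}"))
    return findings


def verify_branch_protection(repo: str, protection: Optional[dict]) -> list:
    """Branch Protection thresholds for one repository's default branch."""
    ev = "Branch Protection"
    if protection is None:
        return [Finding(ev, "Required", f"{repo}: default branch is not protected")]
    findings = []
    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append(Finding(ev, "Required", f"{repo}: pull requests are not required"))
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < REQUIRED_APPROVALS:
            findings.append(Finding(ev, "Required", f"{repo}: {count} approving review(s) required, need {REQUIRED_APPROVALS}+"))
        if not reviews.get("dismiss_stale_reviews"):
            findings.append(Finding(ev, "Recommended", f"{repo}: stale reviews are not dismissed"))
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append(Finding(ev, "Recommended", f"{repo}: protection is not enforced on administrators"))
    if protection.get("required_status_checks") is None:
        findings.append(Finding(ev, "Recommended", f"{repo}: no required status checks"))
    return findings


# Constructed sample data (not real organizations or users).
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": True}
SAMPLE_MEMBERS = [
    {"login": "alice", "role": "admin", "two_factor_enabled": True},
    {"login": "bob", "role": "member", "two_factor_enabled": False},
    {"login": "carol", "role": "member", "two_factor_enabled": True},
]
SAMPLE_PROTECTION = {
    "example-org/api": {
        "required_pull_request_reviews": {"required_approving_review_count": 1, "dismiss_stale_reviews": False},
        "enforce_admins": {"enabled": True},
        "required_status_checks": {"strict": True, "contexts": ["ci"]},
    },
    "example-org/legacy-tool": None,  # protection endpoint returned 404
}


def run_sample() -> dict:
    """Evaluate the constructed sample; keys are evidence targets, values are findings."""
    results = {"org": verify_org_2fa(SAMPLE_ORG, SAMPLE_MEMBERS)}
    for repo, protection in SAMPLE_PROTECTION.items():
        results[repo] = verify_branch_protection(repo, protection)
    return results


if __name__ == "__main__":
    for target, findings in run_sample().items():
        for f in findings:
            print(f"[{f.level}] {f.evidence}: {f.message}")
```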

Last updated on Dec 19, 2025

Cloudflare integration guide

Overview

Humadroid's Cloudflare integration automatically collects compliance evidence from your Cloudflare account. Once connected, it continuously monitors your zones' security configurations, SSL/TLS settings, WAF rules, and DDoS protection, gathering evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits
- Automated evidence collection - No more manual screenshots or exports
- Compliance-focused collection - Evidence collected on schedule (daily or weekly)
- Auto-verification - All evidence sources are automatically checked against compliance rules
- Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model
- Read-only access - Humadroid cannot modify your Cloudflare configuration
- API token authentication - Fine-grained, scoped API tokens instead of global API keys
- Zone-level permissions - Access limited to selected zones
- Full audit trail - All API calls can be tracked in Cloudflare's audit log (Business+ plans)

Evidence Sources

The Cloudflare integration collects 11 distinct evidence types across four categories:

SSL/TLS & Encryption
- SSL/TLS Mode: Verifies SSL/TLS encryption mode for all zones (off, flexible, full, strict) (Frequency: Daily; Auto-Verify: Yes)
- Minimum TLS Version: Verifies minimum TLS version setting for all zones (Frequency: Daily; Auto-Verify: Yes)
- HSTS Configuration: Collects HTTP Strict Transport Security settings including max-age, includeSubDomains, and preload (Frequency: Daily; Auto-Verify: Yes)
- Certificate Status: Monitors SSL certificate validity and expiration status (Frequency: Daily; Auto-Verify: Yes)

Web Application Firewall
- WAF Configuration: Collects WAF configuration including managed rules, custom rules, and security settings (Frequency: Daily; Auto-Verify: Yes)
- Access Rules: Collects IP access rules and firewall access control configurations (Frequency: Daily; Auto-Verify: Yes)

DDoS & Bot Protection
- DDoS Protection Status: Verifies DDoS protection is enabled (always on for Cloudflare-proxied traffic) (Frequency: Daily; Auto-Verify: Yes)
- Rate Limiting Rules: Collects rate limiting rule configurations (Frequency: Daily; Auto-Verify: Yes)
- Bot Protection Status: Collects bot protection settings including bot fight mode and managed bot protection (Frequency: Daily; Auto-Verify: Yes)

DNS Security
- DNSSEC Status: Verifies DNSSEC is enabled for DNS security (Frequency: Daily; Auto-Verify: Yes)
- Security Headers: Collects security header configurations (HSTS, X-Content-Type-Options, X-Frame-Options) (Frequency: Daily; Auto-Verify: Yes)

SOC 2 Control Coverage

The Cloudflare integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security
The entity implements logical access security software, infrastructure, and architectures to protect information assets.
- SSL/TLS Mode - End-to-end encryption protects data in transit
- TLS Version - Modern TLS protocols prevent protocol downgrade attacks
- Certificate Status - Valid certificates ensure secure connections

CC6.6 - Logical Access Security Measures
The entity implements controls to prevent or detect and act upon unauthorized logical access.
- WAF Configuration - Web Application Firewall blocks malicious traffic
- Access Rules - IP-based access controls restrict unauthorized access
- Rate Limiting - Prevents brute force and credential stuffing attacks
- Bot Protection - Detects and blocks malicious bot traffic
- Security Headers - Prevents clickjacking and content-type attacks

CC6.7 - Data Transmission Controls
The entity restricts transmission and movement of data.
- SSL/TLS Mode - Encryption protects data during transmission
- TLS Version - Strong protocols ensure secure data transfer
- HSTS Configuration - Forces HTTPS to prevent downgrade attacks
- Certificate Status - Valid certificates ensure data integrity

CC7 - System Operations

CC7.1 - Security Monitoring
The entity monitors system components for anomalies and security events.
- WAF Configuration - Monitors and logs security threats
- Bot Protection - Monitors for malicious bot activity
- DDoS Protection - Monitors for DDoS attacks

A1 - Availability

A1.2 - Recovery Procedures
The entity's recovery procedures support system recovery in accordance with recovery objectives.
- DDoS Protection - Mitigates availability attacks
- DNSSEC Status - Protects DNS integrity to ensure availability

ISO 27001:2022 Control Coverage

The Cloudflare integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
- WAF Configuration - Access control via web application firewall
- Access Rules - IP-based access restrictions

A.8 - Technological Controls

A.8.3 - Information Access Restriction
Access to information and other associated assets shall be restricted.
- WAF Configuration - Restricts access to web applications
- Access Rules - IP, country, and ASN-based access controls

A.8.20 - Networks Security
Networks and network devices shall be secured, managed and controlled.
- WAF Configuration - Web application layer security
- DDoS Protection - Network-level attack protection
- Rate Limiting - Network traffic controls
- Bot Protection - Automated traffic filtering
- DNSSEC Status - DNS security extensions
- Security Headers - HTTP security headers

A.8.24 - Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
- SSL/TLS Mode - Encryption mode configuration
- TLS Version - Cryptographic protocol version
- HSTS Configuration - Enforced HTTPS communication
- Certificate Status - Certificate management and validity

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

SSL/TLS Mode
- Minimum SSL mode: Full (configurable)
- Options: off, flexible, full, strict
- Recommended: Strict

TLS Version
- Minimum TLS version: 1.2 (configurable)
- Options: 1.0, 1.1, 1.2, 1.3
- Recommended: 1.2 or higher

HSTS Configuration
- HSTS enabled: Required
- Include subdomains: Required
- Minimum max-age: 31536000 seconds (1 year)
- Preload: Recommended (not required by default)

Certificate Status
- Valid certificate: Required
- Minimum days until expiry: 30 days (configurable)
- Universal SSL: Recommended

WAF Configuration
- WAF enabled: Required
- Managed rules configured: Required

DDoS Protection
- DDoS protection active: Required (automatic for proxied zones)

Rate Limiting
- Rate limiting configured: Recommended (not required by default)

Bot Protection
- Bot protection enabled: Required (bot management or browser check)
- Advanced Bot Management: Not required by default

DNSSEC Status
- DNSSEC enabled: Required

Access Rules
- Block rules configured: Recommended (not required by default)

Security Headers
- HSTS header: Required
- X-Content-Type-Options: Required
- X-Frame-Options: Recommended (not required by default)

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source
- SSL/TLS Mode: CC6.1, CC6.7
- TLS Version: CC6.1, CC6.7
- HSTS Configuration: CC6.7
- Certificate Status: CC6.1, CC6.7
- WAF Configuration: CC6.6, CC7.1
- Access Rules: CC6.6
- DDoS Protection: CC6.6, CC7.1, A1.2
- Rate Limiting: CC6.6
- Bot Protection: CC6.6, CC7.1
- DNSSEC Status: A1.2
- Security Headers: CC6.6

ISO 27001 Controls by Evidence Source
- SSL/TLS Mode: A.8.24
- TLS Version: A.8.24
- HSTS Configuration: A.8.24
- Certificate Status: A.8.24
- WAF Configuration: A.5.15, A.8.3
Yes - A.8.20: Yes Access Rules - A.5.15: Yes - A.8.3: Yes DDoS Protection - A.8.20: Yes Rate Limiting - A.8.20: Yes Bot Protection - A.8.20: Yes DNSSEC Status - A.8.20: Yes Security Headers - A.8.20: Yes Getting Started To set up the Cloudflare integration: 1. Navigate to Settings > Integrations > Cloudflare 2. Click Connect Cloudflare Account 3. Create an API token in your Cloudflare dashboard (see permissions below) 4. Paste the API token and validate the connection 5. Select the zones you want to monitor 6. Enable evidence sources for your compliance controls Cloudflare Permissions Required Create a custom API token with the following permissions: Zone Permissions (Read-only) Zone → Zone → Read - Basic zone information for zone listing and status Zone → Zone Settings → Read - Zone configuration for SSL mode, TLS version, HSTS Zone → SSL and Certificates → Read - Certificate information for status and expiry monitoring Zone → Firewall Services → Read - Firewall rules for access rules and rate limiting Zone → WAF → Read - WAF configuration for status and managed rules Zone → DNS → Read - DNS settings for DNSSEC status Account Permissions (Read-only) Account → Account Settings → Read - Account information for verification Setup Instructions 1. Log into your Cloudflare Dashboard 2. Go to Profile → API Tokens → Create Token 3. Click Create Custom Token 4. Name the token "Humadroid Compliance Read-Only" 5. Add the permissions listed above 6. Set Zone Resources: Include all zones (or specific zones) 7. 
Create the token and copy it to Humadroid Cloudflare Plan Feature Matrix Free Plan Available features: - SSL/TLS Mode - Minimum TLS Version - HSTS Configuration - Certificate Status - DDoS Protection (Always On) - DNSSEC - Basic WAF - Bot Fight Mode - Access Rules - Security Headers Not available: - Rate Limiting (requires Pro+) Pro Plan Includes all Free features, plus: - Rate Limiting (5 rules) - Enhanced WAF - Polish/Mirage Business Plan Includes all Pro features, plus: - Rate Limiting (Unlimited) - Page Shield - Audit Logs - Advanced WAF Enterprise Plan Includes all Business features, plus: - Advanced Bot Management - Logpush - Advanced DDoS Protection - Custom SSL Troubleshooting Common Issues "Permission denied - API token needs 'Zone:WAF:Read' permission" - Your API token is missing the WAF read permission - Edit your token in Cloudflare to add: Zone → WAF → Read "No accounts accessible with this token" - Your token doesn't have account-level read access - Add: Account → Account Settings → Read "Authentication failed" - Check that your API token is correct and hasn't expired - Verify the token has the required permissions Evidence showing 0 for all metrics - Ensure the selected zones have the features enabled - Some features require specific Cloudflare plans Support If you need help with your Cloudflare integration: - Documentation: https://docs.humadroid.com/integrations/cloudflare - Email: support@humadroid.com - Status: https://status.humadroid.com Last updated: January 2026

Last updated on Jan 14, 2026

GCP integration guide

Overview

Humadroid's GCP integration automatically collects compliance evidence from your Google Cloud Platform infrastructure. Once connected, it continuously monitors your GCP environment and gathers evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

- Automated evidence collection - No more manual screenshots or exports
- Compliance-focused collection - Evidence collected on schedule (weekly or monthly)
- Auto-verification - Many evidence sources are automatically checked against compliance rules
- Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model

- Read-only access - Humadroid cannot modify your GCP resources
- Service Account authentication - Secure credential handling with least-privilege permissions
- Encrypted credential storage - Service account keys encrypted at rest
- Full audit trail - All API calls logged in your Cloud Audit Logs

Evidence Sources

The GCP integration collects 15 distinct evidence types across six categories:

Identity & Access Management

IAM Policy
- Description: Documents IAM policy bindings and role assignments across the project
- Frequency: Monthly
- Auto-Verify: Yes

IAM Service Accounts
- Description: Inventories all service accounts with keys and usage patterns
- Frequency: Monthly
- Auto-Verify: Yes

IAM MFA Status
- Description: Verifies multi-factor authentication enforcement for users
- Frequency: Monthly
- Auto-Verify: Yes

Logging & Monitoring

Audit Logs Status
- Description: Verifies Cloud Audit Logs are enabled and properly configured
- Frequency: Monthly
- Auto-Verify: Yes

Audit Log Events
- Description: Audit trail of API calls and administrative events
- Frequency: Monthly
- Auto-Verify: No

Monitoring Alerts
- Description: Cloud Monitoring alert policies configuration
- Frequency: Monthly
- Auto-Verify: Yes

VPC Flow Logs
- Description: Network traffic logging configuration for VPCs
- Frequency: Monthly
- Auto-Verify: Yes

Security Services

Security Findings
- Description: Security Command Center findings and threat detection
- Frequency: Weekly
- Auto-Verify: No

Network Security

Firewall Rules
- Description: VPC firewall rules configuration and security analysis
- Frequency: Monthly
- Auto-Verify: Yes

Encryption & Data Protection

Storage Encryption
- Description: Verifies Cloud Storage buckets have encryption enabled
- Frequency: Monthly
- Auto-Verify: Yes

Storage Public Access
- Description: Verifies Cloud Storage buckets block public access
- Frequency: Monthly
- Auto-Verify: Yes

SQL Encryption
- Description: Verifies Cloud SQL instances have encryption enabled
- Frequency: Monthly
- Auto-Verify: Yes

Compute Encryption
- Description: Verifies Compute Engine disks are encrypted
- Frequency: Monthly
- Auto-Verify: Yes

KMS Key Rotation
- Description: Verifies Cloud KMS keys are configured for automatic rotation
- Frequency: Monthly
- Auto-Verify: Yes

Backup & Recovery

SQL Backups
- Description: Cloud SQL backup execution and configuration monitoring
- Frequency: Weekly
- Auto-Verify: Yes

SOC 2 Control Coverage

The GCP integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security
The entity implements logical access security software, infrastructure, and architectures to protect information assets.
- IAM Policy - Access policies enforce least-privilege principles
- IAM MFA Status - Multi-factor authentication is enforced
- IAM Service Accounts - Service account credentials are properly managed
- Storage Encryption - Data at rest is encrypted
- SQL Encryption - Databases are encrypted
- Compute Encryption - Compute disks are encrypted
- KMS Key Rotation - Encryption keys are properly rotated

CC6.2 - User Registration and Authorization
Prior to issuing system credentials and granting access, the entity registers and authorizes new users.
- IAM Policy - Complete inventory of users with access and role bindings
- IAM Service Accounts - Service account creation and authorization records

CC6.3 - Removal of Access Rights
The entity removes credentials and disables system access when no longer required.
- Audit Log Events - Access revocation events are logged
- IAM Service Accounts - Inactive or unused service accounts identified

CC6.6 - Logical Access Security Measures
The entity implements controls to prevent or detect and act upon unauthorized logical access.
- Firewall Rules - VPC firewall rules restrict access appropriately
- VPC Flow Logs - Network traffic is monitored
- Storage Public Access - Storage buckets are not publicly exposed

CC6.7 - Data Transmission Controls
The entity restricts transmission and movement of data.
- Storage Encryption - Data is encrypted during storage and transfer
- SQL Encryption - Database data is encrypted
- Compute Encryption - Compute disks are encrypted
- KMS Key Rotation - Encryption keys are managed securely

CC7 - System Operations

CC7.1 - Security Monitoring
The entity monitors system components for anomalies and security events.
- Security Findings - Security Command Center detects threats
- Monitoring Alerts - Alerts are configured for security events

CC7.2 - Security Event Logging
The entity identifies and logs security events.
- Audit Logs Status - Audit logging is properly configured
- Audit Log Events - Security events are recorded
- VPC Flow Logs - Network activity is logged

CC7.3 - Security Incident Response
The entity evaluates security events and responds to identified incidents.
- Security Findings - Threats are detected and tracked
- Monitoring Alerts - Incident alerts are configured

CC7.4 - Security Alerting
The entity implements alerting mechanisms for security events.
- Monitoring Alerts - Alert policies are configured and active

CC8 - Change Management

CC8.1 - Change Management
The entity authorizes, documents, and controls infrastructure changes.
- Audit Log Events - Infrastructure changes are logged

A1 - Availability

A1.2 - Recovery Procedures
The entity's recovery procedures support system recovery in accordance with recovery objectives.
- SQL Backups - Database backups are maintained and executed successfully

ISO 27001:2022 Control Coverage

The GCP integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control
Rules to control physical and logical access to information and other associated assets shall be established and implemented.
- IAM Policy - Access policies enforce security requirements
- IAM MFA Status - Strong authentication is required
- IAM Service Accounts - Service account access is managed
- Firewall Rules - Network access is controlled

A.5.16 - Identity Management
The full life cycle of identities shall be managed.
- IAM Policy - Complete inventory of identities
- IAM Service Accounts - Service account lifecycle management

A.5.17 - Authentication Information
Allocation and management of authentication information shall be controlled.
- IAM MFA Status - MFA is properly configured
- IAM Service Accounts - Service account keys are managed

A.5.18 - Access Rights
Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed.
- IAM Service Accounts - Service account access is reviewed
- Audit Log Events - Access changes are logged

A.5.23 - Cloud Services Security
Processes for acquisition, use, management and exit from cloud services shall be established.
- Security Findings - Cloud threat detection is active
- Audit Logs Status - Cloud activity is logged

A.8 - Technological Controls

A.8.3 - Information Access Restriction
Access to information and other associated assets shall be restricted.
- Storage Public Access - Data is not publicly accessible
- Firewall Rules - Network access is restricted

A.8.9 - Configuration Management
Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed.
- Firewall Rules - Security configurations are documented

A.8.12 - Data Leakage Prevention
Data leakage prevention measures shall be applied.
- Storage Public Access - Public exposure is prevented
- Security Findings - Data exfiltration attempts are detected
- VPC Flow Logs - Data transfers are monitored

A.8.13 - Information Backup
Backup copies of information, software and systems shall be maintained and regularly tested.
- SQL Backups - Backups are executed regularly

A.8.15 - Logging
Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.
- Audit Logs Status - API activity is logged
- VPC Flow Logs - Network activity is logged
- Monitoring Alerts - Logs are monitored for anomalies

A.8.16 - Monitoring Activities
Networks, systems and applications shall be monitored for anomalous behaviour.
- Security Findings - Threat monitoring is active
- Monitoring Alerts - System monitoring is configured

A.8.20 - Networks Security
Networks and network devices shall be secured, managed and controlled.
- Firewall Rules - Network security rules are configured
- VPC Flow Logs - Network traffic is monitored

A.8.24 - Use of Cryptography
Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.
- Storage Encryption - Cloud Storage is encrypted
- SQL Encryption - Databases are encrypted
- Compute Encryption - Compute disks are encrypted
- KMS Key Rotation - Encryption keys are rotated

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

IAM Policy
- Overly permissive roles: Flagged
- Primitive roles (Owner/Editor): Flagged for review
- External members: Documented

IAM Service Accounts
- Maximum key age: 90 days
- Unused service accounts: Flagged
- User-managed keys: Documented

IAM MFA Status
- MFA enforcement: Required
- Organization policy: Should enforce MFA

Audit Logs Status
- Admin Activity logs: Required (always on)
- Data Access logs: Recommended
- Log retention: 400+ days recommended

Storage Security
- All buckets encrypted: Required (default in GCP)
- Customer-managed keys (CMEK): Recommended
- Public access blocked: Required
- Uniform bucket-level access: Recommended

SQL Security
- All instances encrypted: Required
- Automated backups enabled: Required
- Backup retention period: 7+ days
- SSL/TLS required: Recommended

Network Security
- No open SSH (0.0.0.0/0:22): Required
- No open RDP (0.0.0.0/0:3389): Required
- VPC Flow Logs enabled: Required
- Default deny rules: Recommended

KMS Key Rotation
- Automatic rotation enabled: Required
- Rotation period: 90 days recommended

Security Services
- Security Command Center enabled: Recommended
- Cloud Monitoring alerts configured: Recommended

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source
- IAM Policy: CC6.1, CC6.2
- IAM Service Accounts: CC6.1, CC6.2, CC6.3
- IAM MFA Status: CC6.1
- Audit Logs Status: CC7.2
- Audit Log Events: CC6.3, CC7.2, CC8.1
- Monitoring Alerts: CC7.1, CC7.3, CC7.4
- VPC Flow Logs: CC6.6, CC7.2
- Security Findings: CC7.1, CC7.3
- Firewall Rules: CC6.6
- Storage Encryption: CC6.1, CC6.7
- Storage Public Access: CC6.6
- SQL Encryption: CC6.1, CC6.7
- Compute Encryption: CC6.1, CC6.7
- KMS Key Rotation: CC6.1, CC6.7
- SQL Backups: A1.2

ISO 27001 Controls by Evidence Source
- IAM Policy: A.5.15, A.5.16
- IAM Service Accounts: A.5.15, A.5.16, A.5.17, A.5.18
- IAM MFA Status: A.5.15, A.5.17
- Audit Logs Status: A.5.23, A.8.15
- Audit Log Events: A.5.18
- Monitoring Alerts: A.8.15, A.8.16
- VPC Flow Logs: A.8.12, A.8.15, A.8.20
- Security Findings: A.5.23, A.8.12, A.8.16
- Firewall Rules: A.5.15, A.8.3, A.8.9, A.8.20
- Storage Encryption: A.8.24
- Storage Public Access: A.8.3, A.8.12
- SQL Encryption: A.8.24
- Compute Encryption: A.8.24
- KMS Key Rotation: A.8.24
- SQL Backups: A.8.13

Getting Started

To set up the GCP integration:

1. Navigate to Settings > Integrations > GCP
2. Click Connect GCP Project
3. Follow the setup wizard to create a Service Account in your GCP project
4. Download and upload the Service Account JSON key
5. Validate the connection
6. Enable evidence sources for your compliance controls

For detailed setup instructions, see the GCP Setup Guide.

GCP Permissions Required

The integration requires read-only permissions via a Service Account with the following roles:

Recommended Roles
- Security Reviewer (roles/iam.securityReviewer)
- Viewer (roles/viewer)
- Cloud Asset Viewer (roles/cloudasset.viewer)

Core Permissions
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- iam.serviceAccounts.list
- iam.serviceAccounts.get
- iam.roles.list
- logging.logEntries.list
- logging.sinks.list
- cloudkms.cryptoKeys.list
- cloudkms.cryptoKeys.get
- cloudkms.keyRings.list
- storage.buckets.list
- storage.buckets.get
- storage.buckets.getIamPolicy
- cloudsql.instances.list
- cloudsql.backupRuns.list
- compute.instances.list
- compute.disks.list
- compute.firewalls.list
- compute.subnetworks.list
- compute.networks.list
- securitycenter.findings.list
- securitycenter.sources.list
- monitoring.alertPolicies.list
- cloudasset.assets.searchAllResources

GCP Service Feature Matrix

Standard GCP Project
- IAM policy audit: Yes
- Service account inventory: Yes
- Firewall rules audit: Yes
- Storage encryption check: Yes
- Storage public access check: Yes
- Cloud SQL encryption: Yes
- Cloud SQL backups: Yes
- Compute disk encryption: Yes
- KMS key rotation: Yes
- VPC Flow Logs: Yes
- Cloud Audit Logs: Yes
- Security Command Center: Requires activation
- Cloud Monitoring: Yes

Organization-Level Features

Some features provide enhanced coverage at the organization level:
- Organization-wide IAM policies
- Cross-project security findings
- Centralized audit log aggregation
- Organization policy constraints

Note: Organization-level features require additional permissions at the organization level.
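The following is an added example, not Humadroid's code, applying two of the GCP verification thresholds above to constructed records: the Network Security checks for SSH and RDP open to 0.0.0.0/0 (including ports hidden inside a port range and rules allowing all protocols), and the 90-day maximum age for user-managed service account keys. The records are constructed here and only shaped after Compute Engine firewall and IAM service-account key resources; the exact field names are an assumption of this example.

```python
"""Apply two of the GCP verification thresholds above to constructed records:
no SSH/RDP open to 0.0.0.0/0 in VPC firewall rules, and no user-managed
service-account key older than 90 days.
Added example, not Humadroid's code. The records are constructed here and only
shaped after Compute Engine firewall and IAM service-account key resources
(field names are an assumption of this example)."""
from datetime import datetime
from typing import Any

OPEN_SOURCES = {"0.0.0.0/0", "::/0"}      # "anywhere" source ranges
WATCHED_PORTS = {22: "SSH", 3389: "RDP"}  # the page's two required checks
MAX_KEY_AGE_DAYS = 90


def _port_in_spec(port: int, spec: str) -> bool:
    """True if port falls inside a spec such as "22" or "3000-4000"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def open_admin_ports(rule: dict[str, Any]) -> list[str]:
    """Watched services (SSH/RDP) that an ingress rule exposes to the internet."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return []  # disabled and egress rules cannot open an inbound port
    if not OPEN_SOURCES & set(rule.get("sourceRanges", [])):
        return []  # source restricted to specific ranges
    exposed: set[str] = set()
    for allow in rule.get("allowed", []):
        proto = allow.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        specs = allow.get("ports")  # absent "ports" means every port of the protocol
        for port, name in WATCHED_PORTS.items():
            if specs is None or any(_port_in_spec(port, s) for s in specs):
                exposed.add(name)
    return sorted(exposed)


def firewall_findings(rules: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Map rule name -> exposed services, for rules that violate the threshold."""
    found = {r["name"]: open_admin_ports(r) for r in rules}
    return {name: svcs for name, svcs in found.items() if svcs}


def _parse_rfc3339(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_keys(keys: list[dict[str, Any]], now: str,
               max_age_days: int = MAX_KEY_AGE_DAYS) -> list[str]:
    """User-managed key names older than max_age_days as of `now` (RFC 3339)."""
    now_dt = _parse_rfc3339(now)
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys are rotated by Google
        if (now_dt - _parse_rfc3339(k["validAfterTime"])).days > max_age_days:
            stale.append(k["name"])
    return stale


# Constructed samples (not real project data)
SAMPLE_RULES: list[dict[str, Any]] = [
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-in-range", "direction": "INGRESS", "sourceRanges": ["::/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},  # 3389 hides in the range
    {"name": "allow-all-disabled", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "disabled": True},
    {"name": "allow-ssh-corp", "direction": "INGRESS", "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "egress-any", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
]
SAMPLE_KEYS: list[dict[str, Any]] = [
    {"name": "keys/old-user-key", "keyType": "USER_MANAGED", "validAfterTime": "2025-09-01T00:00:00Z"},
    {"name": "keys/fresh-user-key", "keyType": "USER_MANAGED", "validAfterTime": "2026-01-01T00:00:00Z"},
    {"name": "keys/google-managed", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2025-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    print(firewall_findings(SAMPLE_RULES))
    print(stale_keys(SAMPLE_KEYS, now="2026-01-29T00:00:00Z"))
```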

Last updated on Jan 29, 2026

Vercel Integration User Guide

Overview Humadroid's Vercel integration automatically collects compliance evidence from your Vercel deployment platform. Once connected, it continuously monitors your Vercel team configuration, project settings, and security controls to gather evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks. Key Benefits - Automated evidence collection - No more manual screenshots or exports - Compliance-focused collection - Evidence collected on schedule (monthly) - Auto-verification - Many evidence sources are automatically checked against compliance rules - Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001 - Plan-aware - Automatically adapts to your Vercel plan (Hobby/Pro/Enterprise) Security Model - Read-only access - Humadroid cannot modify your Vercel settings or deployments - Dual authentication options - OAuth integration (recommended) or API Token - Team-scoped access - Access limited to selected team only - Encrypted credential storage - Credentials encrypted at rest - Easily revocable - Disconnect anytime from Humadroid or revoke from Vercel Evidence Sources The Vercel integration collects 10 distinct evidence types across three categories: Access Control Team Members & Roles - Description: Collects team membership and role assignments for access control evidence - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans RBAC Configuration - Description: Documents role-based access control configuration and custom roles - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans Project Access Settings - Description: Collects project-level access restrictions and team assignments - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans SSO/SAML Configuration - Description: Collects SSO enforcement status and SAML configuration - Frequency: Monthly - Auto-Verify: Yes - Plan Required: Enterprise only Deployment Security Deployment Protection - Description: Collects deployment 
protection settings including authentication requirements - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans (limited on Hobby) Environment Variables - Description: Inventories environment variables and validates sensitive variable protection - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans Network Security WAF Status - Description: Collects Web Application Firewall enablement status across projects - Frequency: Monthly - Auto-Verify: Yes - Plan Required: Pro+ WAF Rules - Description: Collects custom WAF rules and managed rule configurations - Frequency: Monthly - Auto-Verify: No (manual review recommended) - Plan Required: Pro+ IP Blocking Rules - Description: Collects IP blocking and allowlist configurations - Frequency: Monthly - Auto-Verify: Yes - Plan Required: All plans (limits vary by plan) Audit & Monitoring Audit Logs - Description: Team activity audit logs for security monitoring - Frequency: Monthly - Auto-Verify: No (manual review required) - Plan Required: Enterprise only SOC 2 Control Coverage The Vercel integration provides evidence for the following SOC 2 (2017) Trust Services Criteria: CC6 - Logical and Physical Access Controls CC6.1 - Logical Access Security The entity implements logical access security software, infrastructure, and architectures to protect information assets - Team Members & Roles - Access policies enforce least-privilege principles - RBAC Configuration - Role-based access controls are properly configured - Project Access Settings - Project-level access is restricted appropriately - SSO/SAML Configuration - Enterprise SSO enforces strong authentication CC6.2 - User Registration and Authorization Prior to issuing system credentials and granting access, the entity registers and authorizes new users - Team Members & Roles - Complete inventory of users with access and role assignments - Audit Logs - User registration and authorization events are logged (Enterprise) CC6.3 - Removal of Access Rights 
The entity removes credentials and disables system access when no longer required - RBAC Configuration - Role changes and access modifications documented - Audit Logs - Access revocation events are logged (Enterprise) CC6.6 - Logical Access Security Measures The entity implements controls to prevent or detect and act upon unauthorized logical access - Project Access Settings - Project-level access restrictions prevent unauthorized access - Deployment Protection - Deployments are protected from unauthorized access - WAF Status - Web Application Firewall protects against attacks (Pro+) - WAF Rules - Custom WAF rules provide application-level protection (Pro+) - IP Blocking Rules - Network-level access restrictions are configured CC6.7 - Data Transmission Controls The entity restricts transmission and movement of data - Environment Variables - Sensitive data is properly protected and encrypted CC7 - System Operations CC7.2 - Security Event Logging The entity identifies and logs security events - Audit Logs - Security events are recorded (Enterprise) CC8 - Change Management CC8.1 - Change Management The entity authorizes, documents, and controls infrastructure changes - Deployment Protection - Deployment changes require appropriate authorization - Audit Logs - Infrastructure changes are logged (Enterprise) ISO 27001:2022 Control Coverage The Vercel integration provides evidence for the following ISO 27001:2022 Annex A controls: A.5 - Organizational Controls A.5.15 - Access Control Rules to control physical and logical access to information and other associated assets shall be established and implemented - Team Members & Roles - Access policies enforce security requirements - RBAC Configuration - Role-based access control is implemented - Project Access Settings - Project-level access is controlled - SSO/SAML Configuration - Strong authentication is enforced (Enterprise) A.5.16 - Identity Management The full life cycle of identities shall be managed - Team Members & 
Roles - Complete inventory of identities - Audit Logs - Identity lifecycle events are tracked (Enterprise) A.5.17 - Authentication Information Allocation and management of authentication information shall be controlled - SSO/SAML Configuration - Authentication is properly configured (Enterprise) - Deployment Protection - Deployment authentication requirements A.5.18 - Access Rights Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed - RBAC Configuration - Access rights are managed through roles - Audit Logs - Access changes are logged (Enterprise) A.5.23 - Information Security for Use of Cloud Services Processes for acquisition, use, management and exit from cloud services shall be established - WAF Status - Cloud security controls are configured (Pro+) - Deployment Protection - Cloud deployments are protected - Audit Logs - Cloud service usage is logged (Enterprise) A.8 - Technological Controls A.8.3 - Information Access Restriction Access to information and other associated assets shall be restricted - Project Access Settings - Project data access is restricted - Deployment Protection - Deployment access is controlled - IP Blocking Rules - Network access is restricted A.8.9 - Configuration Management Configurations, including security configurations, shall be established, documented, implemented, monitored and reviewed - WAF Status - Security configurations are documented (Pro+) - WAF Rules - Custom security rules are configured (Pro+) A.8.12 - Data Leakage Prevention Data leakage prevention measures shall be applied - Environment Variables - Sensitive variables are protected - Deployment Protection - Unauthorized access to deployments is prevented A.8.15 - Logging Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed - Audit Logs - Activity logs are maintained (Enterprise) A.8.16 - Monitoring Activities Networks, systems and 
applications shall be monitored for anomalous behaviour and appropriate actions taken
- WAF Status - Security monitoring via WAF (Pro+)

A.8.20 - Networks Security
Networks and network devices shall be secured, managed and controlled
- WAF Status - Web Application Firewall provides network protection (Pro+)
- WAF Rules - Network security rules are configured (Pro+)
- IP Blocking Rules - Network access is controlled

A.8.21 - Security of Network Services
Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored
- WAF Status - Network service security is monitored (Pro+)
- IP Blocking Rules - Network service access is controlled

Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

Team Members & Roles
- All team members have assigned roles: Required
- No orphaned or inactive members: Flagged
- Admin role usage: Documented and reviewed

RBAC Configuration
- Custom roles follow least-privilege: Recommended
- Role assignments documented: Required
- Sensitive permissions (billing, team management): Flagged for review

Project Access Settings
- Project access restricted to authorized teams: Required
- No overly permissive project settings: Flagged
- Production project restrictions: Recommended

Deployment Protection
- Production environments protected: Required
- Authentication required for preview deployments: Recommended
- Password protection configured: Optional

Environment Variables
- Sensitive variables marked as secret: Required
- Production secrets properly scoped: Required
- No plaintext credentials: Required
- Environment separation (dev/staging/prod): Recommended

SSO/SAML Configuration (Enterprise)
- SSO enforcement enabled: Required
- SAML configuration valid: Required
- Identity provider properly configured: Required

WAF Status (Pro+)
- WAF enabled on production projects: Required
- WAF mode set to active (not monitor-only): Recommended
- All public-facing projects protected: Required

WAF Rules (Pro+)
- OWASP Core Rule Set enabled: Recommended
- Custom rules reviewed: Manual verification
- Rule exceptions documented: Required

IP Blocking Rules
- Blocking rules configured: Optional
- Allowlist properly scoped: Recommended
- Geographic restrictions (if applicable): Documented

Audit Logs (Enterprise)
- Audit logging enabled: Required
- Log retention appropriate: Recommended
- Regular log review: Manual verification

Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source
- Team Members & Roles: CC6.1, CC6.2
- RBAC Configuration: CC6.1, CC6.3
- Project Access Settings: CC6.1, CC6.6
- Deployment Protection: CC6.6, CC8.1
- Environment Variables: CC6.7
- SSO/SAML Configuration (Enterprise): CC6.1
- WAF Status (Pro+): CC6.6
- WAF Rules (Pro+): CC6.6
- IP Blocking Rules: CC6.6
- Audit Logs (Enterprise): CC6.2, CC6.3, CC7.2, CC8.1

ISO 27001 Controls by Evidence Source
- Team Members & Roles: A.5.15, A.5.16
- RBAC Configuration: A.5.15, A.5.18
- Project Access Settings: A.5.15, A.8.3
- Deployment Protection: A.5.17, A.5.23, A.8.3, A.8.12
- Environment Variables: A.8.12
- SSO/SAML Configuration (Enterprise): A.5.15, A.5.17
- WAF Status (Pro+): A.5.23, A.8.9, A.8.16, A.8.20, A.8.21
- WAF Rules (Pro+): A.8.9, A.8.20
- IP Blocking Rules: A.8.3, A.8.20, A.8.21
- Audit Logs (Enterprise): A.5.16, A.5.18, A.5.23, A.8.15

Additional ISO 27001 Control Coverage
- A.5.23 - Cloud Services Security: WAF Status (Pro+), Deployment Protection, Audit Logs (Enterprise)
- A.8.16 - Monitoring Activities: WAF Status (Pro+)
- A.8.21 - Security of Network Services: WAF Status (Pro+), IP Blocking Rules

Getting Started

To set up the Vercel integration:
1. Navigate to Settings > Integrations > Vercel
2. Click Connect Vercel Account
3. Choose your authentication method:
   - OAuth (Recommended): Click "Connect with Vercel" for one-click authorization
   - API Token: Manually create and enter a Vercel API token
4. Select the team to monitor (if your account has multiple teams)
5. Validate the connection
6. Enable evidence sources for your compliance controls

Option 1: OAuth Connection (Recommended)
1. Click the Connect with Vercel button
2. You'll be redirected to Vercel to authorize Humadroid
3. Grant read-only access to your Vercel account
4. You'll be automatically redirected back to Humadroid
5. Select a team if you have multiple teams

This method provides automatic token management and scoped permissions.

Option 2: API Token (Manual)
1. Log into your Vercel Dashboard
2. Go to Account Settings > Tokens
3. Click Create to create a new token
4. Name: "Humadroid Compliance Read-Only"
5. Scope: Select Full Account for team access
6. Expiration: "No Expiration" recommended for automated collection
7. Click Create Token
8. Copy the token immediately (it won't be shown again)

Vercel Permissions Required

The integration requires read-only permissions via OAuth or an API Token with Full Account scope.

Required Scopes
- Team:Read - Access team membership and settings
- Projects:Read - Access project configurations
- Deployments:Read - Access deployment settings
- Firewall:Read - Access WAF and IP blocking rules (Pro+)

Vercel Plan Feature Matrix

Hobby Plan
Available Features:
- Team Members & Roles
- RBAC Configuration (basic roles)
- Project Access Settings
- Deployment Protection (limited)
- Environment Variables
- IP Blocking Rules (10 IPs max)
Not Available:
- WAF Status
- WAF Rules
- SSO/SAML Configuration
- Audit Logs

Pro Plan
Available Features:
- Team Members & Roles
- RBAC Configuration
- Project Access Settings
- Deployment Protection (full features)
- Environment Variables
- IP Blocking Rules (100 IPs max)
- WAF Status
- WAF Rules (40 rules max)
Not Available:
- SSO/SAML Configuration
- Audit Logs

Enterprise Plan
All Features Available:
- Team Members & Roles
- RBAC Configuration (custom roles)
- Project Access Settings
- Deployment Protection (full features)
- Environment Variables
- IP Blocking Rules (custom limits)
- WAF Status
- WAF Rules (1000 rules max)
- SSO/SAML Configuration
- Audit Logs
- SIEM Streaming
- Trusted IPs

Troubleshooting

Common Issues

"Invalid API Token"
- Verify the token was copied correctly (no extra spaces)
- Check if the token has expired
- Ensure the token has Full Account scope

"No teams found"
- The API token may be personal-only; create a team-scoped token
- Verify you have access to at least one team

"WAF data not available"
- WAF features require Pro plan or higher
- Ensure the Firewall:Read scope is included

"SSO/Audit data not available"
- These features require Enterprise plan
- Contact Vercel to upgrade if needed
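The Verification Rules section above lists thresholds as rule text plus a level (Required, Recommended, Flagged, Optional) but does not show how a snapshot of Vercel evidence is scored against them. The following is an added example, not Humadroid's code, that applies a handful of those rules (team roles, sensitive environment variables, WAF status, deployment protection) to a constructed snapshot. The snapshot layout, the `SENSITIVE_HINTS` name fragments and the helper names are assumptions made for this illustration; the rule texts and levels are taken from the section above. It also mirrors the "WAF data not available" note by skipping WAF checks on the Hobby plan.

```python
"""Score a Vercel evidence snapshot against Verification Rules thresholds.

Added example, not Humadroid's code. The snapshot layout below is an
assumption; rule texts and levels come from the Verification Rules section.
"""
from dataclasses import dataclass

# Name fragments that mark an environment variable as credential-like (assumption).
SENSITIVE_HINTS = ("SECRET", "TOKEN", "PASSWORD", "API_KEY")


@dataclass(frozen=True)
class Finding:
    source: str   # evidence source, e.g. "Environment Variables"
    rule: str     # threshold text from the Verification Rules section
    level: str    # "Required", "Recommended", "Flagged" or "Optional"
    passed: bool
    detail: str   # member, project or variable the finding refers to


def looks_sensitive(name: str) -> bool:
    upper = name.upper()
    return any(hint in upper for hint in SENSITIVE_HINTS)


def check_team(team: dict) -> list[Finding]:
    src, out = "Team Members & Roles", []
    for m in team["members"]:
        out.append(Finding(src, "All team members have assigned roles", "Required",
                           bool(m.get("role")), m["email"]))
        if not m.get("active", True):
            out.append(Finding(src, "No orphaned or inactive members", "Flagged",
                               False, m["email"]))
    return out


def check_env_vars(project: dict) -> list[Finding]:
    src, out = "Environment Variables", []
    for var in project["env"]:
        if not looks_sensitive(var["key"]):
            continue
        where = f'{project["name"]}:{var["key"]}'
        is_secret = var["type"] in ("secret", "sensitive")
        out.append(Finding(src, "Sensitive variables marked as secret", "Required",
                           is_secret, where))
        # A production secret also exposed to preview/development is out of scope.
        if is_secret and "production" in var["target"]:
            out.append(Finding(src, "Production secrets properly scoped", "Required",
                               set(var["target"]) == {"production"}, where))
    return out


def check_waf(project: dict, plan: str) -> list[Finding]:
    src = "WAF Status (Pro+)"
    if plan not in ("pro", "enterprise"):
        return []  # WAF evidence is not available on Hobby, so nothing to verify
    waf = project["waf"]
    out = [Finding(src, "WAF enabled on production projects", "Required",
                   waf["enabled"], project["name"])]
    if waf["enabled"]:
        out.append(Finding(src, "WAF mode set to active (not monitor-only)",
                           "Recommended", waf["mode"] == "active", project["name"]))
    return out


def check_deployment_protection(project: dict) -> list[Finding]:
    src, prot = "Deployment Protection", project["protection"]
    return [
        Finding(src, "Production environments protected", "Required",
                prot["production"], project["name"]),
        Finding(src, "Authentication required for preview deployments", "Recommended",
                prot["preview_auth"], project["name"]),
    ]


def evaluate(snapshot: dict) -> list[Finding]:
    findings = check_team(snapshot["team"])
    for project in snapshot["projects"]:
        findings += check_env_vars(project)
        findings += check_waf(project, snapshot["plan"])
        findings += check_deployment_protection(project)
    return findings


def failures(findings: list[Finding], level: str) -> list[Finding]:
    return [f for f in findings if f.level == level and not f.passed]


# Constructed snapshot of a Pro-plan team with deliberate gaps.
SAMPLE = {
    "plan": "pro",
    "team": {"members": [
        {"email": "alice@example.com", "role": "OWNER", "active": True},
        {"email": "bob@example.com", "role": "", "active": True},
        {"email": "carol@example.com", "role": "MEMBER", "active": False},
    ]},
    "projects": [
        {"name": "web",
         "env": [
             {"key": "STRIPE_SECRET_KEY", "type": "plain", "target": ["production"]},
             {"key": "API_TOKEN", "type": "secret", "target": ["production", "preview"]},
             {"key": "NEXT_PUBLIC_SITE_NAME", "type": "plain", "target": ["production"]},
         ],
         "waf": {"enabled": True, "mode": "monitor"},
         "protection": {"production": True, "preview_auth": False}},
        {"name": "docs", "env": [],
         "waf": {"enabled": False, "mode": "off"},
         "protection": {"production": False, "preview_auth": False}},
    ],
}

if __name__ == "__main__":
    for level in ("Required", "Recommended", "Flagged"):
        for f in failures(evaluate(SAMPLE), level):
            print(f"{level:<12} {f.source}: {f.rule} ({f.detail})")
```

Run as a script it prints one line per failed threshold, grouped by level; Required failures (a member with no role, an unmarked secret, a production secret shared with preview, a project without WAF or production protection) are the ones an auditor would treat as control gaps, while Recommended and Flagged items are review prompts.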

Last updated on Feb 04, 2026