SOC 2 Compliance for PostgreSQL — TimeTravel Audit Evidence Automation
May 18, 2026 9 min read Shayntech Engineering

SOC 2 Compliance for PostgreSQL: How TimeTravel Automates Audit Evidence Generation

If you've been through a SOC 2 Type II audit, you know the pain: weeks of scrambling through database logs, backup records, and email chains trying to prove that your data wasn't tampered with, that changes were tracked, and that retention policies were followed. It's tedious, error-prone, and expensive.

What if you could generate all of that evidence — cryptographically verifiable, auditor-ready, and covering four key SOC 2 trust criteria — with a single click?

That's exactly what Shayntech TimeTravel does. In this guide, we'll walk through how TimeTravel maps to SOC 2 controls, how to set it up for your PostgreSQL database, and how to generate professional audit evidence reports in minutes.

Why SOC 2 Auditors Care About Your Database

SOC 2 (Service Organization Control 2) is built around five Trust Service Criteria. The two that matter most for database integrity are:

| SOC 2 Criterion | What It Requires | The Database Challenge |
|---|---|---|
| CC6.1 (Logical Access) | Prevent unauthorized access and tampering | How do you prove no one modified records outside the app? |
| CC6.6 (Data Integrity) | Maintain data integrity through processing | How do you detect and prove tampering after the fact? |
| CC7.2 (Change Monitoring) | Monitor changes to system components | How do you track every INSERT, UPDATE, DELETE with attribution? |
| A1.2 / A1.3 (Retention) | Data retention and disposal per policy | How do you prove data existed for the required period? |

Most companies rely on a patchwork of database logs, manual screenshots, and ad-hoc reports to satisfy these requirements. TimeTravel replaces all of that with a single, automated system.

How TimeTravel's Architecture Maps to SOC 2 Controls

TimeTravel wasn't built specifically for SOC 2 — it was built for general-purpose database version control. But its architecture happens to map almost perfectly to SOC 2 requirements:

Immutable SHA-256 Hash Chain → CC6.1, CC6.6

Every change to a tracked table is hashed using SHA-256 and linked to the previous entry. This creates a cryptographic chain where any modification — even a single bit — breaks every subsequent hash. Auditors can independently verify the chain at any time.

# Conceptual hash chain structure
Entry #1: SHA256(INSERT + row_data + prev_hash=0) → a1b2c3...
Entry #2: SHA256(UPDATE + row_data + prev_hash=a1b2c3...) → d4e5f6...
Entry #3: SHA256(DELETE + row_data + prev_hash=d4e5f6...) → g7h8i9...
# Tamper with Entry #1 → Entry #2 and #3 also fail verification

Change Data Capture (CDC) → CC7.2

PostgreSQL triggers capture every INSERT, UPDATE, and DELETE with the full old and new values, timestamp, and table name. The Enterprise Dashboard displays this as a searchable, filterable audit log that maps directly to CC7.2's change monitoring requirements.

Time Travel Queries → A1.2, A1.3

Need to prove that customer records existed on a specific date? Run a time travel query to that timestamp and show the exact database state. The dashboard generates a PDF of the result that serves as retention evidence.

The SOC 2 Report Center: Four Report Types

The Enterprise Dashboard includes a dedicated Report Center with four pre-built report templates. Each one is designed to map directly to SOC 2 criteria and includes an auditor attestation statement:

| Report | SOC 2 Controls | What It Contains | Auditor Value |
|---|---|---|---|
| Data Integrity | CC6.1, CC6.6 | Full hash chain verification results with per-entry status | Cryptographic proof of no tampering |
| Change Audit | CC7.2 | Complete audit trail with timestamps, users, old/new values | Verifiable change monitoring evidence |
| Retention | A1.2, A1.3 | Time-based queries showing data existed at retention checkpoints | Proof of retention policy compliance |
| Compliance Summary | CC6.1–A1.3 | Comprehensive overview with auditor attestation statements | One-stop evidence package for auditors |

Step-by-Step: Setting Up SOC 2 Evidence with TimeTravel

Here's how to go from zero to SOC 2-ready in under 30 minutes:

Step 1: Deploy TimeTravel

# Quick deploy with Docker (Enterprise Dashboard)
$ git clone https://github.com/zarrarerror/shayntech-timetravel.git
$ cd shayntech-timetravel
$ export TT_PG_CONNECTION="postgresql://user:password@host:5432/mydb"
$ docker-compose up -d
# Open http://localhost:8080

The Docker Compose setup includes everything: the main application, a PostgreSQL instance (or you can point to an existing one), and the dashboard web UI. The entire stack starts in under 10 seconds.

Step 2: Track Your Tables

From the dashboard, select which tables to track. For SOC 2 purposes, you'll want to track any table containing customer data, financial records, configuration settings, or audit-relevant information:

  • users — Customer account records
  • orders / transactions — Financial data
  • config / settings — System configuration changes
  • documents / files — Stored content metadata
  • audit_log — Application-level audit events

You can also use the CLI to track tables programmatically:

# Track tables via CLI
$ timetravel track users
$ timetravel track orders
$ timetravel track config

# List tracked tables
$ timetravel list

Step 3: Run Chain Verification

Before generating reports, run a chain verification to ensure the entire hash chain is intact. The dashboard will re-hash every entry and compare it against the stored hash:

# Verify chain integrity
$ timetravel verify --table users

Expected output:

✅ Chain verification PASSED
Total entries: 1,247
Verified: 1,247/1,247
Integrity: 100%

If any entry has been tampered with, the verification returns a FAIL result with the exact entry number and expected vs. actual hash values — giving your auditor a clear trail to investigate.
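
How a verifier of this kind can work, following the conceptual hash chain structure shown earlier and the FAIL behaviour described above. This is an added example, not TimeTravel's own code: the entry encoding, the field names and the externally archived head hash (`anchored_head`) are assumptions, and the rows are constructed.

```python
import hashlib
import json

GENESIS = "0"  # assumption: prev_hash of the first entry, as in the conceptual sketch

def entry_hash(op, row_data, prev_hash):
    # Assumed encoding: canonical JSON, so the same entry always hashes identically.
    payload = json.dumps({"op": op, "row": row_data, "prev": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def append(chain, op, row_data):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"op": op, "row": row_data, "prev": prev,
                  "hash": entry_hash(op, row_data, prev)})

def verify(chain, anchored_head=None):
    """Re-hash every entry; report PASS, or FAIL with the first bad entry."""
    prev = GENESIS
    for n, e in enumerate(chain, start=1):
        expected = entry_hash(e["op"], e["row"], prev)
        if e["prev"] != prev or e["hash"] != expected:
            return {"status": "FAIL", "entry": n,
                    "expected": expected, "actual": e["hash"]}
        prev = e["hash"]
    # Anyone able to rewrite the whole chain table can also recompute every
    # hash, so compare the head with a copy archived outside the database.
    if anchored_head is not None and prev != anchored_head:
        return {"status": "FAIL", "entry": len(chain),
                "expected": anchored_head, "actual": prev}
    return {"status": "PASS", "verified": len(chain)}

def build_sample():
    # Constructed sample rows, not real data.
    chain = []
    append(chain, "INSERT", {"id": 1, "email": "a@example.com"})
    append(chain, "UPDATE", {"id": 1, "email": "b@example.com"})
    append(chain, "DELETE", {"id": 1})
    return chain

def rehash_all(chain):
    # Models a chain whose hashes were all recomputed after an edit.
    rebuilt = []
    for e in chain:
        append(rebuilt, e["op"], e["row"])
    return rebuilt
```

An edited row fails at its own entry number, while a fully recomputed chain passes the internal check and is caught only by the comparison against the archived head hash.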

Step 4: Generate SOC 2 Evidence Reports

From the Report Center, select the report type you need and click Generate. Each report is produced as a professional PDF that includes:

  • Company name and report date
  • SOC 2 control mapping (which criteria the report addresses)
  • Detailed evidence (hash chain results, change log entries, time travel snapshots)
  • Auditor attestation statement
  • System metadata (database name, tracked tables, verification timestamps)

Reports are ready in seconds and can be downloaded, printed, or shared directly with your auditor.

TimeTravel vs. Traditional SOC 2 Evidence Collection

| Activity | Traditional Approach | With TimeTravel |
|---|---|---|
| Prove data integrity | Export backup checksums, hope they match | Run chain verification → instant PASS/FAIL |
| Show change history | Dig through PostgreSQL WAL logs, cross-reference with app logs | Dashboard audit log — searchable, filterable, exportable |
| Prove data existed at date X | Restore backup from that date, cross-check manually | Time travel query → see exact state instantly |
| Generate auditor report | Hire consultant to compile evidence, 2-3 weeks | One click → professional PDF in seconds |
| Ongoing compliance | Manual quarterly evidence collection cycles | Continuous, automated, always audit-ready |

Real-World Example: A SaaS Company's SOC 2 Journey

Consider a typical B2B SaaS company with 50 PostgreSQL tables, 10M+ rows of customer data, and a SOC 2 Type II audit coming in six weeks. Before TimeTravel, their evidence collection process looked like this:

  1. Week 1-2: Engineering team writes custom scripts to extract WAL logs and reconstruct change history
  2. Week 3: Compliance officer manually verifies backup integrity across 20+ daily snapshots
  3. Week 4: Auditors identify gaps in data retention evidence — scramble to restore old backups
  4. Week 5: Third consultant hired to compile reports at $15,000
  5. Week 6: Last-minute scramble produces evidence that barely passes

With TimeTravel, the same process takes one afternoon:

  1. Hour 1: Deploy TimeTravel docker-compose, point at production PostgreSQL
  2. Hour 2: Track 15 SOC 2-relevant tables from the dashboard
  3. Hour 3: Run chain verification → PASS. Generate all four SOC 2 reports
  4. Hour 4: Deliver PDF package to auditors. Done.

SOC 2 Best Practices with TimeTravel

To get the most out of TimeTravel for SOC 2 compliance:

  • Track tables from day one. TimeTravel captures history as soon as a table is tracked. The earlier you enable tracking, the more evidence you'll have when audit time comes.
  • Run chain verification weekly. Schedule a cron job to verify the hash chain every Sunday night. Save the PASS results as continuous evidence of monitoring.
  • Generate reports at audit checkpoints. Before each quarterly audit review, generate and archive all four SOC 2 reports. This creates a paper trail of ongoing compliance.
  • Document your tracking configuration. Maintain a record of which tables are tracked, when tracking was enabled, and the rationale for each. Auditors appreciate clear documentation.
  • Test your recovery procedures. Use time travel queries to verify that you can reconstruct past database states. Document a successful test as evidence for CC7.2.

# Example: Weekly chain verification cron job
# Run every Sunday at 2 AM
0 2 * * 0 cd /opt/timetravel && timetravel verify --all --output /var/reports/chain-$(date +\%Y\%m\%d).json

Beyond SOC 2: HIPAA, GDPR, and SOX

While this guide focuses on SOC 2, TimeTravel's capabilities extend to other compliance frameworks:

| Framework | Relevant Controls | How TimeTravel Helps |
|---|---|---|
| HIPAA | §164.312 (Audit Controls, Integrity) | Immutable audit trail for ePHI access and modification |
| GDPR | Art. 5, 30 (Integrity, Records) | Prove data was processed lawfully; support right-to-erasure with verifiable deletion records |
| SOX | §302, §404 (Internal Controls) | Evidence that financial data controls are operating effectively |

The Bottom Line

SOC 2 compliance doesn't have to be expensive, stressful, or time-consuming. With Shayntech TimeTravel, you can transform your PostgreSQL database from a compliance liability into an always-audit-ready asset — without sending your data anywhere, without expensive consultants, and without weeks of manual effort.

The Free CLI Edition is open source (MIT license) and gives you the full hash chain, change tracking, and time travel queries. The Enterprise Dashboard adds the web UI, PostgreSQL support, SOC 2 report center, and professional PDF generation.

Ready to make your database audit-ready? Get started at shayntech.com/products/timetravel or clone the GitHub repo and start tracking tables today.


Shayntech is an AI consulting and software company dedicated to making advanced infrastructure accessible to every team. TimeTravel is one of several open-source tools we've built to help companies build better, more reliable data systems.
