| Criterion | Control ID | Control Name | Control Owner | Evidence Repository |
|---|---|---|---|---|
| CC1.1 | GOV-01 | Governance Charter Approved | CEO | Board minutes (GDrive) |
| CC6.1 | AC-01 | Workforce SSO w/ MFA | IT Lead | Google Workspace access logs |
| CC6.1 | AC-02 | Bi-Monthly Access Review | ISM | Internal AI agents attestation |
| CC6.1 | AC-03 | Privileged Access Approval Workflow | SRE Lead | AWS CloudTrail logs |
| CC7.1 | CM-01 | Peer-reviewed Pull Requests | Eng. Leads | GitHub PR data |
| CC7.2 | MON-03 | SIEM Alerting & On-call | SRE | Better Stack & Datadog logs |
| CC8.1 | NET-02 | AWS WAF Ruleset | SRE | Terraform state |
| A1.2 | BCP-04 | Automated DB Backups | DBA | S3 backup logs |
| C1.1 | ENC-01 | TLS 1.3 Everywhere | SRE | SSL Labs scans |
| PI1.1 | QA-05 | CI/CD Test Suite ≥ 90% pass | QA Lead | GitHub Actions traces |
| P6.1 | PRIV-02 | DSAR Workflow | Legal | Jira tickets |
| CC2.2 | TRN-01 | Security Awareness Training Completed | HR | LMS certificates |
| CC4.1 | MON-01 | Weekly Control Monitoring Review | ISM | Internal AI agents audit trail |
| CC5.3 | VND-04 | Annual Vendor Re-Assessment | Legal | Vendor questionnaires |
| C1.3 | DSP-02 | Secure Data Disposal Procedures | SRE | S3 lifecycle logs |
| A1.3 | CAP-02 | Capacity Planning Bi-Monthly Review | SRE Lead | Capacity docs |
| PI1.2 | QA-06 | Data Validation Checks in ETL | Data Eng Mgr | Redshift query logs |
| P8.1 | PRIV-05 | Consent SDK Toggle | Product | SDK repo commits |
| CC3.1 | RSK-01 | Formal Risk Assessment | ISM | Risk Assessment Report |
| CC3.3 | RSK-04 | Business Impact Analysis | ISM | BIA docs |
| CC3.4 | RSK-05 | Risk Treatment Plan Implemented | ISM | Risk Treatment Plan |
| CC5.1 | DEV-01 | Secure SDLC Policy & Training | Eng. Director | SDLC policy, training records |
| CC5.2 | DEV-02 | Code Review & Merge Checks | Eng. Leads | GitHub PR data |
| CC9.1 | OPS-01 | 24x7 Monitoring & Alerting | SRE | Better Stack & Grafana dashboards |
| CC9.2 | OPS-02 | Incident Response Process | ISM | IR plan, post-mortems |
| PI1.3 | QA-07 | Processing Reconciliation Jobs | Data Eng Mgr | Redshift audit logs |
| PI1.4 | QA-08 | Output Delivery Verification | SRE | API monitoring logs |
| P3.1 | PRIV-03 | Consent Management SDK | Product | SDK commits |
| P4.1 | PRIV-04 | Data Minimisation Controls | Product | DPIA docs |
| P5.1 | DSP-03 | Data Retention & Disposal | ISM | Retention policy, lifecycle logs |