How does Dock work with Vanta for SOC 2 control evidence?
Vanta runs automated tests against your infrastructure and pulls evidence on a continuous schedule. Drata does the same. Neither is built to record what an agent decided when a control drifted, which policy clause the agent quoted, or who approved the remediation. Dock sits next to your compliance platform and stores the interpretation layer. Every control review the agent does writes a row in Dock with a pointer back to the Vanta check ID, the policy clause read, the proposed remediation, and the reviewer who signed off before the auditor packet went out.
The architecture
Vanta and Drata stay the system of record for raw control state: which laptops have disk encryption, which repos have branch protection, which access reviews completed on time. Dock is the system of record for what the agent interprets from that data. Each Dock row carries a pointer back to the platform record as vanta_test_id or drata_control_id, along with agent identity, the decision the agent reached, the human reviewer, and the timestamp. When the agent needs current control status, it re-fetches from Vanta's API rather than trusting a cached value in Dock. Dock holds the reasoning. Vanta holds the truth about the stack. See the broader compliance pillar for how this pattern repeats across frameworks.
The Dock control-review table
| dock_row_id | vanta_test_id | control | finding | agent_decision | policy_clause | reviewer | status |
|---|---|---|---|---|---|---|---|
| ctrl-8821 | vt_access_review_q2 | CC6.3 quarterly access review | 3 stale GitHub admin grants | Recommend revoke; matches AC-2 clause 4.2 | InfoSec Policy v3.1 §4.2 | sarah@ | approved |
| ctrl-8822 | vt_mdm_encryption | CC6.7 endpoint encryption | 1 laptop reporting disabled FileVault | Open ticket to IT; do not waive | Endpoint Policy §2.1 | govind@ | approved |
| ctrl-8823 | vt_vendor_review | CC9.2 vendor risk review | New subprocessor missing DPA | Block production rollout until DPA signed | Vendor Mgmt §3.4 | sarah@ | pending |
A worked workflow
The compliance agent polls Vanta every six hours. A CC6.3 access review check fails: three GitHub org admin grants are older than the 90-day rotation policy. The agent fetches the failing test detail, reads the access control clause from the linked InfoSec Policy doc in Dock, and writes row ctrl-8821 proposing revocation with the policy citation attached. Because revoking admin access is a dangerous operation, the row routes to Sarah as security owner. Sarah reviews the policy citation, approves, and the agent calls the GitHub API to revoke. The revocation itself is logged as a two-key handshake because it is not reversible without a re-grant. The auditor packet, generated quarterly, exports every ctrl-* row with agent identity, reviewer, timestamp, and the policy clause the agent read at decision time.
Why this matters for SOC 2
Auditors increasingly ask who made the call, not just whether the control passed. A green check in Vanta tells the auditor the control state at the moment of the test. It does not tell the auditor that an agent read clause 4.2 of the InfoSec Policy, recommended revocation, and a named human approved before the action ran. That chain of reasoning is what agent audit trails are for, and it is what SOC 2 CC1.4 reviewers want to see when an agent is in the loop.
The interpretation layer also catches the case Vanta cannot catch on its own: an agent that hallucinates a remediation, cites the wrong policy version, or routes around a reviewer. Because the agent's identity is bound to a lifecycle record and every decision row carries that ID, an auditor can ask "show me every control finding agent_v3 closed in Q1" and get a real answer in one query.
This is the same backbone we describe in Dock for security operations: platform stays raw, Dock stores reasoning, humans stay accountable.
Get started
Connect Vanta or Drata to Dock and route your next control review through the agent. The auditor packet writes itself.
FAQ
Does Dock replace Vanta or Drata? No. Vanta and Drata remain the system of record for control state. Dock stores the agent's interpretation, the policy citation, the reviewer, and the decision timestamp. The two layers are designed to coexist.
What if the control state in Vanta changes after the agent writes a Dock row? The agent re-fetches the current Vanta test status when the reviewer opens the row. The Dock row records the state the agent saw at decision time, not a cached truth. Auditors get both: the historical reasoning and a fresh status pull.
Can the agent close a finding without human review? No. Every Dock control row routes to a named reviewer before any remediation runs. Dangerous operations like access revocation require an explicit two-key approval. The agent proposes; the human disposes.
Which SOC 2 trust services criteria does this pattern fit? Primarily Security (CC6), Change Management (CC8), and Risk Mitigation (CC9), where automated detection plus human-attributed remediation is the auditor's expected shape. The same Dock surface extends to Availability and Confidentiality controls without schema changes.
