Notes

1. SOC 2’s Requirement

• SOC 2 doesn’t dictate how your DR architecture should be built — it evaluates whether your systems and processes meet your stated commitments in the Availability and Processing Integrity criteria.
• If you commit in your policy that “we can recover from a database outage within 4 hours,” you need a tested plan that shows you can do that.
• Daily backups + tested restore process can meet SOC 2 if your stated RTO/RPO align with that capability.

---

2. Where Cross-Region Replication Comes In

• If your customers expect high availability (HA) even in a full AWS region outage, SOC 2 will expect your architecture to reflect that.
• Cross-region replication + automated failover is a design choice based on your customer SLAs, not a hard SOC 2 mandate.
• Without it, you can still pass SOC 2 — as long as:
  • You’ve documented the limitation.
  • Your contracts/SLA don’t promise more than you can deliver.
  • You have backup & restore tested regularly.

---

3. Cost Implication Reality

• Single RDS + daily snapshot: Low cost, meets SOC 2 if your RTO/RPO are in line.
• Multi-AZ failover in same region: +~50–70% cost, improves uptime for single-AZ failures.
• Cross-region replication: +100–200% cost (another full DB + inter-region traffic), for rare but large outages.