SOC2-07: Production Error Tracking — Compliance Finding & Remediation Guide
Control: SOC2-07 · Framework: SOC 2 · Release: v0.1.149
Summary
A SOC 2 audit of the error-handling pipeline identified that production error capture relies on a custom SaaS Factory ingest endpoint (src/lib/capture-error.ts) rather than a standard error tracking service. This falls short of the observability and auditability expectations required by SOC 2 availability and processing-integrity criteria.
Current State
The custom endpoint at src/lib/capture-error.ts provides basic error forwarding but has several significant gaps:
| Capability | Custom capture-error.ts | SOC 2 Expectation |
|---|---|---|
| Error rate limit | 5 errors / minute (drops above threshold) | Unlimited / queued |
| Error grouping | ❌ None | ✅ Required for triage |
| Release tracking | ❌ None | ✅ Required for regression detection |
| Source map support | ❌ None | ✅ Required for readable stack traces |
| User-impact visibility | ❌ None | ✅ Required for incident severity scoring |
| Audit log retention | Limited | Long-term retention required |
Risk
Without a standard error tracking service:
- High-volume error events during an incident are silently dropped after the rate limit is reached.
- Minified production stack traces cannot be resolved, making root-cause analysis slow and unreliable.
- There is no way to determine how many users were affected by a given error, making incident severity assessment unreliable.
- Release-to-regression correlation is not possible, slowing post-deployment validation.
Recommended Remediation
Integrate Sentry via the official @sentry/nextjs SDK. The steps below outline the expected implementation.
1. Install the SDK
```bash
npm install @sentry/nextjs
```
2. Configure the DSN
Add the Sentry DSN as an environment variable. Do not hard-code it.
```
SENTRY_DSN=https://<key>@o<org>.ingest.sentry.io/<project>
```
This value is available from your Sentry project's Settings → Client Keys (DSN) page.
3. Server-side initialisation — instrumentation.ts
```typescript
import * as Sentry from '@sentry/nextjs';

export async function register() {
  if (process.env.NEXT_RUNTIME === 'nodejs') {
    Sentry.init({
      dsn: process.env.SENTRY_DSN,
      tracesSampleRate: 0.2,
      beforeSend(event) {
        // Scrub PII before the event leaves the application
        if (event.user) {
          delete event.user.email;
          delete event.user.ip_address;
        }
        return event;
      },
    });
  }
}
```
4. Client-side initialisation — layout.tsx
```typescript
import * as Sentry from '@sentry/nextjs';

Sentry.init({
  dsn: process.env.NEXT_PUBLIC_SENTRY_DSN,
  tracesSampleRate: 0.1,
  beforeSend(event) {
    // Scrub PII before the event leaves the browser
    if (event.user) {
      delete event.user.email;
      delete event.user.ip_address;
    }
    return event;
  },
});
```

Note: For client-side access, expose the DSN as NEXT_PUBLIC_SENTRY_DSN. This value is not secret — it is safe to expose in the browser bundle.
5. Retain capture-error.ts as a secondary sink
The existing custom ingest endpoint can remain active. Forward errors to it after Sentry capture so the internal pipeline is not disrupted:
```typescript
import * as Sentry from '@sentry/nextjs';
import { captureError } from '@/lib/capture-error';

export function trackError(err: Error, context?: Record<string, unknown>) {
  Sentry.captureException(err, { extra: context });
  captureError(err, context); // secondary sink
}
```
PII Scrubbing Requirements
Because this platform screens individuals against the OFSI sanctions list, error payloads may contain names, entity identifiers, or reference numbers submitted by compliance users. The beforeSend hook must be configured to strip any fields that could contain personal data before events are transmitted to Sentry's servers.
Minimum fields to redact:
- event.user.email
- event.user.ip_address
- Any custom breadcrumb or extra data containing name, dob, address, or national_id fields
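The beforeSend snippets in steps 3 and 4 remove only the two user fields, so the sketch below extends the scrubbing to nested extra and breadcrumb data as the list above requires. It is an added example, not code from the project or the Sentry SDK: scrubEvent, redactDeep, the local ScrubEvent type, the exact-key matching rule and the sample event are all assumptions made for illustration.

```typescript
// Added example: scrubEvent and redactDeep are hypothetical helpers, not SDK or project code.
// ScrubEvent is a minimal local stand-in for the event fields the requirements name.
interface ScrubEvent {
  user?: Record<string, unknown>;
  extra?: Record<string, unknown>;
  breadcrumbs?: Array<{ message?: string; data?: Record<string, unknown> }>;
}

// Assumption: keys are matched by exact name, case-insensitively.
const SENSITIVE_KEYS = new Set(['name', 'dob', 'address', 'national_id']);
const REDACTED = '[redacted]';

// Returns a copy of `value` with every sensitive key redacted at any nesting level.
function redactDeep(value: unknown, depth: number = 0): unknown {
  if (depth > 8) return REDACTED; // fail closed on very deep or cyclic payloads
  if (Array.isArray(value)) return value.map((v) => redactDeep(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? REDACTED : redactDeep(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Intended to be called from beforeSend before the event is returned.
function scrubEvent(event: ScrubEvent): ScrubEvent {
  if (event.user) {
    delete event.user.email;
    delete event.user.ip_address;
  }
  if (event.extra) event.extra = redactDeep(event.extra) as Record<string, unknown>;
  for (const crumb of event.breadcrumbs ?? []) {
    if (crumb.data) crumb.data = redactDeep(crumb.data) as Record<string, unknown>;
  }
  return event;
}

// Constructed sample event (not real data).
function sampleEvent(): ScrubEvent {
  return {
    user: { id: 'u-42', email: 'analyst@example.test', ip_address: '203.0.113.7' },
    extra: { screening: { list: 'OFSI', name: 'Jane Example', matches: [{ national_id: 'X000000', score: 0.93 }] } },
    breadcrumbs: [{ message: 'form submit', data: { dob: '1980-01-01', route: '/screen' } }],
  };
}

console.log(JSON.stringify(scrubEvent(sampleEvent()), null, 2));
```

Non-sensitive keys such as list, score and route pass through unchanged, so the event stays useful for triage.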
Environment Variables
| Variable | Required | Description |
|---|---|---|
| SENTRY_DSN | Yes (server) | Sentry DSN for server-side (Node.js) error capture |
| NEXT_PUBLIC_SENTRY_DSN | Yes (client) | Sentry DSN for client-side (browser) error capture |
References
- Sentry Next.js SDK documentation
- SOC 2 Trust Service Criteria — Availability (A1.2), Processing Integrity (PI1.4)
- Internal: src/lib/capture-error.ts