SOC 2-ready controls, SSO, RBAC, encryption at rest and in transit, data residency options, and PII minimization.