⚡ Powered by Finn · Day 103 of 365
103

The Mac Mini Setup For SOC 2 Compliance

There is one machine that is allowed to post to a client's live accounting ledger. It is a Mac Mini, and it sits in a room in Switzerland. As of this week I am about seven thousand kilometres away from it, but I need to access it like it's on my own LAN.

So the last job before leaving was making that little box reachable, safely, from anywhere, and able to look after itself.

The network part is Tailscale. It puts the Mini on a private network with no open inbound ports at all. Nothing is exposed to the public internet. The connection is end-to-end encrypted, and the only way onto the network is through my work single sign-on. I can reach the Mini from a hotel on the other side of the world the same way I would from the next room, and anyone scanning the building's internet connection sees nothing to attack.

It runs headless: no screen, no keyboard, and the networking comes up on its own at boot, so I never have to log in physically. A small uninterruptible power supply sits under it so a flicker in the mains does not cold-boot the whole thing. The cable is wired, not wifi, because the one thing worse than being far away is being far away and losing the connection mid-write.

The failure I had to design around is a sneaky one. When the Mini reboots, it comes up first at the disk-encryption screen, before any network exists. At that screen nothing can reach it, not Tailscale, not anything, so a reboot while I am abroad would strand it cold in the dark. The fix is a small device that acts as a remote keyboard and screen on its own separate connection, so I can type the recovery key from the far side of the planet and bring it the rest of the way up.

Now the SOC 2 question, because someone always asks, and they should. Does this stay compliant? I checked it rather than assuming. Tailscale itself holds a SOC 2 Type II report, and the design supports the controls a compliant setup needs: encrypted traffic, access tied to a real identity, no public way in, an audit trail of who connected and when. I also keep the disk encryption on, never off. But the honest answer is that a tool supporting compliance is not the same thing as being signed off. Adding these pieces to the formal control set still needs that sign-off, and it is in progress, not done. I would rather say that plainly than claim a tick I have not earned yet.

So the box hums away in an empty room in Switzerland, posting the books to the cent, while I am on the other side of the world. Over-engineered holiday cover, or exactly the right amount. Ask me in September.

Monthly Revenues $11,000 | Clients 2 | Prospects (AI outbound agent now live)

Day 103 of 365.

Get the next build-in-public post by email

One short dispatch most days — the AI ops builds, what's working, what isn't. No spam.

← Day 102 All posts

Follow the BIP

AI Deployment as a Service. One workflow at a time.

Book 15 minutes. We see if your workflow is one we'd build.

Schedule a call