SuiteCRM and compliance

Hi there, SuiteCRM experts!

I’m an IT Manager in a new role at a new gig. I’ve used SugarCRM in the past, but it’s been many years since I’ve touched it.

My new organization is undergoing SOC 2 compliance audit preparation, and part of that is making certain that customer data and Personally Identifiable Information are protected in transit and at rest, that customer data is hard to leak, and that our access to that data is auditable.

We use SuiteCRM for sales opportunities as well as support tickets and I was looking to find best practices for securing our customer data, whether that be reconfiguring our CRM, adding 3rd party add-ons to help ensure things are safe and auditable, et cetera. We don’t store much there other than who the customer is, what thing they’ve bought, how to contact them (phones and emails), and their support ticket history.

I’m curious, what are you folks using to get SuiteCRM through your own SOC 2 or similar audits?
Are there good best-practice settings built in that I can look at implementing first off?
It looks like I’ll need an add-on to handle DB encryption - is that correct? (Are there any that anybody can recommend?)

My main concerns are that:
Transport and storage are encrypted.
User access is auditable.

Nice to have:
Multi-factor auth
Manager-bait reports for execs and auditors

Apologies if this isn’t the right place for the questions.
Really appreciate your insights and knowledge!