
This is new to me, so I did a quick search for a few examples of such documents.

The very first result was a 404

https://aws.amazon.com/compliance/reports/

The jokes write themselves.




But how is this related to the internet being archivable? This sort of proves the point that URLs were always a terrible idea to reference in your compliance docs; the answer was always to get the actual docs.

IME compliance tools will take a doc and/or a link. What's acceptable is up to the auditor. IMO both a link and doc are best.

Links alone can be tempting as you've to reference the same docs or policies over and over for various controls.


Wayback machine URLs are much more likely to be stable.

Even if the content is taken down, changed or moved, a copy is likely to still be available in the Wayback Machine.


I would never rely on this vs just downloading the SOC2 reports, which almost always aren't public anyways and need to be requested explicitly. I suspect that that compliance page would have just linked to a bunch of PDF downloads or possibly even a "request a zip file from us after you sign an NDA" anyways.

I just want to clarify how extremely standard and often required it is to download and store your SOC2s and other such documents when going through compliance. You almost never can actually just link to a public pentest report or SOC2 etc, you almost always need to go through an NDA. It's just not really meaningful to say "but the web archive is reliable" when it's virtually never an actual option to begin with.


