Compliance, done in weeks. Not months.
We don't sell you software and walk away. SOC 2, HIPAA, ISO 27001, PCI DSS, GDPR and more — wired into the platform we host for you, with our team doing the work. You ship the product. We ship the audit.
Why us, not Vanta
Four reasons we ship audits faster
We do the work
Vanta and Drata sell software and you do the work. We do the work. You get a managed service that delivers your audit, not another SaaS to learn.
Done in weeks, not months
SOC 2 Type I in 4–6 weeks. HIPAA-ready in 3–5. ISO 27001 Stage 1 in 8–12. We've automated the busywork so you spend hours, not weeks, on compliance.
Built into your platform
We host you, we operate you, we make you compliant. One vendor, one contract, one throat to choke when something breaks.
No SaaS lock-in
Evidence lives in your cloud accounts. Policies live in your repo. Cancel any time and walk away with everything — no platform to migrate off.
Most-requested frameworks
Pick a framework, see the plan
Setup gets you to the report. The retainer keeps you compliant year-round.
SOC 2
Service organizations and SaaS
The de facto trust signal for B2B SaaS. We get you from zero to the start of your Type II observation window in weeks; the window itself (typically 3–12 months) then runs on your auditor's calendar.
HIPAA
Health tech, telehealth, digital therapeutics
PHI handling done right. BAA, Security Rule, Privacy Rule, and Breach Notification — all wired up.
ISO 27001
Global SaaS and enterprise
The international standard for information security management systems (ISMS). Frequently a hard requirement in EU enterprise procurement.
PCI DSS
Anyone storing, processing, or transmitting cardholder data
PCI DSS v4.0.1 done right. We scope your cardholder data environment (CDE) narrowly so you don't pay for compliance you don't need.
GDPR
Anyone processing EU/UK personal data
EU/UK personal data protection. Records of processing (ROPA, Art. 30), processor agreements (DPAs, Art. 28), impact assessments (DPIAs, Art. 35), security of processing (Art. 32), and breach notification (Arts. 33 and 34), all wired up.
And 9 more frameworks
Government, healthcare, AI, fintech — if there's a framework you need, talk to us.
NIST CSF
Voluntary framework increasingly written into federal supply-chain requirements. CSF 2.0 added the Govern function alongside Identify, Protect, Detect, Respond, and Recover.
NIST 800-53
The full federal control catalog (NIST SP 800-53). The control baselines behind FedRAMP, used by federal agencies and their contractors.
NIST 800-171
Required for DoD contractors handling Controlled Unclassified Information (CUI). Rev. 3 is published, but DoD has kept CMMC assessments on Rev. 2 through a DFARS class deviation, so confirm which revision your contract cites before we scope.
CMMC
CMMC 2.0 Level 2 is NIST SP 800-171 assessed either by self-assessment or, for most contracts, by a certified third-party assessor (C3PAO). Being phased into DoD contracts.
FedRAMP
The big one. A 12–18 month effort and a six-figure investment. We only take FedRAMP work via direct conversation.
HITRUST
The certification large health systems and payers most often require of their vendors. Built on the HITRUST CSF, which maps to HIPAA, NIST, and ISO controls.
ISO 42001
The first AI Management System standard. Increasingly asked for by enterprise AI buyers.
CCPA
California consumer privacy. Often bundles cleanly with GDPR — most controls overlap.
Custom
Have an industry-specific framework we don't list? Tell us what you need and we'll scope it.
What's included
Every add-on ships with the same foundation
Pick a framework above to see what's specific to that one. Below is what comes standard, on every engagement.
Pre-mapped control libraries
Every framework comes with a pre-built control catalog mapped to your specific cloud (AWS, Azure, GCP) and tooling.
Continuous evidence collection
Automated control tests run hourly. Evidence is gathered, tagged, and timestamped — no screenshot scavenger hunts.
All policies drafted for you
Information Security, Acceptable Use, Incident Response, Change Management, BCP/DR: written, version-controlled in your repo, and acknowledged by staff, with the acknowledgements recorded as evidence.
Quarterly access reviews
Vendor inventory, access reviews, risk assessments — scheduled, assigned, completed, and evidenced.
Auditor portal + intros
We have working relationships with vetted, fixed-fee auditors. They review evidence in our portal — no email back-and-forth.
Drift remediation included
When a control fails, our team fixes it. You don't get an alert and a help article — you get a closed ticket.
Stack frameworks, save money
Your second framework is 60–80% cheaper
Most controls overlap across frameworks. SOC 2 evidence covers most of ISO 27001 (~80%), most of HIPAA (~65%), and a chunk of GDPR (~40%). Once we've built one program for you, adding the next is a fraction of the work and cost.
Frequently asked questions
Framework-specific questions live on each sub-page.
How is this different from Vanta or Drata?
Those are SaaS tools. You buy a license, log in, and do the work yourself: write your own policies, configure your own integrations, chase your own evidence, prep for your own audit. We are a managed service. We do all of that for you. The platform we ship is the byproduct, not the product.
How long does it take?
Depends on the framework. SOC 2 Type I in 4–6 weeks. HIPAA-ready in 3–5 weeks. ISO 27001 Stage 1 in 8–12 weeks. PCI DSS AOC in 6–10 weeks. GDPR Article 30 ready in 3–4 weeks. The retainer kicks in immediately so you stay compliant without a re-engagement.
Do we have to host with you?
Strongly preferred but not required. If we host you, we have direct access to evidence sources and can move much faster. If you self-host, we still wire it up; we just need a scoped read-only role in your cloud accounts and read access to your dev tooling, never admin credentials. Hosting + compliance is the cleanest setup; that's why we recommend it.
Can we add a second framework later?
Yes, and the second framework is dramatically cheaper than the first. SOC 2 evidence covers ~80% of ISO 27001, ~65% of HIPAA, ~40% of GDPR. Once we've built one, adding the next is a fraction of the work. The "Stack frameworks" section above shows our overlap estimates.
What does the retainer cover?
Continuous control monitoring, evidence refresh, quarterly access reviews, policy updates, vendor re-assessments, drift remediation, and on-call audit support. You stay audit-ready year-round, not just before the next renewal. Cancel any time; you keep everything.
What happens if we cancel?
Cancel any time. All evidence lives in your cloud accounts and your repo, all policies live in your repo, all integrations are tied to your accounts. We hand you a transition packet. Our auditor portal is only a window onto evidence that already lives in your accounts; nothing you need to stay compliant depends on it. That's the point.
What's not included?
The audit fee itself (paid directly to your auditor; we don't mark it up, and we negotiate fixed-fee quotes from our auditor network). Hardware purchases (laptops, MDM licenses). Penetration testing for PCI DSS (Requirement 11.4; we coordinate it but the pentest firm bills separately). Anything outside the framework's scope, e.g., we don't do tax audits or HR investigations.
Tell us your framework and your timeline.
We'll scope the work, give you a fixed price, and have you audit-ready in weeks. No SaaS demos. No annual contracts.