Platform Architecture

Built for security teams
who treat compliance seriously

AISEC is an 8-service microservices platform with a multi-tenant security model, AI-powered compliance pipeline, and full API surface — designed for scale from day one.


How It Works

From onboarding to audit-ready in 6 steps

Most teams complete the first full compliance cycle in their first week.

01

Connect your organisation

Create your tenant, set your branding, invite your team with role assignments, and select which frameworks you're working towards. The onboarding wizard takes 5 steps.

02

Map your control landscape

Start from the pre-loaded ISO 27001:2022 Annex A library or import a bulk set of controls. Assign implementation status, responsible owner, and link to existing policies.

03

Generate and govern policies

Describe what you need in plain language — AISEC drafts a framework-aligned policy using Claude. Your team reviews, edits, and approves through the governance workflow.

04

Collect and score evidence

Upload files manually or connect integrations (AWS Config, GitHub, Jira) to auto-collect evidence. The quality scorer flags gaps before your auditor does.

05

Identify and close gaps

Run an AI gap analysis to get a prioritised remediation plan. Monitor drift daily and receive alerts before your compliance score drops below threshold.

06

Report and pass your audit

Generate audit packages, board reports, and framework scorecards. The immutable audit trail gives your auditor everything they need in one export.

Microservices Architecture

8 purpose-built services

Each service has a single responsibility, its own database schema, and deploys independently. Scale what you need, when you need it.

Auth Service

NestJS · PostgreSQL

Multi-tenant identity — JWT tokens, RBAC roles, OIDC federation, SCIM, API key management, billing, and webhooks.

  • JWT + httpOnly cookie session management
  • OIDC federation (Okta, Auth0, Azure AD)
  • SCIM auto-provisioning
  • RBAC: Owner / Admin / Editor / Viewer
  • Webhook delivery with HMAC-SHA256 signing
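The webhook signing listed above, shown from both ends as an added example (not AISEC's own code): the sender signs the raw body with HMAC-SHA256 and the receiver verifies it with a constant-time comparison. The header name, the `sha256=` prefix and the sample secret and payload are assumptions, not values documented on this page.

```python
# Added example, not AISEC's code: HMAC-SHA256 webhook signing (sender)
# and verification (receiver). Header name and prefix are assumed.
import hashlib
import hmac

SIGNATURE_HEADER = "X-Signature"  # assumed header name


def sign(secret: bytes, body: bytes) -> str:
    """Signature the sender attaches to an outgoing webhook delivery."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Receiver-side check. Verify the raw bytes exactly as received (never a
    re-serialised copy) and compare in constant time to avoid timing leaks."""
    expected = sign(secret, body)
    return hmac.compare_digest(expected, header_value)


def demo() -> tuple[bool, bool, bool]:
    secret = b"whsec_constructed_example"  # constructed sample secret
    body = b'{"event":"policy.published","policy_id":"pol_123"}'  # constructed
    headers = {SIGNATURE_HEADER: sign(secret, body)}

    genuine = verify(secret, body, headers[SIGNATURE_HEADER])
    # Body altered in transit: the signature no longer matches.
    tampered = verify(secret, body.replace(b"pol_123", b"pol_999"),
                      headers[SIGNATURE_HEADER])
    # Delivery signed with a different secret: rejected as well.
    wrong_key = verify(b"not-the-tenant-secret", body, headers[SIGNATURE_HEADER])
    return genuine, tampered, wrong_key
```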

Policy Service

NestJS · PostgreSQL

The compliance core — manages policies, controls, audits, gap analyses, supply chain, and the open policy library.

  • Policy lifecycle: draft → review → approved → published
  • ISO 27001:2022 Annex A control library (93 controls)
  • GraphQL API with DataLoader batching
  • Bulk policy import (CSV / JSON)
  • Audit programme and finding management

Risk Engine

NestJS · PostgreSQL

Comprehensive risk intelligence — 5×5 risk matrix, AI inventory, supply chain risk, and treatment workflow.

  • 5×5 likelihood/impact matrix with heat-map
  • AI-BOM generation with ISO 42001 mapping
  • Treatment workflow: accept / mitigate / transfer / avoid
  • Risk owner assignment and due-date tracking
  • Residual risk scoring post-treatment

Evidence Collector

FastAPI · Python · PostgreSQL

Multi-source evidence collection, quality scoring, review workflow, and integration management.

  • Integrations: AWS Config, GitHub, Jira, Confluence, Slack
  • Quality scoring: completeness, recency, specificity, relevance
  • Review queue with approve / reject / request-changes
  • Retention and expiry tracking
  • Evidence–control mapping

Monitoring Service

Go · Gin · PostgreSQL

Real-time compliance health scoring, drift detection, alert rules, and 90-day trend tracking.

  • Compliance drift detection with configurable thresholds
  • Alert rules: score drop, evidence expiry, drift exceeded
  • 90-day trend graphs per framework
  • Service health polling at 30-second intervals
  • Snapshot timeline for baseline comparisons

AI Orchestrator

FastAPI · Python · Redis · Claude

Claude-powered AI pipeline — policy generation, chat, gap analysis, threat intel, and async job queue.

  • Async job queue via Redis with worker pool
  • Policy generation in < 2 minutes using Claude
  • Multi-turn chat with control/policy context injection
  • Threat intelligence aggregation (MITRE, CISA, NVD)
  • Competitive benchmarking data pipeline

Notification Service

NestJS · Redis · PostgreSQL

Multi-channel notification delivery — email, Slack, Teams, and in-app — with preference management and delivery tracking.

  • Email via SMTP/SES with per-user preferences
  • Slack and Microsoft Teams integrations
  • In-app notification inbox
  • Delivery receipts and retry logic
  • Alert rule evaluation and fan-out

BFF (Next.js)

Next.js · TypeScript

The backend-for-frontend — routes API calls to the right microservice, injects auth headers, and serves the React UI.

  • API proxy rewrites to 7 backend services
  • httpOnly cookie auth — no tokens in localStorage
  • Authorization header injection on every proxied request
  • React Query for data fetching with SWR semantics
  • Server-side rendering for public marketing pages

Tech stack

Next.js · NestJS · FastAPI · Go / Gin · PostgreSQL · Redis · Docker · Claude AI

Security Model

We run ISO 27001 controls on ourselves

The platform you use to manage compliance is itself built on the same principles — defence in depth, least privilege, and zero implicit trust.

Row-Level Security

PostgreSQL RLS policies enforce tenant isolation at the database layer, so isolation does not depend on application-level filtering that could be bypassed to reach another tenant's data.

Zero-Trust Auth

httpOnly cookies prevent XSS token theft. The BFF injects Authorization headers server-side — browser JavaScript never touches a bearer token.

RBAC with 4 roles

Owner, Admin, Editor, Viewer — each with scoped permissions. Custom roles add granular read/write/admin grants per resource type.

Immutable Audit Trail

Every event is hash-chained so any modification is detectable. No user, including owners, can alter or delete audit log entries.
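How a hash-chained audit trail makes edits and deletions detectable, as an added example that is not AISEC's own implementation. Each entry's hash covers its sequence number, content and the previous entry's hash; the genesis anchor, field names and sample events are assumptions.

```python
# Added example, not AISEC's code: minimal hash-chained audit log with a
# verifier that locates the first entry where the chain breaks.
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # assumed anchor hash for the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    action: str
    prev_hash: str
    entry_hash: str


def _digest(seq: int, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always produce the same hash.
    payload = json.dumps([seq, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, actor: str, action: str) -> AuditEntry:
    prev = log[-1].entry_hash if log else GENESIS
    seq = len(log)
    entry = AuditEntry(seq, actor, action, prev, _digest(seq, actor, action, prev))
    log.append(entry)
    return entry


def verify(log: list) -> Optional[int]:
    """Return the seq of the first broken entry, or None if the chain is intact."""
    prev = GENESIS
    for expected_seq, e in enumerate(log):
        if e.seq != expected_seq or e.prev_hash != prev:
            return expected_seq  # gap, reordering or broken link
        if _digest(e.seq, e.actor, e.action, e.prev_hash) != e.entry_hash:
            return expected_seq  # content edited without recomputing the hash
        prev = e.entry_hash
    return None


def demo() -> tuple:
    log: list = []
    for actor, action in [("alice", "policy.approved"), ("bob", "control.updated"),
                          ("alice", "evidence.uploaded")]:  # constructed events
        append(log, actor, action)
    intact = verify(log)
    # Edit entry 1 in place: its stored hash no longer matches its content.
    edited = [log[0], AuditEntry(1, "bob", "control.deleted", log[1].prev_hash,
                                 log[1].entry_hash), log[2]]
    # Edit entry 1 and recompute its hash: entry 2's prev_hash now mismatches.
    h = _digest(1, "bob", "control.deleted", log[0].entry_hash)
    rehashed = [log[0], AuditEntry(1, "bob", "control.deleted", log[0].entry_hash, h), log[2]]
    # Delete entry 1: the sequence and link from entry 2 both break.
    deleted = [log[0], log[2]]
    return intact, verify(edited), verify(rehashed), verify(deleted)
```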

TLS 1.3 everywhere

All external and internal service communication is enforced over TLS 1.3 at minimum. mTLS between microservices is coming in Q2 2025.

API key security

Keys are hashed with bcrypt at creation — the secret is shown once and cannot be retrieved. Scoped per endpoint with configurable expiry.

Deployment Options

Run it where you need it

AISEC Cloud (SaaS)

Recommended

Fully managed — we handle infra, updates, backups, and uptime. 99.9% SLA. Available immediately.

Self-hosted (Docker)

Available now

Run all 8 services with a single docker compose up. Ideal for teams with data residency requirements.

Kubernetes (Helm)

Planned

Production-grade K8s deployment with Helm charts, HPA configuration, and PodDisruptionBudgets. Coming Q3 2025.

See the platform live

Start a free trial — no credit card, no setup call. Have your first controls mapped and policy drafted within the hour.
