Skip to main content

Compliance Frameworks

Proofarc automatically maps your test results, scan findings, and engineering practices to compliance framework controls. No manual evidence collection.

Supported Frameworks

FrameworkControlsFocus
SOC 2 Type IICC6.1, CC7.1, CC7.2, CC8.1Access control, vulnerability management, monitoring, change management
PCI-DSS v4.0Req 6.2, 6.3, 8.2, 11.2Secure development, vulnerability remediation, authentication, scanning
ISO 27001:2022A.8.5, A.8.8, A.8.25, A.8.29, A.8.32Authentication, vulnerability management, secure SDLC, testing, change mgmt
NIST SSDFPO.1, PW.7, PW.8, RV.1, RV.2Security requirements, code review, testing, vulnerability identification

How It Works

  1. You run tests and scans — API tests, security scans, performance tests
  2. Evidence auto-maps — each result maps to applicable controls across ALL frameworks simultaneously
  3. Compliance scored — per-framework score computed from control evaluation
  4. Gaps identified — specific controls that need attention, with remediation guidance
  5. Release gate — APPROVED or BLOCKED based on minimum framework thresholds

Example

A security scan finding zero critical vulnerabilities simultaneously satisfies:

  • SOC 2 CC7.1 (vulnerability management)
  • PCI-DSS Req 11.2 (vulnerability scanning)
  • ISO 27001 A.8.8 (technical vulnerability management)
  • NIST SSDF RV.1 (identify vulnerabilities)

One scan, four frameworks, one piece of evidence.

Evidence Freshness

Compliance evidence decays over time. A scan from yesterday is stronger evidence than one from 90 days ago. When evidence goes stale, the control status transitions from MET to STALE, prompting re-execution.

API

# Evaluate compliance for an application
curl -s -X POST -H "Authorization: Bearer $TOKEN" \
http://readiness:8082/api/readiness/compliance/1

Returns per-framework scores, control statuses, drift alerts, and release gate decision.