Compliance Frameworks
Proofarc automatically maps your test results, scan findings, and engineering practices to compliance framework controls. No manual evidence collection.
Supported Frameworks
| Framework | Controls | Focus |
|---|---|---|
| SOC 2 Type II | CC6.1, CC7.1, CC7.2, CC8.1 | Access control, vulnerability management, monitoring, change management |
| PCI-DSS v4.0 | Req 6.2, 6.3, 8.2, 11.2 | Secure development, vulnerability remediation, authentication, scanning |
| ISO 27001:2022 | A.8.5, A.8.8, A.8.25, A.8.29, A.8.32 | Authentication, vulnerability management, secure SDLC, testing, change mgmt |
| NIST SSDF | PO.1, PW.7, PW.8, RV.1, RV.2 | Security requirements, code review, testing, vulnerability identification |
How It Works
- You run tests and scans — API tests, security scans, performance tests
- Evidence auto-maps — each result maps to applicable controls across ALL frameworks simultaneously
- Compliance scored — per-framework score computed from control evaluation
- Gaps identified — specific controls that need attention, with remediation guidance
- Release gate — APPROVED or BLOCKED based on minimum framework thresholds
Example
A security scan finding zero critical vulnerabilities simultaneously satisfies:
- SOC 2 CC7.1 (vulnerability management)
- PCI-DSS Req 11.2 (vulnerability scanning)
- ISO 27001 A.8.8 (technical vulnerability management)
- NIST SSDF RV.1 (identify vulnerabilities)
One scan, four frameworks, one piece of evidence.
Evidence Freshness
Compliance evidence decays over time. A scan from yesterday is stronger evidence than one from 90 days ago. When evidence goes stale, the control status transitions from MET to STALE, prompting re-execution.
API
# Evaluate compliance for an application
curl -s -X POST -H "Authorization: Bearer $TOKEN" \
http://readiness:8082/api/readiness/compliance/1
Returns per-framework scores, control statuses, drift alerts, and release gate decision.