| Framework | Estimated effort | Summary | Built-in | Needs |
|---|---|---|---|---|
| SOC 2 Type II | 1–2 days | Most controls already implemented. Minimal gap. | Ed25519 signed audit log; RBAC (7 roles, 29 permissions); AES-256-GCM encryption; Backup/restore; PSK authentication; Policy engine | SAST in CI pipeline; Access review UI; Data retention policy doc |
| ISO 27001 | 2–3 days | Strong security foundation. Documentation gap only. | Vault (secrets management); Audit trail with signatures; Authentication & authorization; Encrypted transport (gRPC TLS); Approval workflow | Risk register (documentation); Incident response plan; SAST integration |
| HIPAA | 3–5 days | Self-hosted = you control the data. Air-gap capable. | Encryption at rest & in transit; Audit log (who accessed what); Access controls (RBAC); Self-hosted (no cloud dependency) | BAA template; PHI data classification; Breach notification procedure |
| GDPR | 2–3 days | Data sovereignty built-in — runs on your infrastructure. | Self-hosted (data stays on-prem); Audit log; Encryption | Data export API; Right-to-delete implementation; Privacy policy page |
| PCI DSS | 1–2 weeks | Requires SAST + DAST + quarterly scanning. | Encryption (AES-256-GCM); Signed audit trail; Strong authentication; Vault for secrets | SAST + DAST in pipeline; Network segmentation; Quarterly vulnerability scan; WAF for gRPC-Web |
| FedRAMP | 3–4 weeks | US government cloud. Highest bar — FIPS crypto required. | Audit log with signatures; RBAC & policy engine; Encryption; Air-gap capable | FIPS 140-2 crypto module; SAST + DAST + continuous monitoring; Third-party penetration test; System Security Plan (SSP) |