
Compliance

Built for compliance from day one.

Cendriix is pre-beta with no customers in production yet. We are preparing for SOC 2 Type I (target Q3 2026), not Type II, and no auditor has been engaged. The platform is being designed to map workflows to HIPAA, PCI DSS, SOX, GDPR, CCPA, ISO 27001, and FedRAMP. No certification has been earned; the table below shows roadmap and in-progress work only.

Frameworks the platform is being built to support

The design goal: Cendriix collects, signs, and stores evidence continuously, not two weeks before the audit. Certifications will be published as each audit completes; none have been earned yet.

SOC 2 Type II (Trust Services)
CC6.1, CC6.6, CC7.2, CC8.1, +2 more controls
Pre-audit, SOC 2 Type I planned Q3 2026; no report issued

HIPAA (Healthcare)
§164.312(a)(1), §164.312(e)(2)(i), §164.308(a)(1), §164.308(a)(5)
On roadmap, BAA not yet available

PCI DSS v4.0 (Payment)
Req 2.2, Req 6.2, Req 8.2, Req 10.2, +1 more controls
On roadmap, not yet attested

SOX ITGC (Financial)
Change management, Access provisioning, Audit logging, Backup & recovery
Controls designed; not yet audited

GDPR (Privacy)
Art. 5, Art. 17, Art. 25, Art. 32, +1 more controls
DPA draft available on request, contact /contact?topic=dpa

CCPA (Privacy)
Right to know, Right to delete, Right to opt-out, Non-discrimination
Controls in design; not yet attested

ISO 27001:2022 (ISMS)
A.5.14, A.8.2, A.8.15, A.8.20, +1 more controls
On roadmap, audit not yet started

ISO 27017 (Cloud Security)
CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.12.1.5
On roadmap, planned jointly with ISO 27001

ISO 27018 (PII in Cloud)
A.1, A.5, A.9, A.10, +1 more controls
On roadmap, planned jointly with ISO 27001

FedRAMP Moderate (US Federal)
AC-2, AU-2, CM-6, IA-2, +1 more controls
Post-launch target, not yet started

What auto-mapping looks like (design preview)

Illustrative SOC 2 control layout. Compliance automation is on the roadmap, not shipped.

SOC 2 Type II · AICPA TSC
CC6.1
Logical and Physical Access Controls

The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.

Cendriix-collected evidence
Control: CC6.1, Logical Access Security (illustrative)
Evidence type: Access log sample + IAM policy export
Collected at: Example only, pre-beta
Collector: Planned compliance automation (not shipped)
Policy YAML hash: sha256:… (sample layout)
Log extract: [sample] iam.assumeRole … result=allow mfa=true
Signed by: Planned, orchestrator signing key
Status: Design preview, not live evidence

What happens when you change something material

Six steps from code change to re-attested evidence. Entirely automatic.

1. Code change is proposed (0 s)
A PR is opened or a config change is pushed. Cendriix intercepts it before it reaches your CI queue.

2. Cendriix re-maps affected controls (< 30 s)
The change is diffed against the compliance graph. Controls whose evidence depends on the changed component are flagged automatically.

3. Impacted evidence is flagged stale (< 30 s)
Evidence artefacts (log extracts, config snapshots, policy YAML hashes) that are now out-of-date are marked pending re-collection.

4. Evidence is re-collected (< 1 h)
Cendriix re-runs the evidence collectors for the affected controls: config probes, access-log samples, scan results, signed by the orchestrator key.

5. Auditor notified if the delta is material (< 1 h)
If a named auditor has a read-only seat in this workspace, they receive an in-product notification with a diff of what changed and the new evidence bundle.

6. Annual attestation refreshed (Next cycle)
The change is recorded in the attestation log. At the next renewal cycle, the auditor's evidence package is already current, with no frantic evidence-gathering sprint.

Auditor mode

What Cendriix does not do

Cendriix does not replace your Data Protection Officer, your legal counsel, or your external auditor. We make their jobs faster, by hours, in some cases by weeks. But the human judgement, the legal interpretation, and the final attestation signature remain yours.

Compliance frameworks change. Cendriix tracks public updates to NIST, AICPA, HHS, and ISO standards and alerts you when a control you rely on is revised. We do not interpret legal changes; we surface them with a recommendation and let your counsel decide.

Questions about our compliance roadmap?

We are building compliance in from day one and will share our progress plainly. Reach out to discuss our security posture, roadmap, or to request a DPA draft.