Cendriix is pre-beta with no customers in production yet. We are preparing for SOC 2 Type I (target Q3 2026), not Type II, and no auditor has been engaged. The platform is being designed to map workflows to HIPAA, PCI DSS, SOX, GDPR, CCPA, ISO 27001, and FedRAMP. No certification has been earned; the table below shows roadmap and in-progress work only.
The design goal: Cendriix collects, signs, and stores evidence continuously, not two weeks before the audit. Certifications will be published as each audit completes; none have been earned yet.
SOC 2 Type II · Trust Services
CC6.1, CC6.6, CC7.2, CC8.1, +2 more controls
Pre-audit, SOC 2 Type I planned Q3 2026; no report issued
DPA draft available on request, contact /contact?topic=dpa
CCPA · Privacy
Right to know, Right to delete, Right to opt-out, Non-discrimination
Controls in design; not yet attested
ISO 27001:2022 · ISMS
A.5.14, A.8.2, A.8.15, A.8.20, +1 more controls
On roadmap, audit not yet started
ISO 27017 · Cloud Security
CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.12.1.5
On roadmap, planned jointly with ISO 27001
ISO 27018 · PII in Cloud
A.1, A.5, A.9, A.10, +1 more controls
On roadmap, planned jointly with ISO 27001
FedRAMP Moderate · US Federal
AC-2, AU-2, CM-6, IA-2, +1 more controls
Post-launch target, not yet started
What auto-mapping looks like (design preview)
Illustrative SOC 2 control layout; compliance automation is on the roadmap, not shipped.
SOC 2 Type II · AICPA TSC
CC6.1
Logical and Physical Access Controls
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
Six steps from code change to re-attested evidence. Entirely automatic.
1. Code change is proposed · 0 s
A PR is opened or a config change is pushed. Cendriix intercepts it before it reaches your CI queue.
2. Cendriix re-maps affected controls · < 30 s
The change is diffed against the compliance graph. Controls whose evidence depends on the changed component are flagged automatically.
3. Impacted evidence is flagged stale · < 30 s
Evidence artefacts (log extracts, config snapshots, policy YAML hashes) that are now out-of-date are marked pending re-collection.
4. Evidence is re-collected · < 1 h
Cendriix re-runs the evidence collectors for the affected controls (config probes, access-log samples, scan results); the results are signed by the orchestrator key.
5. Auditor notified if the delta is material · < 1 h
If a named auditor has a read-only seat in this workspace, they receive an in-product notification with a diff of what changed and the new evidence bundle.
6. Annual attestation refreshed · Next cycle
The change is recorded in the attestation log. At the next renewal cycle, the auditor's evidence package is already current, with no frantic evidence-gathering sprint.
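Steps 2 to 4 above, sketched as an added example; this is not Cendriix code, and the page does not describe the product's implementation. The component paths, the key, and the use of HMAC-SHA256 as a stand-in for the orchestrator signature are assumptions; only the control IDs come from the page.

```python
import hashlib, hmac, json

# Constructed sample data: component paths and the key are hypothetical;
# only the control IDs (CC6.1, CC7.2, CC8.1) appear on the page.
ORCHESTRATOR_KEY = b"demo-key-not-for-production"
CONTROL_DEPS = {  # control -> components its evidence is derived from
    "CC6.1": {"iam/policy.yaml", "sso/config.json"},
    "CC7.2": {"logging/pipeline.yaml"},
    "CC8.1": {"ci/branch-protection.json", "iam/policy.yaml"},
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(record: dict) -> str:
    # Assumption: HMAC over canonical JSON stands in for the orchestrator key.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ORCHESTRATOR_KEY, body, hashlib.sha256).hexdigest()

def collect(control: str, components: dict) -> dict:
    """Step 4: snapshot the hash of every input a control depends on, then sign."""
    inputs = {c: digest(components[c]) for c in sorted(CONTROL_DEPS[control])}
    record = {"control": control, "inputs": inputs}
    return {**record, "sig": sign(record)}

def verify(evidence: dict) -> bool:
    record = {k: v for k, v in evidence.items() if k != "sig"}
    return hmac.compare_digest(evidence.get("sig", ""), sign(record))

def stale_controls(store: dict, components: dict) -> list:
    """Steps 2-3: stale = signature invalid or an input hash no longer matches."""
    stale = []
    for control, ev in store.items():
        current = {c: digest(components[c]) for c in CONTROL_DEPS[control]}
        if not verify(ev) or ev["inputs"] != current:
            stale.append(control)
    return sorted(stale)

def apply_change(store: dict, components: dict, path: str, new: bytes) -> list:
    """Apply one change and re-collect only the controls it made stale."""
    components[path] = new
    stale = stale_controls(store, components)
    for control in stale:
        store[control] = collect(control, components)
    return stale

def demo():
    components = {p: b"v1" for deps in CONTROL_DEPS.values() for p in deps}
    store = {c: collect(c, components) for c in CONTROL_DEPS}
    return apply_change(store, components, "iam/policy.yaml", b"v2"), store, components
```

Evidence edited after collection fails `verify` and is therefore reported stale on the next pass, so tampering and drift are handled by the same check.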
Auditor mode
Give your auditor a read-only seat. Not a spreadsheet.
Cendriix can provision a time-limited, read-only login for your external auditor. They see evidence bundles, signed and timestamped, organised by control. They can drill into any artefact: log samples, config snapshots, policy YAML, scan results. All inside Cendriix. No email threads. No “let me pull that screenshot for you”.
Industry benchmarks suggest SOC 2 evidence gathering typically takes 4–8 weeks when done manually. Cendriix is designed to eliminate that sprint by collecting evidence continuously, though we have not yet completed our own audit to validate this claim with real data.
Evidence collection automation is on the roadmap; design goal: immutable, signed artefacts
Auditor session is fully logged in your own audit trail
Access expires automatically at the end of the audit engagement
What Cendriix does not do
Cendriix does not replace your Data Protection Officer, your legal counsel, or your external auditor. We make their jobs faster, by hours, in some cases by weeks. But the human judgement, the legal interpretation, and the final attestation signature remain yours.
Compliance frameworks change. Cendriix tracks public updates to NIST, AICPA, HHS, and ISO standards and alerts you when a control you rely on is revised. We do not interpret legal changes; we surface them with a recommendation and let your counsel decide.
Questions about our compliance roadmap?
We are building compliance in from day one and will share our progress plainly. Reach out to discuss our security posture, roadmap, or to request a DPA draft.