Your auditors need your secrets.
Audit-ready compliance outcomes, engineered like software. Bring your framework—we return verifiable evidence, mapped controls, and a signed report. Your data never persists on our side.
Infra snapshot ingested into an air-gapped, single-tenant workspace.
Controls pinned to your framework. Same inputs → same output, every run.
Evidence returned as a signed report. Workspace is shredded on completion.
framework: SOC 2 · TYPE II
controls: 127 / 127 mapped
evidence: 48 artifacts signed
retention: 0.0 MB · purged
Built for every serious framework · BYOF supported
Three structural flaws keep modern teams stuck in a 1990s audit cycle — manual, subjective, and dangerously over-permissioned.
Traditional audits require long-term access to production data, credentials, and infrastructure. That access itself becomes a compliance liability.
of breach-driven penalties involve third-party access
Subjective audit methods produce non-reproducible results. Same infrastructure, different findings — because every auditor interprets controls differently.
variance observed between independent audit findings
Annual re-audits discard prior context. You pay, again, for someone to learn your environment from scratch — instead of diffing what changed.
higher cost vs. delta-only reassessments
CPLT runs every engagement through the same deterministic pipeline. Your infrastructure is never exposed. Your evidence is never stored. Your report is signed and reproducible.
No shared infrastructure, no lingering sessions. Each engagement spins up an isolated environment — cryptographically sealed, scoped to a single run, destroyed on completion.
Your raw evidence is mapped to framework controls through a rule-based, reproducible pipeline. No junior-auditor interpretation. No subjective grading. Just verifiable, diff-able output.
The signed Architect Report contains everything your auditor or board needs. The raw evidence, credentials, and workspace are cryptographically shredded before hand-off. Nothing persists on our side.
Every engagement produces a single, signed deliverable: the CPLT Architect Report. It is the finished artifact your board, regulator, or customer needs — not a dashboard you have to operate.
Framework-aligned control mapping, severity-weighted risk scoring, and audit-ready narrative sections — ready to submit.
Prioritized roadmap with implementation specs. Every finding ships with the exact fix, verifiable post-remediation.
Every artifact is cryptographically signed. Regulators and counter-parties can verify authenticity without contacting CPLT.
architect-report_soc2_ACME.pdf · SIGNED ✓
FINDING · CTRL-IAM-04
framework: SOC 2 CC6.3
iso map: A.5.15 / A.8.2
evidence: 3 artifacts
status: open · priority 1
REMEDIATION · DETERMINISTIC
Your evidence is destroyed before the report ships. Not a policy — an architectural guarantee with a verifiable shred log.
Rule-based control mapping means two runs produce byte-identical output. Findings are reproducible by design.
SOC 2, ISO 27001, HIPAA, PCI — or your internal control set. CPLT maps your evidence to your chosen framework, not ours.
Infrastructure operated from the EU with GDPR-native processing boundaries. Data residency is a design choice, not a checkbox.
Every artifact in the Architect Report carries a cryptographic signature. Third parties verify authenticity without a single CPLT call.
Every engagement is reviewed by a senior practitioner. No junior auditor interpretation, no outsourced review queues.
Most compliance products force you to adopt their control taxonomy. CPLT inverts that. Supply any framework — public, private, contractual, or bespoke — and the pipeline maps to it deterministically.
DROP-IN FRAMEWORK
Upload your control set as JSON, XLSX, or PDF. CPLT parses and pins every control to your raw evidence.
CROSS-MAPPING
One engagement can produce multiple mapped reports — SOC 2 and ISO 27001 simultaneously, from the same evidence.
SECURITY & PRIVACY
REGULATED INDUSTRIES
DATA PROTECTION
YOUR OWN RULES
DON’T SEE YOURS?
If you can express your controls in text, CPLT can map them. Send your framework — we’ll confirm fit within 48 hours.
Supported frameworks include SOC 2 Type II, ISO/IEC 27001:2022, ISO/IEC 27701, HIPAA, GDPR, PCI DSS v4.0, NIST CSF 2.0, NIS 2, CIS Controls v8, HITRUST CSF, Custom Control Set, Internal Policy.
CPLT is a third category: a productized, deterministic audit engagement. Priced per outcome, not per seat, not per hour.
CPLT: Productized engagement
Compliance SaaS: Vanta / Drata / etc.
Traditional audit: Big-4 / boutique
Every engagement ships with a signed Project Anchor — a cryptographic fingerprint of your environment’s control state. The next assessment runs a delta, not a full re-audit. You pay for what changed, not for what already passed.
1× · First engagement: full scope
0.2–0.4× · Follow-ups: delta only
−60% · Typical reassessment time
DELTA ANALYSIS · PROJECT ANCHOR
checked: 127
unchanged: 118
changes: 9
Only 9 controls need reassessment. Your next engagement is priced accordingly.
Three non-negotiables that define how every CPLT engagement runs.
ARCHITECT-VALIDATED
Every finding is reviewed and signed by an engagement architect — not a junior analyst running a checklist tool. If it’s in your report, a senior practitioner staked their name on it.
SOVEREIGN INFRASTRUCTURE
CPLT operates on EU-resident compute with cryptographically enforced data boundaries. No transatlantic transfers, no standard-contractual-clause gymnastics, no legal hedge.
TRANSPARENT ENGAGEMENT
One engagement, one price, one signed deliverable. No per-seat licensing, no SKU stacking, no auto-renewed subscription paying for access to your own compliance history.
Still unsure? Scope a 30-minute technical call with the engagement architect. No sales layer.
READY WHEN YOU ARE
No sales engineers. No decks. Just the architect who will run your engagement, scoping the framework and environment directly with you.