Compliance Coverage Matrix
Auditors do not want to learn Tetrapus internals. The compliance subsystem ships hand-curated control catalogs for the four most-cited frameworks plus six evidence collectors that map platform state onto those controls — so a customer's compliance team can self-serve their evidence pack instead of waiting on a vendor questionnaire response.
What we ship vs what we do not claim
We ship the control-coverage matrix and the evidence collectors so customers' auditors can self-serve. We do not claim certifications — formal SOC 2 Type II reports and FedRAMP ATOs are customer engagements that involve their auditor walking the boundary, not a vendor assertion. The platform makes the evidence-gathering step cheap; the audit itself is the customer's process.
Frameworks
| Framework | Catalog id | Controls shipped | Typical buyer |
|---|---|---|---|
| SOC 2 (TSC) | soc2 | 13 | SaaS B2B procurement |
| ISO/IEC 27001 | iso27001 | 12 | EU enterprise, ISMS-driven |
| FedRAMP Moderate | fedramp_mod | 12 | US federal civilian agencies |
| DoD IL4 | dod_il4 | 10 | DoD CUI workloads |
Catalogs are hand-curated, not generated. Each control carries a stable id within its framework (FedRAMP and IL4 both define AC-2 — ids are unique per framework, not globally), a title, a description quoting the source publication, and a category for grouping in the report.
Evidence collectors
Each Collector is I/O-free — it accepts pre-fetched inputs from the server crate and returns Evidence with status pass / fail / manual. The server's run engine wires DB queries to feed each collector and persists the result.
| Collector | What it checks | Sample controls covered |
|---|---|---|
| MfaRequiredCollector | All admin users have an enrolled MFA factor | SOC2 CC6.1, FedRAMP IA-2 |
| AuditChainIntegrityCollector | Audit hash chain is unbroken; latest attestation root verifies | SOC2 CC7.2, ISO A.12.4 |
| EncryptionAtRestCollector | All Orgs in scope have an active data-scope CMEK binding | FedRAMP SC-28, IL4 SC-28 |
| AccessReviewCollector | Periodic access review attestations recorded for every role | SOC2 CC6.3, FedRAMP AC-2 |
| KeyRotationCollector | No CMEK binding has gone > rotation_max_days without rotation | FedRAMP SC-12, IL4 SC-12 |
| LegalHoldCheckCollector | No deletion succeeded against a principal under an open hold | SOC2 CC8.1 |
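As an added example, not Tetrapus code, here is a KeyRotationCollector in the I/O-free shape described above: it takes pre-fetched CMEK binding rows plus the rotation_max_days limit and returns Evidence without touching the database. The struct and field names, the choice to return manual when no bindings are in scope, and the constructed timestamps are assumptions, not the project's API.

```rust
// Hypothetical collector (added example, not Tetrapus code). The server's run
// engine would fetch the rows and persist the returned Evidence into
// compliance_evidence; this function only evaluates the control.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Status { Pass, Fail, Manual }

#[derive(Debug, PartialEq)]
pub struct Evidence {
    pub control_id: &'static str,
    pub status: Status,
    pub detail: Vec<String>, // caller serialises this into the `evidence` JSONB column
}

/// Pre-fetched input row: one per CMEK binding in scope (assumed shape).
pub struct CmekBinding { pub org_id: String, pub key_id: String, pub rotated_at: u64 }

/// Everything the collector needs, gathered before the call (assumed shape).
pub struct KeyRotationInputs { pub now: u64, pub rotation_max_days: u64, pub bindings: Vec<CmekBinding> }

pub struct KeyRotationCollector;

impl KeyRotationCollector {
    pub fn collect(&self, input: &KeyRotationInputs) -> Evidence {
        const DAY: u64 = 86_400;
        // Nothing in scope: the collector cannot decide, so an auditor must.
        if input.bindings.is_empty() {
            return Evidence { control_id: "SC-12", status: Status::Manual,
                              detail: vec!["no CMEK bindings in scope".to_string()] };
        }
        let overdue: Vec<String> = input.bindings.iter()
            .filter(|b| {
                // saturating_sub: a clock-skewed rotated_at in the future counts as age 0.
                let age_days = input.now.saturating_sub(b.rotated_at) / DAY;
                age_days > input.rotation_max_days // strictly greater, matching "> rotation_max_days"
            })
            .map(|b| format!("{}/{} overdue", b.org_id, b.key_id))
            .collect();
        let status = if overdue.is_empty() { Status::Pass } else { Status::Fail };
        Evidence { control_id: "SC-12", status, detail: overdue }
    }
}
```

A binding rotated exactly rotation_max_days ago is still compliant; only the next whole day trips the check.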
Run lifecycle
REST routes
All routes are mounted under /api/v1/admin/compliance.
| Method + path | Returns |
|---|---|
| GET /admin/compliance/frameworks | Available frameworks + catalog sizes |
| POST /admin/compliance/runs | Start a new run for {framework, org_id} |
| GET /admin/compliance/runs/{id} | Run header + summary |
| GET /admin/compliance/runs/{id}/report.json | Machine-readable evidence list (audit ingestion) |
| GET /admin/compliance/runs/{id}/report.md | Markdown report rendered by ReportRenderer |
Tables

```sql
CREATE TABLE compliance_runs (
    id UUID PRIMARY KEY,
    framework TEXT NOT NULL CHECK (framework IN ('soc2','iso27001','fedramp_mod','dod_il4')),
    org_id UUID REFERENCES orgs(id) ON DELETE CASCADE,
    started_at TIMESTAMPTZ NOT NULL DEFAULT now(),
    finished_at TIMESTAMPTZ,
    summary JSONB
);

CREATE TABLE compliance_evidence (
    id UUID PRIMARY KEY,
    run_id UUID NOT NULL REFERENCES compliance_runs(id) ON DELETE CASCADE,
    control_id TEXT NOT NULL,
    status TEXT NOT NULL CHECK (status IN ('pass','fail','manual')),
    evidence JSONB NOT NULL,
    captured_at TIMESTAMPTZ NOT NULL DEFAULT now()
);

CREATE INDEX compliance_evidence_run_idx ON compliance_evidence(run_id);
```

Sample report
```shell
curl -H "Authorization: Bearer $TOKEN" \
  https://tetrapus.example.com/api/v1/admin/compliance/runs/$RUN_ID/report.md \
  -o acme-soc2-2026q2.md
# Renders one section per control: title, status, collector evidence,
# linked audit_log seq range. Hand to your auditor.
```

Related
- FIPS 140-3 — SC-12 / SC-28 prerequisite
- CMEK / BYOK — encryption-at-rest evidence
- JIT Elevation — AC-2 / CC6.3 evidence
- Legal Hold — CC8.1 evidence