Technical Overview

How Proveably Works

Compliance through evidence, not attestation. We continuously prove your organisation's adherence to SOC 2, ISO 27001, HIPAA, and PCI DSS through quantitative, machine-verified evidence.

The Closed Loop

The platform operates as a closed loop: scans produce findings, findings map to framework controls, controls accumulate evidence, evidence determines compliance status, gaps trigger remediation — and the cycle repeats continuously. Every control in every framework either has proof or a clear gap.

graph TB
  subgraph Inputs["Evidence Sources"]
    SC["Security Scans"]
    PO["Policies & Rules"]
    CL["Cloud Posture / CSPM"]
    CM["Change Management"]
    TR["Training Completion"]
    VR["Vendor Assessments"]
    IN["Incident Response"]
    BC["Business Continuity Tests"]
    HR["HRIS Employee Data"]
    MU["Manual Uploads"]
  end
  subgraph Engine["Compliance Intelligence Engine"]
    MAP["Framework Mapping"]
    CE["Control Status Calculator"]
    EV["Evidence Store"]
    TH["Thresholds & Exceptions"]
  end
  subgraph Outputs["Unified Compliance View"]
    DASH["Live Dashboard"]
    AP["Auditor Portal"]
    TC["Trust Center"]
    REP["PDF / ZIP Reports"]
    WH["Slack / Teams / Email Alerts"]
  end
  SC --> MAP
  PO --> CE
  CL --> MAP
  CM --> EV
  TR --> EV
  VR --> CE
  IN --> EV
  BC --> EV
  HR --> CE
  MU --> EV
  MAP --> CE
  EV --> CE
  TH --> CE
  CE --> DASH
  CE --> AP
  CE --> TC
  CE --> REP
  CE --> WH

10 Evidence Sources

Security scans, cloud posture, policies, training, vendor assessments, incidents, change management, business continuity, HR data, and manual uploads all feed into one engine.

4 Framework Mappings

SOC 2, ISO 27001, HIPAA, and PCI DSS controls are mapped from YAML configuration. A single finding can satisfy controls across multiple frameworks simultaneously.

5 Output Channels

Live dashboard, read-only auditor portal, public trust center, downloadable reports, and real-time webhook alerts to Slack, Teams, and email.


Security Scanning

When you run a scan, 12+ security tools execute in parallel against your target. Each tool's findings are tagged with the compliance controls they prove or disprove. You select which frameworks to evaluate against — a single scan generates evidence for dozens of controls across all selected frameworks simultaneously.

flowchart LR
  subgraph Scan["Scan Execution"]
    T["Target URL or Code"]
    TOOLS["Parallel Tools\nNmap, Nuclei, Nikto,\nSSLyze, Trivy, Semgrep,\nGitleaks, SQLMap..."]
    F["Findings\nseverity + control codes"]
  end
  subgraph Mapping["Framework Mapping"]
    S2["SOC 2\nCC6.1, CC6.7, CC7.1..."]
    ISO["ISO 27001\nA.8.3, A.8.9, A.8.24..."]
    HIP["HIPAA\n§164.312(a), §164.312(e)..."]
    PCI["PCI DSS\nReq 1, Req 2, Req 6..."]
  end
  subgraph Result["Per-Control Outcome"]
    EFF["EFFECTIVE\nClean scan = evidence"]
    FAIL["NOT_EFFECTIVE\nCritical/high findings"]
    RISK["UNDER_REVIEW\nMedium findings"]
  end
  T --> TOOLS
  TOOLS --> F
  F --> S2
  F --> ISO
  F --> HIP
  F --> PCI
  S2 --> EFF
  S2 --> FAIL
  S2 --> RISK
  ISO --> EFF
  HIP --> EFF
  PCI --> FAIL

Supported Security Tools

Each tool, what it tests, and the SOC 2 criteria its results are mapped to:

  • Nmap: network & port scanning (CC6.1, CC7.1)
  • Nuclei: template-based vulnerability scanner (CC6.1, CC6.8, CC7.1)
  • Nikto: web server vulnerabilities (CC6.8, CC7.1)
  • SSLyze: SSL/TLS configuration (CC6.7)
  • Trivy: container & dependency scanning (CC6.8)
  • Semgrep: static code analysis (CC6.1, CC7.1)
  • Gitleaks: secret detection (CC6.1, CC6.7)
  • SQLMap: SQL injection testing (CC6.1)
  • FFuf: directory fuzzing (CC6.1, CC7.1)
  • Gobuster: directory brute-forcing (CC6.1, CC7.1)
  • Subfinder: subdomain enumeration (CC6.6)
  • HTTPX: HTTP analysis & probing (CC7.2)

How Mapping Works

Each framework has a YAML configuration that defines which tools produce evidence for which controls. When a tool runs clean, it produces positive evidence for those controls. When it finds issues, it produces findings that degrade the control's status. A clean run is positive evidence only for what that tool actually tests, so a control's evidence is only as complete as the set of mapped tools that ran against the target.

# soc2_mappings.yaml
- code: "CC6.7"
  description: "Transmission Data Protection"
  tools: ["sslyze", "testssl", "nuclei", "nmap"]

- code: "CC6.1"
  description: "Logical Access Security"
  tools: ["nmap", "nuclei", "nikto", "zap"]

The Compliance Engine

Every framework control goes through the same evaluation. The engine gathers all inputs — open findings, active exceptions, uploaded evidence, and threshold configuration — then calculates whether the control is operating effectively. This runs after every scan, policy check, and evidence upload.

stateDiagram-v2
  [*] --> PENDING_EVIDENCE: Control activated
  PENDING_EVIDENCE --> EFFECTIVE: Evidence uploaded + no critical/high findings
  PENDING_EVIDENCE --> NOT_EFFECTIVE: Critical/high findings detected
  EFFECTIVE --> NOT_EFFECTIVE: New critical/high finding
  EFFECTIVE --> UNDER_REVIEW: Medium findings detected
  NOT_EFFECTIVE --> COMPENSATING: Compensating control approved
  NOT_EFFECTIVE --> EFFECTIVE: Findings remediated + evidence refreshed
  UNDER_REVIEW --> EFFECTIVE: Findings resolved
  UNDER_REVIEW --> NOT_EFFECTIVE: Severity escalated
  COMPENSATING --> EFFECTIVE: Root cause fixed
  EFFECTIVE --> PENDING_EVIDENCE: Evidence older than 90 days

Control Effectiveness Levels

Effective 100%

Control is operating with valid evidence and no critical or high findings. This is the target state.

Compensating 100%

Findings exist but are mitigated by an approved compensating control. Scores the same as effective. Expect an auditor to ask for the compensating control's own evidence and for a plan to fix the root cause; the state is meant to be temporary, and the control only returns to Effective once the underlying findings are remediated.

Partially Effective 50%

Some evidence exists and some gaps remain. The control is operating but not at full confidence.

Under Review 25%

Medium-severity findings have been detected. Investigation is needed to determine if the control is at risk.

Pending Evidence 10%

No evidence has been uploaded or existing evidence has expired (older than 90 days). Scan or upload required.

Not Effective 0%

Critical or high-severity findings are open. The control is failing and requires immediate remediation.

What the Engine Evaluates

For each control, the engine gathers four inputs and produces a status with a rationale:

Open Findings

Critical and high findings cause immediate failure. Medium findings trigger review.

Active Exceptions

Risk acceptances, compensating controls, and not-applicable designations.

Uploaded Evidence

Documents, scan artifacts, and automated proof. Must be less than 90 days old.

Severity Thresholds

Configurable per-tool, per-severity thresholds determine what counts as a failure.
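The evaluation described above (the tool-to-control mapping from soc2_mappings.yaml, the four inputs the engine gathers, and the effectiveness levels) as an added worked example in Python. This is illustrative code written for this page, not Proveably's engine. The mapping is held as Python dicts in the shape of the YAML to avoid a YAML dependency; the ISO 27001 entry, the threshold semantics (a count of open findings at a severity), the priority order when several conditions hold at once, and every sample finding, evidence date and exception are assumptions.

```python
"""Added example: per-control status from findings, exceptions, evidence age and
thresholds, then a per-framework score. Not the platform's code; see lead-in."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EVIDENCE_MAX_AGE = timedelta(days=90)
# Score per effectiveness level, as listed on the page.
SCORES = {"EFFECTIVE": 100, "COMPENSATING": 100, "PARTIALLY_EFFECTIVE": 50,
          "UNDER_REVIEW": 25, "PENDING_EVIDENCE": 10, "NOT_EFFECTIVE": 0}
# Assumed semantics: number of open findings at a severity needed to trigger.
DEFAULT_THRESHOLDS = {"critical": 1, "high": 1, "medium": 1}

# Same shape as soc2_mappings.yaml; the ISO 27001 entry is constructed.
MAPPINGS = {
    "SOC 2": [
        {"code": "CC6.7", "tools": ["sslyze", "testssl", "nuclei", "nmap"]},
        {"code": "CC6.1", "tools": ["nmap", "nuclei", "nikto", "zap"]},
    ],
    "ISO 27001": [{"code": "A.8.24", "tools": ["sslyze", "nmap"]}],
}

@dataclass
class Finding:
    tool: str
    severity: str            # critical | high | medium | low | info
    title: str
    resolved: bool = False

@dataclass
class ControlException:
    control: str
    kind: str                # compensating | risk_accepted | not_applicable
    finding_title: Optional[str] = None   # a risk acceptance covers one finding
    approved: bool = True

@dataclass
class Evidence:
    control: str
    collected: date

@dataclass
class ControlResult:
    code: str
    status: str
    rationale: str

def evaluate_control(code, tools, findings, exceptions, evidence, today,
                     thresholds=DEFAULT_THRESHOLDS):
    """Return the status of one control from the engine's four inputs."""
    active = [e for e in exceptions if e.control == code and e.approved]
    if any(e.kind == "not_applicable" for e in active):
        return ControlResult(code, "NOT_APPLICABLE", "excluded by approved exception")
    accepted = {e.finding_title for e in active if e.kind == "risk_accepted"}
    # Only open findings from tools mapped to this control count against it.
    open_findings = [f for f in findings
                     if f.tool in tools and not f.resolved and f.title not in accepted]
    counts = {}
    for f in open_findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    def over(sev):
        return counts.get(sev, 0) >= thresholds.get(sev, 1)
    # Assumed priority: critical/high findings, then evidence freshness, then medium.
    if over("critical") or over("high"):
        n = counts.get("critical", 0) + counts.get("high", 0)
        if any(e.kind == "compensating" for e in active):
            return ControlResult(code, "COMPENSATING",
                                 f"{n} critical/high finding(s) covered by approved compensating control")
        return ControlResult(code, "NOT_EFFECTIVE", f"{n} open critical/high finding(s)")
    fresh = [ev for ev in evidence
             if ev.control == code and today - ev.collected <= EVIDENCE_MAX_AGE]
    if not fresh:
        return ControlResult(code, "PENDING_EVIDENCE", "no evidence newer than 90 days")
    if over("medium"):
        return ControlResult(code, "UNDER_REVIEW", f"{counts['medium']} open medium finding(s)")
    return ControlResult(code, "EFFECTIVE",
                         f"{len(fresh)} fresh evidence item(s), no open critical/high findings")

def evaluate_framework(framework, findings, exceptions, evidence, today):
    """Evaluate every mapped control; the framework score is the mean control score."""
    results = [evaluate_control(m["code"], m["tools"], findings, exceptions, evidence, today)
               for m in MAPPINGS[framework]]
    scored = [SCORES[r.status] for r in results if r.status in SCORES]
    return results, (round(sum(scored) / len(scored)) if scored else 0)

# Constructed sample input: one high TLS finding, one medium web finding,
# fresh evidence for CC6.7 and A.8.24, expired (137-day-old) evidence for CC6.1.
TODAY = date(2025, 6, 1)
SAMPLE_FINDINGS = [Finding("sslyze", "high", "TLS 1.0 enabled on :443"),
                   Finding("nikto", "medium", "Server header discloses version")]
SAMPLE_EVIDENCE = [Evidence("CC6.7", date(2025, 5, 20)), Evidence("CC6.1", date(2025, 1, 15)),
                   Evidence("A.8.24", date(2025, 5, 25))]

def demo(exceptions=()):
    """{framework: ({control: status}, score)} for the sample, with optional exceptions."""
    out = {}
    for fw in MAPPINGS:
        results, score = evaluate_framework(fw, SAMPLE_FINDINGS, list(exceptions),
                                            SAMPLE_EVIDENCE, TODAY)
        out[fw] = ({r.code: r.status for r in results}, score)
    return out

if __name__ == "__main__":
    print(demo())
    print(demo([ControlException("CC6.7", "compensating")])["SOC 2"])
```

Two things the sample makes visible: the same sslyze finding fails CC6.7 and A.8.24 at once, because both list sslyze, and an exception is scoped to one control, so accepting the risk on CC6.7 does not silence A.8.24.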


Evidence Collection

Evidence flows into the platform from multiple pathways and is linked to the specific framework controls it supports. All evidence is stored in S3 with full audit trail. Evidence expires after 90 days — forcing continuous collection through recurring scans and fresh uploads.

flowchart TB
  subgraph Auto["Automated Evidence"]
    SCAN_CLEAN["Clean Scan Results\nNo critical findings = proof"]
    SCAN_FIND["Scan Findings JSON\nMachine-readable detail"]
    POLICY_PASS["Policy Check Pass\nMFA enabled, encryption on"]
    TRAIN_DONE["Training Completion\nQuiz passed = awareness proof"]
    GIT_COMMIT["Signed Commits\nBranch protection verified"]
  end
  subgraph Manual["Manual Evidence"]
    UPLOAD["File Upload\nPen test reports, certificates,\nSOC 2 reports, contracts"]
  end
  subgraph Store["Evidence Store"]
    S3["S3 — Versioned, Encrypted"]
    META["Metadata\ncriteria, mapped_criteria,\nuploaded_by, expires"]
  end
  subgraph Link["Control Linkage"]
    PRIMARY["Primary Control\ne.g. CC6.1"]
    SECONDARY["Mapped Controls\ne.g. CC6.2, A.8.3"]
  end
  SCAN_CLEAN --> S3
  SCAN_FIND --> S3
  POLICY_PASS --> S3
  TRAIN_DONE --> S3
  GIT_COMMIT --> S3
  UPLOAD --> S3
  S3 --> META
  META --> PRIMARY
  META --> SECONDARY
  PRIMARY --> CE["Compliance Engine\nrecalculates status"]
  SECONDARY --> CE

Automatic Evidence

  • Clean scan artifacts — when a tool finds no critical issues, the result is stored as evidence for the controls that tool is mapped to. This proves only that the tool found nothing within its scope: a scan that never reached the target, or a tool that does not test the property a control requires, is not proof that the control is operating
  • Policy check passes — automated checks for MFA, encryption, access reviews, branch protection create evidence when they pass
  • Training completions — quiz passes generate evidence for security awareness controls
  • Integration events — signed commits, approved change requests, and cloud configuration events

Manual Evidence

  • Direct upload — PDF, DOCX, CSV, images. Penetration test reports, insurance certificates, vendor SOC 2 reports
  • Multi-control linking — each upload maps to a primary control and optionally to additional mapped controls
  • 90-day lifecycle — evidence expires and must be refreshed, ensuring continuous compliance rather than point-in-time
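The evidence lifecycle and multi-control linking described in this section, as an added worked example in Python (not Proveably's code). Each record carries the metadata fields the diagram names (criteria, mapped_criteria, uploaded_by, expires) and a 90-day lifetime; the SHA-256 digest of the stored artifact and the 14-day expiry warning are assumptions added so an auditor can verify a download and so a record is flagged before it lapses. All sample uploads, keys and dates are constructed.

```python
"""Added example: evidence records with 90-day expiry, primary + mapped control
linkage across frameworks, and an integrity digest. Not the platform's code."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

EVIDENCE_TTL = timedelta(days=90)
WARN_BEFORE = timedelta(days=14)    # assumption: warn two weeks before expiry

@dataclass
class EvidenceRecord:
    key: str                     # object key in the evidence bucket
    criteria: str                # primary control, e.g. "CC6.1"
    mapped_criteria: List[str]   # further controls, possibly in other frameworks
    uploaded_by: str
    collected: date
    sha256: str                  # digest of the stored artifact (assumption)
    source: str = "manual"       # manual | scan | policy_check | training | integration

    @property
    def expires(self) -> date:
        return self.collected + EVIDENCE_TTL

    def controls(self) -> List[str]:
        return [self.criteria, *self.mapped_criteria]

def store(key, content: bytes, criteria, mapped_criteria, uploaded_by, collected,
          source="manual") -> EvidenceRecord:
    """Build the metadata record for an artifact; the digest travels with it."""
    return EvidenceRecord(key, criteria, list(mapped_criteria), uploaded_by, collected,
                          hashlib.sha256(content).hexdigest(), source)

def verify(record: EvidenceRecord, content: bytes) -> bool:
    """True if a downloaded artifact still matches the digest recorded at upload."""
    return hashlib.sha256(content).hexdigest() == record.sha256

def coverage(records, today) -> Dict[str, List[str]]:
    """Map each control to the keys of evidence that is still within 90 days."""
    cov: Dict[str, List[str]] = {}
    for r in records:
        if today <= r.expires:
            for c in r.controls():
                cov.setdefault(c, []).append(r.key)
    return cov

def lifecycle_report(records, required_controls, today):
    """Controls with no fresh evidence, and records that lapse within WARN_BEFORE."""
    cov = coverage(records, today)
    pending = sorted(c for c in required_controls if c not in cov)
    expiring = sorted(r.key for r in records if today <= r.expires <= today + WARN_BEFORE)
    return {"pending": pending, "expiring_soon": expiring}

# Constructed sample: one pen-test report linked to controls in three frameworks,
# one policy-check result that has already expired, one fresh training completion.
TODAY = date(2025, 6, 1)
PENTEST_PDF = b"%PDF-1.7 constructed pen test report"
SAMPLE_RECORDS = [
    store("evidence/pentest-2025q1.pdf", PENTEST_PDF, "CC6.1",
          ["CC6.2", "A.8.3", "164.312(a)"], "alice@example.com", date(2025, 3, 10)),
    store("evidence/policy-mfa-20250201.json", b'{"check":"mfa","result":"pass"}', "CC6.1",
          [], "system", date(2025, 2, 1), source="policy_check"),
    store("evidence/training-bob.json", b'{"module":"phishing","score":92}', "A.6.3",
          [], "system", date(2025, 5, 28), source="training"),
]
REQUIRED = ["CC6.1", "CC6.2", "CC6.7", "A.8.3", "A.6.3", "164.312(a)"]

if __name__ == "__main__":
    print(coverage(SAMPLE_RECORDS, TODAY))
    print(lifecycle_report(SAMPLE_RECORDS, TODAY and REQUIRED, TODAY))
    print(verify(SAMPLE_RECORDS[0], PENTEST_PDF), verify(SAMPLE_RECORDS[0], PENTEST_PDF + b"x"))
```

In the sample the expired MFA check no longer counts for CC6.1, so CC6.1 is carried only by the pen-test report, which itself lapses on 8 June and is therefore reported as expiring; CC6.7 has nothing fresh and would sit at Pending Evidence.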

Continuous Monitoring

The platform doesn't scan once and stop. Scheduled scans, automated policy checks, and system jobs run continuously to detect drift. When a control degrades — whether from a new finding, stale evidence, or a failed policy check — the system immediately alerts your team and updates the compliance dashboard.

flowchart TB
  subgraph Schedules["Scheduled Jobs"]
    CRON["Cron Scheduler"]
    USER_SCHED["User Schedules\nDaily / Weekly / Monthly"]
    SYS_EVIDENCE["Evidence Collection\nAuto-gather from integrations"]
    SYS_MONITOR["Control Monitoring\nDetect degradation"]
    SYS_POLICY["Policy Checks\nMFA, encryption, access review"]
    SYS_DIGEST["Weekly Digest\nEmail summary"]
  end
  subgraph Detection["Drift Detection"]
    STALE["Stale Evidence\nOlder than 90 days"]
    NEW_FINDING["New Finding\nFrom scheduled scan"]
    POLICY_FAIL["Policy Violation\nCheck failed"]
    CONTROL_DRIFT["Control Drift\nStatus degraded"]
  end
  subgraph Response["Response"]
    ALERT["Webhook Alert\nSlack / Teams"]
    EMAIL["Email Notification"]
    STATUS["Control Status Update\ne.g. EFFECTIVE → NOT_EFFECTIVE"]
  end
  CRON --> USER_SCHED
  CRON --> SYS_EVIDENCE
  CRON --> SYS_MONITOR
  CRON --> SYS_POLICY
  CRON --> SYS_DIGEST
  USER_SCHED --> NEW_FINDING
  SYS_EVIDENCE --> STALE
  SYS_MONITOR --> CONTROL_DRIFT
  SYS_POLICY --> POLICY_FAIL
  NEW_FINDING --> ALERT
  STALE --> STATUS
  CONTROL_DRIFT --> ALERT
  POLICY_FAIL --> EMAIL
  NEW_FINDING --> STATUS
  POLICY_FAIL --> STATUS

User Schedules

Create daily, weekly, or monthly recurring scans against any target. Each scheduled scan runs with your chosen tools and compliance frameworks.

Drift Alerts

When a control's status degrades, webhooks fire to Slack, Teams, or email. Critical findings trigger immediate notifications.

Weekly Digest

Automated weekly email to stakeholders summarising compliance posture, new findings, and controls that need attention.
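The drift detection and routing in this section, as an added worked example in Python (not Proveably's code). It compares the previous and current control snapshots so that an alert fires on a transition rather than on every recompute, and routes each event to the channel the diagram shows: webhook for degradations and new critical findings, email for failed policy checks, a status update for evidence past 90 days. The ranking of statuses, the event dictionaries, the digest shape and all sample snapshots are assumptions.

```python
"""Added example: drift detection between two status snapshots, with channel
routing and the weekly digest summary. Not the platform's code."""
from datetime import date, timedelta

# Higher rank = better posture; COMPENSATING scores like EFFECTIVE, as on the page.
RANK = {"NOT_EFFECTIVE": 0, "PENDING_EVIDENCE": 1, "UNDER_REVIEW": 2,
        "PARTIALLY_EFFECTIVE": 3, "COMPENSATING": 4, "EFFECTIVE": 4}
EVIDENCE_TTL = timedelta(days=90)

def detect_drift(previous, current, new_findings, policy_results, evidence_dates, today):
    """Return one event per detected change, each tagged with its delivery channel.

    previous/current: {control: status}; new_findings: [(control, severity, title)];
    policy_results: {check_name: passed}; evidence_dates: {control: date collected}.
    """
    events = []
    # Degradations only: an improvement is visible on the dashboard, not alerted.
    for control, status in current.items():
        before = previous.get(control)
        if before is not None and RANK[status] < RANK[before]:
            events.append({"type": "control_drift", "control": control,
                           "from": before, "to": status, "channel": "webhook"})
    for control, severity, title in new_findings:
        if severity == "critical":          # page: critical findings alert immediately
            events.append({"type": "new_finding", "control": control, "title": title,
                           "severity": severity, "channel": "webhook", "immediate": True})
    for check, passed in policy_results.items():
        if not passed:
            events.append({"type": "policy_violation", "check": check, "channel": "email"})
    for control, collected in evidence_dates.items():
        age = today - collected
        if age > EVIDENCE_TTL:
            events.append({"type": "stale_evidence", "control": control,
                           "age_days": age.days, "channel": "status_update"})
    return events

def weekly_digest(current, events):
    """Counts per status plus the controls that appeared in any event this cycle."""
    counts = {}
    for status in current.values():
        counts[status] = counts.get(status, 0) + 1
    attention = sorted({e["control"] for e in events if "control" in e})
    return {"status_counts": counts, "needs_attention": attention, "events": len(events)}

# Constructed sample: CC6.7 degraded, CC7.1 and CC6.8 improved, one critical and one
# low finding, one failed policy check, and CC7.2 evidence that is 111 days old.
TODAY = date(2025, 6, 1)
PREV = {"CC6.1": "EFFECTIVE", "CC6.7": "EFFECTIVE", "CC7.1": "UNDER_REVIEW", "CC6.8": "NOT_EFFECTIVE"}
CURR = {"CC6.1": "EFFECTIVE", "CC6.7": "NOT_EFFECTIVE", "CC7.1": "EFFECTIVE", "CC6.8": "COMPENSATING"}
NEW_FINDINGS = [("CC6.7", "critical", "Expired TLS certificate on api host"),
                ("CC6.1", "low", "Directory listing enabled on /static")]
POLICY = {"mfa_all_users": True, "branch_protection": False}
EVIDENCE = {"CC7.2": date(2025, 2, 10), "CC6.1": date(2025, 5, 30)}

if __name__ == "__main__":
    evs = detect_drift(PREV, CURR, NEW_FINDINGS, POLICY, EVIDENCE, TODAY)
    for e in evs:
        print(e)
    print(weekly_digest(CURR, evs))
```

The sample produces exactly four events: the CC6.7 degradation and the critical finding go to the webhook, the branch-protection failure goes to email, and the stale CC7.2 evidence only updates status. The two improvements and the low finding produce nothing, which is what keeps the alert channel from becoming noise.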


Policy Enforcement

Policies are more than documents; they are enforceable rules. AI extracts testable rules from your policy text, then the platform verifies them automatically against your real infrastructure. A passing check creates evidence. A failing check creates a finding. Review the extracted rules before relying on them: a rule that is mis-parsed, or weaker than the policy text, will pass a check the policy itself would fail and attach that evidence to a control.

flowchart LR
  subgraph Define["Policy Definition"]
    DOC["Policy Document\nAccess Control Policy,\nEncryption Policy, etc."]
    AI["AI Rule Extraction\nGemini parses document\ninto testable rules"]
    RULES["Enforceable Rules\nMFA required for all admins\nAES-256 at rest\n90-day access review cycle"]
  end
  subgraph Check["Automated Checks"]
    MFA["MFA Enabled?"]
    ENC["Encryption On?"]
    ACC["Access Review Done?"]
    BRANCH["Branch Protection?"]
  end
  subgraph Outcome["Outcome"]
    PASS_EV["Pass → Evidence Created\nAuto-linked to control"]
    FAIL_FIND["Fail → Finding Created\nControl degraded"]
  end
  DOC --> AI
  AI --> RULES
  RULES --> MFA
  RULES --> ENC
  RULES --> ACC
  RULES --> BRANCH
  MFA --> PASS_EV
  MFA --> FAIL_FIND
  ENC --> PASS_EV
  ACC --> PASS_EV
  BRANCH --> FAIL_FIND

Automated Policy Checks

  • MFA enabled for all users
  • Encryption at rest configured
  • Access reviews completed within cycle
  • Branch protection rules enforced
  • Signed commits required
  • Cloud logging enabled

AI-Powered Workflow

  1. Upload or generate a policy document
  2. AI extracts enforceable rules with severity and SLA
  3. Rules are evaluated against live infrastructure
  4. Pass → evidence auto-created and linked to controls
  5. Fail → finding created, control status degraded
  6. Checks re-run on schedule to detect drift
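Steps 3 to 5 of the workflow above, as an added worked example in Python (not Proveably's code): a set of already-extracted rules, each with a severity and an SLA, is evaluated against a snapshot of infrastructure state, and every rule yields either an evidence record or a finding with a remediation due date. The rule fields, the snapshot layout, the check functions, the control links and the snapshot values are all assumptions. One detail the page's flow does not spell out is handled explicitly: a check that cannot be evaluated (the snapshot lacks the data) becomes a finding, never a pass.

```python
"""Added example: evaluating extracted policy rules against an infrastructure
snapshot; pass -> evidence, fail -> finding with SLA due date. Not the platform's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Callable, Dict

@dataclass
class Rule:
    rule_id: str
    text: str                 # the enforceable statement extracted from the policy
    control: str              # control the outcome is linked to (assumed codes)
    severity: str
    sla_days: int             # remediation deadline applied when the check fails
    check: Callable[[Dict[str, Any]], bool]

# Check functions over the assumed snapshot layout.
def mfa_for_all(snap):        return all(u["mfa"] for u in snap["users"])
def encrypted_at_rest(snap):  return all(v["encryption"] == "AES-256" for v in snap["volumes"])
def access_review_in_cycle(snap):
    return snap["today"] - snap["last_access_review"] <= timedelta(days=90)
def branch_protection(snap):  return all(r["branch_protection"] for r in snap["repos"])
def signed_commits(snap):     return all(r["require_signed_commits"] for r in snap["repos"])
def cloud_logging(snap):      return snap["cloudtrail_enabled"]

RULES = [
    Rule("AC-1", "MFA required for all users", "CC6.1", "high", 7, mfa_for_all),
    Rule("AC-2", "Access reviews completed every 90 days", "CC6.3", "medium", 30, access_review_in_cycle),
    Rule("CR-1", "AES-256 encryption at rest", "CC6.7", "high", 14, encrypted_at_rest),
    Rule("CM-1", "Branch protection on all repositories", "CC8.1", "medium", 14, branch_protection),
    Rule("CM-2", "Signed commits required", "CC8.1", "medium", 30, signed_commits),
    Rule("MO-1", "Cloud audit logging enabled", "CC7.2", "high", 7, cloud_logging),
]

def evaluate(rules, snapshot):
    """Run every rule; return (evidence_records, findings)."""
    evidence, findings = [], []
    for r in rules:
        try:
            ok = r.check(snapshot)
        except KeyError as missing:   # no data to evaluate: that is not a pass
            findings.append({"rule": r.rule_id, "control": r.control, "severity": r.severity,
                             "title": f"check not evaluable: missing {missing}", "due": None})
            continue
        if ok:
            evidence.append({"rule": r.rule_id, "control": r.control,
                             "collected": snapshot["today"], "text": r.text})
        else:
            findings.append({"rule": r.rule_id, "control": r.control, "severity": r.severity,
                             "title": f"policy rule failed: {r.text}",
                             "due": snapshot["today"] + timedelta(days=r.sla_days)})
    return evidence, findings

# Constructed snapshot: a service account without MFA and a repo without signed commits.
SNAPSHOT = {
    "today": date(2025, 6, 1),
    "users": [{"name": "alice", "mfa": True}, {"name": "svc-deploy", "mfa": False}],
    "volumes": [{"id": "vol-1", "encryption": "AES-256"}],
    "last_access_review": date(2025, 4, 15),
    "repos": [{"name": "api", "branch_protection": True, "require_signed_commits": False}],
    "cloudtrail_enabled": True,
}

def demo():
    """Rule ids that produced evidence, and {rule: (severity, due date)} for findings."""
    evidence, findings = evaluate(RULES, SNAPSHOT)
    return ([e["rule"] for e in evidence],
            {f["rule"]: (f["severity"], f["due"].isoformat() if f["due"] else None)
             for f in findings})

if __name__ == "__main__":
    print(demo())
```

Four rules pass and become evidence; the MFA rule fails with a 7-day SLA (due 8 June) and the signed-commits rule with a 30-day SLA (due 1 July). Remove the logging flag from the snapshot and MO-1 shows up as a finding with no due date, flagged for a human rather than silently counted as compliant.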

Audit Portal & Trust Center

Compliance proof is delivered to two audiences: your auditors get a detailed, token-authenticated portal with full control status, evidence, and exceptions. Your customers see a public trust center with your security profile and embeddable compliance badges.

flowchart TB
  subgraph Internal["Your Dashboard"]
    DASH["Compliance Dashboard\nPer-framework scores,\nfailing controls, actions"]
    FIND["Findings Management\nTriage, assign, remediate"]
    EVID["Evidence Library\nUpload, browse, link"]
  end
  subgraph Auditor["Auditor Portal"]
    AP_AUTH["Token Authentication\nNo account needed"]
    AP_SUM["Controls Summary\nEffective / Not Effective counts"]
    AP_CTRL["Control Details\nStatus, rationale, evidence"]
    AP_EV["Evidence Download\nFull evidence package"]
    AP_EX["Exceptions\nApproved risk acceptances"]
    AP_TIME["Timeline\nHistorical status changes"]
  end
  subgraph Trust["Public Trust Center"]
    TC_PAGE["Trust Center Page\nPublic security profile"]
    TC_BADGE["Embeddable Badge\nSVG / JS widget"]
    TC_NDA["Self-Service NDA\nSign and access reports"]
  end
  DASH --> AP_SUM
  FIND --> AP_CTRL
  EVID --> AP_EV
  AP_AUTH --> AP_SUM
  AP_SUM --> AP_CTRL
  AP_CTRL --> AP_EV
  AP_CTRL --> AP_TIME
  AP_SUM --> AP_EX
  DASH --> TC_PAGE
  TC_PAGE --> TC_BADGE
  TC_PAGE --> TC_NDA

Auditor Portal

A secure, read-only portal for your auditors. Share a link with a token; no account creation needed. The token is a bearer credential, so anyone holding the link can read everything the portal exposes: send it to the auditor out of band and keep it out of shared channels and ticket threads.

  • Controls summary with effectiveness counts
  • Per-control status, rationale, and evidence
  • Evidence package download
  • Approved exceptions and risk acceptances
  • Control timeline showing historical changes
  • In-portal chat for auditor questions

Trust Center

A public-facing security profile your customers can visit. Shows your compliance posture transparently.

  • Public security profile page
  • Embeddable compliance badge (SVG / JS widget)
  • Self-service NDA signing workflow
  • Gated report access requests
  • No account required for visitors

Multi-Framework Compliance

Your organisation selects which frameworks to comply with. Every scan, policy check, and evidence upload is evaluated against all selected frameworks simultaneously. Cross-framework mappings mean that evidence for one control often satisfies controls in other frameworks automatically.

flowchart TB
  subgraph Org["Organisation"]
    SELECT["Selected Frameworks\nSOC 2 + HIPAA + ISO 27001"]
  end
  subgraph Single["Single Scan"]
    SCAN["URL Scan\nAll frameworks evaluated simultaneously"]
  end
  subgraph Controls["Parallel Control Evaluation"]
    SOC["SOC 2\nCC6.1 ✅ CC6.7 ✅ CC7.1 ⚠️"]
    HIP["HIPAA\n§164.312(a) ✅ §164.312(e) ✅"]
    ISO["ISO 27001\nA.8.3 ✅ A.8.9 ❌ A.8.24 ✅"]
  end
  subgraph Scores["Framework Scores"]
    S_SOC["SOC 2: 87%"]
    S_HIP["HIPAA: 92%"]
    S_ISO["ISO 27001: 78%"]
  end
  SELECT --> SCAN
  SCAN --> SOC
  SCAN --> HIP
  SCAN --> ISO
  SOC --> S_SOC
  HIP --> S_HIP
  ISO --> S_ISO

Supported Frameworks

SOC 2 Type II (Trust Service Criteria)

CC5.2, CC6.1–CC6.8, CC7.1–CC7.2. Common Criteria for control activities (CC5), logical and physical access controls (CC6) and system operations (CC7). The Common Criteria underpin all five trust service categories (security, availability, processing integrity, confidentiality and privacy); the category-specific availability, processing integrity, confidentiality and privacy criteria are not part of this list.

HIPAA Security Rule (Protected Health Information)

§164.312(a)–(e). Technical safeguards for access control, audit controls, integrity, person or entity authentication, and transmission security.

ISO 27001 Annex A (Information Security Management)

A.5–A.8 series of the 2022 edition. Organisational (A.5), people (A.6), physical (A.7) and technological (A.8) controls for information security management systems.

PCI DSS v4.0 (Payment Card Industry)

Requirements 1–6. Network security controls, secure configurations, protection of stored account data, protection of cardholder data in transit, anti-malware, and secure systems and software. Access control (Requirements 7–8), logging and monitoring (Requirement 10) and security testing (Requirement 11) fall outside this mapping.


Platform Modules

Every module feeds into the compliance engine. Scans produce findings. Training produces evidence. Vendor assessments inform risk. Incidents prove response capability. Nothing exists in isolation — everything contributes to your organisation's provable compliance posture.

Security Scanning

12+ parallel security tools. URL and SAST scanning with automatic finding-to-control mapping.

Feeds: Findings → control mapping

Cloud Posture (CSPM)

AWS, Azure, GCP scanning via Prowler. Cloud misconfigurations detected and mapped to compliance controls.

Feeds: Cloud findings → control mapping

Policy Management

AI-drafted policies with enforceable rules. Auto-extracted from documents, evaluated against real infrastructure.

Feeds: Policy checks → evidence or findings

Evidence Management

S3-backed evidence store with 90-day expiry. Auto-generated from scans and policy checks, or manually uploaded.

Feeds: Direct evidence → control status

Security Training

Modules with quizzes. Completions auto-generate evidence for security awareness controls in each framework.

Feeds: Completion → evidence for awareness controls

Vendor Management

Third-party risk scoring, questionnaires, and vendor portal for self-assessment. Risk tiers feed compliance view.

Feeds: Vendor risk → control assessments

Incident Management

Full lifecycle tracking with MTTD/MTTR metrics. Incidents with root cause analysis and postmortem evidence.

Feeds: Incident records → response control evidence

Change Management

GitHub and GitLab integration. Branch protection, signed commits, and PR reviews tracked as change control evidence.

Feeds: Commit evidence → change control compliance

Business Continuity

Backup policies with RTO/RPO tracking. DR test results verified and stored as availability control evidence.

Feeds: Test results → availability control evidence

HRIS Integration

BambooHR, Gusto, and Rippling. Employee data synced for access reviews and security attestations.

Feeds: Access reviews → identity control evidence

Ready to prove your compliance?

Stop filling spreadsheets. Start proving compliance with real, machine-verified evidence. Run your first scan in under 30 seconds.
