Where the platform stands today, what's partially wired, and what we genuinely intend to build next. No invented dates, no unshipped features presented as live.
"Shipped" means it's live in the product today. "In progress" means it's partially wired and visible in the schema or UI. "Planned" means it's a direction we intend to build — with no committed date until we've actually shipped it.
Shipped: live in the product today.
Homepage, product/solution pages, framework hubs, integrations directory, pricing estimator, and an ungated one-off website scanner at /scan.
Frameworks, controls, tests, and evidence, with a dedicated auditor workspace and audit-packet export.
A 5×5 heat grid with treatment plans and residual scoring.
Campaign-based user access certifications with evidence export.
Vendor tracking with SOC 2 report upload and parsing.
Upload a questionnaire, get RAG-drafted answers, then review and export.
Plan/entitlement management with Stripe checkout, customer portal, and webhook reconciliation.
12 native connectors in the dashboard's integrations surface — GitHub, AWS, GCP, Okta, Google Workspace, Rippling, GitLab, Datadog, Snyk, PagerDuty, Auth0, and CrowdStrike — plus a broader catalog of read-only connector templates for additional providers.
A public per-tenant trust page with NDA-gated document sharing, managed from an admin trust-center workspace.
An MCP endpoint (plus an API-tokens settings page) so AI clients can query a tenant's compliance data directly.
A RAG assistant over controls, evidence, policies, and risks.
Detects gaps between written policy and the evidence that backs it.
A centralized inbox for findings across scans, controls, and integrations.
In progress: underway, surfacing before it's fully wired end-to-end.
Evidence records already carry provenance fields (collectedAt, sourceSystem, itemCount, contentHash), but in the current release these fields are only surfaced: contentHash and itemCount are not yet computed automatically from scanner and integration output. The full writer wiring is the next step.
Planned: a real direction we intend to build. No committed date.
Tenant isolation is enforced today at the query layer via session helpers. Adding Postgres row-level security policies keyed on orgId is a planned hardening step, not yet present.
An append-only audit log for signature, evidence, and config changes — with no-UPDATE/DELETE database grants — is a planned addition as the product app matures.
The connector catalog keeps growing as we verify each provider's real, documented API surface. We add connectors deliberately, one verified integration at a time, rather than promising specific providers by name in advance.