Trust · Compliance
Continuous evidence, first-attempt audit pass, procurement-ready documentation. Compliance is an engineering discipline at Prosigns, not a quarterly fire drill.
Operating discipline
Most firms treat compliance as a quarterly task. We treat it as an engineering practice with named owners, continuous evidence, and rehearsed responses to inquiry.
Control activity logs, change-management artifacts, access reviews, and vendor-risk records are produced as a side-effect of operating the system, not assembled in a panic two weeks before exam. Audit pulls run in days, not weeks.
Across SOC 2, ISO 27001, HITRUST CSF, and PCI-DSS engagements we've supported, the audit-pass rate on first attempt is 100%. The discipline is the difference, controls that work day-to-day pass an audit; controls that exist only on paper rarely do.
Compliance is an architectural concern designed in from kickoff, not a phase 2 we'll get to before launch. Audit logging granularity, encryption boundaries, access reviews, and BAA chain are settled in the discovery phase.
Audit pack: SOC 2 report, pen-test summary, BAA / DPA templates, security questionnaire response, subprocessor list, available under NDA in under one business day. Empanelled on Coupa, SAP Ariba, Oracle Sourcing, Ivalua.
Frameworks
Status terms are honest: In flight means the audit is underway. Alignedmeans we operate to the standard with documented evidence but aren’t formally certified. Supported / Co-piloted means engagements are scoped to the framework when the customer requires it.
Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) with continuous evidence collection. Audit window underway with a Big-4-equivalent CPA firm.
Artifact: Audit report (under NDA)
Information Security Management System mapped to Annex A controls. Annual internal audit, quarterly management review. Certification target: 2026 H2.
Artifact: Statement of Applicability + control evidence
Administrative, physical, and technical safeguards engineered into every healthcare engagement from kickoff. Documented risk analysis, incident response, workforce training, BAA chain.
Artifact: BAA + risk analysis summary
Level 1 merchant scope on engagements where cardholder data flows through our deliverables. Tokenization-first architecture; QSA-supportable evidence collection.
Artifact: Attestation of compliance (engagement-scoped)
Documented lawful bases per processing activity. Region-aware controls, Standard Contractual Clauses where applicable, subprocessor governance. Schrems II-aligned international transfers.
Artifact: DPA + subprocessor list
California rights (access, correction, erasure, opt-out of sale/share, limit sensitive PI use, non-discrimination) honored with documented response SLAs. GPC honored.
Artifact: Privacy notice + data-subject request flow
Canadian privacy frame. Cross-border transfer documentation for Canadian customers. PIPEDA-aware DPA addendum available.
Artifact: DPA Canadian addendum
We engineer to FedRAMP standards on workloads requiring Moderate/High alignment via AWS GovCloud or Azure Government. Partner with FedRAMP-authorized providers; do not hold our own ATO.
Artifact: Architecture review + ATO support documentation
Standard reference for U.S. financial-services engagements. IT controls integrated with model deployment, change management, access management, business continuity, information security.
Artifact: Control mapping evidence
Electronic records / signatures, audit trails, role-based authority, time-stamped record integrity for eClinical and life-sciences workloads. IEC 62304 lifecycle for SaMD where applicable.
Artifact: Validation evidence + traceability matrix
National Cybersecurity Authority Essential Cybersecurity Controls engineered around KSA platform and cloud engagements: identity and access, encryption in transit and at rest, network segmentation, private connectivity, logging, and monitoring mapped to the ECC domains.
Artifact: ECC control mapping + architecture review
National Data Management Office standards (NDMG, DAMA-DMBOK aligned): data catalog and metadata, automated lineage, classification, data-quality scorecards, and master data delivered as platform evidence rather than policy documents.
Artifact: Data-governance control mapping
Digital Government Authority standards for government digital platforms, data sharing, and interoperability engineered into public-sector integrations and government-system APIs.
Artifact: Interoperability + integration design review
Kingdom of Saudi Arabia Personal Data Protection Law: documented lawful basis, data minimization, data-subject rights, and in-Kingdom data residency engineered into data handling. Masking, tokenization, and DLP on personal data by default.
Artifact: PDPL data-handling assessment
Saudi Data & AI Authority AI Ethics Principles applied to AI and GenAI workloads: transparency, fairness and non-discrimination, accountability, privacy, and human oversight, with model documentation and evaluation evidence.
Artifact: AI ethics + model documentation pack
Request the pack
Each request below is fulfilled under NDA, typically within one business day. Standard NDA available; custom NDA redlines accepted.
Latest audit report under NDA, with the auditor’s opinion and full control narrative.
RequestAnnual third-party pen-test executive summary. Full report on case-by-case basis under tighter NDA.
RequestStandard DPA template covering GDPR / UK GDPR / Swiss / CCPA processing, with regional addenda.
RequestHIPAA BAA template for healthcare engagements. Custom redlines accepted in 1–3 business days.
RequestCurrent subprocessor inventory with purpose, region, and BAA / DPA status per entry. Updated quarterly.
RequestPre-filled responses for SIG, CAIQ, VSAQ, and most enterprise security questionnaires.
RequestFor procurement
Empanelled on Coupa, SAP Ariba, Oracle Sourcing, Ivalua, and most enterprise procurement frameworks. Audit pack under NDA in under one business day.