Loading…
Trust · Compliance
How we prove it.
Continuous evidence, first-attempt audit pass, procurement-ready documentation. Compliance is an engineering discipline at Prosigns — not a quarterly fire drill.
- SOC 2 Type II
- In flight
- ISO 27001
- Aligned · cert 2026 H2
- HIPAA · PCI · FedRAMP
- Engineered
- Audit pass rate
- 100% first attempt
Operating discipline
Compliance as continuous engineering.
Most firms treat compliance as a quarterly task. We treat it as an engineering practice with named owners, continuous evidence, and rehearsed responses to inquiry.
- 01
Continuous evidence, not audit-time scrambling
Control activity logs, change-management artifacts, access reviews, and vendor-risk records are produced as a side-effect of operating the system — not assembled in a panic two weeks before exam. Audit pulls run in days, not weeks.
- 02
First-attempt audit pass
Across SOC 2, ISO 27001, HITRUST CSF, and PCI-DSS engagements we've supported, the audit-pass rate on first attempt is 100%. The discipline is the difference — controls that work day-to-day pass an audit; controls that exist only on paper rarely do.
- 03
Engineered, not retrofitted
Compliance is an architectural concern designed in from kickoff — not a phase 2 we'll get to before launch. Audit logging granularity, encryption boundaries, access reviews, and BAA chain are settled in the discovery phase.
- 04
Procurement-ready documentation
Audit pack — SOC 2 report, pen-test summary, BAA / DPA templates, security questionnaire response, subprocessor list — available under NDA in under one business day. Empanelled on Coupa, SAP Ariba, Oracle Sourcing, Ivalua.
Frameworks
10 frameworks, status named.
Status terms are honest: In flight means the audit is underway. Aligned means we operate to the standard with documented evidence but aren’t formally certified. Supported / Co-piloted means engagements are scoped to the framework when the customer requires it.
- 01
SOC 2 Type II
Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) with continuous evidence collection. Audit window underway with a Big-4-equivalent CPA firm.
In flightArtifact: Audit report (under NDA)
- 02
ISO 27001
Information Security Management System mapped to Annex A controls. Annual internal audit, quarterly management review. Certification target: 2026 H2.
AlignedArtifact: Statement of Applicability + control evidence
- 03
HIPAA / HITECH
Administrative, physical, and technical safeguards engineered into every healthcare engagement from kickoff. Documented risk analysis, incident response, workforce training, BAA chain.
Co-pilotedArtifact: BAA + risk analysis summary
- 04
PCI-DSS
Level 1 merchant scope on engagements where cardholder data flows through our deliverables. Tokenization-first architecture; QSA-supportable evidence collection.
SupportedArtifact: Attestation of compliance (engagement-scoped)
- 05
GDPR · UK GDPR · Swiss FADP
Documented lawful bases per processing activity. Region-aware controls, Standard Contractual Clauses where applicable, subprocessor governance. Schrems II-aligned international transfers.
AlignedArtifact: DPA + subprocessor list
- 06
CCPA · CPRA
California rights (access, correction, erasure, opt-out of sale/share, limit sensitive PI use, non-discrimination) honored with documented response SLAs. GPC honored.
AlignedArtifact: Privacy notice + data-subject request flow
- 07
PIPEDA
Canadian privacy frame. Cross-border transfer documentation for Canadian customers. PIPEDA-aware DPA addendum available.
AlignedArtifact: DPA Canadian addendum
- 08
FedRAMP / StateRAMP
We engineer to FedRAMP standards on workloads requiring Moderate/High alignment via AWS GovCloud or Azure Government. Partner with FedRAMP-authorized providers; do not hold our own ATO.
SupportedArtifact: Architecture review + ATO support documentation
- 09
FFIEC IT examination handbook
Standard reference for U.S. financial-services engagements. IT controls integrated with model deployment, change management, access management, business continuity, information security.
AlignedArtifact: Control mapping evidence
- 10
21 CFR Part 11 · GxP
Electronic records / signatures, audit trails, role-based authority, time-stamped record integrity for eClinical and life-sciences workloads. IEC 62304 lifecycle for SaMD where applicable.
SupportedArtifact: Validation evidence + traceability matrix
Request the pack
What procurement can ask for.
Each request below is fulfilled under NDA, typically within one business day. Standard NDA available; custom NDA redlines accepted.
SOC 2 Type II report
Latest audit report under NDA, with the auditor’s opinion and full control narrative.
RequestPenetration test summary
Annual third-party pen-test executive summary. Full report on case-by-case basis under tighter NDA.
RequestData Processing Agreement
Standard DPA template covering GDPR / UK GDPR / Swiss / CCPA processing, with regional addenda.
RequestBusiness Associate Agreement
HIPAA BAA template for healthcare engagements. Custom redlines accepted in 1–3 business days.
RequestSubprocessor list
Current subprocessor inventory with purpose, region, and BAA / DPA status per entry. Updated quarterly.
RequestSecurity questionnaire response
Pre-filled responses for SIG, CAIQ, VSAQ, and most enterprise security questionnaires.
Request
For procurement
Need our pack for vendor risk?
Empanelled on Coupa, SAP Ariba, Oracle Sourcing, Ivalua, and most enterprise procurement frameworks. Audit pack under NDA in under one business day.