Compliance Standards

Turn every policy pack into auditor-ready control evidence

Map Growth policy packs to SOC 2, ISO 27001, and domain-specific evidence questions. This is standards alignment for audit packets and buyer reviews, not a certification claim.

Activate standards map Browse policy packs

Evidence matrix

policy packs

mapped controls

policy gates

SOC 2

4 evidence paths

ISO 27001

4 evidence paths

Domain Evidence

4 evidence paths

Moat layer

Demonstrable evidence for the controls auditors sample

The standards layer translates policy-pack decisions into audit questions, evidence artifacts, and non-repudiation posture before a buyer or auditor asks for backup.

Audit Log Protection

ISO 27001 A.8.34 alignment is expressed as protected, attributable, signed evidence rather than screenshots.

Non-Repudiation

Dossier signatures and public-key fingerprints make intent difficult to deny after a decision is shared.

Auditor Safe-View

Every mapped control can hand off to a read-only auditor view with policy trace and export posture.

Control evidence matrix

Each standard maps back to a policy pack and signed artifact

SOC 2

SOC 2 CC6.1

1 pack

Logical access controls for spend, entitlements, and privileged workflow.

Decision receipt showing actor, entitlement state, and approval gate.

Was access or spend approved before execution?

SaaS Ops Pack

SOC 2

SOC 2 CC6.2

1 pack

Sensitive access requests require authorization and revocation evidence.

Just-in-time access dossier with expiry, approver, and revocation trail.

Can the team show access was granted and removed correctly?

Enterprise IT and HR Pack

SOC 2

SOC 2 CC7.2

1 pack

Security events and anomalous agent behavior are evaluated under policy.

Agent execution receipt with blocked tool call or token-budget reason.

Was unsafe or unusual agent behavior detected and handled?

AI Agency Pack

SOC 2

SOC 2 CC8.1

1 pack

Change-management evidence for policy and approval-path updates.

Signed dossier trace with policy pack, actor, payload hash, and outcome.

Can the team prove each material change followed the approved path?

Fintech Starter Pack

ISO 27001

ISO 27001 A.5.15

1 pack

Access-control policy enforcement for operational automation.

Policy trace and reason code attached to the automation decision.

Which access policy governed the automated action?

SaaS Ops Pack

ISO 27001

ISO 27001 A.5.18

1 pack

Access rights are provisioned, reviewed, and removed under policy.

Offboarding or JIT-access receipt with policy version and actor.

Did access rights follow the approved access lifecycle?

Enterprise IT and HR Pack

ISO 27001

ISO 27001 A.8.34

1 pack

Audit-log protection against tampering, deletion, and ambiguous ownership.

Hash-linked receipt, public verify path, and immutable activity trail.

Is audit evidence protected and attributable after the decision is made?

Fintech Starter Pack

ISO 27001

ISO 27001 A.8.9

1 pack

Configuration and tool-use controls are enforced for client agents.

Tool-use whitelist dossier and client policy version.

Which configuration rule allowed or blocked this agent action?

AI Agency Pack

Domain Evidence

Access review evidence

1 pack

HR and IT changes produce evidence for access review packets.

Access-change dossier with HR event, system, and revocation status.

Which evidence supports this access review sample?

Enterprise IT and HR Pack

Domain Evidence

AML evidence trail

1 pack

Regulated payout decisions carry sanctions and velocity evidence.

AML decision receipt with counterparty, threshold, and escalation reason.

Why was this payout approved, blocked, or escalated?

Fintech Starter Pack

Domain Evidence

Change evidence

1 pack

Operational changes preserve blast radius and rollback evidence.

Signed change dossier with impact score and governing policy.

What changed, who approved it, and what was the blast radius?

SaaS Ops Pack

Domain Evidence

Client assurance

1 pack

Client-facing agents carry a visible proof path and signed assurance trail.

Zero Trust Badge sample dossier and public verify link.

Can the client independently inspect proof behind the agency claim?

AI Agency Pack

Export posture

Give auditors a concise standards packet

{
  "packs": 4,
  "controls": 12,
  "soc2": 4,
  "iso27001": 4,
  "posture": "alignment evidence, not certification claim"
}

Loading…

Compliance Standards

Turn every policy pack into auditor-ready control evidence

Map Growth policy packs to SOC 2, ISO 27001, and domain-specific evidence questions. This is standards alignment for audit packets and buyer reviews, not a certification claim.

Activate standards map Browse policy packs

Evidence matrix

policy packs

mapped controls

policy gates

SOC 2

4 evidence paths

ISO 27001

4 evidence paths

Domain Evidence

4 evidence paths

Moat layer

Demonstrable evidence for the controls auditors sample

The standards layer translates policy-pack decisions into audit questions, evidence artifacts, and non-repudiation posture before a buyer or auditor asks for backup.

Audit Log Protection

ISO 27001 A.8.34 alignment is expressed as protected, attributable, signed evidence rather than screenshots.

Non-Repudiation

Dossier signatures and public-key fingerprints make intent difficult to deny after a decision is shared.

Auditor Safe-View

Every mapped control can hand off to a read-only auditor view with policy trace and export posture.

Control evidence matrix

Each standard maps back to a policy pack and signed artifact

SOC 2

SOC 2 CC6.1

1 pack

Logical access controls for spend, entitlements, and privileged workflow.

Decision receipt showing actor, entitlement state, and approval gate.

Was access or spend approved before execution?

SaaS Ops Pack

SOC 2

SOC 2 CC6.2

1 pack

Sensitive access requests require authorization and revocation evidence.

Just-in-time access dossier with expiry, approver, and revocation trail.

Can the team show access was granted and removed correctly?

Enterprise IT and HR Pack

SOC 2

SOC 2 CC7.2

1 pack

Security events and anomalous agent behavior are evaluated under policy.

Agent execution receipt with blocked tool call or token-budget reason.

Was unsafe or unusual agent behavior detected and handled?

AI Agency Pack

SOC 2

SOC 2 CC8.1

1 pack

Change-management evidence for policy and approval-path updates.

Signed dossier trace with policy pack, actor, payload hash, and outcome.

Can the team prove each material change followed the approved path?

Fintech Starter Pack

ISO 27001

ISO 27001 A.5.15

1 pack

Access-control policy enforcement for operational automation.

Policy trace and reason code attached to the automation decision.

Which access policy governed the automated action?

SaaS Ops Pack

ISO 27001

ISO 27001 A.5.18

1 pack

Access rights are provisioned, reviewed, and removed under policy.

Offboarding or JIT-access receipt with policy version and actor.

Did access rights follow the approved access lifecycle?

Enterprise IT and HR Pack

ISO 27001

ISO 27001 A.8.34

1 pack

Audit-log protection against tampering, deletion, and ambiguous ownership.

Hash-linked receipt, public verify path, and immutable activity trail.

Is audit evidence protected and attributable after the decision is made?

Fintech Starter Pack

ISO 27001

ISO 27001 A.8.9

1 pack

Configuration and tool-use controls are enforced for client agents.

Tool-use whitelist dossier and client policy version.

Which configuration rule allowed or blocked this agent action?

AI Agency Pack

Domain Evidence

Access review evidence

1 pack

HR and IT changes produce evidence for access review packets.

Access-change dossier with HR event, system, and revocation status.

Which evidence supports this access review sample?

Enterprise IT and HR Pack

Domain Evidence

AML evidence trail

1 pack

Regulated payout decisions carry sanctions and velocity evidence.

AML decision receipt with counterparty, threshold, and escalation reason.

Why was this payout approved, blocked, or escalated?

Fintech Starter Pack

Domain Evidence

Change evidence

1 pack

Operational changes preserve blast radius and rollback evidence.

Signed change dossier with impact score and governing policy.

What changed, who approved it, and what was the blast radius?

SaaS Ops Pack

Domain Evidence

Client assurance

1 pack

Client-facing agents carry a visible proof path and signed assurance trail.

Zero Trust Badge sample dossier and public verify link.

Can the client independently inspect proof behind the agency claim?

AI Agency Pack

Export posture

Give auditors a concise standards packet

{
  "packs": 4,
  "controls": 12,
  "soc2": 4,
  "iso27001": 4,
  "posture": "alignment evidence, not certification claim"
}