SOC 2 compliance · self-hosted
Scorifya Controls runs 33 automated checks across AWS, GitHub, GCP, and Azure, tracks manual controls with evidence, and generates audit-ready reports — all self-hosted on your own infrastructure, with no per-seat licensing. Built for seed-stage startups and small SaaS teams preparing for their first SOC 2 audit.
See it before you buy
Live screenshots from a running instance — not mockups. What you see is what ships on day one.
The dashboard shows your live compliance posture score, a trend chart across every check run, and a precise count of what's passing and failing right now. The drift detection banner surfaces exactly what changed since your last run — what broke, what you fixed. When your auditor asks how controls performed across the observation window, you show them this chart. No spreadsheet. No manual assembly.

Every check maps directly to a Trust Services Criterion — the same taxonomy your CPA firm uses. AWS checks run against your live account and return results in minutes. GitHub checks verify the controls protecting your codebase. Each failing check shows the specific TSC criterion and severity so you know exactly which gaps to close first. Your auditor sees labels they already recognize. No translation required between what you've built and what they need to certify.


Vanta and Drata start at $10,000–$15,000/year and are built for Series B+ companies with dedicated security teams. Below that, teams either pay for tools they barely use or manage SOC 2 readiness through spreadsheets and manual screenshots.
Controls targets the $0–$7,500/year bracket: the team that just landed their first enterprise customer asking for a SOC 2, and needs a real tool — not a spreadsheet.
33 checks run against your live cloud accounts, mapped to specific AICPA Trust Services Criteria 2017 points of focus.
20 manual controls with evidence tracking
Non-automatable SOC 2 controls across Governance, HR, Access Management, Risk, Change Management, Incident Response, Business Continuity, and Vendor Management — each with a named owner, next review date, overdue alerts, and file evidence upload (PDF, DOCX, PNG, XLSX up to 10 MB).
Posture score trend chart
Every check run is stored and grouped. A 30-run line chart shows your posture score over time — useful for demonstrating to auditors that controls operated effectively across the observation window, not just on the day of the audit.
Drift detection and Slack alerts
After every check run, results are compared against the previous run. New failures trigger a Slack notification. The dashboard surfaces "New failures since last run" and "Fixed since last run" banners so you always know what changed.
Audit period tracking
SOC 2 Type II requires a defined observation window (typically 6–12 months). Create a named audit period with start and end dates. The dashboard shows days elapsed, total days, and a progress bar so you always know where you stand.
Print-to-PDF audit report
A print-optimized report shows org name, report date, pass/fail summary, and a full controls table with TSC criteria. Browser → Print → Save as PDF produces a document auditors can review.
Controls ships as a Docker image. You run it on your own infrastructure — your own VPS, cloud account, or internal server. AWS credentials, GitHub tokens, check results, evidence files, and attestation records never leave your environment. There is no external telemetry.
Compare that to SaaS compliance platforms: Vanta and Drata connect to your AWS and GitHub accounts and store your compliance data on their servers. For teams with data residency requirements or customers who ask where your audit evidence lives, Controls gives you a clean answer: on your server.
One license key, flat fee. No per-seat pricing, no per-check pricing, no additional charges as your team grows.
The primary deployment artifact is a docker-compose.yml. On first boot, the database is pre-seeded with all 19 automated checks and 20 manual controls — no additional setup required.
# 1. Download the compose file
curl -O https://www.scorifya.com/docker-compose.yml
# 2. Set SESSION_SECRET and LICENSE_KEY in docker-compose.yml
# 3. Run
docker compose up -d
The image is published to ghcr.io/scorifya/controls:latest. Pin a specific version by replacing :latest with a semver tag (e.g., :1.2.0).
Docker
Any machine that runs Docker. The image includes Node.js and Python — no separate installs needed.
AWS IAM credentials (for AWS checks)
An IAM user or role with the SecurityAudit managed policy attached. Read-only — no write permissions used.
GitHub personal access token (for GitHub checks)
Token with repo, admin:org, and security_events scopes. Works with GitHub personal accounts and organizations.
GCP service account JSON (for GCP checks)
A service account with the Security Reviewer role. Download the JSON key from IAM → Service Accounts → Keys. Optionally configure domain-wide delegation for MFA enforcement checks.
Azure service principal (for Azure checks)
An app registration in Azure AD with Reader and Security Reader roles on the subscription. Requires Tenant ID, Client ID, Client Secret, and Subscription ID.
License key
Issued at scorifya.com. Without a key, the dashboard is read-only (existing data is visible, new runs and attestations are paused).
One flat fee for the license key — no per-seat charges, no usage-based billing. Priced well under $7,500/year, the bracket where Vanta and Drata don't compete.
Launch pricing — 25 of 25 spots left
30-day money-back guarantee. If Controls doesn't work for your environment, email team@scorifya.com within 30 days for a full refund — no questions asked.
License key delivered by email within minutes. Annual subscription — renews automatically each year. Cancel any time before renewal from your email confirmation or by contacting us. Existing customer? Recover your license key or change your registered domain.
Need to check your public security posture first? Run a free Scorifya scan →
Automated checks cover roughly half of what a SOC 2 audit touches. The rest is people, process, and policy: security awareness training, vendor reviews, incident response procedures, background checks. Each manual control gets a named owner, a next review date, and an evidence file upload. Overdue items surface immediately. Nothing slips through the cracks the week before your auditor shows up — because the system has been tracking it the entire observation period.

Connect AWS, GitHub, GCP, and Azure from a single integrations page. Every credential you enter — your AWS access key, GitHub personal access token, GCP service account JSON — is stored encrypted in the SQLite database running on your own infrastructure. It never transits Scorifya's servers. Compare that to Vanta: their OAuth authorization stores your AWS read access on their platform. If your customers ever ask where your audit evidence lives, your answer with Controls is two words: our server.

When your CPA firm requests evidence, you hand them this. Your organization name. Report date. Overall posture summary. A complete table mapping every check to its Trust Services Criterion with pass/fail status. No waiting on a support ticket to generate your own report. File → Print → Save as PDF in your browser, and you have a document your auditor can open and review in their own workflow. The audit report is the reason everything else in Controls exists — and it's generated from data that has never left your server.

