Loading…
Loading…
Scorifya Controls · Coverage
The complete catalog: 54 automated checks across AWS, GCP, Azure, and GitHub, each mapped to specific criteria with an honest severity, plus the 49 manual controls and everything that turns check results into an audit-ready evidence trail. Where a check has no honest framework mapping, it shows none — your assessor will notice we didn't pad it.
54 checks run against your live cloud accounts, each mapped to specific AICPA Trust Services Criteria 2017 points of focus and PCI DSS 4.0.1 requirements.
49 manual controls with evidence tracking
Non-automatable controls across Governance, HR, Access Management, Risk, Change Management, Incident Response, Business Continuity, Vendor Management, and Physical Safeguards: 8 PCI-specific controls for SAQ A / A-EP merchants (cardholder data flow diagram, payment-page script inventory, TPSP agreements), 8 HIPAA-specific controls (ePHI risk analysis, security official designation, BAA inventory, device and media controls), and 5 CMMC Level 1 controls including the annual SPRS affirmation record. Each has a named owner, next review date, overdue alerts, and file evidence upload (PDF, DOCX, PNG, XLSX up to 10 MB).
Findings, remediation, and sealed exceptions
A failing check opens a tracked finding automatically, with an owner, a ticket link, and a due date from your own remediation targets (defaults: critical 7 days, high 30, medium 60, low 90, and they are your policy, not a framework mandate). The next passing run verifies it. Risks you choose to accept get a documented exception with an approver and a hard expiry of at most one year, sealed with an RFC 3161 timestamp so the decision cannot be backdated. The audit package exports the full trail: findings.csv shows time-to-remediate, exceptions.csv ships with verifiable timestamp tokens.
Posture score trend chart
Every check run is stored and grouped. A 30-run line chart shows your posture score over time, useful for demonstrating to auditors that controls operated effectively across the observation window, not just on the day of the audit.
Drift detection and Slack alerts
After every check run, results are compared against the previous run. New failures trigger a Slack notification. The dashboard surfaces "New failures since last run" and "Fixed since last run" banners so you always know what changed.
Audit period tracking
SOC 2 Type II requires a defined observation window (typically 6–12 months). Create a named audit period with start and end dates. The dashboard shows days elapsed, total days, and a progress bar so you always know where you stand.
Cryptographic attestation timestamps
Every manual attestation, adopted policy, and completed check run is sealed with an RFC 3161 timestamp from DigiCert or Sectigo. Evidence file contents are hashed into the attestation envelope, so replacing a file after attestation invalidates the stamp. Auditors verify offline with OpenSSL, no Scorifya account required. See the full trust model →
Auditor read-only portal
Generate a time-limited shareable link (30, 60, or 90 days) and send it directly to your CPA firm. They see live check history, all manual controls with evidence files, and per-attestation DigiCert timestamp verification, no login required, no PDF filtering, nothing to install.
Print-to-PDF audit report
A print-optimized report shows org name, report date, pass/fail summary, and a full controls table with TSC criteria. Browser → Print → Save as PDF produces a document auditors can review.
This is the reference catalog. For what Scorifya Controls is, who it's for, and what it costs, head back to the product page, or see how evidence integrity works on the trust page.