How CompliRun turns daily infrastructure data into an audit-ready record

Not a checklist tool. Not a document library. A monitoring system that collects compliance evidence from your actual infrastructure — every day, automatically.

[Screenshot: CompliRun compliance dashboard showing SOC 2 readiness score]

Five stages from connection to certified

CompliRun does not replace your auditor — it gives them everything they ask for, before they ask.

01 Connect: OAuth or API key authorization for 34 supported integrations. Read-only access only. No agents installed.

02 Map: Data sources automatically mapped to SOC 2 Trust Services Criteria (CC, A, PI, C, P) and ISO 27001 Annex A controls.

03 Monitor: Daily collection jobs pull configuration exports, IAM reports, vulnerability findings, and change logs.

04 Remediate: Gaps surface as actionable tasks with specific steps, owner assignments, and target dates.

05 Audit: Invite your auditor to the Evidence Room. They navigate controls independently, reducing back-and-forth by roughly 60%.

What CompliRun monitors and manages

Infrastructure Evidence Collection

CompliRun connects to cloud providers through IAM roles with a specific read-only policy. For AWS, this covers CloudTrail, Config, GuardDuty, IAM Access Analyzer, and Security Hub findings. For GCP, it reads from Cloud Audit Logs and Security Command Center. Evidence is exported daily in JSON format, indexed by control, and stored with a SHA-256 integrity hash.
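The integrity hash on each daily export is only useful if someone actually re-hashes the evidence and compares it against a copy of the hash held apart from the evidence files. The following is an added example, not CompliRun's own code: it models a daily export as a set of JSON records keyed by control, builds a manifest of SHA-256 hashes over a canonical serialization, and verifies a later copy against that manifest. The record fields, the manifest layout, and the sample findings are constructed for the example and are assumptions, not CompliRun's documented export format.

```python
import copy
import hashlib
import json

# Constructed sample export, standing in for one day's evidence pull.
# Field names and the manifest layout are assumptions for this example,
# not CompliRun's documented format.
EVIDENCE = {
    "CC6.1-aws-iam-access-analyzer": {
        "control": "CC6.1",
        "source": "aws:access-analyzer",
        "collected_at": "2024-03-14T02:00:00Z",
        "findings": [
            {"id": "finding-1", "status": "ACTIVE",
             "resource": "arn:aws:s3:::example-bucket"},
        ],
    },
    "A1.2-aws-config": {
        "control": "A1.2",
        "source": "aws:config",
        "collected_at": "2024-03-14T02:00:00Z",
        "findings": [],
    },
}


def canonical_bytes(record):
    # Hash a canonical serialization rather than whatever bytes happened to be
    # written to disk: sorted keys and fixed separators make the hash
    # independent of key order and whitespace, so re-exporting the same
    # record reproduces the same digest.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def evidence_hash(record):
    """Hex SHA-256 of the canonical form of one evidence record."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def build_manifest(evidence):
    # The manifest is the part you keep apart from the evidence files (for
    # example in the copy the auditor sees). A hash stored only next to the
    # file it covers detects corruption, but not an attacker who can rewrite
    # both the file and its hash.
    return {key: evidence_hash(rec) for key, rec in evidence.items()}


def verify(evidence, manifest):
    """Return {record_key: reason} for every discrepancy; {} means clean."""
    problems = {}
    for key, expected in manifest.items():
        if key not in evidence:
            problems[key] = "missing"
        elif evidence_hash(evidence[key]) != expected:
            problems[key] = "hash mismatch"
    for key in evidence:
        if key not in manifest:
            problems[key] = "not in manifest"
    return problems


def tampered_copy(evidence):
    # Simulate someone quietly flipping a finding from ACTIVE to RESOLVED in
    # the stored evidence after the manifest was recorded.
    altered = copy.deepcopy(evidence)
    altered["CC6.1-aws-iam-access-analyzer"]["findings"][0]["status"] = "RESOLVED"
    return altered


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE)
    print(verify(EVIDENCE, manifest))           # {}
    print(verify(tampered_copy(EVIDENCE), manifest))
    # {'CC6.1-aws-iam-access-analyzer': 'hash mismatch'}
```

Because the hash covers a canonical form, reordering keys or reformatting whitespace in a record does not change its digest, which is what you want when the same evidence is re-exported or pretty-printed for an auditor; any change to a finding's content does.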

Supported platforms: AWS, Google Cloud, Microsoft Azure, DigitalOcean, and Heroku.

Access Review Automation

Privileged access is one of the most commonly questioned areas in both SOC 2 and ISO 27001 audits. CompliRun generates access review tasks on a configurable cadence (typically quarterly). Each task includes the current permission set pulled from your identity provider, whether Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace, and routes to the responsible manager for approval or revocation.

Responses are timestamped, linked to the specific control, and stored as evidence. Overdue reviews escalate automatically after a configurable grace period.

Vulnerability Management Tracking

CompliRun ingests findings from Snyk, Dependabot, Qualys, and Tenable. It does not run its own scans; it reads from your existing tools and maps each finding to the relevant SOC 2 availability and confidentiality criteria or to ISO 27001:2022 Annex A control 8.8, management of technical vulnerabilities (numbered A.12.6 in the 2013 edition).

The platform tracks remediation timelines against your stated SLA — typically critical findings within 14 days, high within 30 days — and flags when a finding is approaching or past its due date.

Policy and Document Management

CompliRun includes a policy library with 22 starter templates covering the documents most commonly requested in SOC 2 and ISO 27001 audits: information security policy, acceptable use, business continuity plan, incident response runbook, and others. Each policy has a version history and an employee acknowledgment workflow.

When auditors request evidence that a specific policy exists and was reviewed in the past 12 months, CompliRun produces a report showing the document, its current version, the last review date, and the acknowledgment log.

Readiness Scoring and Gap Analysis

The readiness dashboard shows a control-by-control status for your selected framework. Each control is in one of four states: collected (evidence present and current), pending (collection scheduled but not yet complete), flagged (evidence collected but a gap was detected), or not started.

The gap analysis report groups flagged controls by severity and suggests remediation steps. It is generated fresh each week and can be exported as PDF for internal review or board reporting.

Evidence Room for Auditors

When your audit begins, you invite your external auditor through a time-limited access link. They see a read-only view organized by control family — the same organization your auditor expects from the trust services criteria or Annex A structure.

Within each control, they can see the collected evidence documents, timestamps, and any notes your team added during remediation. In a typical engagement, this reduces auditor fieldwork time by three to four days and cuts email-based evidence requests by roughly 60%.

Built with security and auditability in mind

Data Security

Evidence stored with AES-256 encryption at rest. TLS 1.3 in transit. Each tenant's data is stored in isolated S3 buckets with separate encryption keys.

Data Retention

Evidence retained for 7 years by default to support multi-cycle SOC 2 Type II audits. Configurable retention policies available on Growth and Enterprise plans.

Access Control

Role-based access control with four default roles: Owner, Admin, Contributor, and Auditor (read-only). SSO via SAML 2.0 available on Growth and Enterprise plans.

API Access

REST API available for Enterprise customers. Supports programmatic evidence uploads from custom internal tooling. API responses under 120ms at the 95th percentile.

Compliance Coverage

SOC 2 Type I and Type II (all five Trust Services Criteria). ISO 27001:2022 (all 93 Annex A controls). HIPAA readiness mapping in beta.

Alerting

Slack and email notifications for new gaps, overdue access reviews, and collection failures. Webhook support for routing alerts to PagerDuty or custom endpoints.

Ready to see your current compliance posture?

Connect your first integration at no cost. CompliRun will show you exactly which SOC 2 or ISO 27001 controls you have covered and which ones need work.

Request a Demo