Compliance

Continuous-control monitoring that maps every cloud configuration to SOC 2, ISO 27001, HIPAA and FedRAMP Low controls — and produces auditor-grade evidence packs in one click.

  • 4 frameworks
  • 100+ controls
  • Drift alerts
lumicost.com — compliance
EVIDENCE COLLECTION · CONTINUOUS · AUDITOR-READY

  • SOC 2: 64/64 controls (100%)
  • ISO 27001: 109/114 controls (96%)
  • HIPAA: 42/42 controls (100%)
  • FedRAMP Low: 118/125 controls (94%)

By the numbers

Compliance in 4 numbers

  • 4 frameworks reported (SOC 2 · ISO 27001 · FedRAMP Low · HIPAA)
  • 45 controls auto-evaluated (10 + 12 + 12 + 11)
  • 3 export formats (CSV · JSON · PDF)
  • Default lookback in days: configurable per report

How it works

Three steps. No agents. No surprises.

1. Pick a framework

GET /compliance/frameworks returns the four supported frameworks (SOC 2, ISO 27001, FedRAMP Low, HIPAA), each with its full control catalogue (code · category · title) and the count of controls.

SOC 2 · ISO · FedRAMP · HIPAA

2. Generate the report

POST /compliance/reports/generate?framework=SOC2&lookbackDays=90 evaluates every control against your live posture (audit trail, RBAC, MFA, key rotation, encryption, …) and persists an immutable snapshot with a SHA-256 integrityHash. ADMIN+ only; emits a COMPLIANCE_REPORT_GENERATED audit event.

immutable · signed · audited

3. Download the evidence

GET /compliance/reports/{id}/download?format=csv|json|pdf returns the controls table (code · category · title · status · rationale · gaps) plus the report metadata. ComplianceFreshnessScheduler refreshes the latest snapshots automatically.

CSV · JSON · PDF · auto-refresh
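As an added example (not Lumicost's own code), here is a small client-side check an auditor or engineer could run on the JSON from step 3 to confirm the integrityHash still matches the controls table before relying on it, plus a guard on the step-3 format parameter. The hashing scheme (SHA-256 over canonical JSON of metadata + controls), the response layout, the framework code "SOC2" and the PASS/FAIL status vocabulary are assumptions; the page only states that a SHA-256 integrityHash exists.

```python
import hashlib
import hmac
import json

EXPORT_FORMATS = ("csv", "json", "pdf")  # the three formats the download endpoint accepts

def canonical_hash(report: dict) -> str:
    """SHA-256 over canonical JSON of metadata + controls (ASSUMED hashing scheme)."""
    body = {"metadata": report["metadata"], "controls": report["controls"]}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()

def verify_report(report: dict) -> bool:
    """True only if the embedded integrityHash matches the recomputed digest."""
    return hmac.compare_digest(canonical_hash(report), str(report.get("integrityHash", "")))

def download_path(report_id: str, fmt: str) -> str:
    """Build the step-3 download path, refusing formats the endpoint does not offer."""
    if fmt not in EXPORT_FORMATS:
        raise ValueError(f"unsupported export format: {fmt}")
    return f"/compliance/reports/{report_id}/download?format={fmt}"

def failing_controls(report: dict) -> list:
    """Codes of controls not in PASS status (status vocabulary is assumed)."""
    return [c["code"] for c in report["controls"] if c["status"] != "PASS"]

def with_status(report: dict, code: str, status: str) -> dict:
    """Deep copy with one control's status changed; used to show tampering is caught."""
    edited = json.loads(json.dumps(report))
    for control in edited["controls"]:
        if control["code"] == code:
            control["status"] = status
    return edited

# Constructed stand-in for a step-3 JSON download (hypothetical values, not real output).
SAMPLE_REPORT = {
    "metadata": {"framework": "SOC2", "lookbackDays": 90, "generatedAt": "2024-01-01T00:00:00Z"},
    "controls": [
        {"code": "CC6.1", "category": "CC6", "title": "Logical access controls",
         "status": "PASS", "rationale": "MFA enforced on all IAM users", "gaps": []},
        {"code": "CC6.7", "category": "CC6", "title": "Data in transit protected",
         "status": "FAIL", "rationale": "One bucket allows public reads",
         "gaps": ["example-public-bucket"]},
    ],
}
SAMPLE_REPORT["integrityHash"] = canonical_hash(SAMPLE_REPORT)  # server would set this
```

Flipping a FAIL to PASS after download changes the recomputed digest, so verify_report returns False for the edited copy while the untouched sample verifies.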

What's inside

01. Map once, monitor forever

Each cloud control (e.g. S3 public access, IAM MFA, KMS rotation, K8s RBAC) is mapped to the relevant SOC 2 / ISO 27001 / HIPAA / FedRAMP control IDs — so a single drift event lights up every framework it affects.

02. Evidence on demand

Generate a per-framework evidence pack (PDF + raw JSON + screenshots) for any date range — useful for fieldwork, customer security reviews and certification surveillance audits.

03. Stale evidence is detected

Each evidence artefact has a freshness window. We surface controls whose evidence is about to expire — so the next audit doesn't open with 'this screenshot is 14 months old'.

Capabilities

Everything you need on day one.

  • SOC 2 · 10 controls (CC6 / CC7 / CC8)
  • ISO 27001 · 12 controls (A.5 / A.8 / A.12 / A.13)
  • FedRAMP Low · 12 controls (AC / AU / CA / CM / IR / RA / SC / SI)
  • HIPAA · 11 controls (§164.308 / 310 / 312)
  • SHA-256 integrityHash on every report
  • CSV · JSON · PDF download
  • ComplianceFreshnessScheduler auto-refresh
  • Pairs with Audit Trail · Custom Roles · SSO/SAML · SIEM Export

Before vs after Lumicost

Night and day.

Without Lumicost

  • Annual screenshot marathon for the auditor
  • Manual mapping of evidence to control codes
  • Reports live in someone's laptop

With Lumicost

  • On-demand, immutable, signed snapshot
  • 45 controls auto-evaluated against live posture
  • Append-only AuditEvent + SHA-256 hash

Where teams use it

Three ways teams put it to work.

First SOC 2 Type I

Stand up evidence collection in under a week and walk into the auditor with a complete pack on day one.

Multi-framework org

Run SOC 2 + ISO 27001 + HIPAA on the same telemetry without three parallel evidence projects.

Vendor risk replies

Customer asks 'show me your S3 public-access posture last quarter' → exported PDF in 30 seconds.

From the field

Compliance is not a PDF you produce once a year. Lumicost evaluates 45 controls across SOC 2, ISO 27001, FedRAMP Low and HIPAA against your live posture and signs the snapshot. The auditor downloads the same JSON your engineers do.
The Lumicost team · design principle

Plays nice with your stack

AWS · GCP · Azure · Oracle Cloud · Kubernetes · Terraform · Pulumi · Slack · Jira · Linear · GitHub · GitLab · Datadog · Splunk · OpenTelemetry · PagerDuty · NetSuite · SAP

FAQ

Frequently asked questions

Does Lumicost replace the auditor?

No. We make the auditor's job 10× faster by giving them clean, signed evidence in their preferred format.

Are custom frameworks supported?

Yes — define your own control mappings via a YAML schema. Useful for internal control catalogues and customer-specific addenda.

Try it free.

Connect read-only credentials. First insights in 24 hours. No credit card.

90 seconds · read-only credentials · no credit card