
Compliance toolkit

Evidence the auditors already ask for.

OpenSyber turns every workspace session, MCP tool call, GitHub action, and egress decision into structured evidence your auditor can read. Designed for fintech and distributed engineering teams who hand AI agents the keys.

We map to frameworks — we are not certified. 32 controls across 4 frameworks ship today; PSD3, DORA, FFIEC and EU AI Act mapping arrives Q3 2026.

Frameworks live: 4 (evidence mapping shipping today)
Controls covered: 32 (from packages/compliance, verifiable in the repo)
Open source: MIT (mcp-watch CLI and control schemas)

Frameworks

Each card maps to real controls.

SOC 2 Type II

AICPA Trust Services Criteria (2017, rev. 2022)

Scope: Global. Status: Shipping.

Security, Availability, Processing Integrity, Confidentiality, Privacy. OpenSyber covers logical access, change, and monitoring criteria for the contractor workspace surface.

Key articles

  • CC5.2
  • CC6.1
  • CC6.6
  • CC6.7
  • CC7.2
  • CC7.3
  • CC8.1
  • CC9.2

Evidence we generate

  • Workspace session lifecycle

    CC6.1 authorised access with device enrolment and contractor invite trail.

  • Egress and policy snapshots

    CC6.6 blocked egress tied to versioned SWG policy templates.

  • Step-up challenge audit

    CC6.7 / CC7.3 every privileged action requires step-up; failures captured.

  • Change management trail

    CC8.1 GitHub actions on production with step-up receipts for merges.

  • Anomaly evidence

    CC7.2 blocked MCP tool calls and egress decisions correlated to rules.

Plan tier: Growth fintech. Controls: 8.

ISO/IEC 27001:2022

ISO/IEC 27001:2022 Information Security Management

Scope: Global. Status: Shipping.

Annex A organisational (A.5) and technological (A.8) controls relevant to AI workspaces — identity lifecycle, monitoring, cryptography, cloud governance.

Key articles

  • A.5.7
  • A.5.15
  • A.5.16
  • A.5.23
  • A.5.34
  • A.8.16
  • A.8.20
  • A.8.24

Evidence we generate

  • Identity lifecycle records

    A.5.16 contractor invite to device enrolment to revocation, signed.

  • PII / DLP evidence

    A.5.34 DLP rule hits and egress redactions per category.

  • Monitoring artefacts

    A.8.16 MCP calls, shell commands, GitHub actions, and egress events.

  • Cryptographic posture

    A.8.24 device-bound ECDSA P-256 keys, TokenForge signatures, DBSC (Device Bound Session Credentials) bindings.

  • Cloud service controls

    A.5.23 egress decisions tagged with cloud provider category.

Plan tier: Bank compliance. Controls: 8.

HIPAA Security Rule

45 CFR Part 164, Subpart C — Security Standards for ePHI

Scope: United States. Status: Shipping.

Administrative and technical safeguards for ePHI. OpenSyber does not classify PHI — it produces evidence that access, audit, and integrity controls operate continuously.

Key articles

  • §164.308(a)(1)(ii)(D)
  • §164.308(a)(3)(ii)(C)
  • §164.308(a)(4)(ii)(B)
  • §164.308(a)(5)(ii)(C)
  • §164.312(a)(1)
  • §164.312(b)
  • §164.312(c)(1)
  • §164.312(e)(1)

Evidence we generate

  • Information system activity review

    §164.308(a)(1)(ii)(D) full audit chain with monthly aggregates.

  • Termination evidence

    §164.308(a)(3)(ii)(C) revoked devices and workspace sessions on exit.

  • Unique user identification

    §164.312(a)(2)(i), the unique user identification specification under the §164.312(a)(1) access control standard: device public-key thumbprint plus workspace JWT jti.

  • Audit and integrity

    §164.312(b)/(c)(1) append-only audit chain with a SHA-256 manifest over the chain.

  • Transmission security

    §164.312(e)(1) TLS interception (SSL bump) posture and TLS metadata per session.

Plan tier: Bank compliance. Controls: 8.

GDPR

Regulation (EU) 2016/679

Scope: European Union. Status: Shipping.

DLP, egress, and processor-control evidence for Articles 5, 25, 28, 30, 32, 33, 35 — data protection by design, records of processing, breach readiness.

Key articles

  • Art. 5(1)(f)
  • Art. 25
  • Art. 28
  • Art. 30
  • Art. 32
  • Art. 32(1)(d)
  • Art. 33
  • Art. 35

Evidence we generate

  • Data protection by design

    Art. 25 DLP defaults, deny categories, step-up triggers as policy snapshots.

  • Records of processing

    Art. 30 MCP calls, GitHub actions, egress events as records-of-processing (RoPA) evidence.

  • Security of processing

    Art. 32 encryption, TLS, device-bound sessions documented per workspace.

  • Breach readiness

    Art. 33 failed step-up and suspended devices feed 72-hour notification.

  • Processor controls

    Art. 28 contractor lifecycle audit and workspace JWT scope per sub-processor.

Plan tier: Growth fintech. Controls: 8.

PSD3

EU Payment Services Directive 3 and Payment Services Regulation (proposed)

Scope: European Union (trilogue 2026; national transposition 2027). Status: mapping Q3 2026.

Strong customer authentication, transaction monitoring, fraud reporting (Art. 84/85). Formal OpenSyber mapping Q3 2026.

Key articles

  • SCA
  • Art. 84
  • Art. 85

Evidence we generate

  • TokenForge device-bound sessions

    Substrate for SCA shipping today; formal PSD3 mapping Q3 2026.

  • Real-time agent monitoring

    Transaction-touching agent actions captured; PSD3 schema in development.

Plan tier: Bank compliance.

DORA

Regulation (EU) 2022/2554

Scope: European Union (applies since 17 Jan 2025). Status: mapping Q3 2026.

ICT risk management, 24-hour incident reporting (Art. 19), third-party register (Art. 28). Mapping Q3 2026.

Key articles

  • Art. 8
  • Art. 19
  • Art. 28

Evidence we generate

  • Continuous ICT risk monitoring

    Workspace audit chain shipping; DORA Art. 19 report template in development.

  • Third-party agent register

    Contractor and MCP-source inventory captured; Art. 28 export Q3 2026.

Plan tier: Bank compliance.

FFIEC

FFIEC IT Examination Handbook

Scope: United States. Status: mapping Q3 2026.

US federal financial regulator examination guidance: the Architecture, Infrastructure, and Operations (AIO) and Information Security booklets. Formal mapping Q3 2026.

Key articles

  • Architecture, Infrastructure, and Operations (AIO) Booklet
  • Information Security Booklet

Evidence we generate

  • Contractor access controls

    Workspace session and device records aligned to examination requests.

  • Change management evidence

    GitHub change trail captured; FFIEC packet template Q3 2026.

Plan tier: Bank compliance.

EU AI Act

Regulation (EU) 2024/1689

Scope: European Union (high-risk obligations apply 2 Aug 2026). Status: mapping Q3 2026.

Risk management, technical documentation, record-keeping, transparency, human oversight for high-risk AI. Mapping Q3 2026.

Key articles

  • Art. 9
  • Art. 12
  • Art. 14
  • Art. 15

Evidence we generate

  • Continuous risk monitoring

    Detection chain feeds Art. 9 risk-management evidence.

  • Record-keeping

    Art. 12 append-only audit captured; AI Act schema Q3 2026.

  • Human oversight trail

    Step-up plus deny-decision audit support Art. 14 oversight evidence.

Plan tier: Tier-1.

Sample output

What an evidence pack looks like.

Open the sample below to see the shape of a regulator-facing narrative generated from a live OpenSyber workspace. Every field is reproducible from the underlying audit chain.
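The integrity claims on this page (the HIPAA §164.312(b)/(c)(1) append-only audit with a SHA-256 manifest, and every evidence-pack field being reproducible from the audit chain) rest on one mechanism: each record carries the hash of its predecessor, and a manifest over all record hashes pins the tail. The following is an added example written for this page to show how an auditor-side verifier would check such a chain; it is not OpenSyber's code, and the record format, field names and sample events are assumptions.

```python
import hashlib
import json
from collections import Counter

# Added example, not OpenSyber code. The record format below is assumed:
# each entry is a JSON object carrying "seq" and "prev" (SHA-256 hex of the
# previous entry's canonical JSON); the first entry points at GENESIS.
GENESIS = "0" * 64


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(canonical(entry)).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, chaining it to the hash of the previous entry."""
    prev = entry_hash(log[-1]) if log else GENESIS
    entry = {"seq": len(log), "prev": prev, **event}
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Walk the chain. Returns (True, None) or (False, index of first bad entry).
    Catches edits, deletions and reordering inside the chain. It cannot see
    truncation at the tail on its own; that is what the manifest is for."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != expected_prev:
            return False, i
        expected_prev = entry_hash(entry)
    return True, None


def manifest(log: list) -> str:
    """SHA-256 over the ordered entry hashes. Changes if any entry is edited,
    moved or dropped, including the last one, so it must be kept out of band
    (signed, or handed to the auditor) to detect tail truncation."""
    h = hashlib.sha256()
    for entry in log:
        h.update(bytes.fromhex(entry_hash(entry)))
    return h.hexdigest()


def evidence_summary(log: list) -> dict:
    """Aggregate counts an auditor asks for, plus the manifest that lets them
    reproduce the numbers from the chain themselves."""
    ok, bad = verify_chain(log)
    by_kind = Counter(e["kind"] for e in log)
    denied = Counter(e["kind"] for e in log if e.get("decision") == "deny")
    return {"chain_ok": ok, "first_bad_seq": bad, "entries": len(log),
            "by_kind": dict(by_kind), "denied": dict(denied),
            "manifest_sha256": manifest(log)}


# Constructed sample events for one workspace session (not real data).
SAMPLE_EVENTS = [
    {"kind": "session", "action": "start", "device": "thumb:ab12", "jti": "j-1"},
    {"kind": "mcp_call", "tool": "fs.read", "decision": "allow", "jti": "j-1"},
    {"kind": "egress", "host": "paste.example", "decision": "deny", "rule": "dlp-pii"},
    {"kind": "step_up", "result": "failed", "jti": "j-1"},
    {"kind": "session", "action": "end", "jti": "j-1"},
]


def build_sample_log() -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, ev)
    return log


def tampered_copy(log: list, seq: int, **changes) -> list:
    """Copy of the log with one entry edited after the fact, to show detection."""
    copy = [dict(e) for e in log]
    copy[seq].update(changes)
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print(json.dumps(evidence_summary(log), indent=2))
    edited = tampered_copy(log, 2, decision="allow")   # flip the deny to allow
    print("edited entry 2 ->", verify_chain(edited))   # fails at seq 3
    del edited[2]                                       # drop an entry instead
    print("dropped entry 2 ->", verify_chain(edited))  # fails at seq 2
    print("truncated tail ->", verify_chain(log[:4]), manifest(log[:4]) != manifest(log))
```

The chain walk alone is enough to catch an entry being rewritten, reordered or removed from the middle, because the next entry's prev no longer matches. Cutting the most recent entries off the end leaves a chain that still verifies, which is why the manifest has to live somewhere the log writer cannot silently update: a verifier holding yesterday's manifest compares it against a recomputation over today's chain prefix.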

Your auditor is already calling.

Pilot OpenSyber against your next SOC 2 or ISO 27001 cycle and bring receipts instead of spreadsheets.

OpenSyber is a compliance toolkit, not a legal opinion. The customer and their auditor remain responsible for scope and adequacy.