Launched this week

Scorifya Controls
Self-hosted SOC 2 readiness, $99/mo, RFC 3161 timestamps
7 followers
Self-hosted SOC 2 compliance for teams that can't justify Vanta's $10K-$15K/year. 33 automated checks across AWS, GitHub, GCP, Azure mapped to AICPA TSC 2017. 20 manual controls with evidence. RFC 3161 timestamps on every attestation (DigiCert, verifiable offline with OpenSSL). Deploys in one docker-compose. Flat tiers from $99/mo. First 25 buyers per tier get 20% off forever.
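The "verifiable offline with OpenSSL" claim above rests on plain RFC 3161 mechanics, shown here as an added example that is not Scorifya's code: the request carries only a hash of the evidence, and an assessor later verifies the stored token against a fresh hash and the TSA's root certificate. File names (evidence.json, evidence.tsq, evidence.tsr) and the root bundle path digicert-root.pem are assumptions.

```shell
# Added example, not Scorifya's code: the RFC 3161 steps an assessor can replay
# offline with nothing but OpenSSL and the TSA's root certificate. The file
# names (evidence.json, evidence.tsq/.tsr) and the root bundle path are assumed.

# SHA-256 of an evidence file as lowercase hex, without the filename.
sha256_hex() {    # $1 = evidence file
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Build the timestamp request that goes to the TSA. Only the hash (the
# "message imprint") is inside it; the evidence itself never leaves the host.
make_ts_query() {    # $1 = evidence file, $2 = output .tsq
    openssl ts -query -data "$1" -sha256 -cert -out "$2"
}

# Read the message imprint back out of a .tsq as hex, by parsing the hexdump
# that `openssl ts -query -text` prints under "Message data:".
query_imprint() {    # $1 = .tsq
    openssl ts -query -in "$1" -text \
      | sed -n '/^Message data:/,/^Policy OID:/p' \
      | grep -E '^ *[0-9a-f]{4} - ' \
      | sed -E 's/^ *[0-9a-f]{4} - //; s/   .*$//' \
      | tr -d ' -' | tr -d '\n'
}

# Offline verification of a stored token: OpenSSL checks that the .tsr is
# signed by a certificate chaining to the TSA root in the bundle and that its
# imprint equals a fresh hash of the evidence. Editing the evidence after the
# fact, or pairing it with a token from another file, makes this return non-zero.
verify_attestation() {    # $1 = evidence file, $2 = .tsr, $3 = TSA root bundle
    openssl ts -verify -data "$1" -in "$2" -CAfile "$3"
}

# Typical use with the assumed names:
#   make_ts_query evidence.json evidence.tsq      # submit evidence.tsq to the TSA
#   verify_attestation evidence.json evidence.tsr digicert-root.pem
```

Because verification recomputes the hash locally, the check also works years later with no network access, as long as the TSA root certificate is kept alongside the evidence.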
Quick update for anyone who saw the launch: Controls now maps every check to PCI DSS 4.0.1, not just SOC 2.
Same deployment, same price. The 38 automated checks (AWS, GCP, Azure, GitHub) and the manual controls each carry both an AICPA TSC 2017 criterion and a PCI DSS 4.0.1 requirement code now. There's a framework filter too, so you can flip between "SOC 2 only," "PCI only," or both and watch the posture score recompute.
The thing I actually care about here is PCI scope. If you use a hosted SaaS compliance platform, that vendor becomes a third-party service provider inside your cardholder data environment, so you end up tracking it and collecting an AoC from it every year. Controls runs on your own servers, so it never adds a third party to your CDE scope. For SAQ A and A-EP merchants (the ones who outsource card capture to a hosted payment page) that keeps the scope story a lot simpler.
To be clear about what it is not: it does not complete your SAQ or replace a QSA or ASV. It gets you audit-ready and hands your assessor clean, timestamped evidence.
No per-framework upcharge. It is included on every tier. Happy to answer anything.
Finally a compliance tool that doesn't assume I'm a Fortune 500 company. Got it running with the docker-compose in about ten minutes and the RFC 3161 timestamps worked exactly as advertised when I verified them offline.