
Scorifya Controls
SOC 2, PCI DSS, and ISO 27001 compliance · self-hosted
6 followers
SOC 2, PCI DSS, and ISO 27001 compliance · self-hosted
6 followers
Scorifya Controls runs 54 automated checks across AWS, GitHub, GCP, and Azure, each mapped to SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022 Annex A, tracks 36 manual controls with evidence, and generates audit-ready reports plus a Statement of Applicability, all self-hosted on your own infrastructure, with no per-seat licensing. Built for seed-stage startups and small SaaS teams preparing for their first SOC 2 audit, a SAQ A / A-EP PCI assessment, or an ISO 27001 certification.






Quick update for anyone who saw the launch: Controls now maps every check to PCI DSS 4.0.1, not just SOC 2.
Same deployment, same price. The 38 automated checks (AWS, GCP, Azure, GitHub) and the manual controls each carry both an AICPA TSC 2017 criterion and a PCI DSS 4.0.1 requirement code now. There's a framework filter too, so you can flip between "SOC 2 only," "PCI only," or both and watch the posture score recompute.
The thing I actually care about here is PCI scope. If you use a hosted SaaS compliance platform, that vendor becomes a third-party service provider inside your cardholder data environment, so you end up tracking it and collecting an AoC from it every year. Controls runs on your own servers, so it never adds a third party to your CDE scope. For SAQ A and A-EP merchants (the ones who outsource card capture to a hosted payment page) that keeps the scope story a lot simpler.
To be clear about what it is not: it does not complete your SAQ or replace a QSA or ASV. It gets you audit-ready and hands your assessor clean, timestamped evidence.
No per-framework upcharge. It is included on every tier. Happy to answer anything.
Update: Scorifya Controls runs 54 automated checks across AWS, GitHub, GCP, and Azure, each mapped to SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022 Annex A, tracks 36 manual controls with evidence, and generates audit-ready reports plus a Statement of Applicability, all self-hosted on your own infrastructure, with no per-seat licensing. Built for seed-stage startups and small SaaS teams preparing for their first SOC 2 audit, a SAQ A / A-EP PCI assessment, or an ISO 27001 certification.
Finally a compliance tool that doesn't assume I'm a Fortune 500 company. Got it running with the docker-compose in about ten minutes and the RFC 3161 timestamps worked exactly as advertised when I verified them offline.