00 · Compliance
Evidence that holds up at the audit.
Espada isn't a compliance tool that decides you're compliant. It produces the action-side evidence auditors look for, in a chain they can verify without us in the loop. Below is the map: which audit-chain entries satisfy which controls, in which framework, for AI-agent actions in AWS.
How this works
Every decision Espada makes lands in an append-only, hash-chained log. Checkpoints over the chain are signed with KMS, can optionally be anchored to an RFC 3161 timestamp authority, and the chain is mirrored to a WORM bucket in your S3 or Azure Blob storage. Your auditor exports the chain from your tenant on their own timeline, runs verifyChain, and reads the entries against the control set below.
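To make concrete what a verifyChain step has to establish, here is an added illustration in Python. It is not Espada's verifyChain, bundle format or key handling: it assumes a hypothetical layout of JSON entries that each carry the SHA-256 of their predecessor, plus checkpoints whose signature covers the chain head at a given sequence number, and it stands in for the KMS signature with HMAC-SHA256 under a local key. The four agent decisions are constructed sample data.

```python
"""Verifier for an append-only, hash-chained audit log with signed checkpoints.

Added example, not Espada's code. Entry layout, checkpoint layout and the
HMAC stand-in for KMS signing are all assumptions made for illustration.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev pointer of the very first entry


def canonical(obj) -> bytes:
    """Deterministic JSON so an entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev: str, body: dict) -> str:
    return hashlib.sha256(prev.encode() + canonical(body)).hexdigest()


def append(chain: list, body: dict) -> dict:
    """Append a decision record linked to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "body": body,
             "hash": entry_hash(prev, body)}
    chain.append(entry)
    return entry


def checkpoint(chain: list, key: bytes) -> dict:
    """Sign the current head (HMAC stands in for a KMS signature)."""
    head = chain[-1]
    cp = {"seq": head["seq"], "head": head["hash"]}
    cp["sig"] = hmac.new(key, canonical(cp), hashlib.sha256).hexdigest()
    return cp


def verify_chain(chain: list, checkpoints: list, key: bytes) -> list:
    """Return integrity failures; an empty list means PASS."""
    failures = []
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i:
            failures.append(f"entry {i}: sequence gap")
        if e["prev"] != prev:
            failures.append(f"entry {i}: prev pointer does not match entry {i - 1}")
        if e["hash"] != entry_hash(e["prev"], e["body"]):
            failures.append(f"entry {i}: stored hash does not match body")
        prev = e["hash"]
    heads = {e["seq"]: e["hash"] for e in chain}
    for cp in checkpoints:
        unsigned = {"seq": cp["seq"], "head": cp["head"]}
        mac = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, cp["sig"]):
            failures.append(f"checkpoint {cp['seq']}: bad signature")
        elif cp["seq"] not in heads:
            failures.append(f"checkpoint {cp['seq']}: entry missing (chain truncated)")
        elif heads[cp["seq"]] != cp["head"]:
            failures.append(f"checkpoint {cp['seq']}: head differs (history rewritten)")
    return failures


def rewrite_history(chain: list, seq: int, new_body: dict) -> list:
    """Attacker model: alter one entry and re-link every later one so the
    per-entry checks all pass. Only a signed checkpoint can catch this."""
    bodies = [e["body"] for e in chain]
    bodies[seq] = new_body
    rebuilt = []
    for b in bodies:
        append(rebuilt, b)
    return rebuilt


def build_sample():
    """Constructed sample: four agent decisions, checkpoints after #1 and #3."""
    key = b"local-stand-in-for-kms-key"  # assumption: never a real key
    chain, cps = [], []
    append(chain, {"agent": "deploy-bot", "action": "s3:PutObject", "verdict": "allow"})
    append(chain, {"agent": "deploy-bot", "action": "iam:AttachRolePolicy", "verdict": "deny"})
    cps.append(checkpoint(chain, key))
    append(chain, {"agent": "deploy-bot", "action": "iam:AttachRolePolicy",
                   "verdict": "allow", "approver": "alice"})
    append(chain, {"agent": "deploy-bot", "action": "ec2:TerminateInstances", "verdict": "deny"})
    cps.append(checkpoint(chain, key))
    return chain, cps, key


if __name__ == "__main__":
    chain, cps, key = build_sample()
    print("clean:    ", verify_chain(chain, cps, key))
    forged = rewrite_history(chain, 2, {**chain[2]["body"], "approver": "nobody"})
    print("rewritten:", verify_chain(forged, cps, key))
    print("truncated:", verify_chain(chain[:3], cps, key))
```

Two things the run shows that the prose alone does not. A rewrite that re-links the tail passes every per-entry check and is caught only by the checkpoint whose head no longer matches, so the checkpoints, not the hash links, are what make the chain evidence rather than a self-consistent story. And dropping entries after the newest checkpoint is invisible to this check, which is why a periodic external anchor such as the RFC 3161 timestamp or the WORM mirror matters.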
```bash
# In the customer's environment
espada audit export \
  --framework soc2-2017-tsc \
  --range 2026-01-01..2026-06-30 \
  --to /tmp/q2-evidence.zip

espada audit verify --bundle /tmp/q2-evidence.zip
# verifyChain: PASS (X entries; 0 integrity failures)
```
Frameworks we pre-map
| Framework | Audit-chain mapping | Pilot-ready? |
|---|---|---|
| SOC 2 (2017 TSC) | CC6.8, CC7.2, CC7.3, CC8.1 | Yes |
| ISO/IEC 27001 (2022) | A.5.10, A.8.2, A.8.3, A.8.16, A.8.25, A.9.4 | Yes |
| ISO/IEC 42001 (AI MS) | A.6, A.8, A.10 | Yes |
| NIST 800-53 (Rev 5) | AC-2, AC-3, AC-6, AU-2, AU-9, AU-10, AU-12, CM-3, IA-2, SI-4, SC-39 | Yes |
| NIST 800-171 (Rev 2) | 3.1.1, 3.1.2, 3.3.1, 3.3.2, 3.3.5, 3.4.5 | Yes |
| PCI-DSS v4.0 | 10.2.1, 10.2.2, 10.3.1, 10.6, 10.7.1, 7.2, 7.3 | Yes |
| HIPAA Security Rule | 164.308(a)(1), 164.308(a)(3), 164.312(a)(1), 164.312(b), 164.312(c)(1) | Yes |
| CIS Controls v8 | 3.3, 3.10, 4.1, 4.3, 6.1, 6.5, 8.5 | Yes |
| NIST AI RMF | Manage, Measure (per AI Governance) | Yes |
| EU AI Act Art. 14 | Human oversight evidence | Yes |
Full per-control mapping at docs/compliance/mapping.md. If your auditor wants a custom mapping (CCPA, GDPR Art. 32, FedRAMP Moderate, CMMC), email compliance@espadafirewall.com and we'll build it (typical turnaround: 1-2 weeks).
What we don't claim
- We do not claim a customer is "SOC 2 compliant" by installing Espada. The audit is an external attestation; Espada produces evidence for that audit.
- We do not claim to replace your CSPM (Wiz, Snyk, Prisma) or your CASB. Those tools cover different control families.
- We do not provide a HIPAA Business Associate Agreement because we do not handle PHI by default. If you wire Espada to handle PHI (e.g. through a custom WORM sink that retains it), you remain the Covered Entity.
Our own posture
Espada Labs, Inc. is in SOC 2 Type 1 readiness (target: Q3 next year). Our own controls are documented at docs/compliance/soc2-readiness.md. ISO 27001 roadmap at docs/compliance/iso27001-roadmap.md. We will publish the SOC 2 attestation when issued.
Want a question pre-answered?
Common vendor-security questions are pre-answered at docs/compliance/security-questionnaire-package.md. If yours isn't there, send it; we add common items to the package as they come up.