Compliance as machine-checked evidence.
Compliance artifacts are generated from runtime signals — not reverse-engineered at audit. Every control maps to events the runtime already produces.
This page is the operator memory: every certification listed with scope, last audit date, auditor of record, and a downloadable report. Sub-processors, residency, and the evidence pipeline are below. No marketing claims — only the paperwork an auditor will actually accept.
Four reports your auditor already knows by name.
Each report ships with a controls matrix, the most recent penetration test summary, and management responses. Reissued annually by independent third parties — no self-assessments stand alone, no internal-only audits.
The whole register. Every row, every reissue.
The unabridged compliance register. Scope, period, auditor of record, last reissue, and next assessment. FedRAMP Moderate is under 3PAO assessment with target authorization in Q3 2026 — tracked here in the same line as everything else.
| Certification | Scope | Status | Period | Auditor | Last reissued | Next assessment | Report |
|---|---|---|---|---|---|---|---|
| SOC 2 Type II | Security · Availability · Confidentiality · Privacy | ● Operational | Apr 2025 – Mar 2026 | A-LIGN | 14 Mar 2026 | Apr 2026 – Mar 2027 | download.pdf |
| ISO 27001:2022 | ISMS · Annex A · 93 controls | ● Operational | Feb 2025 – Feb 2027 | Schellman | 02 Feb 2026 | Surveillance · Feb 2027 | download.pdf |
| ISO 27701:2019 | Privacy IMS · GDPR aligned | ● Operational | Feb 2025 – Feb 2027 | Schellman | 02 Feb 2026 | Surveillance · Feb 2027 | download.pdf |
| HIPAA Security Rule | PHI · BAA · 45 CFR §164 | ● Operational | Annual · 2026 | Coalfire | 09 Jan 2026 | Jan 2027 | download.pdf |
| PCI DSS 4.0 (Level 1) | SAQ-D · scoped tenants | ● Operational | Annual · 2026 | Coalfire | 21 Feb 2026 | Feb 2027 | download.pdf |
| GDPR · DPF | EU-US Data Privacy Framework | ● Operational | Self-certified · 2026 | TrustArc · oversight | 11 Apr 2026 | Apr 2027 | download.pdf |
| CCPA | Cal. Civ. Code §1798.100 et seq. | ● Operational | Continuous | Internal · TrustArc-attested | 08 Mar 2026 | Continuous | download.pdf |
| FedRAMP Moderate | NIST 800-53 · 325 controls | ○ In progress | 3PAO assessment Q3 2026 | Coalfire (3PAO) | ATO target Q3 2026 | Continuous monitoring | request |
| Cyber Essentials Plus (UK) | NCSC five-control baseline | ● Operational | Annual · 2026 | IASME · accredited | 27 Jan 2026 | Jan 2027 | download.pdf |
Evidence is emitted, not collected.
Every auditable event is hashed, signed, and streamed to your SIEM in machine-readable form. The control matrix maps directly onto the events the runtime already produces — no spreadsheet reconciliation, no quarterly screenshot campaigns.
Auditors traditionally receive a folder. Screenshots, CSV exports, hand-curated tickets pulled from five systems and flattened into a binder. exAI inverts that. The runtime emits a structured event for every action that touches a control — workspace boot, agent step, KMS unwrap, IdP claim, model invocation, file access. The event itself is the evidence.
Each event is hashed with SHA-256, chained to the previous event in the same tenant log, and signed with a per-region ed25519 key resident in your KMS. The chain is stored on S3-Iceberg with object-lock retention, and a copy streams in real time to your SIEM connector — Datadog, Splunk, Sentinel, Chronicle, or a customer-pull endpoint. Tampering breaks the chain; missing events break the chain. The auditor verifies the chain, not the spreadsheet.
Mapping is explicit. Every event carries a control-id field that points at the framework clause it satisfies — CC6.1 for SOC 2, A.9.4.1 for ISO 27001, §164.312(a)(1) for HIPAA. The auditor queries by control-id, gets the population back, and walks the sample with hash verification. The whole pipeline takes minutes, not weeks.
- event-id: evt_01HK6F8Q4M2RX7C5N9TZ1A0BWE
- control-id: CC6.1 · logical access
- actor: k.mori@customer.com
- resource: wks-prod-01 / agent.exec
- timestamp: 2026-04-18T10:41:07.214Z
- hash: sha256:9f4c…b27e (chained)
- evidence-uri: s3://exai-evidence/2026/04/18/evt_01HK6F8Q4M.json
- signature: ed25519:a3e1…7c92 · attestation kms-prod-eu-west-1
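The chain walk described above, as an added example that is not exAI's code or pipeline: events carry the field names from the sample event, each hash covers the body including the previous event's hash, and a per-region key signs the hash. Two assumptions are labelled in the code: HMAC-SHA256 stands in for the ed25519 KMS signature so the block runs on the standard library alone, and canonical JSON (sorted keys, no whitespace) is the serialisation hashed. The sample events are constructed. The verifier reports which of the three failure modes broke the chain: a tampered body, a forged signature, or a missing event.

```python
"""Hash-chained, signed evidence log: emit, verify, and query by control-id."""
import hashlib
import hmac
import json

# Constructed stand-in for the per-region KMS signing key (assumption:
# HMAC-SHA256 replaces ed25519 so this runs without extra libraries).
REGION_KEY = b"kms-prod-eu-west-1-demo-key"
GENESIS = "sha256:" + "0" * 64  # prev-hash of the first event in a tenant log

# Constructed sample rows: (control-id, actor, resource, timestamp).
SAMPLE_ROWS = [
    ("CC6.1", "k.mori@customer.com", "wks-prod-01 / agent.exec", "2026-04-18T10:41:07.214Z"),
    ("A.9.4.1", "svc-runtime", "kms-prod-eu-west-1 / unwrap", "2026-04-18T10:41:07.330Z"),
    ("CC6.1", "k.mori@customer.com", "wks-prod-01 / file.read", "2026-04-18T10:41:09.002Z"),
]


def canonical(body: dict) -> bytes:
    """Stable serialisation (assumption) so hashes are reproducible anywhere."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(digest_hex: str) -> str:
    """Sign the event hash with the region key (HMAC stands in for ed25519)."""
    return "hmac-sha256:" + hmac.new(REGION_KEY, digest_hex.encode(), hashlib.sha256).hexdigest()


def emit(prev_hash: str, seq: int, control_id: str, actor: str, resource: str, ts: str) -> dict:
    """Build one chained event; the hash covers every body field including prev-hash."""
    body = {
        "seq": seq,
        "event-id": f"evt_demo_{seq:04d}",  # constructed ids, not real ULIDs
        "control-id": control_id,
        "actor": actor,
        "resource": resource,
        "timestamp": ts,
        "prev-hash": prev_hash,
    }
    digest = "sha256:" + hashlib.sha256(canonical(body)).hexdigest()
    return {**body, "hash": digest, "signature": sign(digest)}


def build_log(rows) -> list:
    """Emit a tenant log from sample rows, linking each event to the one before."""
    events, prev = [], GENESIS
    for seq, (cid, actor, res, ts) in enumerate(rows, start=1):
        ev = emit(prev, seq, cid, actor, res, ts)
        events.append(ev)
        prev = ev["hash"]
    return events


def verify_chain(events) -> tuple:
    """Walk the chain. Returns (ok, reason); tampering or gaps fail at the first bad link."""
    prev, expected_seq = GENESIS, 1
    for ev in events:
        body = {k: v for k, v in ev.items() if k not in ("hash", "signature")}
        if ev["seq"] != expected_seq:  # a dropped event leaves a sequence gap
            return False, f"gap before seq {ev['seq']}"
        if body["prev-hash"] != prev:  # link must point at the previous event's hash
            return False, f"prev-hash mismatch at seq {ev['seq']}"
        digest = "sha256:" + hashlib.sha256(canonical(body)).hexdigest()
        if digest != ev["hash"]:  # any edited field changes the recomputed hash
            return False, f"hash mismatch at seq {ev['seq']}"
        if not hmac.compare_digest(sign(digest), ev["signature"]):  # re-hashed but unsigned
            return False, f"bad signature at seq {ev['seq']}"
        prev, expected_seq = digest, expected_seq + 1
    return True, "ok"


def population(events, control_id: str) -> list:
    """What an auditor pulls: every event-id satisfying one framework clause."""
    return [e["event-id"] for e in events if e["control-id"] == control_id]


if __name__ == "__main__":
    log = build_log(SAMPLE_ROWS)
    print("intact:", verify_chain(log))
    edited = [dict(e) for e in log]
    edited[1]["actor"] = "someone.else@customer.com"
    print("tampered:", verify_chain(edited))
    print("dropped:", verify_chain([log[0], log[2]]))
    print("CC6.1 population:", population(log, "CC6.1"))
```

The sample walk an auditor performs is the last function plus the verifier: pull the population for a control-id, then run the chain check over the full log so the sampled events are known to sit in an unbroken, signed sequence.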
Every vendor named. Every region pinned.
The complete sub-processor list is published — not gated, not redacted. DPAs are on file for every entry. Residency is pinned per workspace at provisioning time and enforced by the control plane; data does not migrate without an explicit, signed customer action.
| Sub-processor | Purpose | Region | DPA on file |
|---|---|---|---|
| Anthropic | Foundation model inference | us-east-1 · eu-west-1 | |
| OpenAI | Foundation model inference (opt-in) | us-east-1 · eu-west-1 | |
| Google AI | Foundation model inference (opt-in) | us-central1 · europe-west4 | |
| AWS | Compute · KMS · object-lock evidence | us-east-1 · us-west-2 · eu-west-1 · ap-southeast-1 | |
| GCP | Compute · KMS · BigQuery sink (opt-in) | us-central1 · europe-west4 · asia-southeast1 | |
| Azure | Compute · Key Vault · sovereign tenants | eastus2 · westeurope · sweden-central | |
| Cloudflare | Edge networking · DDoS · TLS | Global · regional WAF | |
| Datadog | Telemetry · SIEM forwarding | us-east-1 · eu-west-1 (regional) | |
| Sentry | Error reporting · scoped tenants | us-east-1 · eu-west-1 | |
| PagerDuty | Incident on-call · 24×7 SRE rotation | us-east-1 | |
- us-east-1: Data at rest pinned to region · KMS-local · 3AZ
- us-west-2: Data at rest pinned to region · KMS-local · 3AZ
- eu-west-1: Data at rest pinned to EU · DPF · KMS-local
- ap-southeast-1: Data at rest pinned to region · KMS-local · 2AZ
- customer-VPC: BYOK · BYOC · single-tenant control plane
Bring your audit through. We'll already have the evidence.
The evidence packet ships under NDA inside one business day. It includes the controls matrix, sample populations, the penetration test executive summary, the management response file, and a chain-verification script your auditor can run against your tenant log themselves.