Roadmap

Where ComplyOS is going

Audience-first. Framework-broad. OSCAL-native. Built so a vCISO, a Fractional Compliance Officer, an External Auditor, and an Internal Auditor can all do their best work in one place.

  • Stage: Pre-revenue, pre-launch
  • Code: ~540 backend / ~390 UI commits
  • Closed beta: June 2026
  • Public beta: August 2026

Built for six roles, one workspace

Every product decision starts with which of these roles benefits and how cleanly we can support all of them in the same multi-tenant system.

Customer Org Admin

Compliance / security owner inside the company.

Capability: Run the company’s ISMS, frameworks, evidence, and audit prep.

Authorized User

Employee inside a Customer Org.

Capability: Contribute documents, evidence, and control work.

vCISO

Outsourced CISO operating across multiple client orgs.

Capability: Cross-tenant control plane. Manage every client portfolio from one workspace.

Fractional Compliance Officer

Part-time compliance lead, often layered on top of clients already using Vanta or Drata.

Capability: Document-management spine across the portfolio. Manage SOPs and POLs in ComplyOS while evidence collection stays in Vanta or Drata.

External Auditor

Independent firm performing SOC 2 / ISO attestation.

Capability: Read-only auditor portal across engagements. PBC lists, sampling, walkthroughs.

Internal Auditor

In-house audit function performing operational and compliance audits.

Capability: Audit plans, test workpapers, finding lifecycle, immutable trail.

The wedge

Document spine on top of Vanta and Drata.

Vanta and Drata won the evidence-collection war. They lost the document-management one. Their customers run SOPs and policies in Confluence, Notion, or Google Docs, disconnected from the evidence engine.

ComplyOS is the document-management and ISMS spine that plugs into Vanta or Drata, gives Fractional Compliance Officers and vCISOs a single workspace across all their Vanta / Drata clients, and inherits the customer base of both incumbents.

Short term: ride them. Long term: replace them.

What we ship and when

Shipped

Shipped (nonprod, May 2026)

Working software in nonprod. ~540 backend commits, ~390 UI commits, 4 months solo.

Core platform

  • Document lifecycle (POL / SOP / WIS / FOR with versioning, approval workflows, audit trail)
  • 5-state evidence-driven control coverage model
  • SOC 2 framework + control mapping
  • Vendor management with Vendor Qualification Review (VQR) Activity Runs
  • Recurring Activity Run scheduler with idempotent fan-out
  • Hard multi-tenant isolation: application + PostgreSQL row-level security + composite foreign keys
  • Tenant cross-org switching foundation

Infrastructure & integrations

  • Stripe billing
  • Clerk authentication (SSO, MFA, password)
  • Sentry error monitoring
  • OneSignal transactional + push delivery
  • Svix webhooks

Now

May – August 2026 · Capstone + Beta + Security Hardening

Multi-agent onboarding, closed beta in June, public beta in August. Field-level encryption ships before closed beta opens.

Capstone (May 10, 2026)

  • Multi-agent onboarding wizard — Coordinator, Discovery, Document, Controls, and Vendor agents

Frameworks shipping during this window

  • NIST CSF 2.0 framework + control mapping
  • GDPR framework + control mapping

Database field-level encryption (KEK / DEK envelope)

  • GCP Cloud KMS as KEK source (CMEK on Cloud SQL + envelope encryption at app layer)
  • Per-tenant Data Encryption Keys (DEKs) with KEK-wrapped storage
  • AES-256-GCM authenticated encryption on PII, customer content, evidence, audit payloads, integration secrets
  • Deterministic encryption + blind indexes for searchable encrypted fields
  • KMS-audited decrypt operations as control evidence
  • Crypto-shredding on tenant deletion (satisfies GDPR Article 17 right to erasure)
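The envelope and blind-index pieces listed above, as an added Go example that is not ComplyOS code: a per-tenant DEK is minted and stored only KEK-wrapped, fields are sealed with AES-256-GCM, and an HMAC-SHA256 blind index gives equality search without decryption. Assumed for the example: a local 32-byte KEK stands in for the GCP Cloud KMS wrap/unwrap call, the AAD layout of tenant plus column is a design choice the page does not state, and deterministic encryption is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
func aead(key []byte) cipher.AEAD {
	if len(key) != 32 { // AES-256 only; 16 or 24 bytes would silently downgrade
		panic("aead: key must be 32 bytes")
	}
	b, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(b)   // cannot fail for an AES block
	return g
}

// Seal returns nonce || ciphertext+tag; aad binds the value to its tenant and column.
func Seal(key, pt, aad []byte) []byte {
	g := aead(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, pt, aad)
}

// Open reverses Seal; a wrong key, tampered bytes or mismatched aad yields an error.
func Open(key, box, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(box) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], aad)
}

// NewWrappedDEK mints a tenant DEK and returns it only KEK-wrapped (local KEK assumed in
// place of Cloud KMS). Deleting this blob is the crypto-shred: the DEK's fields are gone.
func NewWrappedDEK(kek []byte, tenantID string) []byte {
	dek := make([]byte, 32)
	rand.Read(dek)
	return Seal(kek, dek, []byte("dek:"+tenantID))
}

// BlindIndex: HMAC-SHA256 under a per-tenant index key; equality search without decrypting.
func BlindIndex(indexKey []byte, value string) []byte {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(value))
	return m.Sum(nil)
}
```

The plaintext DEK lives only in process memory after an unwrap; what reaches PostgreSQL is the wrapped blob, the sealed fields and the blind-index digests.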

Beta launch surface

  • Closed beta admit flow (June 2026)
  • Public beta (August 2026)
  • Per-tenant AI usage caps and observability
  • Customer data export with 30-day post-termination window
  • Privacy center: DSAR self-service, consent ledger
  • Cookie consent + Global Privacy Control (GPC) handling on marketing site
  • Loops.so waitlist with double opt-in
  • Harness feature flags

Q3 – Q4 2026

MultiOrg + Auditor + OSCAL + Trust Center + BYOD

Open the channel for vCISOs and Fractional Compliance Officers. Open the door for external auditors. Ship OSCAL-native artifacts. Bring Your Own Documents.

MultiOrg control plane

  • Cross-tenant dashboard for vCISO and Fractional Compliance Officer
  • Per-tenant access approval gating (Owner Org admin authorization)
  • Portfolio-wide control library reuse
  • Aggregated readiness scoring across clients

Vanta + Drata wedge integrations

  • Vanta API: ingest evidence + control state
  • Drata API: ingest evidence + control state
  • ComplyOS becomes the document-management spine for Vanta / Drata customers
  • Fractional Compliance Officer manages SOPs and POLs in ComplyOS while evidence collection continues in Vanta or Drata

External Auditor portal (preview)

  • Read-only auditor role
  • Evidence sampling + walkthrough workpapers
  • PBC (provided-by-client) request lists
  • Cross-engagement access scoped per audit

OSCAL-native evidence generation

  • System Security Plan (SSP) export in OSCAL JSON / XML / YAML
  • Security Assessment Plan (SAP) and Assessment Results (SAR)
  • Plan of Action & Milestones (POA&M)
  • Component Definitions
  • Native NIST 800-53 catalog support; FedRAMP profile support

Trust Center v1 (internal use)

  • security.sevenbelow.com public security portal
  • Sub-processor list auto-synced from /legal/subprocessors
  • Compliance status: SOC 2 progress, ISO 27001 target
  • Public security questionnaire responses
  • SOC 2 report request gate (NDA + signed-link delivery)

BYOD — Bring Your Own Documents

  • OCR + AI ingest of uploaded PDFs, DOCX, MD, scans
  • Auto-classification (POL / SOP / WIS / FOR / Evidence)
  • Suggested control mapping with HITL approval
  • Embedding-based search across imported corpus
  • GCP Document AI + Claude + pgvector stack

New frameworks + modules

  • ISO 27001:2022 framework + control mapping
  • Risk Register v2 (NIST 800-53 alignment)
  • Business Impact Analysis (BIA) module
  • Change Management module
  • Data Classification module
  • SOC 2 Type 1 readiness package

SSO + ticketing integrations

  • Customer SSO: Okta, Microsoft Entra ID, Google Workspace, OneLogin, JumpCloud, Duo (SAML / OIDC / SCIM)
  • Ticketing: Jira, Linear, GitHub Issues, ServiceNow, Asana

Q1 2027

Evidence Automation + AI Governance + CSPM

Day-1 integrations across 25+ critical evidence sources. AI Governance core domain. Cloud posture built on open source.

Automated evidence collection

  • Identity: Okta, Entra ID, Google Workspace, JumpCloud, OneLogin
  • Cloud: AWS (Config, CloudTrail, IAM, Security Hub, GuardDuty), GCP (Audit Logs, IAM, Security Command Center), Azure (Defender, Sentinel, Active Directory)
  • Code: GitHub, GitLab, Bitbucket, Snyk, Dependabot, Mend, Semgrep, SonarCloud
  • CI/CD: Buildkite, CircleCI, GitHub Actions, GitLab CI
  • Observability: Datadog, Sumo Logic, Splunk, New Relic, Honeycomb
  • Security: Crowdstrike, SentinelOne, Microsoft Defender, Wiz, Lacework
  • MDM / endpoint: Kandji, Jamf, Mosyle, Microsoft Intune
  • HR / IT service: Rippling, Gusto, BambooHR, Workday
  • Storage: Google Drive, Microsoft 365 / SharePoint, Dropbox, Box, Notion, Confluence
  • Communication (evidence-of-discussion): Slack, Microsoft Teams
  • Training / awareness: KnowBe4, Hoxhunt, Proofpoint, SANS
  • Cloudflare, Digital Ocean, Linode

CSPM module (open-source engine)

  • Built on Steampipe + Powerpipe + Prowler
  • CIS Benchmarks for AWS, GCP, Azure
  • NIST 800-53, PCI DSS, HIPAA mappings
  • Findings auto-converted to evidence, control failures, and remediation tasks

AI Governance core domain

  • NIST AI RMF + ISO 42001 framework
  • AI inventory + model registry
  • Model risk assessment workflow
  • Policy → control → evidence chain for AI systems

AI capability expansion

  • SOC 2 report analysis for vendor qualification — auto-extract carve-outs, CUECs, exceptions, sub-processors
  • "Significant change" detector on Controlled Document edits — semantic diff + impact analysis
  • Control gap analysis vs. uploaded organizational context
  • Evidence quality scoring (HITL-gated)

Internal Auditor module

  • Audit plan, test workpapers, finding lifecycle
  • Engagement scoping + scheduling
  • Workpaper review chain

Q2 – Q3 2027

Continuous Monitoring + Risk + Public Disclosure

Continuous Control Monitoring, real-time threat alignment, third-party risk, and the executive layer.

Continuous + threat

  • Continuous Control Monitoring (CCM) v1 — daily / hourly evidence freshness, drift detection
  • Real-time security & threat analysis — SIEM integrations (Sumo, Datadog, Splunk, Sentinel) with MITRE ATT&CK overlay and control alignment
  • Vulnerability assessment integrations — Snyk, Qualys, Tenable, Wiz — finding ingest → control state
  • Penetration test result ingest as evidence

Third-Party Risk + Vendor Contracts

  • Third-Party Risk Management v2 — supply chain risk, vendor assessment lifecycle, continuous vendor monitoring
  • Vendor contract management — DPA / BAA / MSA registry with renewal tracking; AI extraction of obligations and termination terms

Customer-deployable Trust Center

  • Every Customer Org publishes a branded trust.{customer}.com from their ComplyOS data
  • Public-facing security questionnaire response
  • NDA-gated SOC 2 report distribution

External Auditor portal (GA, white-label)

  • White-label deployments for audit firms
  • Multi-engagement view
  • Sampling automation

Public Disclosure / Bug Bounty registry

  • Coordinated disclosure inbox
  • Researcher portal with PGP key
  • Disclosure timeline tracking
  • Ties into Trust Center

Compliance Calendar

  • Per-tenant + per-portfolio (vCISO) calendar
  • Board reporting cadence
  • Audit milestone tracking
  • Training due dates
  • Control test schedule
  • Renewal + recurring activity surfacing

Board Reporting + Exec Dashboards

  • Exportable PDF for board meetings
  • Notion / Confluence embed
  • Quarterly compliance scorecard
  • Risk heatmap snapshots
  • Executive narrative auto-draft (HITL-gated)

OSCAL deepening

  • OSCAL ingest — accept catalogs / profiles from NIST OSCAL Content repo and FedRAMP
  • Control implementation by-component traceability
  • Parameter value management

SOC 2 Type 2 evidence engine

  • Operating effectiveness sampling automation
  • Period-of-coverage evidence rollups

Q4 2027

Healthcare + Financial entry

Open up regulated verticals.

Healthcare

  • HIPAA framework + Business Associate Agreement (BAA) program
  • HITRUST CSF mapping

Financial

  • PCI DSS framework
  • SOX framework foundations
  • GLBA framework foundations

Resilience

  • Business Continuity + Disaster Recovery module
  • Tabletop simulation tooling

2028

Vertical + Scale + Vanta / Drata Replacement

Long-term: become the AICPA-aligned compliance OS that replaces tick-the-box automation.

Federal + on-prem

  • FedRAMP framework (Low / Moderate)
  • On-prem / private-cloud deployment for regulated buyers
  • GovCloud path (IL2 → IL4 / IL5)

Vertical packs

  • Family Office / wealth management vertical
  • Multi-language UI (en, es, fr, de, ja)

Vanta / Drata replacement

  • Net-new evidence engine and continuous monitoring — replace, not just complement
  • Continuous control attestation

Marketplace

  • Fractional Compliance Officer / vCISO marketplace
  • Customer ↔ advisor matching

Want a seat in the closed beta?

We are admitting early users in waves. vCISOs, Fractional Compliance Officers, and audit firms are first.

Roadmap is forward-looking and subject to change. Dates reflect current intent, not commitments. We prioritize what unblocks the most users in our six target roles.