Skip to main content

Trust · Compliance posture live

Compliance posture, measured — not curated.

Eighteen regulatory frameworks. Every score on this page is the latest live attestation per control, chain-stamped with HMAC-SHA3-512, regenerated by an automated engine every fifteen minutes. The page itself re-fetches every sixty seconds. Nothing is hand-written here — what you see is what the system has measured most recently against itself.

How to read this page. Each card shows a regulatory framework, the percentage of its automated controls that currently pass, and when the most-recent attestation for any of its criteria was written. The score uses the same weighting as our internal dashboard: a passing control counts as 1.0, a partial as 0.5, a failing as 0.0. Controls marked not applicable to our scope are excluded from the denominator. The chain envelope below the framework grid shows the total number of attestation rows we've written, the current tip sequence number, and how many distinct hosts have contributed evidence so far. When a remote host (redundancy node .232, edge AI node .53) joins the attestation set, its evidence appears here without us republishing this page.

Frameworks

Loading…

What the score means

We use a four-band visual language. Green ≥ 95% is audit-ready. Blue 85–94% is acceptable with minor gaps. Amber 70–84% means several controls are partially implemented and the framework would not yet pass a strict audit. Rust < 70% means substantive gaps that require remediation before we'd attest the framework. The colors are guidance, not a regulatory determination — the controls behind each card carry the canonical text, the live evidence, and the chain proof.

How this number is computed

From running system to public score.

Step 1 — Live check

Engines query the running system.

Seven engines (HIPAA, FISMA, ONC HTI-1, Section 508, Privacy Act, state healthcare law, and emergency-powers) execute SQL against the production database every fifteen minutes. They check actual state — schemas, policies, encryption keys, audit records — not configuration files or self-attestations.

Step 2 — Chain stamp

Result becomes a chain row.

The result of every check is written to compliance_attestations with a monotonically increasing sequence number, the previous row's HMAC, and a fresh HMAC over (seq, criterion_id, status, evidence_hash, attested_at, previous_hmac). The chain uses HMAC-SHA3-512 today; older rows used SHA-256, and the schema carries a hash_algo field so each row is verifiable under whichever algorithm signed it.

Step 3 — Public read

This page asks for the rollup.

When your browser loads this page it calls /api/v1/compliance/attestations/public/live-posture — an unauthenticated endpoint that returns only aggregate scores plus the chain envelope. No control codes, no evidence payloads, no internal hostnames. The detailed evidence lives behind authentication so an attacker cannot use it to map our defenses, but the aggregate posture is yours to verify.

Operating principle

Real-time posture, or it isn't posture.

A compliance "score" computed once a year by a consulting firm is a snapshot of a building that has already burned down. The only number that has meaning is one a regulator can recompute by recompiling the chain against the running system, at any moment, from the receipts. That is what this page is.

The integrity proof for every row on this page is the chain itself — see the proof index for the public verifier, or the identity stack page for the complementary login-event chain. The crypto-agility doctrine that lets us migrate hash algorithms without breaking the chain is documented at the SHA-3 cutover moment.