SOC 2 · ISO 27001 · HIPAA Compliance
ComplianceGuard scans your machines and AWS environment to generate auditor-ready evidence packs for SOC 2, ISO 27001, and HIPAA — without sending a single byte to our servers. Free to start. $49/month to finish an audit.
Built on open standards trusted by security teams: FastAPI · React · TypeScript · SQLite · PostgreSQL · Electron · Docker · Ed25519
The Gap
Your cloud is covered.
Your endpoints are not.
Vanta doesn't scan your machines. We do.
The Problem
Vanta starts at $10,000/year. Drata starts at $10,000/year. Secureframe won't even show you a price until you book a call.
If you're a 3-person SaaS doing $8K MRR trying to close your first enterprise deal, this is extortion with a compliance badge on it.
Stat cards on the page (figures not captured): average annual cost of Vanta or Drata; typical setup time for cloud-based compliance tools; share of your evidence uploaded to their servers.
Watch It Work
ComplianceGuard reads your OS directly. No setup. No configuration. Run it once and see exactly where you stand.
Output shown is illustrative. Your actual results depend on your machine configuration.
Frameworks
ComplianceGuard maps evidence directly to the controls auditors check. Whether you need SOC 2 for enterprise deals, ISO 27001 for European contracts, or HIPAA for healthcare clients — the same OS-level scan covers all three.
SOC 2 Type II
The standard for enterprise SaaS deals. 29 Trust Services Criteria controls scored automatically.
Available now
ISO 27001:2013
All 14 Annex A domains (A.5–A.18) mapped and evaluated. Commonly required for European enterprise contracts.
Available now
HIPAA Security Rule
All five Security Rule sections of 45 CFR Part 164 (§§164.308 through 164.316), including required and addressable safeguards. For healthcare and health-tech clients.
Available now
Endpoint Scanning
ComplianceGuard reads directly from the Windows Registry, event logs, firewall configuration, and user accounts. No agent to install. No API key. No cloud permission required. Evidence collected in 30 seconds.
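To make the endpoint step concrete, here is an added example (not ComplianceGuard's own collector) that parses two kinds of raw Windows evidence the paragraph mentions, firewall state from the registry and the local password policy from `net accounts` output, and maps them to pass/fail results with a percentage score. The sample registry snapshot and `net accounts` text are constructed; the registry paths and the `net accounts` layout follow the real Windows formats, but the control labels, the thresholds (minimum length 12, lockout threshold of 10 or fewer) and the scoring rule are assumptions for illustration.

```python
"""Map raw Windows endpoint evidence to pass/fail control results.

Added example, not ComplianceGuard's code. Evidence below is constructed;
paths and `net accounts` layout follow the real Windows formats, while the
control labels, thresholds and scoring are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed `net accounts` output (readable without elevation).
NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

FIREWALL_BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# Constructed registry snapshot: DWORD values keyed by full path.
REGISTRY = {
    FIREWALL_BASE + r"\DomainProfile\EnableFirewall": 1,
    FIREWALL_BASE + r"\StandardProfile\EnableFirewall": 1,
    FIREWALL_BASE + r"\PublicProfile\EnableFirewall": 0,
}


def parse_net_accounts(text: str) -> dict:
    """Turn `net accounts` output into {setting: value}.
    'Never'/'None'/'Unlimited' become None; digit strings become ints."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value in ("Never", "None", "Unlimited"):
            settings[key] = None
        else:
            settings[key] = int(value) if value.isdigit() else value
    return settings


@dataclass
class Finding:
    control: str    # control area the evidence supports (label is an assumption)
    check: str
    passed: bool
    evidence: str   # the raw value an auditor would want to see


def evaluate(registry: dict, net_accounts_text: str) -> list:
    acct = parse_net_accounts(net_accounts_text)
    findings = []

    # Password policy checks (thresholds are assumptions).
    min_len = acct.get("Minimum password length") or 0
    findings.append(Finding("Logical access security", "password_min_length>=12",
                            min_len >= 12, f"Minimum password length = {min_len}"))
    lockout = acct.get("Lockout threshold")
    findings.append(Finding("Logical access security", "lockout_threshold<=10",
                            lockout is not None and lockout <= 10,
                            f"Lockout threshold = {lockout if lockout is not None else 'Never'}"))

    # Host firewall must be on for every profile; a missing value counts as off.
    for profile in ("DomainProfile", "StandardProfile", "PublicProfile"):
        path = FIREWALL_BASE + "\\" + profile + r"\EnableFirewall"
        on = registry.get(path, 0) == 1
        findings.append(Finding("Boundary protection", f"firewall_{profile}", on,
                                f"{path} = {registry.get(path, '<missing>')}"))
    return findings


def score(findings: list) -> int:
    """Percentage of checks passed, rounded down."""
    return 100 * sum(f.passed for f in findings) // len(findings) if findings else 0


if __name__ == "__main__":
    results = evaluate(REGISTRY, NET_ACCOUNTS)
    for f in results:
        print("PASS" if f.passed else "FAIL", f.check, "|", f.evidence)
    print("score:", score(results))
```

On a real host the registry values come from `winreg` and the policy text from running `net accounts`; both are readable by an unprivileged user, whereas the Security event log and BitLocker status generally need elevated rights, which is worth knowing before you promise a no-admin scan covers them. Keeping the raw value in every Finding is what turns a score into evidence an auditor can accept.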
Cloud Evidence
Connect your AWS account once. ComplianceGuard pulls CloudTrail logs, IAM configurations, S3 bucket policies, and security group rules into your evidence pack automatically on every scan.
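The cloud side is the same idea applied to API responses. Here is an added example (not ComplianceGuard's code) that evaluates three kinds of AWS evidence entirely offline: an S3 bucket policy document, security group rules and the CloudTrail trail list. The inputs are constructed but follow the shapes boto3 returns from `get_bucket_policy`, `describe_security_groups` and `describe_trails`; the decision rules (a wildcard principal with no Condition is public, SSH/RDP open to the world is a finding, a multi-region trail with log file validation is required) are assumptions for illustration.

```python
"""Evaluate AWS evidence offline. Added example, not ComplianceGuard's code.
All inputs are constructed; shapes mirror boto3 responses. The rules below
are assumptions for illustration, not a published benchmark."""
import json
from ipaddress import ip_network

BUCKET_POLICY = json.dumps({  # constructed: get_bucket_policy()["Policy"]
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    ],
})

SECURITY_GROUPS = [  # constructed: describe_security_groups()["SecurityGroups"]
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d3c2b1a", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]

TRAILS = [  # constructed: describe_trails()["trailList"]
    {"Name": "main", "IsMultiRegionTrail": True, "LogFileValidationEnabled": False},
]

ADMIN_PORTS = {22, 3389}  # assumption: SSH/RDP reachable from anywhere is a finding


def _as_list(x):
    return x if isinstance(x, list) else [x]


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements usable by anyone: Principal "*" or
    {"AWS": "*"} with no Condition narrowing who may use it."""
    sids = []
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS", "")
        if st.get("Effect") == "Allow" and "*" in _as_list(principal) and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids


def world_open_admin_rules(groups: list) -> list:
    """(GroupId, port) pairs where an admin port is open to 0.0.0.0/0 or ::/0."""
    hits = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            low, high = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if perm.get("IpProtocol") == "-1":  # "all traffic" has no port fields
                low, high = 0, 65535
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                continue
            hits.extend((sg["GroupId"], p) for p in sorted(ADMIN_PORTS) if low <= p <= high)
    return hits


def cloudtrail_findings(trails: list) -> list:
    """Need one multi-region trail, and every trail should have log file
    validation (signed digest files) so the audit log is tamper-evident."""
    findings = []
    if not any(t.get("IsMultiRegionTrail") for t in trails):
        findings.append("no multi-region CloudTrail trail")
    for t in trails:
        if not t.get("LogFileValidationEnabled"):
            findings.append(f"trail {t['Name']}: log file validation disabled")
    return findings


def evaluate_aws(policy_json=BUCKET_POLICY, groups=SECURITY_GROUPS, trails=TRAILS) -> dict:
    return {
        "s3_public_statements": public_statements(policy_json),
        "sg_world_open_admin": world_open_admin_rules(groups),
        "cloudtrail": cloudtrail_findings(trails),
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_aws(), indent=2))
```

Separating the API calls (which need credentials) from the evaluation (which needs only the captured JSON) is what lets the same rules run again later, against the stored evidence, without touching the account.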
Real-Time Scoring
Your compliance score updates the moment a scan completes. See which of the 29 SOC 2 Trust Services Criteria you're passing and which need work — before you engage an auditor.
Auditor-Ready Export
Every evidence pack exports as PDF, CSV, and JSON, organized by the Trust Services Criteria your SOC 2 Type I or Type II auditor tests against, so it can be handed over without reformatting or back-and-forth.
Data Privacy
AWS credentials are encrypted at rest with Fernet (AES-128-CBC plus HMAC-SHA256) under a key derived from your local SECRET_KEY with HKDF-SHA256, then stored locally. They are never transmitted to ComplianceGuard servers, and your evidence stays in your local database. The protection is only as strong as the secrecy of SECRET_KEY, so keep it out of your repository and out of the same backups as the database.
Air-Gap Ready
ComplianceGuard runs fully offline. No internet connection required to collect evidence or generate reports. Works in air-gapped environments and restricted networks.
How We Compare
| Feature | ComplianceGuard | Vanta | Drata |
|---|---|---|---|
| Starting price | $49/month | $10,000+/year | $10,000+/year |
| Data stays on your machine | Yes | No | No |
| Works offline | Yes | No | No |
| Per-seat pricing | No | Yes | Yes |
| OS-level evidence collection | Yes | No | |
| Compliance frameworks | SOC 2 · ISO 27001 · HIPAA | SOC 2 · ISO 27001 | SOC 2 · ISO 27001 |
| Setup time | 60 seconds | Weeks | Weeks |
| Auditable codebase | BSL 1.1 | Proprietary | Proprietary |
| Free tier | Yes | | |
Competitor pricing based on publicly available information as of 2026.
The Math
Enter your team size. See what Vanta and Drata would charge you — versus what ComplianceGuard costs.
Pro plan is $49/month flat. Same price for 1 engineer or 200.
Architecture
Every byte of evidence stays inside the boundary you control. We don't have a database for your data, because we never see it.
0 bytes uploaded to our servers. 100% of your data stays on your machine. Credentials encrypted locally at rest.
All 29 Controls
The AICPA Trust Services Criteria ComplianceGuard evaluates on every scan:
Organization demonstrates a commitment to integrity and ethical values.
Board of directors demonstrates independence from management and exercises oversight.
Management establishes structures, reporting lines, and authorities aligned with objectives.
Organization demonstrates a commitment to attract, develop, and retain competent individuals.
Organization holds individuals accountable for their internal control responsibilities.
Uses relevant, quality information to support internal control function.
Internally communicates information necessary to support internal control.
Communicates with external parties on matters affecting internal control.
Specifies objectives with sufficient clarity to identify and assess risks.
Identifies risks to achieving objectives and analyzes risks as a basis for managing them.
Considers the potential for fraud in assessing risks.
Identifies and assesses changes that could significantly impact the system.
Selects, develops, and performs ongoing evaluations to ascertain whether controls are present.
Evaluates and communicates internal control deficiencies to those responsible for corrective action.
Selects and develops control activities that contribute to risk mitigation.
Selects and develops general control activities over technology.
Deploys control activities through policies that establish what is expected and procedures that put policies into action.
Implements logical access security software, infrastructure, and architectures.
New internal and external users are registered and authorized prior to issuing credentials.
Removes access to protected information assets when access is no longer required.
Implements logical access security measures to protect against threats from outside the system boundary.
Restricts the transmission, movement, and removal of information to authorized users.
Implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software.
Detects and monitors for new vulnerabilities and changes that introduce new vulnerabilities.
Monitors system components for anomalies indicative of malicious acts or processing errors.
Evaluates security events to determine whether they could or have resulted in a failure.
Responds to identified security incidents by executing a defined response program.
Identifies, develops, and implements activities to recover from identified security incidents.
Authorizes, designs, develops, configures, documents, tests, approves, and implements changes.
How It Works
Run the installer for Windows or Mac. No admin privileges required. No API keys. Opens immediately.
ComplianceGuard scans your machine in the background: password policy, firewall, disk encryption, audit logging. Results in 30 seconds.
Add your AWS credentials once (encrypted locally). ComplianceGuard pulls CloudTrail, IAM, and S3 evidence automatically.
Generate your evidence pack as PDF, CSV, or JSON. Send it directly to your auditor or use it to self-certify.
See exactly where you fail SOC 2 before you pay a cent.
or $399/year — save 32%
Everything you need to hand an auditor a complete evidence pack.
For consultants managing SOC 2 for multiple clients.
ComplianceGuard evidence packs are mapped to the AICPA Trust Services Criteria. The PDF, CSV, and JSON exports are organized by criterion, the structure SOC 2 Type I and Type II auditors request evidence against.
Every control mapped to the official Trust Services Criteria framework.
License verification uses Ed25519 public-key signatures and works offline; the app never has to call home to confirm a license.
You can read the code that reads your system. No black boxes.
Honest Positioning
We'd rather be honest about what we don't do than waste your time later. Here's what ComplianceGuard intentionally leaves out.
We don't take a cut for sending you to an auditor. Use whoever you want.
If you need 40 integrations, you're not our customer. We do SOC 2 evidence — that's it.
Your evidence is stored locally in SQLite. Export it anytime as PDF, CSV, or JSON. Switch tools whenever you want — your data leaves with you.
Download the free tier and try it. If it works, pay us. If not, walk away.
Pro is $49/month for everyone. There is no hidden tier you'll get pushed into.
Other tools call this 'cloud-native.' We call it a contradiction for a privacy product.
One Command
A note from the founder
I built ComplianceGuard because I got quoted $11,200 for Vanta when our team was doing $8K MRR. There was no version of reality where we paid that. Four months later, this exists.
If you're a bootstrapped founder facing the same wall, this is for you. Email me directly if anything is broken — I read every message.
FAQ
Yes. ComplianceGuard now supports all three frameworks. SOC 2 Type II (29 controls), ISO 27001:2013 (47 Annex A controls), and the HIPAA Security Rule (47 safeguards across all five 45 CFR Part 164 sections). The same OS-level evidence collection feeds all three.
Every evidence pack is mapped to the AICPA Trust Services Criteria, the framework SOC 2 auditors test against. The PDF, CSV, and JSON exports are organized by criterion, the structure auditors request evidence in for Type I and Type II reports. You hand it to your auditor; they don't ask you to reformat anything.
Then you should buy Vanta. ComplianceGuard is built for teams who don't have $10K to spend on an auditor marketplace and 40 SaaS integrations they won't use. If your compliance gap is 'I need a Slack integration', we are not the right tool. If your gap is 'I need an evidence pack and I refuse to pay $10K for one', we are.
You shouldn't trust me — you should trust the code. ComplianceGuard is BSL 1.1 source-available: read every line that touches your machine. The crypto uses Ed25519 signing and HKDF-derived Fernet encryption (industry standard). 530+ tests run on every commit. And critically: we never receive your evidence, so even if I disappeared tomorrow, your data is on your disk, not on a server I control.
You can. Most first SOC 2 audits start that way. ComplianceGuard doesn't replace that process — it automates the collection part. Instead of manually checking firewall settings, running PowerShell scripts, and copying output into a spreadsheet, ComplianceGuard reads it all in 30 seconds and formats it exactly how your auditor needs it.
Nothing. It stays on your machine. ComplianceGuard reads from your OS and your AWS account, writes to a local SQLite database, and exports a PDF when you ask. There is no upload step. There is no telemetry. There is no 'sync to cloud' unless you explicitly enable the optional Pro fleet dashboard.
Credentials are encrypted at rest using a Fernet key derived via HKDF-SHA256 from your local SECRET_KEY. They never leave your machine and are decrypted in-memory only when collecting evidence. Source code is open so you can verify this yourself — see app/core/license.py and the evidence collector.
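To show what the derivation in the Data Privacy section and in the answer above actually does, here is an added example that is not ComplianceGuard's code. HKDF-SHA256 is written out from RFC 5869 with the standard library so every step is visible, the derived key is formatted as Fernet expects (32 bytes, urlsafe base64), and a purpose label goes into HKDF's info field so that one SECRET_KEY yields independent keys for different uses. The `complianceguard/` info prefix, the purpose names, the empty salt and the credential layout are assumptions; the Fernet wrapper uses the `cryptography` package and is imported only when encryption is called.

```python
"""HKDF-SHA256 (RFC 5869) key derivation for Fernet, stdlib only.

Added example, not ComplianceGuard's code. Info labels, purpose names and
the empty salt are assumptions for illustration; Fernet itself comes from
the `cryptography` package and is imported lazily.
"""
import base64
import hashlib
import hmac
import json

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM).
    An empty salt is replaced by HASH_LEN zero bytes, as the RFC specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated
    until `length` bytes are available (at most 255 blocks)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can output at most 8160 bytes")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_fernet_key(secret_key: str, purpose: str, salt: bytes = b"") -> bytes:
    """Turn the app's SECRET_KEY into a Fernet key (32 bytes, urlsafe base64).
    `purpose` lands in HKDF's info field, so keys for different uses are
    independent even though they share one SECRET_KEY (labels are assumptions)."""
    info = b"complianceguard/" + purpose.encode()
    return base64.urlsafe_b64encode(hkdf_sha256(secret_key.encode(), salt, info, 32))


def encrypt_credentials(secret_key: str, creds: dict) -> bytes:
    """Encrypt an AWS credential dict with Fernet (AES-128-CBC + HMAC-SHA256)."""
    from cryptography.fernet import Fernet  # only needed when encrypting
    return Fernet(derive_fernet_key(secret_key, "aws-credentials")).encrypt(
        json.dumps(creds).encode())


def decrypt_credentials(secret_key: str, token: bytes) -> dict:
    """Decrypt in memory; raises cryptography.fernet.InvalidToken when the
    SECRET_KEY is wrong or the stored token was modified."""
    from cryptography.fernet import Fernet
    return json.loads(Fernet(derive_fernet_key(secret_key, "aws-credentials")).decrypt(token))


if __name__ == "__main__":
    creds = {"aws_access_key_id": "AKIAEXAMPLE", "aws_secret_access_key": "example"}  # constructed
    token = encrypt_credentials("dev-secret-change-me", creds)
    print(token[:24], b"...", decrypt_credentials("dev-secret-change-me", token) == creds)
```

Two things to check when reading the real implementation: that the info string differs per purpose (otherwise every encrypted blob shares one key), and where SECRET_KEY lives relative to the SQLite file, since a key stored next to the ciphertext only protects against a copied database, not against a copied machine.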
Switch to Vanta or Drata when you can afford the $10K. We'll consider that a win — we got you to the point where you have $10K for compliance tooling. The evidence pack format is auditor-standard, so nothing is locked in.
Stop losing deals to a compliance gap. ComplianceGuard gets you audit-ready without the $10,000 bill.
No account required. No cloud storage. No credit card for the free tier.