Explore the Ostrai compliance workspace.

Navigate a live-style environment with pre-populated controls, evidence, and automated reminders. Every example here mirrors what shows up when your team signs in.

  • SOC 2, ISO 27001, HIPAA templates included
  • Automated reminders & evidence tracking

Audit readiness

Compliance snapshot

High-level health indicators pulled from production integrations and evidence automation.

Continuous monitoring alerts open: 0

Next external audit window starts in 0 days (Jan 15, 2026)
Compliance score
94%
+2.0% vs last month
Open findings
3
Tracked in remediation program (F-2025-001 → F-2025-003)
Evidence ingested
18
Items verified over the past 30 days across AWS, PagerDuty, Okta
Reminders due
2
Scheduled follow-ups this compliance cycle
Controls by status
4 controls monitored across mapped frameworks
Ready
125.0%
Needs evidence
125.0%
In progress
125.0%
Scheduled
125.0%
Data freshness
Automated refresh cadence for compliance evidence
Nov 09, 2025, 07:35 UTC

Hourly automation captures access, provisioning, and IAM events. Daily jobs roll up encryption manifests and vendor attestations. Manual intervention is only triggered when automation flags drift.

  • Hourly: Okta group changes, AWS CloudTrail access, Jira remediation updates.
  • Daily: PHI encryption manifests, vendor risk monitoring, PagerDuty escalation checks.
  • Manual: Exception handling, policy signatures, evidence backfills.

Refresh cadence: hourly for access evidence, daily for encryption manifests.

Connected data sources
Required connectors and optional enrichment integrations.

AWS CloudTrail

Connected

Infrastructure & IAM events • Hourly automation job

Required connector

Okta

Connected

SSO groups & provisioning • Hourly automation job

Required connector

PagerDuty

Attention required

Incident response escalations • Daily sync

Optional enrichment

Jira

Connected

Remediation tasks & audit tickets • Near real-time webhooks

Optional enrichment

Status definitions
How status labels map to audit readiness and next steps.

Ready

Evidence validated within the current review window with owner attestation on file.

Updated

New evidence uploaded and in QA review prior to final attestation.

In progress

Control test or evidence refresh is underway with an assigned owner and target date.

Needs evidence

Evidence missing or out of date. Control will be flagged in the next readiness digest.

Scheduled

Automation job or task scheduled; no manual review required until generation completes.

Pending review

Evidence gathered but awaiting security/legal sign-off before marking Ready.

Signed

Historical designation for policies signed during previous cycle (no further action).

Compliance activity log
Audit trail
Immutable record of all compliance actions for auditors and internal reviewers.

2025-11-09 08:00 UTC

compliance-admin@ostrai.io

Reviewed breach notification runbook — no updates required after tabletop exercise.

2025-11-09 07:30 UTC

automation@ostrai.io

Uploaded AWS encryption manifest (hash verified)

2025-11-08 19:12 UTC

legal@ostrai.io

Acknowledged vendor SOC 2 request and assigned Jira SEC-REV-142

2025-11-08 16:48 UTC

security@ostrai.io

Closed finding F-2025-003 after evidence review

Risk & remediation tracker
Severity, owners, and remediation timelines for active findings.
F-2025-001 • Open

Vendor SOC report overdue

Severity: Medium • Target: 2025-12-06

Owner: Legal & Compliance

F-2025-002 • In progress

PHI encryption automation validation

Severity: High • Target: 2025-11-14

Owner: Data Platform

F-2025-003 • Resolved

Incident response playbook updates

Severity: Low • Target: 2025-11-12

Owner: Security Operations

Framework coverage
Controls mapped per framework with upcoming evidence milestones.

SOC 2

28 controls
85%

Vendor SOC reports, access reviews

ISO 27001

32 controls
92%

Change management exports, risk register

HIPAA

18 controls
78%

Encryption manifests, BAA renewals, breach notification drills

PCI DSS

24 controls
67%

Network segmentation diagrams, quarterly vulnerability scans, penetration test reports

GDPR

26 controls
88%

Data processing agreements, privacy impact assessments, breach notification procedures

NIST CSF

35 controls
81%

Risk assessment reports, incident response plans, asset inventories

FedRAMP

42 controls
72%

System security plans, continuous monitoring reports, configuration baselines

CCPA

15 controls
90%

Consumer rights request logs, data inventory maps, vendor contracts

CIS Controls

38 controls
84%

Asset management reports, secure configuration baselines, audit logs

NIST 800-53

48 controls
76%

Security control assessments, authorization packages, POA&M tracking

Gap analysis by framework
Control implementation status and outstanding gaps requiring attention.

SOC 2

64 total controls • 95.3% complete

Implemented: 61 • In progress: 2 • Not started: 1

Outstanding gaps

CC3.3: Vendor risk assessments

Status: In progress • Due: 2025-11-16

CC7.2: System monitoring logs

Status: Not started • Due: 2025-11-25

HIPAA

42 total controls • 90.5% complete

Implemented: 38 • In progress: 3 • Not started: 1

Outstanding gaps

164.312(a)(2)(iv): PHI encryption verification

Status: In progress • Due: 2025-11-14

164.308(a)(6): Security incident procedures

Status: In progress • Due: 2025-11-12

164.308(b)(3): Business associate agreements

Status: Not started • Due: 2025-12-01

ISO 27001

93 total controls • 97.8% complete

Implemented: 91 • In progress: 1 • Not started: 1

Outstanding gaps

A.8.28: Secure coding practices

Status: In progress • Due: 2025-11-20

A.17.1: Business continuity planning

Status: Not started • Due: 2025-12-15

PCI DSS

329 total controls • 91.5% complete

Implemented: 301 • In progress: 18 • Not started: 10

Outstanding gaps

1.2.1: Network segmentation documentation

Status: In progress • Due: 2025-11-18

11.3.1: Quarterly external penetration test

Status: In progress • Due: 2025-12-05

6.5.3: Secure coding training

Status: Not started • Due: 2025-12-20

GDPR

38 total controls • 92.1% complete

Implemented: 35 • In progress: 2 • Not started: 1

Outstanding gaps

Art. 30: Records of processing activities

Status: In progress • Due: 2025-11-22

Art. 35: Privacy impact assessment

Status: Not started • Due: 2025-12-10

NIST CSF

108 total controls • 88.0% complete

Implemented: 95 • In progress: 8 • Not started: 5

Outstanding gaps

ID.RA-3: Threat and vulnerability identification

Status: In progress • Due: 2025-11-17

PR.DS-5: Data-at-rest protection

Status: In progress • Due: 2025-11-19

DE.CM-7: Monitoring for unauthorized activity

Status: Not started • Due: 2025-12-08

FedRAMP

325 total controls • 85.5% complete

Implemented: 278 • In progress: 32 • Not started: 15

Outstanding gaps

AC-2: Account management

Status: In progress • Due: 2025-11-21

CA-2: Security assessments

Status: In progress • Due: 2025-12-01

IR-4: Incident handling

Status: Not started • Due: 2025-12-15

CCPA

24 total controls • 91.7% complete

Implemented: 22 • In progress: 1 • Not started: 1

Outstanding gaps

1798.100: Consumer rights request process

Status: In progress • Due: 2025-11-15

CIS Controls

153 total controls • 92.2% complete

Implemented: 141 • In progress: 8 • Not started: 4

Outstanding gaps

5.4: Secure configuration baselines

Status: In progress • Due: 2025-11-19

8.2: Audit log management

Status: In progress • Due: 2025-11-23

13.1: Network monitoring

Status: Not started • Due: 2025-12-05

NIST 800-53

421 total controls • 86.7% complete

Implemented: 365 • In progress: 38 • Not started: 18

Outstanding gaps

AC-6: Least privilege

Status: In progress • Due: 2025-11-20

AU-6: Audit review and reporting

Status: In progress • Due: 2025-11-25

SC-7: Boundary protection

Status: Not started • Due: 2025-12-12

Control testing & validation

Continuous control testing results.

Automated and manual testing outcomes with remediation tracking.

Recent control tests
Testing results for key controls across all frameworks.
CC6.1 • SOC 2 • ISO 27001 • NIST CSF • CIS Controls

Access control policy reviewed

Owner: IT Security Lead

Passed

Tested: 2025-10-02

Test notes

Policy signed and distributed. All access reviews completed on schedule.

CC3.3 • SOC 2 • ISO 27001 • GDPR • NIST CSF

Vendor risk assessments

Owner: Legal Reviewer

Pending

Tested: 2025-09-15

Test notes

Awaiting updated SOC 2 report from primary vendor. Follow-up scheduled.

CC1.2 • ISO 27001 • NIST CSF • SOC 2 • FedRAMP

Incident response tabletop test

Owner: Security Operations Lead

Passed

Tested: 2025-10-24

Test notes

Tabletop exercise completed. Minor playbook updates identified and documented.

HIPAA 164.312 • HIPAA • NIST 800-53 • PCI DSS

PHI encryption verification

Owner: Data Platform Lead

Not tested

Test notes

Automated testing scheduled for 2025-11-14.

Live compliance checklist

Every control mapped, every owner accountable.

Cross-framework control view
Actively monitored controls with mapped owners, evidence and review cadence.

Access control policy reviewed (CC6.1)

Owner: IT Security Lead (Access provisioning owner)
Framework: SOC 2 • ISO 27001 • NIST CSF • CIS Controls
Evidence: Access_Control_Policy.pdf
Status: Ready

Vendor risk assessments (CC3.3)

Owner: Legal Reviewer (Director, Legal & Compliance)
Framework: SOC 2 • ISO 27001 • GDPR • NIST CSF
Evidence: Vendor_Assessment.xlsx
Status: Needs evidence

Incident response tabletop test (CC1.2)

Owner: Security Operations Lead (Director, Security Operations)
Framework: ISO 27001 • NIST CSF • SOC 2 • FedRAMP
Evidence: Tabletop_Test_Report.docx
Status: In progress

PHI encryption verification (HIPAA 164.312)

Owner: Data Platform Lead (Engineering Manager, Data Platform)
Framework: HIPAA • NIST 800-53 • PCI DSS
Evidence: Encryption_Report.pdf
Status: Scheduled

Automated reminders
Upcoming compliance tasks scheduled for this review period.

Vendor risk review

Due in 5 days

Collect 2025 SOC 2 report for Acme Analytics and attach signed BAA addendum.

Owner: Legal reviewer
Escalation: Escalates to compliance-admin@ostrai.io after 48h
Dependency: Blocked by Jira SEC-REV-142 (vendor evidence upload)
Methodology: Automation fetch + legal attestation required

Encryption verification

Due in 12 days

Validate PHI encryption manifest and rerun automation validation job.

Owner: Data platform lead
Escalation: Escalates to on-call security engineer if automation fails twice
Dependency: Depends on AWS automation job `rds-encryption-audit`
Methodology: Automated export + security review note

Policy attestations

Scheduled

Distribute quarterly policy acknowledgement to engineering and support staff.

Owner: Compliance automation bot
Escalation: Reminders to team leads after 24h without response
Dependency: Awaiting policy assistant draft (Access Control v2.4)
Methodology: DocuSign envelope + evidence archive

Role-based access
Demonstrates how least-privilege access is enforced across the demo workspace.

Compliance admin

Full access to evidence, control mappings, and automation settings

Members: Compliance automation service account, Policy owners

Control owner

View/edit assigned controls and upload evidence (no global settings access)

Members: Security operations leads, Legal reviewers

Auditor (view-only)

Read-only access to evidence, control history, audit logs

Members: External auditor accounts

Policy version history
Changes captured through policy assistant with evidence of approvals.
v2.3 • 2025-10-02

Compliance automation

Access Control Policy updated with quarterly review procedure

v2.2 • 2025-07-15

Policy assistant

Added Okta provisioning checklist appendix

v2.1 • 2025-04-10

Security

Initial release with DocuSign attestations

Ready to stay ahead of every audit?

Join teams who swapped spreadsheets for proactive compliance automation. Start with the free plan, then scale when you’re ready.