Compliance
Supported Frameworks
EchelonGraph continuously evaluates your infrastructure against 9 compliance frameworks with hundreds of automated controls:
| Framework | Category | Key Focus |
|---|---|---|
| SOC 2 Type II | Trust Services | Security, availability, processing integrity, confidentiality, privacy |
| GDPR | Privacy | Data protection, consent, data subject rights, breach notification |
| ISO 27001:2022 | International | Information security management system (ISMS) |
| NIST CSF 2.0 | Risk management (US NIST, voluntary) | Govern, Identify, Protect, Detect, Respond, Recover |
| PCI DSS 4.0 | Payment | Cardholder data protection, network segmentation |
| HIPAA | Healthcare | Protected health information (PHI), safeguards |
| CIS v2.0 | Benchmarks | 440+ cloud misconfiguration rules mapped by scanner |
| DPDP Act (India) | Privacy | Digital personal data protection |
| ISMS-P (Korea) | Regional | Korean information security management certification |
How Scoring Works
1. Discovery
Scanners inventory your entire cloud infrastructure — compute, network, storage, identity, databases, and certificates — using read-only API access.
2. Control Mapping
The compliance engine maps each framework's controls to specific infrastructure checks. For example, encryption-in-transit controls map to TLS on load balancers, HTTPS-only storage policies, and encrypted database connections.
3. Evaluation
Each control is evaluated as one of four statuses:
- Pass: All associated checks pass on every inventoried resource they apply to
- Fail: One or more critical checks fail
- Partial: No critical check fails, but one or more non-critical checks fail while the rest pass
- N/A: Control is not applicable to your infrastructure (for example, a load-balancer control when no load balancers were discovered)
4. Trending
Historical scores enable 30/60/90-day trend analysis, compliance drift detection, and audit-ready reporting.
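The four steps above, carried through in code as an added illustration. This is example code written for this page, not EchelonGraph's engine or API; the control IDs, check names, which checks are treated as critical, the half-credit weighting for Partial, and the sample inventory and score history are all constructed assumptions.

```python
"""Added worked example (not EchelonGraph code): a toy compliance engine that
follows the Discovery -> Control Mapping -> Evaluation -> Trending steps.
Control IDs, check names, critical flags and the inventory are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Tuple

PASS, FAIL, PARTIAL, NA = "Pass", "Fail", "Partial", "N/A"


@dataclass(frozen=True)
class Check:
    name: str
    resource_type: str                  # inventory class the check applies to
    critical: bool                      # any critical failure fails the control
    predicate: Callable[[dict], bool]   # True when a resource satisfies the check


@dataclass(frozen=True)
class Control:
    control_id: str
    checks: Tuple[Check, ...]


# Step 1, Discovery: a constructed read-only inventory snapshot.
SAMPLE_INVENTORY: Dict[str, List[dict]] = {
    "load_balancer": [{"id": "lb-web", "listener_tls": True}],
    "storage_bucket": [{"id": "logs", "https_only": False},
                       {"id": "assets", "https_only": True}],
    "database": [{"id": "orders-db", "require_tls": True}],
}

# Step 2, Control Mapping: the page's encryption-in-transit example. Which
# checks count as critical is an assumption made for this example.
ENCRYPTION_IN_TRANSIT = Control("ENC-TRANSIT-1", (
    Check("lb-tls-listener", "load_balancer", True, lambda r: r["listener_tls"]),
    Check("storage-https-only", "storage_bucket", False, lambda r: r["https_only"]),
    Check("db-encrypted-connection", "database", True, lambda r: r["require_tls"]),
))
# A control whose resource type is absent from the inventory, to show N/A.
CERT_NOT_EXPIRED = Control("CERT-1", (
    Check("cert-not-expired", "certificate", True, lambda r: not r["expired"]),
))


def evaluate_control(control: Control, inventory: Dict[str, List[dict]]) -> Tuple[str, List[str]]:
    """Step 3, Evaluation. Returns (status, sorted names of failed checks)."""
    outcomes = [(chk, bool(chk.predicate(res)))
                for chk in control.checks
                for res in inventory.get(chk.resource_type, [])]
    if not outcomes:                         # no resource the control applies to
        return NA, []
    failed = sorted({chk.name for chk, ok in outcomes if not ok})
    if not failed:
        return PASS, []
    critical_failed = any(chk.critical and not ok for chk, ok in outcomes)
    nothing_passed = not any(ok for _, ok in outcomes)
    # Partial requires some passing checks and only non-critical failures; the
    # all-failed, none-critical case is undefined on the page and is treated
    # as Fail here (assumption).
    if critical_failed or nothing_passed:
        return FAIL, failed
    return PARTIAL, failed


def posture_score(statuses: List[str]) -> float:
    """Percentage score over applicable controls; Partial earns half credit
    (the weighting is an assumption, the page does not define the formula)."""
    applicable = [s for s in statuses if s != NA]
    if not applicable:
        return 100.0
    credit = sum({PASS: 1.0, PARTIAL: 0.5}.get(s, 0.0) for s in applicable)
    return round(100.0 * credit / len(applicable), 1)


def score_change(history: List[Tuple[str, float]], window_days: int) -> float:
    """Step 4, Trending: score change over the trailing window. history is
    [(ISO date, score)] in ascending order; the baseline is the latest entry
    at or before the window start (earliest entry if none). Negative = drift."""
    if not history:
        return 0.0
    latest_day, latest = history[-1]
    cutoff = date.fromisoformat(latest_day) - timedelta(days=window_days)
    baseline = history[0][1]
    for day, score in history:
        if date.fromisoformat(day) > cutoff:
            break
        baseline = score
    return round(latest - baseline, 1)


if __name__ == "__main__":
    results = {c.control_id: evaluate_control(c, SAMPLE_INVENTORY)
               for c in (ENCRYPTION_IN_TRANSIT, CERT_NOT_EXPIRED)}
    for cid, (status, failed) in results.items():
        print(f"{cid}: {status} {failed}")
    print("score:", posture_score([s for s, _ in results.values()]))
    history = [("2024-01-01", 90.0), ("2024-01-15", 85.0), ("2024-01-31", 70.0)]
    print("30-day change:", score_change(history, 30))
```

Running it with the constructed inventory reports ENC-TRANSIT-1 as Partial (only the non-critical storage check fails, on one bucket) and CERT-1 as N/A, because no certificates were discovered; flipping the load balancer's TLS listener off turns the control to Fail, since that check is critical. The trending helper returns a negative change for a 30-day window, which is the signal a drift alert threshold would be compared against.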
Continuous Monitoring
The compliance engine continuously re-evaluates all controls for every tenant. When a control status or compliance score changes, you are notified through:
- Real-time dashboard push: Connected dashboards update automatically
- Webhook notifications: Events sent to your registered endpoints
- Email alerts: Configurable notifications for score drops below your thresholds
- Audit log: Every score change is recorded with timestamp and cause
Evidence Collection
EchelonGraph automates evidence collection for audit preparation, generating the documentation your auditors need:
- Security scan results: Automated scanning results captured per deployment
- Audit log exports: On-demand export of all security events
- System health reports: Continuous monitoring data for availability evidence
- Compliance score history: Stored automatically for historical trend analysis
SOC 2 Type II Readiness
EchelonGraph addresses all five Trust Services Criteria:
| Criteria | What EchelonGraph Provides |
|---|---|
| Security | Role-based access control, MFA, encrypted tokens, field-level encryption |
| Availability | Auto-scaling infrastructure, health monitoring, automated recovery |
| Processing Integrity | Input validation, tenant isolation, immutable audit trail |
| Confidentiality | AES-256 encryption at rest, TLS in transit, secrets management |
| Privacy | Data minimization, configurable retention, GDPR compliance |
GDPR Compliance
Data Subject Rights
EchelonGraph supports the following GDPR data subject rights:
| Right | Article | How It Works |
|---|---|---|
| Access | Art. 15 | Users can view their profile and activity history |
| Rectification | Art. 16 | Users and admins can update profile information |
| Erasure | Art. 17 | Admins can delete users; full tenant deletion available on request |
| Restrict Processing | Art. 18 | Tenant scanning can be paused while preserving data |
| Data Portability | Art. 20 | Export compliance reports and data in JSON or CSV (machine-readable, as Art. 20 requires) or PDF for human review |
| Object | Art. 21 | Users can unsubscribe from communications |
Privacy by Design
- Data minimization: We only collect data necessary for cloud security analysis
- Purpose limitation: Data is used solely for security posture management
- Configurable retention: Set your own retention periods with automated data purge
- Pseudonymization: Security scan data is decoupled from personal identifiers
Report Generation
Generate audit-ready compliance reports in PDF, CSV, or JSON:
- Executive summary: Overall posture score and trend
- Per-control evidence: Pass/fail status with supporting data for each control
- Remediation guidance: Prioritized action items for failing controls
- Historical comparison: Score changes over the reporting period
Available report types: executive, compliance, vulnerability, and asset inventory.