
Compliance evidence

Produce the evidence an auditor asks for, on demand: a point-in-time access review signed off by a named reviewer, and a downloadable evidence pack for SOC 2, ISO 27001, HIPAA or PCI — gathered from data you already have.

Reviews and packs live on the Compliance page in the console at app.subnomic.com.

Access reviews

Choosing Generate review freezes an immutable snapshot of every member and their effective access at that moment: role, effective permissions and high-risk capabilities, MFA status, last sign-in, and active just-in-time grants.

  • The snapshot is immutable — the auditable record of exactly what access existed at that moment.
  • Attest it to record a named sign-off (who reviewed it, when, with an optional note) — the evidence that a human reviewed access.
  • Export the members × access table as CSV.
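A reviewer normally wants a short list of what to look at before attesting the snapshot. The following is an added example, not code from the product: it parses a members × access CSV and flags the rows that usually need a decision (MFA off, high-risk capabilities, active just-in-time grants, stale or absent sign-in). The column names, the 90-day staleness threshold and the sample rows are all assumptions, not the real export schema.

```python
"""Triage an exported access-review CSV before attesting it.

Added example; the column names below are an assumption about the
members x access export, not the product's real schema.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export with assumed column names.
SAMPLE_CSV = """member,role,effective_permissions,high_risk_capabilities,mfa,last_sign_in,active_jit_grants
alice@example.com,owner,compliance.manage;compliance.read,delete-project,enabled,2024-05-01T09:12:00Z,
bob@example.com,admin,compliance.read,,disabled,2024-01-14T17:30:00Z,
carol@example.com,member,compliance.read,,enabled,2024-04-28T08:00:00Z,db-prod-rw
dave@example.com,admin,compliance.read,rotate-secrets,enabled,,
"""

STALE_AFTER = timedelta(days=90)  # assumed review policy


def parse_review(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_ts(value):
    # The export uses a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(rows, now_iso="2024-05-15T00:00:00Z"):
    """Return (member, finding) pairs a reviewer should look at before signing off."""
    now = _parse_ts(now_iso).astimezone(timezone.utc)
    findings = []
    for row in rows:
        member = row["member"]
        if row["mfa"].strip().lower() != "enabled":
            findings.append((member, "mfa-disabled"))
        if row["high_risk_capabilities"]:
            findings.append((member, "high-risk:" + row["high_risk_capabilities"]))
        if row["active_jit_grants"]:
            findings.append((member, "jit:" + row["active_jit_grants"]))
        last = row["last_sign_in"]
        if not last:
            findings.append((member, "never-signed-in"))
        elif now - _parse_ts(last) > STALE_AFTER:
            findings.append((member, "stale-sign-in"))
    return findings


if __name__ == "__main__":
    for member, finding in triage(parse_review(SAMPLE_CSV)):
        print(f"{member:24} {finding}")
```

The findings are input to the attestation note, not a verdict: an owner legitimately holding a high-risk capability is still a finding worth recording as "reviewed and accepted".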

Evidence pack

Pick a framework and a date range and export a single ZIP an auditor can open and cross-check:

manifest.json        framework, period, generated-by, integrity proof
access-review.csv    members × effective access
activity-log.csv     the audit log for the period (with seq + sealed)
sessions.csv         SSH + database session inventory
access-grants.csv    active just-in-time grants
configuration.json   guardrail rules + RBAC roles
README.txt           what each file is

The manifest carries an integrity proof: the result of verifying the tamper-evident audit chain plus the head hash — so the exported activity log is provably the real, unaltered one. The framework you pick shapes the manifest and README; the underlying evidence is shared, because the frameworks overlap on access-control and audit controls.
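An auditor who wants to trust the activity log should be able to recompute the chain rather than take the manifest's word for it. The following is an added example, not the product's verifier: it models the seq + sealed columns of activity-log.csv as a SHA-256 hash chain and checks the rows against the head hash from manifest.json. The chain construction (each seal covers the previous seal, the sequence number and the canonical event JSON, starting from an all-zero genesis seal), the manifest field names and the sample events are assumptions; the real format may differ.

```python
"""Independently verify an evidence pack's activity log against its manifest.

Added example; the chain layout, GENESIS value and manifest field names are
assumptions about the export format, not the product's real scheme.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed seal of the empty chain


def seal(prev_sealed, seq, event):
    """Seal one row: SHA-256 over previous seal, seq and canonical event JSON."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    h = hashlib.sha256()
    h.update(prev_sealed.encode())
    h.update(str(seq).encode())
    h.update(payload.encode())
    return h.hexdigest()


def build_log(events):
    """Chain a list of events into rows, as an exporter would."""
    rows, prev = [], GENESIS
    for seq, ev in enumerate(events, start=1):
        s = seal(prev, seq, ev)
        rows.append({"seq": seq, "event": ev, "sealed": s})
        prev = s
    return rows


def verify(rows, head_hash):
    """Return (ok, reason); catches edits, deletions, reordering and truncation."""
    prev, expected_seq = GENESIS, 1
    for row in rows:
        if row["seq"] != expected_seq:
            return False, f"gap or reorder at seq {row['seq']}"
        if seal(prev, row["seq"], row["event"]) != row["sealed"]:
            return False, f"seal mismatch at seq {row['seq']}"
        prev = row["sealed"]
        expected_seq += 1
    if prev != head_hash:
        return False, "head hash does not match manifest"
    return True, "chain intact"


# Constructed sample events for the demo.
SAMPLE_EVENTS = [
    {"actor": "alice@example.com", "action": "review.generate"},
    {"actor": "alice@example.com", "action": "review.attest"},
    {"actor": "bob@example.com", "action": "session.open", "target": "db-prod"},
]


def make_pack():
    """Build rows plus a minimal manifest (assumed field names)."""
    rows = build_log(SAMPLE_EVENTS)
    manifest = {"framework": "SOC 2",
                "integrity_proof": {"head_hash": rows[-1]["sealed"]}}
    return rows, manifest


def tamper(rows, actor="mallory@example.com"):
    """Deep-copy the rows and silently rewrite the actor of the second event."""
    copy = json.loads(json.dumps(rows))
    copy[1]["event"]["actor"] = actor
    return copy


if __name__ == "__main__":
    rows, manifest = make_pack()
    head = manifest["integrity_proof"]["head_hash"]
    print("original:", verify(rows, head))
    print("edited:  ", verify(tamper(rows), head))
    print("deleted: ", verify(rows[:1] + rows[2:], head))
    print("truncated:", verify(rows[:-1], head))
```

The check is only as strong as the head hash's provenance: the value in manifest.json should be compared with the head the console reports for the same period, since a pack and its manifest travel together.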

Permissions

compliance.read      views and exports reviews and packs
compliance.manage    generates and attests reviews

Both are owner/admin-level.