Governance & Compliance
Seven compliance tools purpose-built for startups — from SOC 2 control tracking and vendor risk management to PII inventory, DPA lifecycle, security incidents, and compliance calendars. Wired into AI Contract Analyzer for automated risk extraction across your vendor agreements.
SOC 2 ready · GDPR compliant · Auditor-ready exports
CC1–CC9: SOC 2 controls baseline
Art. 30: GDPR records of processing ready
AAL2: NIST SP 800-63B authenticator assurance with MFA
Auditor: JSON export ready
From SOC 2 control tracking to vendor risk, PII inventory, DPA management, security incidents, training tracking, and compliance calendars — every tool feeds the next. AI Contract Analyzer integration is one click away.
Track SOC 2 Common Criteria (CC1–CC9) evidence in one place. Seed a 30-control baseline, attach evidence per control, export auditor-ready JSON.
CC1–CC9 baseline seeded in one click
Inline status + evidence attachment
Readiness % scoreboard by category
Auditor-ready JSON export
Track every SaaS vendor and subprocessor: DPA status, renewal dates, regions, data classes. Supports the subprocessor disclosure and change-notification duties of GDPR Art. 28.
DPA lifecycle (pending/signed/expired)
Subprocessor flag for public /trust page
Renewal alerts
Data-class tagging
Log and triage security incidents, distinct from ops incidents. Severity tracking, postmortem URL, regulatory notification clock.
Severity + status workflow
Mean-time-to-resolve
Detection-source tagging
Postmortem links
GDPR Art. 30 records of processing activities. Data classification, retention schedules, legal basis, owner teams.
Public / internal / confidential / restricted
Retention-day tracking
GDPR Art. 6 legal-basis capture
Owner-team attribution
Data Processing Agreements with vendors and customers. Signature lifecycle, renewal tracking, SCC version capture.
Draft → signed → expired lifecycle
Counterparty type (vendor/customer/subprocessor)
Renewal alerts
Standard Contractual Clauses version
Track team security training completion — phishing, SOC 2 awareness, GDPR, password hygiene. Overdue detection.
Per-user completion tracking
Due-date alerts
Completion-rate reporting
Certificate URL capture
Deadline tracker for SOC 2 / GDPR / CCPA / HIPAA events. Recurring milestones, renewal alerts, auto-overdue flagging.
Framework-tagged events
Recurring cadences
Auto-overdue detection
Per-event assignment
GDPR / CCPA DSR queue for the platform-global contact graph. Public submission with magic-link verification; admin processing erases shared rows in one transaction and fans out suppression entries across the platform.
Public submission + magic-link verification
Erasure: redact + cascade-delete identifiers/sources/cache
Auto-populate suppression list per request
Statutory window tracking (one month under GDPR/UK GDPR Art. 12(3) · 45 days under CCPA; statutory extensions are not applied automatically)
Identifiers that must never be re-sourced. Auto-populated by erasure DSRs; manually editable by platform admins for hard bounces and known opt-outs. Checked on every sourcing lookup.
Email / LinkedIn / GitHub / phone / domain types
Hashed display option for redacted identifiers
Reason tagging (DSR / opt-out / bounce / spam / manual)
Resolver short-circuits on suppression hit — no spend
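The erasure DSR flow (L50–54) and the suppression list (L55–59) share one mechanism: identifiers are normalised, the matching contact rows are removed, the identifiers are written to the suppression list, and every later sourcing lookup checks that list before spending anything. The following is an added Python illustration of that mechanism, not BurnRateOS code; the normalisation rules, the `Resolver` stand-in for a paid enrichment source, the in-memory store and the sample contacts are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Identifier kinds and reason tags as listed on the page.
KINDS = ("email", "linkedin", "github", "phone", "domain")
REASONS = ("dsr", "opt-out", "bounce", "spam", "manual")


def normalize(kind: str, value: str) -> str:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' collide.
    These rules are assumptions for the example, not the product's."""
    v = value.strip()
    if kind == "email":
        return v.lower()
    if kind == "domain":
        return v.lower().rstrip(".")
    if kind == "phone":
        # Digits only; assumes the number already carries its country code.
        return "+" + "".join(ch for ch in v if ch.isdigit())
    if kind in ("linkedin", "github"):
        # Profile handle only: case-insensitive, URL prefix and trailing slash dropped.
        return v.lower().rstrip("/").rsplit("/", 1)[-1]
    raise ValueError(f"unknown identifier kind: {kind}")


class SuppressionList:
    """Identifiers that must never be re-sourced, keyed on (kind, normalised value)."""

    def __init__(self, display_key: bytes):
        self._display_key = display_key          # HMAC key for the redacted display form
        self._entries: dict = {}                  # (kind, normalised) -> reason

    def add(self, kind: str, value: str, reason: str) -> None:
        if reason not in REASONS:
            raise ValueError(f"unknown reason: {reason}")
        self._entries[(kind, normalize(kind, value))] = reason

    def contains(self, kind: str, value: str) -> bool:
        return (kind, normalize(kind, value)) in self._entries

    def reason(self, kind: str, value: str) -> Optional[str]:
        return self._entries.get((kind, normalize(kind, value)))

    def display(self, kind: str, value: str) -> str:
        """Keyed hash for listing a redacted entry in the admin UI. A keyed MAC, not a
        bare hash, so the list cannot be reversed by hashing guessed emails."""
        mac = hmac.new(self._display_key, normalize(kind, value).encode(), hashlib.sha256)
        return f"{kind}:{mac.hexdigest()[:16]}"


@dataclass
class Resolver:
    """Stand-in for a paid enrichment lookup; counts spend to show the short-circuit."""
    suppression: SuppressionList
    directory: dict            # constructed sample data in place of the external source
    spend: int = 0

    def resolve(self, kind: str, value: str) -> Optional[dict]:
        if self.suppression.contains(kind, value):
            return None        # suppression hit: no outbound call, no spend
        self.spend += 1
        return self.directory.get((kind, normalize(kind, value)))


def process_erasure(contacts: dict, identifiers: list, suppression: SuppressionList) -> int:
    """Erasure DSR: delete every contact row matching any supplied identifier, then add
    each identifier to the suppression list. Input is validated (normalize raises on a bad
    kind) before anything is mutated, so a bad request changes nothing."""
    norm = [(k, normalize(k, v)) for k, v in identifiers]
    victims = [cid for cid, row in contacts.items()
               if any(k in row and normalize(k, row[k]) == v for k, v in norm)]
    for cid in victims:
        del contacts[cid]
    for k, v in norm:
        suppression.add(k, v, "dsr")
    return len(victims)
```

In a real deployment the row deletions and suppression inserts would sit in one database transaction, and `directory` would be the external sourcing API; the point the example makes is that the suppression check runs before the resolver is ever called, so a suppressed identifier costs nothing and can never be re-sourced.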
Identity, audit, privacy, and application security — every claim below maps to a feature you can demo. Drop this page into your security questionnaire response.
NIST SP 800-63B
Digital Identity Guidelines (AAL2)
Multi-factor authentication, password rules, session management, and re-authentication thresholds aligned to Authenticator Assurance Level 2.
Evidence: TOTP MFA · refresh-token rotation · session idle/absolute timeouts · sessionVersion atomic revoke
OWASP ASVS L2
Application Security Verification Standard
V2 Authentication, V3 Session Management, V6 Stored Cryptography (ASVS 4.0 chapter numbering). Verified against Level 2, the level ASVS recommends for applications handling sensitive business data.
Evidence: PBKDF2-SHA256 (100k iter) · device fingerprint · idle timeout · concurrent-session cap
RFC 6238
TOTP — Time-based One-Time Passwords
Time-based 6-digit codes for MFA, compatible with Google Authenticator, Authy, 1Password, etc.
Evidence: Self-service TOTP enrollment · backup codes (Phase 4) · per-device trust
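As an added illustration of the RFC 6238 claim above (not BurnRateOS code), the following Python implements HOTP/TOTP from the standard library, the otpauth provisioning URI that authenticator apps scan at enrollment, and the two server-side checks the RFC recommends: a small clock-drift window and a replay guard on the last accepted counter. The `TotpAuthenticator` class and its field names are assumptions made for the example; the test vectors are the SHA-1 ones from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpAuthenticator:
    """Server side of enrollment and verification for one user (example only)."""

    def __init__(self, secret: Optional[bytes] = None, step: int = 30, skew: int = 1):
        self.secret = secret or secrets.token_bytes(20)   # 160 bits, RFC 4226 minimum
        self.step = step
        self.skew = skew               # accept +/- this many steps of clock drift
        self.last_counter = -1         # highest counter already consumed (replay guard)

    def provisioning_uri(self, issuer: str, account: str) -> str:
        """otpauth:// URI for Google Authenticator, Authy, 1Password and similar."""
        b32 = base64.b32encode(self.secret).decode().rstrip("=")
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={b32}&issuer={quote(issuer)}"
                f"&algorithm=SHA1&digits=6&period={self.step}")

    def verify(self, code: str, unix_time: int) -> bool:
        """Accept the code if it matches any step in the window and has not been used.
        Every candidate is compared (no early exit) with a constant-time compare, so
        timing does not reveal which step matched or how close a guess was."""
        counter = unix_time // self.step
        matched = None
        for delta in range(-self.skew, self.skew + 1):
            candidate = counter + delta
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                matched = candidate
        if matched is None or matched <= self.last_counter:
            return False           # wrong code, or a replay of one already accepted
        self.last_counter = matched
        return True
```

Store `last_counter` with the user record, not in process memory, or the replay guard disappears on restart or across instances. Rate-limit `verify` as well: a 6-digit code with a 3-step window is still brute-forceable if unlimited attempts are allowed.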
RFC 6749 §10.4
OAuth 2.0 Refresh-Token Rotation
Every refresh issues a new token; reuse of a rotated token revokes the entire session family. Token-theft detection as recommended by the OAuth 2.0 Security Best Current Practice (RFC 9700).
Evidence: Family-id chain · automatic family revoke on reuse · hashed tokens at rest
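The rotation scheme described above, as an added Python example (not BurnRateOS code): each refresh token belongs to a family created at login, a refresh consumes the presented token and issues its successor in the same family, only SHA-256 fingerprints are stored, and presenting an already-consumed token revokes the whole family. The reason that last rule catches theft: if an attacker steals token T1 and refreshes first, the legitimate client later presents T1 again, which is now consumed, and the resulting family revocation also kills the attacker's T2. Class and method names, the in-memory store and the 30-day TTL are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional


class InvalidToken(Exception):
    """Unknown, expired or revoked refresh token."""


class ReuseDetected(InvalidToken):
    """An already-rotated refresh token was presented again."""


def _fingerprint(token: str) -> str:
    # Only the hash is stored; a leaked table yields nothing that can be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class RefreshRecord:
    token_hash: str
    family_id: str
    user_id: str
    expires_at: float
    consumed: bool = False     # set once this token has been exchanged for its successor


class RefreshTokenStore:
    def __init__(self, ttl_seconds: int = 30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._records: dict = {}            # token_hash -> RefreshRecord
        self._revoked_families: set = set()

    def issue(self, user_id: str, family_id: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Mint a token. A fresh login starts a new family; rotation reuses the family."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family_id = family_id or secrets.token_hex(16)
        self._records[_fingerprint(token)] = RefreshRecord(
            _fingerprint(token), family_id, user_id, now + self.ttl)
        return token

    def rotate(self, presented: str, now: Optional[float] = None) -> str:
        """Exchange a live token for its successor; reuse revokes the whole family."""
        now = time.time() if now is None else now
        rec = self._records.get(_fingerprint(presented))
        if rec is None or rec.family_id in self._revoked_families:
            raise InvalidToken("unknown or revoked token")
        if rec.consumed:
            # Either the client or a thief is replaying an old token: kill every
            # descendant, including whichever live token the other party holds.
            self.revoke_family(rec.family_id)
            raise ReuseDetected(f"family {rec.family_id} revoked")
        if now >= rec.expires_at:
            raise InvalidToken("expired token")
        rec.consumed = True
        return self.issue(rec.user_id, rec.family_id, now)

    def revoke_family(self, family_id: str) -> None:
        self._revoked_families.add(family_id)

    def is_live(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        rec = self._records.get(_fingerprint(token))
        return (rec is not None and not rec.consumed
                and rec.family_id not in self._revoked_families
                and now < rec.expires_at)
```

The consume-then-issue step must be atomic in production (a conditional update on `consumed = false`, or a row lock); two concurrent refreshes with the same token would otherwise both succeed, and the second would then look like a legitimate rotation rather than the reuse it is.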
OWASP Top 10 — A07
Identification & Authentication Failures
Mitigations for credential stuffing, brute force, session hijacking, and weak recovery flows.
Evidence: Email enumeration prevention · double-verify email change · MFA · sessionVersion bump on password change
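The AAL2 session controls claimed under NIST SP 800-63B above (idle and absolute timeouts, atomic revocation via a session version) and the A07 mitigations here (PBKDF2-SHA256 at 100k iterations, email enumeration prevention, concurrent-session cap, sessionVersion bump on password change) fit in one small model, shown below as an added Python example that is not BurnRateOS code. The `AuthService` class, its field names and the in-memory stores are assumptions made for the example; the timeout values are the AAL2 figures (30 minutes idle, 12 hours absolute) and the iteration count is the one the page states.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 30 * 60         # AAL2: reauthenticate after 30 minutes of inactivity
ABSOLUTE_TIMEOUT = 12 * 3600   # AAL2: and at least once every 12 hours regardless
MAX_SESSIONS_PER_USER = 5      # concurrent-session cap (value is an assumption)
# The page's figure, and the ASVS 4.0.3 floor for PBKDF2; note the OWASP Password
# Storage Cheat Sheet now recommends 600,000 for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    session_version: int = 1   # one integer write revokes every session at once


@dataclass
class Session:
    email: str
    version: int               # User.session_version captured at login
    created_at: float
    last_seen: float


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class AuthService:
    def __init__(self):
        self._users: dict = {}      # email -> User
        self._sessions: dict = {}   # session id -> Session
        # Decoy credential: an unknown email costs the same PBKDF2 work as a real one,
        # so response time does not reveal whether the address is registered.
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = _derive(secrets.token_urlsafe(16), self._decoy_salt)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email.lower()] = User(email.lower(), salt, _derive(password, salt))

    def login(self, email: str, password: str, now: float) -> Optional[str]:
        user = self._users.get(email.lower())
        salt, expected = (user.salt, user.pw_hash) if user else (self._decoy_salt, self._decoy_hash)
        if not hmac.compare_digest(_derive(password, salt), expected) or user is None:
            return None            # same answer for "no such user" and "wrong password"
        self._cap_sessions(user.email)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user.email, user.session_version, now, now)
        return sid

    def _cap_sessions(self, email: str) -> None:
        """Evict the oldest sessions so that the new one fits under the cap."""
        live = sorted((s.created_at, sid) for sid, s in self._sessions.items() if s.email == email)
        while len(live) >= MAX_SESSIONS_PER_USER:
            _, oldest = live.pop(0)
            del self._sessions[oldest]

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user for a live session, or None (and drop it) if it has expired
        by idle time, by absolute age, or because the user's session version moved on."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        user = self._users[s.email]
        if (now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > ABSOLUTE_TIMEOUT
                or s.version != user.session_version):
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.email

    def change_password(self, email: str, old: str, new: str) -> bool:
        user = self._users.get(email.lower())
        if user is None or not hmac.compare_digest(_derive(old, user.salt), user.pw_hash):
            return False
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _derive(new, user.salt)
        user.session_version += 1  # every session issued before this line is now dead
        return True
```

The version check in `validate` is what makes revocation atomic: no per-session deletes, no race with sessions being created on another node, just one compare against the user's current version on every request.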
SOC 2 Type II
Trust Services Criteria (CC1–CC9)
Evidence collection across the nine Common Criteria series, CC1 control environment through CC9 risk mitigation, covering communication, risk assessment, monitoring, control activities, logical and physical access, system operations and change management.
Evidence: 30-control baseline · evidence attachment · auditor JSON export
ISO/IEC 27001:2022
Information Security Management System
Annex A control mapping for access control, cryptography, supplier relationships, and incident management.
Evidence: Vendor register · incident register · access reviews · audit trail
ISO/IEC 27002:2022
Information Security Controls
Implementation guidance for the 93 controls referenced by ISO 27001:2022 Annex A.
Evidence: Mapped to product features in the Compliance Calendar
GDPR (EU 2016/679)
General Data Protection Regulation
Art. 30 records of processing, Art. 28 subprocessor disclosure, Art. 32 security of processing, Art. 33 72-hour breach notification to the supervisory authority.
Evidence: PII inventory · DPA lifecycle · subprocessor /trust page · incident clock
CCPA / CPRA
California Consumer Privacy Act
Data subject access, deletion, and opt-out rights for California residents.
Evidence: DSR portal · suppression list · right-to-delete workflow
ISO/IEC 27701:2019
Privacy Information Management
Extension to ISO 27001 covering controllers and processors of PII.
Evidence: Data inventory · processing-purpose tagging · retention schedules
OWASP Top 10 — A01
Broken Access Control
RBAC + multi-tenant scoping enforced at the route layer; per-route permission checks.
Evidence: Role-based access control · account+company dual-key scoping · per-feature gates
NIST SP 800-53 (selected)
Security & Privacy Controls
Mapped subset for AC (Access Control), AU (Audit), IA (Identification), and IR (Incident Response).
Evidence: Audit log · access reviews · MFA · incident register
Need this in a questionnaire format?
Export the full standards matrix as JSON or PDF from the SOC 2 Control Tracker.
How does BurnRateOS help with SOC 2 compliance?
How does the Vendor Register support subprocessor management?
Does BurnRateOS support GDPR compliance?
How are security incidents tracked?
What does the Compliance Calendar do?
Which authentication standards does BurnRateOS implement?
How do you handle session security and trusted devices?
Join startups using our governance and compliance suite to track SOC 2 controls, manage vendor risk, and pass security audits with confidence.
No credit card required • Free forever plan • Setup in 2 minutes