Compliance Library

Compliance documentation for your open-source stack.

Audit-ready attestations and evidence packages for SOC 2, PCI DSS, HIPAA, ISO 27001, DORA, and FedRAMP.

Supported frameworks

Six compliance frameworks, one OSS-native approach

We map your open-source component controls to the specific requirements auditors care about — and deliver evidence packages that hold up under scrutiny.

SOC 2 Type II

Trust Services Criteria

CC6.1 — Logical & Physical Access Controls

What OSSeva provides

  • Evidence matrix mapping OSS component controls to Trust Services Criteria
  • Sample audit narrative for Kubernetes RBAC and network policy configurations
  • Change management evidence templates for OSS version upgrades
  • Monitoring and alerting configuration attestation for Prometheus/Grafana stacks

PCI DSS v4.0

Payment Card Industry

Req 6 — Secure Systems & Software

What OSSeva provides

  • OSS component vulnerability disclosure and patch cadence documentation
  • Network segmentation evidence for containerized payment processing workloads
  • Encryption-in-transit configuration attestation for message brokers and databases
  • Access control matrix for OSS operator and admin roles

HIPAA

Health Insurance Portability

§164.312 — Technical Safeguards

What OSSeva provides

  • Technical safeguard matrix mapping OSS controls to HIPAA §164.312 requirements
  • Audit log configuration evidence for PostgreSQL, Kafka, and RabbitMQ
  • Encryption key management documentation for OSS-based PHI workloads
  • Minimum necessary access documentation for OSS platform operators

ISO 27001:2022

Information Security

Annex A.8 — Technological Controls

What OSSeva provides

  • Control objective mapping for OSS components against Annex A.8 controls
  • Asset inventory templates for containerized OSS infrastructure
  • Vulnerability management process documentation aligned to ISO requirements
  • Supplier relationship evidence for upstream OSS project governance

DORA

Digital Operational Resilience

Art. 9 — ICT Security

What OSSeva provides

  • ICT risk assessment templates for OSS-dependent financial services infrastructure
  • Incident classification and response documentation for OSS platform events
  • Third-party risk documentation covering OSS project governance and upstream dependencies
  • Resilience testing evidence including chaos engineering runbooks

FedRAMP

Federal Risk & Authorization

AC-2 — Account Management

What OSSeva provides

  • NIST SP 800-53 control mapping for OSS components at Moderate baseline
  • Configuration baseline documentation for hardened OSS Kubernetes deployments
  • Continuous monitoring evidence packages for containerized workloads
  • Supply chain risk management artifacts for OSS dependencies

Document library

Request specific documents

These documents are available to customers and prospects under NDA. Request access and we'll respond within one business day.

SOC 2 Type II Attestation

OSSeva's independent attestation of security controls across managed OSS environments, suitable for inclusion in your vendor risk review package.

Sample Audit Narrative

Pre-written audit narrative templates your team can adapt for common OSS infrastructure controls — saves weeks of documentation work during audit prep.

HIPAA Technical Safeguard Matrix

A detailed control mapping table that links HIPAA §164.312 technical safeguard requirements to specific OSS configuration controls and evidence sources.

Pen-Test Report Summary

Sanitized summary of penetration testing findings across OSSeva-managed platform components, including remediation status and compensating controls.

How it works

From request to audit-ready

Three steps from initial conversation to documentation your auditors will accept without follow-up requests.

01

Book a discovery call

Tell us which frameworks are in scope, your audit timeline, and the OSS components you need covered. We confirm which documentation packages apply to your environment.

02

Coverage review

We map your OSS stack against the relevant control frameworks, identify any gaps, and agree on a documentation package that satisfies your auditor's evidence requirements.

03

Documentation delivered

Completed evidence packages, attestation letters, and audit-ready matrices are delivered to your compliance team. We remain available to respond to auditor follow-up questions.

All documentation is delivered under NDA

Evidence packages, attestation letters, and audit narratives contain sensitive configuration details. We provide them only to customers and qualified prospects after a signed NDA. Response time is typically one business day.


Frequently asked questions

What compliance documentation does OSSeva provide for PCI DSS?

For PCI DSS v4.0, OSSeva provides evidence covering Requirement 6 (Secure Systems and Software): patch cadence attestation satisfying Req 6.3.3 (all components protected from known vulnerabilities), change management documentation for each patch delivery, and a vulnerability management matrix showing CVSS scores, patch availability dates, and remediation confirmation for all applicable CVEs. This evidence is formatted for direct submission to QSA teams.

Does OSSeva help with SOC 2 Type II audits?

Yes. OSSeva provides SOC 2-specific evidence packages covering Common Criteria CC6 (Logical and Physical Access Controls), CC7 (System Operations), and CC8 (Change Management). Evidence includes: access control configuration attestations, monitoring and alerting configuration documentation, and patch change management records. OSSeva's own SOC 2 Type II report (as a subservice organization) is available under NDA for customers who need it for their own audit.

How does OSSeva address HIPAA Technical Safeguards for OSS middleware?

OSSeva addresses HIPAA §164.312 by providing: (a) Access controls — documented role and permission configurations for RabbitMQ vhosts, Kafka ACLs, and PostgreSQL roles; (b) Audit controls — evidence of audit logging enabled and retained; (c) Integrity controls — TLS configuration and message signing attestation; (d) Transmission security — encryption-in-transit configuration documentation. These are provided as standalone HIPAA evidence packages per covered technology.

Does OSSeva provide compliance documentation for EU DORA?

Yes. EU DORA (Digital Operational Resilience Act, effective January 17, 2025) requires financial entities to manage ICT risk including third-party software. OSSeva provides DORA-specific ICT risk documentation covering: identification and classification of OSS components, vulnerability management (patch SLAs and evidence), third-party service provider risk assessment materials, and resilience testing support. OSSeva can serve as a documented ICT third-party service provider under DORA.

Need compliance documentation for your OSS stack?

We work with your security and compliance teams to produce audit-ready evidence packages — tailored to your framework requirements and your specific OSS components.