We don't claim compliance we haven't earned. This page lists every framework EvalGuard supports, and exactly what each level of support means: control mappings, evidence engine, or third-party certified. Use it to evaluate fit honestly before you sign.
We've linked each control in the framework to specific attack types, plugins, or platform features. Run a security scan; you get a per-control coverage report. Useful for auditor pre-work + RFP responses.
Every relevant platform action emits a tamper-detection-hashed evidence row mapped to the framework's controls. Auto-populated continuously from your audit log. Auditors consume the JSON directly via /api/v1/compliance/<framework>/attestation.
A third-party auditor has verified our controls through a full audit cycle. Requires the 6-month observation period (SOC 2 Type II), accredited certification body engagement, and YOUR own attestation against your specific deployment.
Foundation work shipped (data handling, encryption, policies) but the evidence engine + control mapping for this framework hasn't landed yet. Tracked in our 90-day roadmap.
All 10 controls mapped to attack plugins + scorers.
Every security scan returns a per-control coverage report you can show to your auditor or security team. Scan via /api/v1/security with attackTypes from the framework registry.
All 10 controls (AAI01-AAI10) mapped. First-class agent risks.
Includes plugins for memory poisoning (AAI01), tool misuse (AAI02), privilege compromise (AAI03), goal misalignment (AAI06), value-alignment drift (AAI07), repudiation/temporal-attack (AAI08), identity spoofing (AAI09), human-loop bypass (AAI10).
12 CC controls seeded; user-action + system-level evidence auto-collected.
Two evidence streams: (1) every audit-loggable user action (login, role change, key create/revoke, export, settings change, incident update) emits a SHA-256-hashed evidence row mapped to a SOC 2 control; (2) a background worker job collects synthetic system-level evidence hourly for controls that don't have a user action — CC6.1 membership review, CC6.6 api_key review, CC7.2 health-check, CC7.4 backup-run. Coverage dashboard at /dashboard/compliance/coverage. Auditor consumption: GET /api/v1/compliance/soc2/attestation (snapshot) + /api/v1/compliance/soc2/evidence (raw row export, paginated, payload_hash on every row). Type 1 attestation (point-in-time) target Q4 2026; Type II (6-month observation period + accredited firm) follows in 2027. Both gated on funding the auditor engagement — the evidence above is live regardless.
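Auditor-side check of the raw row export described above, as an added example (not EvalGuard's code): it recomputes each row's SHA-256 and counts verified rows per control. Only `payload_hash` and the control IDs come from this page; the other field names (`id`, `control_id`, `payload`), the canonical-JSON rule (sorted keys, compact separators, UTF-8) and the `export_digest` helper are assumptions.

```python
import hashlib
import json

def canonical_json(obj) -> bytes:
    # ASSUMPTION: canonical form = sorted keys, compact separators, UTF-8.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def payload_digest(payload) -> str:
    return hashlib.sha256(canonical_json(payload)).hexdigest()

def verify_rows(rows):
    """Return (verified-row count per control, ids of rows failing the hash check)."""
    coverage, failures = {}, []
    for row in rows:
        claimed = str(row.get("payload_hash") or "").lower()
        if claimed == payload_digest(row.get("payload")):
            coverage[row["control_id"]] = coverage.get(row["control_id"], 0) + 1
        else:
            failures.append(row["id"])
    return coverage, failures

def export_digest(rows) -> str:
    """One digest over every row hash, in id order, to pin a snapshot externally."""
    h = hashlib.sha256()
    for row in sorted(rows, key=lambda r: r["id"]):
        h.update(f'{row["id"]}:{row["payload_hash"]}\n'.encode("utf-8"))
    return h.hexdigest()

def make_row(row_id, control_id, payload):
    # Builds a constructed sample row; field names other than payload_hash are assumed.
    return {"id": row_id, "control_id": control_id, "payload": payload,
            "payload_hash": payload_digest(payload)}

# Constructed sample export (not real platform output).
SAMPLE_ROWS = [
    make_row("ev-001", "CC6.1", {"action": "role_change", "actor": "user-17", "new_role": "admin"}),
    make_row("ev-002", "CC6.6", {"action": "key_revoke", "actor": "user-17", "key_id": "key-3"}),
    make_row("ev-003", "CC7.2", {"action": "health_check", "status": "ok"}),
]
# Same export with one payload edited after hashing.
TAMPERED_ROWS = [dict(SAMPLE_ROWS[0], payload={"action": "role_change", "actor": "user-17",
                                               "new_role": "viewer"})] + SAMPLE_ROWS[1:]

if __name__ == "__main__":
    print(verify_rows(SAMPLE_ROWS))    # all three rows verify
    print(verify_rows(TAMPERED_ROWS))  # ev-001 is reported as a failure
```

A per-row hash stored beside the row detects an edit only if the editor does not also recompute the hash. Comparing `export_digest` against a value recorded outside the platform at export time covers that case.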
Articles 9-15 mapped + Annex IV technical-documentation auto-generator.
High-risk system obligations: risk management (Art 9), data governance (Art 10), record keeping (Art 12), transparency (Art 13), human oversight (Art 14), accuracy/robustness/cybersecurity (Art 15). Annex III high-risk categories enumerated for deployer questionnaire flow. POST /api/v1/compliance/eu-ai-act/annex-iv auto-generates the 9-section Annex IV technical documentation from real platform state — audit logs, SOC 2 evidence, incident reports, applied standards — with SHA-256 tamper-detection hashing on the canonical JSON. Legal review of your specific deployment is your responsibility.
Annex A controls A.2-A.10 mapped + Statement of Applicability auto-generator.
AI management system controls: policies (A.2), internal organization (A.3), resources (A.4), impact assessment (A.5), AI lifecycle (A.6), data (A.7), information for users (A.8), use (A.9), third-party relationships (A.10). POST /api/v1/compliance/iso-42001/statement-of-applicability auto-generates the SoA per Clause 6.1.3 — every Annex A control listed with applicability + implementation status derived from your real evidence collection. Coverage percentage computed across applicable controls. Accredited certification requires engagement with a recognized certification body.
Data-handling implemented; third-party attestation Q2 2027.
Encryption-at-rest (Supabase AES-256), encryption-in-transit (TLS 1.3), org-isolated RLS, audit logging, BYOK provider keys via Supabase Vault. Healthcare vertical pack (medical + pharmacy plugins) ready. BAA-eligible only after attestation.
DSR intake, account-deletion atomic RPC, consent gates wired.
Data subject rights intake at /api/v1/privacy/dsr. Right to erasure: account_deletion_full() Postgres function — 11-step purge in a single transaction. Consent enforcement at the gateway: HTTP 451 is returned when the subject withdraws consent. Data Processing Agreement template available; legal review required for your specific deployment.
Govern, Map, Measure, Manage functions tied to platform features.
Risk Management Framework alignment via the existing compliance/nist-ai-rmf.ts registry. Coverage via security scans + drift detection + adversarial campaigns.
This page is not a substitute for legal review of your specific deployment. EU AI Act high-risk system obligations, HIPAA BAA requirements, and state-level AI laws (Colorado, California, etc.) all depend on how YOU deploy our platform. Use this page as evidence input to your own counsel, not as a green light for regulated workloads.