Compliance Guides
Automate evidence collection, framework mapping, and audit preparation. Not just checking boxes — proving it.
Compliance That Proves Itself
ARQERA automates compliance evidence collection, audit preparation, and framework mapping. Every action your organisation takes is recorded, hashed, and mapped to the controls that matter.
From Reactive to Continuous
Traditional compliance is a scramble before each audit. ARQERA makes it continuous.
- Evidence artifacts: auto-generated
- Control monitoring: real-time
- Audit preparation: zero lead time
- Framework mapping: multi-framework
- Export formats: PDF, CSV, JSON
- Hash integrity: SHA-256 chain
Supported Frameworks
Four regulatory frameworks with dedicated guidance, control mapping, and automated evidence collection.
SOC 2 Type II
Continuous control monitoring across all five Trust Service Criteria. Automated evidence collection, gap detection, and one-click audit reports.
GDPR
Full Article 5 principle enforcement, DSAR automation, consent management, and records of processing. Privacy by design, built in.
HIPAA
Administrative, physical, and technical safeguards for protected health information. Access controls, audit trails, and BAA support.
EU AI Act
Risk classification, Annex III documentation, transparency obligations, and human oversight requirements. Deadline: August 2, 2026.
How ARQERA Handles Compliance
Five capabilities that replace manual audit prep with continuous, automated compliance.
Continuous Monitoring
Real-time control verification, not point-in-time audits. When a policy changes, encryption drifts, or access is revoked, you know immediately.
Automated Evidence Collection
Every action emits a tamper-evident evidence artifact via the Evidence Chain. Login events, permission changes, data access logs, and policy enforcement captured automatically.
Framework Mapping
Your governance actions map directly to compliance controls. One action can satisfy multiple frameworks simultaneously: SOC 2 CC6.1, GDPR Art. 30, HIPAA Access Control.
Audit-Ready Exports
Generate compliance reports in PDF, CSV, and JSON. Evidence attached, gaps annotated, controls mapped. Your auditor gets a clean package, not a messy spreadsheet.
Real-Time Dashboards
Live compliance posture across every framework. See which controls are passing, degraded, or failing at a glance. Drill into any control for evidence history.
The Evidence Chain
The backbone of ARQERA compliance. Every action emits a tamper-evident artifact linked by cryptographic hashes.
How It Works
Immutable, append-only, cryptographically linked evidence artifacts
| Property | Detail |
|---|---|
| Integrity | SHA-256 hash chain. Each record hashes the previous, creating a tamper-evident sequence. |
| Immutability | Once written, evidence artifacts cannot be modified or deleted. Append-only by design. |
| Control mapping | Each artifact maps to specific compliance controls (SOC 2 CC6.1, GDPR Art. 30, HIPAA 164.312). |
| Artifact types | Login events, permission changes, data access logs, policy enforcement, configuration changes. |
| Export formats | PDF (auditor-ready), CSV (spreadsheet), JSON (API integration). |
| Retention | Configurable per framework. Default: 7 years (SOC 2), 6 years (GDPR), 6 years (HIPAA). |
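As an added illustration of the hash-chain design described above (example code, not ARQERA's own implementation), each artifact's SHA-256 covers its control mappings plus the previous record's hash, and verification reports the first record where the chain breaks, whether from an edit or a deletion. The record fields, control labels and genesis sentinel are assumptions.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed sentinel used as prev_hash of the first record


def canonical(record: dict) -> bytes:
    """Stable serialisation so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_artifact(chain: list, action: str, controls: list, ts: str) -> dict:
    """Append one evidence artifact whose hash also covers the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    body = {"seq": len(chain), "ts": ts, "action": action,
            "controls": sorted(controls), "prev_hash": prev_hash}
    artifact = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(artifact)
    return artifact


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        # A deleted record shifts later sequence numbers; an edit changes the hash.
        if rec["seq"] != i or body["prev_hash"] != expected_prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        expected_prev = rec["hash"]
    return True, None


def build_sample_chain() -> list:
    """Constructed sample: three governance actions taken from the mapping table on this page."""
    chain = []
    append_artifact(chain, "enable_mfa_all_users",
                    ["SOC2:CC6.1", "GDPR:Art.32", "HIPAA:164.312(d)"], "2026-01-05T09:00:00Z")
    append_artifact(chain, "log_data_access",
                    ["SOC2:CC7.2", "GDPR:Art.30", "HIPAA:164.312(b)"], "2026-01-05T09:01:00Z")
    append_artifact(chain, "deprovision_user",
                    ["SOC2:CC6.3", "GDPR:Art.5(1)(e)", "HIPAA:164.312(a)"], "2026-01-05T09:02:00Z")
    return chain


def tamper_demo() -> tuple:
    """After-the-fact edit of an old record's control mapping; verification pinpoints record 1."""
    chain = build_sample_chain()
    chain[1]["controls"].append("SOC2:CC8.1")  # unauthorised modification
    return verify_chain(chain)
```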
Evidence Flow
SOC 2 Quick Reference
Trust Service Criteria coverage and ARQERA control mappings.
Trust Service Criteria
Five criteria. Security is mandatory. The others are scoped to your business.
| Criterion | Description | Controls |
|---|---|---|
| Security | Protection against unauthorised access. The mandatory criterion every audit starts with. | 33 |
| Availability | Systems available for operation as committed. SLAs, redundancy, and disaster recovery. | 17 |
| Confidentiality | Confidential information protected as committed. Encryption, access controls, and retention. | 12 |
| Processing Integrity | System processing is complete, valid, accurate, timely, and authorised. | 14 |
| Privacy | Personal information handled in conformity with commitments and applicable regulations. | 18 |
ARQERA Control Mappings
| Control | Name | Auto-Collected Evidence |
|---|---|---|
| CC6.1 | Logical Access Controls | Login events, MFA enforcement, role assignments |
| CC7.2 | System Monitoring | Audit logs, anomaly detection, alert history |
| CC8.1 | Change Management | Deployment approvals, PR reviews, rollback records |
| CC9.1 | Risk Assessment | Risk register, quarterly assessments, mitigation plans |
| CC6.3 | Access Removal | Deprovisioning logs, access revocation timestamps |
| CC3.2 | Risk Monitoring | Continuous risk scoring, trend analysis, gap reports |
Full SOC 2 coverage details, gap analysis, and readiness assessment are available on the dedicated SOC 2 page.
GDPR Quick Reference
Key articles covered and how ARQERA enforces each principle.
Articles Covered
Six key GDPR articles with automated enforcement and evidence collection.
Art. 5: Processing Principles
Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity.
ARQERA Coverage
Every AI processing activity logs its lawful basis before execution. Purpose boundaries enforced at the evidence layer.
Art. 6: Lawful Basis
Consent, contract, legal obligation, vital interests, public task, or legitimate interest.
ARQERA Coverage
Lawful basis recorded per processing activity. Consent management with granular opt-in/opt-out controls.
Art. 12-22: Data Subject Rights
Access, rectification, erasure, restriction, portability, objection, automated decision-making.
ARQERA Coverage
Automated DSAR workflows. Self-service data export, deletion requests, and processing restrictions.
Art. 25: Privacy by Design
Data protection integrated into processing activities from the design stage.
ARQERA Coverage
IP anonymisation enabled by default. Data minimisation enforced. AI agents access only minimum required data.
Art. 30: Records of Processing
Maintain records of all processing activities under your responsibility.
ARQERA Coverage
Evidence Chain automatically generates Art. 30-compliant records for every processing activity.
Art. 35: Data Protection Impact Assessment
DPIA required for high-risk processing, including automated decision-making.
ARQERA Coverage
Built-in DPIA templates. AI risk assessment generates impact scores with mitigation recommendations.
IP Anonymisation Enabled by Default
ARQERA analytics use IP anonymisation out of the box. No IP addresses are collected or stored. Do Not Track headers are respected. Analytics are consent-gated.
Complete GDPR coverage, including DSAR workflows, consent management, and DPIA templates, is on the dedicated GDPR page.
EU AI Act Quick Reference
Risk classification, documentation requirements, and compliance deadlines.
Risk Classification
Four-tier risk framework. Your obligations depend on where your AI system falls.
| Risk tier | Examples | Requirement |
|---|---|---|
| Unacceptable risk | Social scoring, real-time biometric surveillance, manipulation of vulnerable groups. | Prohibited. ARQERA blocks deployment of systems classified at this level. |
| High risk | Critical infrastructure, employment, education, law enforcement, immigration, essential services. | Full Annex III documentation, conformity assessment, human oversight, and technical monitoring required. |
| Limited risk | Chatbots, deepfakes, emotion recognition systems. | Transparency obligations. Users must be informed they are interacting with AI. |
| Minimal risk | Spam filters, AI-enhanced games, inventory management. | No mandatory requirements. Voluntary codes of conduct encouraged. |
ARQERA EU AI Act Features
| Feature | Description |
|---|---|
| Risk classification engine | Automated classification of AI systems against the four-tier risk framework |
| Annex III documentation | Template-driven documentation generation for high-risk AI systems |
| Transparency logs | Record of AI involvement in decisions, disclosures to users |
| Human oversight controls | Approval workflows ensuring humans remain in the loop for high-risk decisions |
| Technical documentation | System architecture, training data, performance metrics, and limitations recorded |
| Conformity assessment prep | Pre-audit readiness checks against EU AI Act requirements |
Deadline: August 2, 2026
High-risk AI systems (Annex III) must be fully compliant by this date. Non-compliance penalties: up to 7% of global annual revenue. Start your compliance assessment now to avoid last-minute gaps.
Full EU AI Act guidance, including risk assessment tools, Annex III templates, and conformity assessment, is on the dedicated EU AI Act page.
HIPAA Quick Reference
Administrative, physical, and technical safeguards for protected health information.
Three Safeguard Categories
HIPAA requires administrative, physical, and technical safeguards. ARQERA covers all three.
Administrative
- Security management process and risk analysis
- Workforce training and awareness programmes
- Access authorisation and role management
- Incident response procedures
- Contingency planning and data backup
Physical
- Facility access controls and validation
- Workstation use and security policies
- Device and media controls
- Disposal and re-use procedures
- Physical access audit trails
Technical
- Unique user identification and access control
- Audit controls and activity logging
- Data integrity verification
- Transmission security (encryption in transit)
- Automatic session timeout
Business Associate Agreement (BAA)
ARQERA provides a BAA on the Enterprise plan. If you handle protected health information (PHI) and need ARQERA as a business associate, contact our sales team for BAA execution.
Full HIPAA coverage, including PHI flow mapping, incident response procedures, and breach notification, is on the dedicated HIPAA page.
Getting Started with Compliance
Five steps from zero to audit-ready. No consultants, no spreadsheets.
Choose Your Frameworks
Navigate to Settings and select which compliance frameworks apply to your organisation. SOC 2, GDPR, HIPAA, EU AI Act, or any combination.
Map Your Policies
ARQERA maps your existing governance policies to framework controls automatically. See which controls you already satisfy and which need work.
Review Gaps
Get a clear view of compliance gaps with severity ratings and remediation recommendations. No guesswork, no surprises.
Enable Evidence Collection
Turn on automated evidence collection. Every action that maps to a compliance control generates a tamper-evident artifact in the Evidence Chain.
Export Audit Reports
Generate audit-ready reports on demand. PDF for auditors, CSV for spreadsheets, JSON for integrations. Evidence attached, gaps annotated.
One Action, Multiple Frameworks
A single governance action can satisfy controls across SOC 2, GDPR, HIPAA, and EU AI Act simultaneously.
| Action | SOC 2 | GDPR | HIPAA | EU AI Act |
|---|---|---|---|---|
| Enable MFA for all users | CC6.1 | Art. 32 | 164.312(d) | Art. 9(4) |
| Log all data access events | CC7.2 | Art. 30 | 164.312(b) | Art. 12 |
| Automate user deprovisioning | CC6.3 | Art. 5(1)(e) | 164.312(a) | -- |
| Encrypt data at rest and in transit | CC6.7 | Art. 32 | 164.312(e) | Art. 15 |
| Record AI decision rationale | CC4.1 | Art. 22 | -- | Art. 13-14 |
| Conduct quarterly risk assessments | CC9.1 | Art. 35 | 164.308(a) | Art. 9 |
Ready to automate compliance?
Start collecting evidence automatically. Choose your frameworks and be audit-ready in days, not months.