acipta: the compliance platform for CCOs, not just SOC 2
acipta is the compliance platform built for the Chief Compliance Officer who owns a growing framework portfolio — not a SOC 2-only tool, and not a generic GRC dashboard. It produces defensible, byte-identically replayable evidence across SOC 2, HIPAA, GDPR, EU AI Act and WCAG 2.1 AA — audit-defensible by design — so one signed artifact satisfies your auditor today and your regulator years from now.
The CCO's three-buyer problem
Compliance procurement in 2026 is no longer a single CCO signature. Three readers arrive at the deal simultaneously — and the platform either satisfies all three or the deal stalls. We call this three-buyer simultaneity, and it is the reason audit-defensible compliance exists as a distinct architectural category from compliance automation.
A vendor whose CCO pitch contradicts the CTO pitch contradicts the auditor demonstration is selling three different stories about the same compliance-automation tool. acipta is built so the same chain — same Ed25519 signatures, same per-criterion evidence, same byte-identical replay — answers all three buyers verbatim.
What multiple frameworks looks like from one control catalog
The traditional model is one framework, one program. Every framework you add means another program, another parallel evidence collection, another annual audit, another budget line, another team. That model breaks at Series B for compliance staffing and at Series C for board defensibility.
acipta inverts the model. One canonical Control Mapping Catalog (CMC) projects N frameworks as N views. Add HIPAA after you ship SOC 2 — same evidence, no rebuild. Add the EU AI Act now that GPAI obligations are in force — same evidence, no rebuild. The more frameworks acipta projects from one CMC, the cheaper each next framework becomes. This is the architectural commitment that makes multi-framework defensibility economical for a Series B-D CCO.
The full suite catalog (one platform, projected views)
- A11Y · WCAG 2.1 AA + 2.2 AA — 25 agents · per-success-criterion evidence · VPAT 2.5 auto-generation. ADA Title II Final Rule defensibility. GA July 12, 2026. See federal-floor pillar.
- HIPAA & Healthcare — 23 agents · per-CFR (45 CFR 160/162/164) Privacy / Security / Breach Notification rules · BAA at contract.
- GDPR — 20 agents · per-Article coverage of all 99 articles · RoPA, DPIA, DSAR.
- CCPA / CPRA — 16 agents · DSAR + Global Privacy Control + opt-out mechanics.
- Privacy (multi-jurisdiction) — 15 agents · CMC views across state and national privacy laws · consent, data minimization, retention.
- EU AI Act & ISO 42001 — 10 agents · GPAI obligations (Articles 49-55 · now in force) + high-risk Annex III · ISO/IEC 42001 AI management.
- Security GRC — 8 agents · SOC 2 + SOX-ITGC module · multi-framework views from one CMC.
- On the post-GA roadmap — additional verticals including Identity Governance, ITOps, KYC/AML, GovCon, Clinical Trials, Telehealth, and Financial GRC. Each ships as another CMC view, not a parallel program.
117 agents. All projected from one CMC. All producing the same per-verdict Ed25519-signed evidence chain. See the full platform architecture for the substrate that makes this economical.
Per-Article / per-CFR / per-§ defensibility
The traditional compliance audit asks "do you have a HIPAA program?" The 2026 regulatory question is sharper: "show me your evidence for 45 CFR § 164.312(b) on May 15, 2026." One CFR. One date. One verdict. acipta indexes evidence at the regulatory citation level — the granularity at which regulators, plaintiffs' attorneys, and forensic auditors actually work.
| Framework | Citation granularity | acipta evidence index |
|---|---|---|
| GDPR | per-Article (1–99) | Per-Article verdict log · DPIA evidence · RoPA · DSAR audit trail |
| HIPAA | per-CFR (45 CFR 160 / 162 / 164) | Per-CFR verdict log · access control · audit controls · transmission security |
| CCPA / CPRA | per-§ (Civil Code §1798.100 et seq.) | Per-§ verdict log · GPC compliance · sale opt-out · sensitive PI |
| WCAG 2.1 AA | per-success-criterion (50 at A+AA) | Per-criterion verdict log · VPAT 2.5 auto-derived from signed evidence |
| EU AI Act | per-Article (1–113) | Per-Article verdict log · GPAI obligations · high-risk Annex III |
| SOX 404 | per-control (COSO mapped) | Per-control verdict log · ITGC · revenue recognition · journal entry |
When a regulator returns in 2031 and asks about a specific Article on a specific date, you return the per-Article verdict log with Ed25519 signatures, RFC 3161 timestamps, and the byte-identical replay artifact. Not a screenshot. Not a dashboard. The cryptographic chain that produced the certification produces the answer.
The five fundamentals (and why automation fails them)
Audit-defensible compliance satisfies five fundamentals on every verdict. Compliance automation platforms typically deliver two or three. The gap is the difference between "we have controls" and "the auditor cannot challenge the evidence":
- Traceability — every verdict ties to a specific agent, model version, goal, and authorization
- Explainability — reasoning reconstructible from stored pipeline state, not regenerated post-hoc
- Authorization — every action aligns with defined permissions, capability tokens, and platform policy invariants
- Tamper-evidence — Ed25519 at write time + RFC 3161 timestamp + hash-chained to prior verdict
- Reproducibility — given verdict_id years later, reconstruct full pipeline state and re-execute. Output must hash-match — or replay fails explicitly
See the full architectural breakdown on our audit-defensible compliance pillar and the Black Box Flight Recorder explainer for the cryptographic substrate that makes the five fundamentals operational.
What this means for procurement
You and your CTO co-sign. Your General Counsel reviews the BAA. Your internal auditor verifies the byte-identical replay test before the deal closes. acipta's enterprise procurement package includes:
- Cryptographic substrate spec (Ed25519, RFC 3161, Determinism Ledger, Evidence Locker)
- SOC 2 Type 2 attestation (targeted August 30, 2026), HITRUST e1 self-assessment (Q3 2026)
- HIPAA BAA at contract
- GDPR processor commitments (Article 28)
- 5-year minimum verification support guarantee
- ASP-1.0 open adapter protocol — no vendor lock-in on third-party integrations
- Cloud-agnostic timestamping — RFC 3161 via independent third-party trusted timestamp authority, portable across infrastructure