Skip to content

Early Access opens July 12 · $99/mo · all suites during the launch window · price locked through Q1 2027 · Join the waitlist →

For Chief Technology Officers · Workflow-Grounded Buyer · 2026

Compliance is a build-time concern. Not a quarterly fire drill.

acipta · Agent-based defensibility platform — workflow-grounded.

Same git. Same CI. Same evidence pipeline. No parallel compliance org. acipta agents run as build-time gates in the workflow your team already ships — generating per-rule verdicts on every PR, signing evidence at write time, and attaching cryptographic proofs to the same artifacts engineering and the CCO both inspect. ASP-1.0 open adapter protocol means no vendor lock-in. The frame is *acipta plus your existing stack*, not *acipta or your existing stack*.

Build-time compliance across SOC 2, HIPAA, GDPR and EU AI Act — same git, same CI, one signed evidence pipeline.

The CTO's frame: compliance as a build-time concern

Most compliance platforms add a parallel org. A new repo. A separate evidence collection cycle. A different cadence than engineering. A second support contract. A different vendor's dashboard your team has to keep an eye on. The structural problem is not the platform — it's the architectural choice that compliance must be collected rather than produced. Collection requires a separate workflow. Production happens inside the workflow you already have.

acipta inverts the model. Compliance evidence is a byproduct of the CI pipeline your team already runs:

The opposite of workflow-grounded is what most compliance-automation products are: a parallel org with a different cadence. acipta is built so the compliance team reads the same dashboards engineering reads — not a vendor portal with a separate login.

The 3-buyer simultaneity from the CTO's seat

Three readers procure acipta together. From your seat:

The CCO needs defensible evidence across multiple frameworks. The auditor needs byte-identical replay at year 5. You need release velocity — compliance grounded in the workflow you already ship. acipta is built so all three readers see the same answer.

The CCO's audit-defensibility argument depends on per-verdict cryptographic evidence — Ed25519 at write time, RFC 3161 timestamps, hash-chained ledger. Your job is to ensure that doesn't add overhead to release velocity. acipta's commitment: signing happens at agent-emit time, not at audit time. The cryptographic primitives run inside the same managed compute job that produces the verdict — there's no "now sign everything for the audit" batch job that breaks the velocity budget.

ASP-1.0 — the open adapter protocol

The architectural commitment that protects you from vendor lock-in across the next 5+ years:

ASP-1.0 (Adapter Specification Protocol v1.0) is the open standard for third-party tools and frameworks that plug into acipta without breaking the cryptographic replay guarantee. Specification covers:

What this gives you operationally: swap LLM vendors, change downstream tools, evolve the stack — without restarting the audit chain. The 5-Year Replay Guarantee holds across LLM deprecation, vendor change, and integration evolution. This is why acipta deliberately does not bet on a single LLM provider, a single cloud, or a single integration partner.

How acipta fits with your existing stack

Your existing layerWhat it doesHow acipta integrates
Build AI (Dataiku, Databricks, Hugging Face)Train, tune, and deploy AI modelsASP-1.0 adapter ingests model registry events. Pinned model versions land in Determinism Ledger automatically.
Systems of record (Snowflake, BigQuery, Postgres, S3)Source-of-truth data for compliance evidenceRAG read via ASP-1.0 adapters. Read-only access, signed at the plugin boundary.
Source control + CI (GitHub, GitLab)Code repo + build pipelineNative Actions/webhooks. Verdict-on-PR, evidence-on-deploy, finding-as-issue.
Identity (Okta, Auth0, Azure AD)SSO + RBACCapability-token mapping. Roles in your IdP map to acipta capability scopes via ASP-1.0.
Observability (Datadog, New Relic, Honeycomb)Production telemetryacipta emits signed verdicts as structured events. Same dashboards engineering uses.
GRC tooling (Vanta, Drata, OneTrust)SOC 2 / ISO 27001 program managementCoexists. acipta produces audit-defensible evidence; GRC tooling manages the program. Most CCOs use both.

The frame is acipta plus your existing stack — not a wholesale replacement. Specific integrations land per quarter via the Plugin Audit Mode roadmap. See the platform architecture page for the substrate that makes this composability operational.

The foundation infrastructure (the substrate you procure)

acipta is built on a managed cloud platform with a deliberate cloud-agnostic timestamping layer:

Multi-cloud is deployment-target (per-tenant), not active-active. Preserves a single cryptographic substrate per tenant. If your enterprise contract requires AWS or Azure rather than GCP, that's available via the deployment-target option — same code, same evidence chain, different cloud-runtime binding.

What you commit to (and what acipta commits to)

What you commit to:

What acipta commits to:

Frequently asked questions

What does "workflow-grounded" mean for the CTO?
Workflow-grounded means compliance evidence is produced as a byproduct of the CI pipeline your team already runs — not a parallel quarterly audit cycle. Every PR generates per-rule verdicts. Every deploy attaches signed evidence. Every regression is caught at the source. Same git, same CI, same evidence pipeline. No parallel org, no new staffing layer.
How does acipta avoid adding a parallel compliance org?
Agents run as CI jobs gated on the same triggers your pipeline already uses. Evidence commits alongside source — keyed by commit SHA, retrievable by PR number. Remediation is GitHub-issue-native — findings open issues with reproducible steps and per-criterion verdicts. The compliance team reads the same dashboards engineering reads.
What is the ASP-1.0 open adapter protocol?
ASP-1.0 is the open standard for third-party tools that plug into acipta without breaking the cryptographic replay guarantee. Adapters sign their I/O at the plugin boundary, declare their conformance class, and expose deterministic-only entry points. The replay contract holds even when an adapter is later deprecated — acipta replays against the pinned ASP-1.0 bundle, not the live adapter. Vendor-neutral by design.
How does this integrate with our existing stack (Dataiku, Databricks, Snowflake, etc.)?
acipta is not a replacement layer. Dataiku and Databricks build AI; acipta makes the AI defensible. Snowflake, BigQuery, Postgres are systems of record acipta reads via ASP-1.0 adapters. GitHub and GitLab are integration surfaces via webhooks and Actions. The frame is "acipta + your existing stack," not "acipta or your existing stack."

See workflow-grounded compliance in 20 minutes.

Bring a repo. We wire acipta into your CI for one suite, run a scan on a PR, sign the verdict, replay the hash — all inside the same workflow your team already ships.

Related guides

Go deeper

What is workflow-grounded compliance?

Compliance produced in the build pipeline, signed at write time.

The cryptographic evidence chain

Per-verdict evidence, signed and replayable, verifiable years later.

Last reviewed · Reviewed by the acipta compliance & accessibility team.

Was this page helpful?