The CTO's frame: compliance as a build-time concern
Most compliance platforms add a parallel org. A new repo. A separate evidence collection cycle. A different cadence than engineering. A second support contract. A different vendor's dashboard your team has to keep an eye on. The structural problem is not the platform — it's the architectural choice that compliance must be collected rather than produced. Collection requires a separate workflow. Production happens inside the workflow you already have.
acipta inverts the model. Compliance evidence is a byproduct of the CI pipeline your team already runs:
- Every PR generates per-rule verdicts attached to the commit SHA — GDPR Article, HIPAA CFR, WCAG success criterion, EU AI Act Article — keyed by the same identifier engineering already tracks.
- Every deploy attaches signed evidence to the build artifact. The same artifact your auditor accepts is the same artifact your deploy system tracks — keyed by commit SHA, retrievable by build number.
- Every regression is caught at the source where it was introduced. Not "next quarter's audit." Not "next year's annual review." The PR-level gate where engineers actually look.
- Every finding opens a GitHub issue (or Linear ticket, or Jira) with reproducible steps, fix-it commands, and the per-criterion verdict attached. Same surface engineering already uses for bugs.
The opposite of workflow-grounded is what most compliance-automation products are: a parallel org with a different cadence. acipta is built so the compliance team reads the same dashboards engineering reads — not a vendor portal with a separate login.
The 3-buyer simultaneity from the CTO's seat
Three readers procure acipta together. From your seat:
The CCO needs defensible evidence across multiple frameworks. The auditor needs byte-identical replay at year 5. You need release velocity — compliance grounded in the workflow you already ship. acipta is built so all three readers see the same answer.
The CCO's audit-defensibility argument depends on per-verdict cryptographic evidence — Ed25519 at write time, RFC 3161 timestamps, hash-chained ledger. Your job is to ensure that doesn't add overhead to release velocity. acipta's commitment: signing happens at agent-emit time, not at audit time. The cryptographic primitives run inside the same managed compute job that produces the verdict — there's no "now sign everything for the audit" batch job that breaks the velocity budget.
ASP-1.0 — the open adapter protocol
The architectural commitment that protects you from vendor lock-in across the next 5+ years:
ASP-1.0 (Adapter Specification Protocol v1.0) is the open standard for third-party tools and frameworks that plug into acipta without breaking the cryptographic replay guarantee. Specification covers:
- Cryptographic boundary — adapters sign their I/O at the plugin boundary with their own Ed25519 keys, declared in the conformance manifest. acipta verifies adapter signatures before consuming output.
- Conformance class — each adapter declares Class A (deterministic-only, byte-identical replay), Class B (deterministic with seeded randomness, byte-identical given seed), or Class C (judgment-layer LLM, replay requires pinned model bundle).
- Deterministic-only entry points — every adapter exposes at least one deterministic entry point. AI judgment is opt-in, not architectural default.
- Capability tokens — adapters declare their required capabilities; acipta refuses to invoke adapters with broader capabilities than declared.
- Replay bundle pinning — when an adapter is deprecated, acipta replays against the pinned ASP-1.0 bundle (frozen as of the original verdict date), not the live adapter. The replay contract holds for 5+ years even when the upstream adapter is gone.
What this gives you operationally: swap LLM vendors, change downstream tools, evolve the stack — without restarting the audit chain. The 5-Year Replay Guarantee holds across LLM deprecation, vendor change, and integration evolution. This is why acipta deliberately does not bet on a single LLM provider, a single cloud, or a single integration partner.
How acipta fits with your existing stack
| Your existing layer | What it does | How acipta integrates |
|---|---|---|
| Build AI (Dataiku, Databricks, Hugging Face) | Train, tune, and deploy AI models | ASP-1.0 adapter ingests model registry events. Pinned model versions land in Determinism Ledger automatically. |
| Systems of record (Snowflake, BigQuery, Postgres, S3) | Source-of-truth data for compliance evidence | RAG read via ASP-1.0 adapters. Read-only access, signed at the plugin boundary. |
| Source control + CI (GitHub, GitLab) | Code repo + build pipeline | Native Actions/webhooks. Verdict-on-PR, evidence-on-deploy, finding-as-issue. |
| Identity (Okta, Auth0, Azure AD) | SSO + RBAC | Capability-token mapping. Roles in your IdP map to acipta capability scopes via ASP-1.0. |
| Observability (Datadog, New Relic, Honeycomb) | Production telemetry | acipta emits signed verdicts as structured events. Same dashboards engineering uses. |
| GRC tooling (Vanta, Drata, OneTrust) | SOC 2 / ISO 27001 program management | Coexists. acipta produces audit-defensible evidence; GRC tooling manages the program. Most CCOs use both. |
The frame is acipta plus your existing stack — not a wholesale replacement. Specific integrations land per quarter via the Plugin Audit Mode roadmap. See the platform architecture page for the substrate that makes this composability operational.
The foundation infrastructure (the substrate you procure)
acipta is built on a managed cloud platform with a deliberate cloud-agnostic timestamping layer:
- Managed compute — stateless deterministic execution. Per-tenant isolation via service-account boundaries.
- Document store — verdict metadata + indexing. Strong consistency for the verdict chain.
- Analytics warehouse — analytics + Evidence Locker cold storage. 5-year retention guaranteed.
- Object storage — source artifact storage. SHA-256-keyed, immutable, customer-managed encryption keys.
- FIPS-validated HSM — Ed25519 key custody. Per-tenant key isolation. Tamper-evident.
- independent third-party trusted timestamp authority — RFC 3161 timestamping. Deliberately cloud-agnostic so the timestamp is portable across infrastructure changes over the 5-year retention horizon.
Multi-cloud is deployment-target (per-tenant), not active-active. Preserves a single cryptographic substrate per tenant. If your enterprise contract requires AWS or Azure rather than GCP, that's available via the deployment-target option — same code, same evidence chain, different cloud-runtime binding.
What you commit to (and what acipta commits to)
What you commit to:
- Engineering signs off on the same evidence chain the auditor signs off on
- CI pipeline integration via GitHub Actions / GitLab Pipelines / equivalent webhook surface
- Read-only access to systems of record for RAG (no write access, no data movement)
- Capability-token configuration for new agent classes (5 min per new agent on average)
What acipta commits to:
- No parallel compliance org. Same surfaces, same identifiers, same tooling.
- 5-year replay guarantee — verdict_id today reconstructs byte-identically in 2031
- ASP-1.0 open adapter protocol — no vendor lock-in across LLM, cloud, or integration partner
- Cloud-agnostic timestamping — RFC 3161 portable across infrastructure changes
- Plugin Audit Mode — every third-party adapter signs at the boundary, replay-verifiable independently