Loading…
Loading…
SOC 2, PCI DSS, and ISO 27001 compliance · self-hosted
Scorifya Controls runs 54 automated checks across AWS, GitHub, GCP, and Azure, each mapped to SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022 Annex A, tracks 36 manual controls with evidence, and generates audit-ready reports plus a Statement of Applicability, all self-hosted on your own infrastructure, with no per-seat licensing. Built for seed-stage startups and small SaaS teams preparing for their first SOC 2 audit, a SAQ A / A-EP PCI assessment, or an ISO 27001 certification.
Watch the overview
A 90-second walkthrough of why self-hosting keeps your compliance tooling out of your audit scope, and what one deployment covers across SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022.
See it before you buy
Live screenshots from a running instance, not mockups. What you see is what ships on day one. Or skip the screenshots and click through the live demo yourself.
The dashboard shows your live compliance posture score, a trend chart across every check run, and a precise count of what's passing and failing right now. The drift detection banner surfaces exactly what changed since your last run, what broke, what you fixed. When your auditor asks how controls performed across the observation window, you show them this chart. No spreadsheet. No manual assembly.

Every check is dual-mapped: a SOC 2 Trust Services Criterion and the matching PCI DSS 4.0.1 requirement, side by side on the same row. AWS, GCP, Azure, and GitHub checks all run against your live accounts and return results in minutes. Each failing check shows both the SOC 2 criterion and the PCI requirement plus severity, so you know exactly which gaps to close first. Your auditor and your QSA each see labels they already recognize. No translation required between what you've built and what they need to certify.

Vanta and Drata start at $10,000–$15,000/year and are built for Series B+ companies with dedicated security teams. Below that, teams either pay for tools they barely use or manage SOC 2 readiness through spreadsheets and manual screenshots.
Controls targets the $0–$7,500/year bracket: the team that just landed their first enterprise customer asking for a SOC 2, and needs a real tool, not a spreadsheet.
The steps to get audit-ready, in order, sent to your inbox. Pick your framework. One email, no drip campaign, and we never share your address.
Four written policies auditors expect to see, in Markdown you can edit and adopt: Information Security, Acceptable Use, Access Control, and Incident Response. Fill-in placeholders. No drip campaign.
54 checks run against your live cloud accounts, each mapped to specific AICPA Trust Services Criteria 2017 points of focus and PCI DSS 4.0.1 requirements.
36 manual controls with evidence tracking
Non-automatable controls across Governance, HR, Access Management, Risk, Change Management, Incident Response, Business Continuity, and Vendor Management, plus 8 PCI-specific controls for SAQ A / A-EP merchants (cardholder data flow diagram, payment-page script inventory, TPSP agreements, and more). Each has a named owner, next review date, overdue alerts, and file evidence upload (PDF, DOCX, PNG, XLSX up to 10 MB).
Posture score trend chart
Every check run is stored and grouped. A 30-run line chart shows your posture score over time, useful for demonstrating to auditors that controls operated effectively across the observation window, not just on the day of the audit.
Drift detection and Slack alerts
After every check run, results are compared against the previous run. New failures trigger a Slack notification. The dashboard surfaces "New failures since last run" and "Fixed since last run" banners so you always know what changed.
Audit period tracking
SOC 2 Type II requires a defined observation window (typically 6–12 months). Create a named audit period with start and end dates. The dashboard shows days elapsed, total days, and a progress bar so you always know where you stand.
Cryptographic attestation timestamps
Every manual attestation, adopted policy, and completed check run is sealed with an RFC 3161 timestamp from DigiCert or Sectigo. Evidence file contents are hashed into the attestation envelope, so replacing a file after attestation invalidates the stamp. Auditors verify offline with OpenSSL, no Scorifya account required. See the full trust model →
Auditor read-only portal
Generate a time-limited shareable link (30, 60, or 90 days) and send it directly to your CPA firm. They see live check history, all manual controls with evidence files, and per-attestation DigiCert timestamp verification, no login required, no PDF filtering, nothing to install.
Controls ships as a Docker image. You run it on your own infrastructure, your own VPS, cloud account, or internal server. AWS credentials, GitHub tokens, check results, evidence files, and attestation records never leave your environment. There is no external telemetry.
Compare that to SaaS compliance platforms: Vanta and Drata connect to your AWS and GitHub accounts and store your compliance data on their servers. For teams with data residency requirements or customers who ask where your audit evidence lives, Controls gives you a clean answer: on your server.
Three self-serve tiers, monthly or annual, plus an enterprise agreement for larger deployments. No per-seat pricing, no per-check pricing, no additional charges as your team grows.
The primary deployment artifact is a docker-compose.yml. On first boot, the database is pre-seeded with all 54 automated checks and 28 manual controls, no additional setup required.
# 1. Download the compose file
curl -O https://www.scorifya.com/docker-compose.yml
# 2. Set SESSION_SECRET and LICENSE_KEY in docker-compose.yml
# 3. Run
docker compose up -d
The image is published to ghcr.io/scorifya/controls:latest. Pin a specific version by replacing :latest with a semver tag (e.g., :1.2.0).
Docker
Any machine that runs Docker. The image includes Node.js and Python, no separate installs needed.
AWS IAM credentials (for AWS checks)
An IAM user or role with the SecurityAudit managed policy attached. Read-only, no write permissions used.
GitHub personal access token (for GitHub checks)
Token with repo, admin:org, and security_events scopes. Works with GitHub personal accounts and organizations.
GCP service account JSON (for GCP checks)
A service account with the Security Reviewer role. Download the JSON key from IAM → Service Accounts → Keys. Optionally configure domain-wide delegation for MFA enforcement checks.
Azure service principal (for Azure checks)
An app registration in Azure AD with Reader and Security Reader roles on the subscription. Requires Tenant ID, Client ID, Client Secret, and Subscription ID.
License key
Issued at scorifya.com. Without a key, the dashboard is read-only (existing data is visible, new runs and attestations are paused).
Three tiers, monthly or annual on every tier, no per-seat charges. Pick the scope that matches the clouds you actually run.
Founders pricing, 25 of 25 spots left
Starter
AWS-only. The seed startup's first SOC 2 tool.
billed annually, cancel any time
Pro
Every cloud you run. Most teams pick this.
billed annually, cancel any time
Team
Agencies and consultants. Multi-tenant.
billed annually, cancel any time
SOC 2, PCI DSS 4.0.1, and ISO/IEC 27001:2022, all three included. Every check maps to all three frameworks in one deployment, on every tier, at the current prices. No per-framework add-on. PCI coverage is scoped to SAQ A and A-EP merchants.
Your first month is the trial. Every self-serve tier is billed monthly with no annual contract, backed by a 30-day money-back guarantee. If Controls doesn't work for your environment, email team@scorifya.com within 30 days for a full refund. No questions asked. One 30-day guarantee per company (per email or registered domain); prior refunded orders aren't eligible for another. Enterprise agreements carry their own contract terms.
Enterprise
From $999/mo billed annually, for companies running multiple instances or business units. Adds a custom registered-domain count, annual invoicing with net-30 terms, MSA and DPA review, security questionnaire support, and priority support. Same self-hosted product; your security team can evaluate the public demo right now with no NDA and no discovery call. .
Comparing compliance platforms?
See how self-hosted Controls stacks up as a Vanta alternative, a Drata alternative, a Comp AI alternative, or a Probo alternative.
vCISO or compliance consultant?
Refer clients and earn 20% recurring commission for 12 months per client.
Need to check your public security posture first? Run a free Scorifya scan →



Automated checks cover roughly half of what a SOC 2 or PCI DSS audit touches. The rest is people, process, and policy: security awareness training, vendor reviews, incident response procedures, background checks. Each manual control gets a named owner, a next review date, and an evidence file upload. Overdue items surface immediately. Nothing slips through the cracks the week before your auditor shows up, because the system has been tracking it the entire observation period.

Connect AWS, GitHub, GCP, and Azure from a single integrations page. Every credential you enter, your AWS access key, GitHub personal access token, GCP service account JSON, is stored encrypted in the SQLite database running on your own infrastructure. It never transits Scorifya's servers. Compare that to Vanta: their OAuth authorization stores your AWS read access on their platform. If your customers ever ask where your audit evidence lives, your answer with Controls is two words: our server.

When your CPA firm requests evidence, you hand them this. Your organization name. Report date. Overall posture summary. A complete table mapping every check to its Trust Services Criterion with pass/fail status. No waiting on a support ticket to generate your own report. File → Print → Save as PDF in your browser, and you have a document your auditor can open and review in their own workflow. The audit report is the reason everything else in Controls exists, and it's generated from data that has never left your server.


Print-to-PDF audit report
A print-optimized report shows org name, report date, pass/fail summary, and a full controls table with TSC criteria. Browser → Print → Save as PDF produces a document auditors can review.
License key delivered by email within minutes. Cancel and update your card any time from your billing portal. Existing customer? Recover your license key or change your registered domain. Need an invoice or Net-30 (Team and Enterprise)? Contact us.
More detailed answers to real-world issues, evidence that satisfies auditors, common check failures, air-gapped deployments, and more, in the full help guide →