Compliance · at design time
Compliance becomes a derivative of the architecture.
Regulatory evidence shouldn't be reverse-engineered from code at audit. In the chain, the rules are present while the design is made — so the audit isn't a project, it's a projection of what the architecture already knows.
- audit-readiness cycle
- 4–6 mo → 30 hr
- rule packs · HIPAA, SOC 2, HITRUST, PCI-DSS, FDA
- 5
- evidence derived from the architecture
- 100%
The shift
Compliance is no longer a frame around the work. It's load-bearing inside it.
- Compliance enters six months after launch.
- Auditors reverse-engineer the design from code.
- Evidence is a retrofit project — slow, manual, costly.
- A drift becomes an incident, then a finding.
- Rules are present while the decision is made.
- The architecture carries its own provenance.
- Evidence falls out of the chain — a projection.
- A drift is flagged before it reaches production.
Two products carry it
Codex
The rule layer
Carries regulatory knowledge as versioned rule packs, distributed by signal + fetch and available at design time. Rules are applied to the spec, the behavior, and the tests — not checked after the fact.
Proof
The verification
Verifies that the implementation conforms to what was designed — structural, behavioral, and schema conformance, checked against the assertion corpus. It surfaces every drift, and answers "did the decision survive?" with a proof.
The chain remembers which rules applied to which decision — forever.
Take a single decision — split inventory by region. Data residency isn't a feature; it's a regulation, a posture, a contractual obligation. Codex applies each rule to the decision and records it. When the SLA and the residency policy disagree, the conflict is surfaced for resolution, not silently resolved.
Regulatory rule packs
-
HIPAA
Health data privacy & security
-
SOC 2
Trust services criteria
-
HITRUST
Common security framework
-
PCI-DSS
Payment card data security
-
FDA
Regulated software controls
delivered by signal + fetch · versioned · canary-promoted
The governing principle
Violations surface. They never block.
Proof is an assurance surface, not a gate. You execute as you choose; the chain tells you exactly where you've drifted from the design — with the lineage to fix it. A flagged edge case that would have been a compliance incident is caught before it ships, not after.
-
PASS
EU residency — 100% of personal data within EU shards
-
DRIFT
cross-region audit emission — 4 events missing subject metadata
-
FLAG
dual-region records exhibit conflict-resolution drift
Run an audit-readiness pilot.
We run a real regulatory surface against your domain and show you the evidence falling out of the architecture — in hours, not months.