Compliance · Sovereign Infrastructure · SaaS

custodia™

Sovereign Compliance Infrastructure as a Service. Every compliance event is HMAC-SHA256 signed and written to an append-only ledger — independently verifiable by any auditor without trusting the platform. Evidence you can prove. Not just evidence you can show.

MSSP and enterprise deployments · Questions? steven.hasson@omniapan.ai

Compliance evidence has a trust problem.

Every compliance platform today lets you upload evidence and show it to an auditor. None of them can prove that evidence hasn't been altered since it was uploaded. Hashes are stored in the same database as the files. The platform is the single point of trust — and the single point of failure.

For DoD contractors pursuing CMMC Level 2 certification, regulated enterprises facing SOC2 audits, and organizations under HIPAA or PCI-DSS scrutiny, "trust the platform" is not an acceptable answer. C3PAO assessors don't want to trust your platform. They want independently verifiable proof.

Sovereign ledger. Independently verifiable.

custodia™ writes every compliance event — control scored, evidence uploaded, policy attested, ODP completed — as an HMAC-SHA256 signed entry to an append-only sovereign ledger. The signature covers the event payload, the tenant identity, and the timestamp. Any auditor with the HMAC secret can verify every event independently, without accessing the custodia platform at all.

Ledger Events: 95,000+ signed events · append-only · HMAC-SHA256
Evidence Integrity: SHA-256 verified on every download · tamper detection built in
No Competitor Has This: OneTrust, RegScale, Drata — none write to a signed sovereign ledger
MSSP Pipeline: omniaTRIAGE case closure writes evidence automatically · MOAT #1
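
An auditor-side check of the signed ledger described above, as an added example that is not custodia's own code. The entry layout, field names, canonical JSON encoding, secret and sample events are all assumptions constructed for illustration; the page does not publish the real ledger format.

```python
import copy
import hashlib
import hmac
import json

def canonical_bytes(entry):
    # Assumed canonical form: the three signed fields as sorted-key compact JSON.
    signed = {k: entry[k] for k in ("tenant", "timestamp", "payload")}
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_entry(secret, tenant, timestamp, payload):
    # Hypothetical signer, present only to build the constructed sample ledger.
    entry = {"tenant": tenant, "timestamp": timestamp, "payload": payload}
    entry["sig"] = hmac.new(secret, canonical_bytes(entry), hashlib.sha256).hexdigest()
    return entry

def verify_ledger(secret, entries):
    """Return the indices of entries whose HMAC-SHA256 signature does not verify."""
    failed = []
    for i, entry in enumerate(entries):
        try:
            expected = hmac.new(secret, canonical_bytes(entry), hashlib.sha256).hexdigest()
            # Constant-time comparison; a missing signature counts as a failure.
            ok = hmac.compare_digest(expected, entry.get("sig", ""))
        except (KeyError, TypeError, AttributeError):
            ok = False
        if not ok:
            failed.append(i)
    return failed

# Constructed sample data: secret, tenants, timestamps and events are made up.
SECRET = b"constructed-demo-secret"
LEDGER = [
    sign_entry(SECRET, "tenant-a", "2025-01-01T00:00:00Z", {"event": "control_scored", "status": "met"}),
    sign_entry(SECRET, "tenant-a", "2025-01-01T06:00:00Z", {"event": "evidence_uploaded", "sha256": "00" * 32}),
    sign_entry(SECRET, "tenant-b", "2025-01-02T00:00:00Z", {"event": "policy_attested", "version": 3}),
    sign_entry(SECRET, "tenant-b", "2025-01-02T01:00:00Z", {"event": "odp_completed"}),
]

def tampered_ledger():
    # Alter one signed field in each of the first three entries, strip one signature.
    t = copy.deepcopy(LEDGER)
    t[0]["payload"]["status"] = "not_met"       # payload changed
    t[1]["timestamp"] = "2024-12-01T06:00:00Z"  # timestamp backdated
    t[2]["tenant"] = "tenant-a"                 # moved to another tenant
    del t[3]["sig"]                             # signature removed
    return t

if __name__ == "__main__":
    print("intact:", verify_ledger(SECRET, LEDGER))
    print("tampered:", verify_ledger(SECRET, tampered_ledger()))
```

Because HMAC is symmetric, whoever holds the verification secret can also produce valid signatures, so the secret handed to an auditor needs the same protection as the signing key.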

Six frameworks. One platform.

custodia™ supports six compliance frameworks out of the box, with 495 seeded controls and automated cross-mapping between CMMC L2, NIST CSF 2.0, SOC2 Type II, and ISO 27001:2022. Score once — derive across frameworks. Automated controls are scored every six hours via the omniapan.ai™ engine feed.

CMMC Level 2 · NIST CSF 2.0 · SOC2 Type II · ISO 27001:2022 · HIPAA Security Rule · PCI-DSS v4.0
495 controls seeded · 241 automated · 254 manual
Cross-mapping: CMMC ↔ NIST CSF ↔ SOC2 ↔ ISO 27001 — 110 practices fully mapped
Automated control scoring every 6 hours via scheduled workers — never overwrites manual scores
SPRS score computed live — Grade A through F — C3PAO package generation on demand

Assessment-ready from day one.

custodia™ generates a complete C3PAO evidence package on demand — SSP summary, SPRS score, evidence manifest with SHA-256 hashes, full ledger audit trail, POA&M with milestones, and a pre-assessment readiness checklist. The What-if SPRS analyzer shows the exact impact of remediating each not-met control before assessment day.

SSP export — JSON and DOCX — SHA-256 signed to sovereign ledger on generation
C3PAO package: cover + SPRS + controls + evidence manifest + POA&M + ledger audit trail + integrity hash
What-if SPRS analyzer — ranked remediation impact before assessment
Pre-assessment checklist — scoring coverage, ODP completion, evidence, POA&M completeness
Auditor role — scoped read-only access to public evidence + ledger proof only

Multi-tenant. Sovereign. MSSP-native.

custodia™ is a multi-tenant backend with a modern React frontend, an encrypted evidence store on a dedicated volume, a task queue for automated scoring, and bot blocking at the perimeter. Authentication to the practitioner workspace is gated by semelpass.ai.

Roles: practitioner · client · auditor · owner — scoped per engagement
omniaTRIAGE pipeline: case closure writes evidence to custodia automatically
Service key architecture — every integration gets its own revocable key
Evidence locker: /vault/data — encrypted · SHA-256 verified on every download
Policy versioning · ODP fields · attestation · licensing tiers built in