Skip to main content
For security, compliance, and privacy

SOC 2, HIPAA, GDPR — evidence you can pull, not promise.

The compliance surfaces a security review asks for — SOC 2 Type II evidence, a signable HIPAA BAA, GDPR/CCPA consent, SCIM deprovisioning, SSO, BYOK, and an immutable audit log — ship as first-class product surfaces you can self-serve. Every claim on this page maps to a screen you can open, not a roadmap slide.

Illustrative outcomes — composite of design-partner deployments

↓ 4 days

audit-evidence gathering time

↓ 0

shadow accounts after IdP deprovisioning

↑ 100%

of compliance artifacts self-serve at /trust

↓ 78%

security-questionnaire turnaround with the evidence vault

What you get on day one

Six things you stop juggling.

SOC 2 Type II evidence, collected for you

Evidence collection runs automatically against the immutable audit log. When the auditor asks for access reviews or change history, you export NDJSON — you don't spend four days assembling a folder.

The trust center is self-serve

Standard DPA, signable HIPAA BAA, SOC 2 Type II report, AI subprocessor list, and penetration-test summary live at /trust. Your prospect's legal team gets the packet without a sales call, and yours stops re-sending PDFs.

Immutable audit log → your SIEM

Every mutation is an event with actor, IP, before/after, and a correlation id. Stream it to Datadog, Splunk, or ELK via webhook, or pull NDJSON. Retention is configurable per tenant — keep 30 days or seven years.

SSO + SCIM deprovisioning

SAML, OIDC, Entra ID, Google Workspace, Okta. SCIM provisions users into Pact roles automatically, and when IT removes someone from the IdP group their Pact access disappears in the same sync cycle — no shadow accounts to chase.

BYOK + customer-managed keys

Bring your own data-encryption keys via KMS (AWS, Azure, GCP). Rotate without downtime; the system re-wraps data keys in the background, and key lineage is visible in the admin UI. Audit-grade key separation per tenant.

Consent + lawful basis as a ledger

GDPR + CCPA consent, suppression, and lawful basis are a tenant-scoped ledger checked at send time. A data-subject request is a query, and every blocked send is recorded with its reason — so privacy is provable, not asserted.

Explore the modules

The shipped product surfaces this role lives in.

Every control the security review asked for was a screen I could open, not a promise on a slide. The auditor got NDJSON the same morning they asked.

Head of Security · Regulated SaaS · illustrative scenario · illustrative scenario

More Trust & Security roles

See what Pact costs for your team.

Transparent plans — the Free plan stays free under the limits, and Pro and Team open with a 14-day trial, full features, no card. Compare them side by side.

Last reviewed: 2026-07-10

American English · claims grounded against shipped functionality

Closes DP-014 + DP-015