SOC 2 Type II evidence, collected for you
Evidence collection runs automatically against the immutable audit log. When the auditor asks for access reviews or change history, you export NDJSON — you don't spend four days assembling a folder.
The compliance surfaces a security review asks for — SOC 2 Type II evidence, a signable HIPAA BAA, GDPR/CCPA consent, SCIM deprovisioning, SSO, BYOK, and an immutable audit log — ship as first-class product surfaces you can self-serve. Every claim on this page maps to a screen you can open, not a roadmap slide.
Illustrative outcomes — composite of design-partner deployments
↓ 4 days
audit-evidence gathering time
↓ 0
shadow accounts after IdP deprovisioning
↑ 100%
of compliance artifacts self-serve at /trust
↓ 78%
security-questionnaire turnaround with the evidence vault
What you get on day one
Evidence collection runs automatically against the immutable audit log. When the auditor asks for access reviews or change history, you export NDJSON — you don't spend four days assembling a folder.
Standard DPA, signable HIPAA BAA, SOC 2 Type II report, AI subprocessor list, and penetration-test summary live at /trust. Your prospect's legal team gets the packet without a sales call, and yours stops re-sending PDFs.
Every mutation is an event with actor, IP, before/after, and a correlation id. Stream it to Datadog, Splunk, or ELK via webhook, or pull NDJSON. Retention is configurable per tenant — keep 30 days or seven years.
SAML, OIDC, Entra ID, Google Workspace, Okta. SCIM provisions users into Pact roles automatically, and when IT removes someone from the IdP group their Pact access disappears in the same sync cycle — no shadow accounts to chase.
Bring your own data-encryption keys via KMS (AWS, Azure, GCP). Rotate without downtime; the system re-wraps data keys in the background, and key lineage is visible in the admin UI. Audit-grade key separation per tenant.
GDPR + CCPA consent, suppression, and lawful basis are a tenant-scoped ledger checked at send time. A data-subject request is a query, and every blocked send is recorded with its reason — so privacy is provable, not asserted.
The shipped product surfaces this role lives in.
“Every control the security review asked for was a screen I could open, not a promise on a slide. The auditor got NDJSON the same morning they asked.”
Head of Security · Regulated SaaS · illustrative scenario · illustrative scenario
More Trust & Security roles
Transparent plans — the Free plan stays free under the limits, and Pro and Team open with a 14-day trial, full features, no card. Compare them side by side.
Last reviewed: 2026-07-10
American English · claims grounded against shipped functionality
Closes DP-014 + DP-015