VerifAI is a compliance automation platform that helps teams implement, map, and maintain controls across frameworks like SOC 2 and ISO 27001. We use a modern web stack, an opinionated data model, and integrations to collect evidence, assess gaps, and keep audit readiness on track.
Architecture
- Modern web application architecture with strong typing and validation.
- Modular API endpoints and background processing for automation.
- Relational database with row-level access policies.
- Standards-based authentication with role-based access control (RBAC).
- Continuous delivery with automated testing and gated production releases.
Security & Data Handling
We enforce least-privilege access with RBAC and row-level data isolation. Application inputs are validated and privileged operations are isolated.
- Policy-driven access controls constrain all user data access.
- Least privilege: separate roles for users and background operations.
- Secrets management via environment configuration; not persisted in customer data.
- Auditability: activity logging and evidence lineage are preserved.
Data Model (High-level)
Core entities and relationships:
- Organization → Members, Settings, Plans
- Frameworks → Controls, Mappings
- Evidence → Sources, Artifacts, Reviews
- Integrations → Connectors, Schedules
- Policy Library → Versions, Diff, Approvals
- Tasking → Assignments, Status, Audit readiness
Integrations
First-party connectors and evidence collectors with plan-based limits.
- Source control, messaging, and cloud providers
- HR, identity, and ticketing systems
- More integrations on the roadmap
Automation & AI
AI-assisted policy drafting, control mapping suggestions, and evidence triage. Human-in-the-loop with clear diffing and approvals.
- Control coverage recommendations per framework
- Evidence classification and duplicate detection
- Change summaries and auditor-friendly reports
Deployment & Environments
- Cloud-hosted frontend and API with CI-controlled deploys
- Hardened database schema and permissions
- Versioned schema migrations
API Access
Public API endpoints are being rolled out. Today, most interactions go through authenticated application routes.
Interested in early access? Contact us with your use case.
Technical FAQs
How do you handle data access?
Postgres RLS and application-side checks enforce org-level isolation. Service operations use service_role with explicit grants.
What’s your uptime story?
We deploy via CI, monitor with health checks, and maintain incident runbooks. Status is published at /status.
Can we export evidence and reports?
Yes. Evidence artifacts and reports can be exported; auditor access is supported via Trust Portal.
Want the deep dive?
Book a technical session with our team or start a free trial.