Regulatory compliance

Compliance

How DriftGuard maps to DORA, NIS2, ISO 27001, and CIS Benchmarks.

DORA (EU Digital Operational Resilience Act)
Evidence ready

DriftGuard provides an audit-ready trail of every infrastructure change reviewed, blocked, or approved. Findings and policy decisions are timestamped, signed, and exportable as DORA evidence packs.

Art. 9 — ICT risk management
Art. 10 — Protection & prevention
Art. 11 — Detection
Art. 13 — ICT-related incident management

NIS2 (Network and Information Security Directive 2)
Evidence ready

Every DriftGuard PR analysis flags findings against NIS2 risk categories. Incident evidence — severity, blast radius, remediation time — is structured for NIS2 reporting.

Art. 21 — Cybersecurity risk measures
Art. 23 — Incident reporting obligations

ISO 27001:2022 (Information Security Management System)
Evidence ready

Checkov findings are mapped to ISO 27001 Annex A controls. Security assessment evidence per PR satisfies A.8.29 requirements without additional tooling.

A.8.8 — Vulnerability management
A.8.25 — Secure development lifecycle
A.8.29 — Security testing

GDPR (General Data Protection Regulation)
Compliant

DriftGuard processes only repository metadata and infrastructure plan output — no user data, no PII. Data residency is EU-only. DPA available on request.

Art. 25 — Data protection by design
Art. 32 — Security of processing

SOC 2 Type II (Service Organization Control 2)
In progress

The SOC 2 Type II audit is scheduled for Q4 2026 with Vanta-assisted readiness. CC8 (change management) evidence is already produced as a side effect of every DriftGuard PR review.

CC6 — Logical access
CC7 — System operations
CC8 — Change management

Evidence pack

Need a pre-packaged compliance evidence export for your auditor? Available on Team and Enterprise plans.
