
firmguardio

Audit Binder · SOC 2 · ISO 27001 · HIPAA · Merkle-anchored

Open the binder, sweep five providers, and hand your auditor a URL that proves itself on her own laptop.

FirmGuard is the audit binder for a 38-person firm: one OAuth sweep collects 84 evidence leaves from GitHub, AWS, Okta, Google Workspace, and Stripe in roughly ninety seconds. Stamp a single leaf and our crosswalk maps it onto SOC 2, ISO 27001, and HIPAA simultaneously. Every leaf is SHA-256 anchored into a per-tenant Merkle tree whose root publishes daily — your auditor verifies inclusion proofs in WebCrypto, on her own machine, without ever touching your server.

Start a 90-second SOC 2 sweep · See a sample audit binder

No card required. OAuth scopes are read-only by default.

“My SOC 2 binder is literally a Google Drive folder called ‘SOC2 binder’ and a spreadsheet with 47 rows of controls. Half the rows say ‘screenshot needed’ and I have no idea which AWS console I’m supposed to screenshot.”

— Maya Okafor, Compliance Operations Lead (composite, drawn from compliance-officer interviews Q4 2025).

The three-framework binder

One sweep. Three binders. One leaf, stamped on all three.

The crosswalk is deterministic — a JSON mapping table that says “SOC 2 CC6.1 is ISO 27001 A.5.15 is HIPAA §164.312(a)(1).” When you evidence one, the other two ignite within 200 milliseconds. You stop holding three frameworks in your head.

Binder · AICPA TSP-100 / 2017 Trust Services Criteria

SOC 2 — Type II

CC6.1 · Logical access — Okta MFA enforcement policy + group-membership snapshot

22 / 24 controls evidenced

Binder · Annex A — Information Security Controls

ISO/IEC 27001:2022

A.5.15 · Access control — auto-mapped from SOC 2 CC6.1 via crosswalk.json

24 / 24 controls evidenced

Binder · 45 CFR §164.308 / §164.312 — Administrative & Technical Safeguards

HIPAA Security Rule

§164.312(a)(1) · Access control standard — auto-mapped from SOC 2 CC6.1 via crosswalk.json

18 / 22 controls evidenced

Spine click opens the binder to its control register via the View Transitions API. The full interactive flow — collect, stamp, cross-stamp, auditor-mode share URL — lives on the evidence route.

What is rare here

Three things Vanta and Drata do not ship to a 38-person firm.

K5.3

Five-anchor OAuth sweep

Most compliance SaaS ship two providers (GitHub + AWS). Your firm runs on Google Workspace + Okta + Stripe — so we evidence those too. One sweep. Eighty-four leaves. Roughly ninety seconds.

K2.2

Public Merkle inclusion proofs

Every evidence leaf is SHA-256 anchored into a per-tenant Merkle tree. The root publishes daily to /.well-known/firmguard-merkle-root.txt. Your auditor verifies any leaf in WebCrypto, on her laptop, with your server offline.

K7.4

SBOM auto-generated (2026 SOC 2 requirement)

AICPA TSP-100 §SC-4.2 (Q1 2026 amendment) requires software supply chain inventory evidence. We run syft on every prod deploy and commit SPDX-2.3 + CycloneDX to a public read-only repo — linked from your /trust page.