Measured compliance — we evidence the automatable slice, you declare the rest, a named person signs.
A control the measurement catches failing can't be silently passed — overriding it is recorded, in full, in the artifact. We measure; you declare; we never certify — the honesty model an auditor trusts and a vendor can't game.
Non-technical by design — the verdict is in plain language; your security engineer drills the findings behind it.
A vendor's self-assessment isn't audit-defensible.
"We're NIS2-ready" on a supplier's letterhead is the party with the most to lose grading their own work.
Today: a checkbox you take on trust
Self-assessments with no measurement behind them, no gate against wishful answers, and nothing an auditor can re-derive.
Now: measured, gated, signed
The automatable slice measured; failures locked until justified in writing; the declaration signed by a named person and frozen to a commit and a rubric version.
One conformance home — the verdict up front, the findings a drill-down.
EU-regulated frameworks first
NIS2, DORA and GDPR up front — then SSDF, SLSA, OWASP ASVS, WCAG 2.2, ISO 27001, CRA and EN 301 549. Ten frameworks, one honest pattern.
A signed Conformance Pack
A PDF an auditor accepts: every override on record, measured-vs-declared never blurred, frozen to a commit and a pinned rubric.
The signing pack →
An evidence & audit register
Each declaration frozen and signed at signature time, with a CycloneDX SBOM and a PII data-flow map travelling inside the artifact.
Self-assess for free; sign when you're ready.
Measure
The automatable slice is evidenced from the code — no questionnaire to fill in first.
Gate
A control caught failing is pre-set to Fail and locked — overriding it requires a written justification, recorded in full.
Declare
You work the remaining controls; the verdict always shows measured vs declared, never blurring the two.
Sign
A named person signs; the declaration freezes to the commit and rubric. Self-assessment is free — signing into a Conformance Pack is the paid activation.
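The Measure, Gate, Declare, Sign flow above, as an added Python illustration that is not the product's own code: a measured failure is locked and can only be overridden with a recorded justification, measured and declared results are counted separately, and the pack is frozen to a commit and rubric version with a SHA-256 digest over its canonical JSON (assumed here as a stand-in for the real signing step) that an auditor can re-derive.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional
class GateError(Exception):
    """Raised when a locked (measured-failing) control is flipped without a written justification."""
@dataclass
class Control:
    control_id: str
    status: str                      # "Pass" or "Fail"
    source: str                      # "measured" (from the code) or "declared" (by the vendor)
    locked: bool = False             # a measured failure is locked: it cannot be passed silently
    override: Optional[dict] = None  # full override record, kept inside the artifact

def measure(control_id: str, check_passed: bool) -> Control:
    """Automatable control: the check decides the status and a failure is locked."""
    return Control(control_id, "Pass" if check_passed else "Fail", "measured", locked=not check_passed)

def declare(control_id: str, status: str) -> Control:
    """Non-automatable control: the vendor declares it, and it stays marked as declared."""
    return Control(control_id, status, "declared")

def override(control: Control, new_status: str, who: str, justification: str) -> Control:
    """The gate: a locked control changes only with a justification, recorded in full."""
    if control.locked and not justification.strip():
        raise GateError(f"{control.control_id}: measured failure needs a written justification")
    control.override = {"from": control.status, "to": new_status, "by": who, "justification": justification}
    control.status = new_status
    return control

def verdict(controls: list) -> dict:
    """Summary that never blurs measured and declared results, and counts every override."""
    out = {"measured_pass": 0, "measured_fail": 0, "declared_pass": 0, "declared_fail": 0, "overrides": 0}
    for c in controls:
        out[f"{c.source}_{c.status.lower()}"] += 1
        out["overrides"] += int(c.override is not None)
    return out

def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(controls: list, signer: str, commit: str, rubric_version: str) -> dict:
    """Freeze the declaration to a commit and rubric version (digest stands in for a real signature)."""
    body = {"signer": signer, "commit": commit, "rubric_version": rubric_version,
            "controls": [asdict(c) for c in controls], "verdict": verdict(controls)}
    return {"body": body, "digest": hashlib.sha256(canonical(body)).hexdigest()}

def verify(pack: dict) -> bool:
    """An auditor re-derives the digest; any edit made after signing breaks it."""
    return hashlib.sha256(canonical(pack["body"])).hexdigest() == pack["digest"]
```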
Stop signing compliance you can't evidence. Measure it.
We measure; you declare; we never certify.