For compliance & regulatory officers — the gate you can't quietly pass

Measured compliance — we evidence the automatable slice, you declare the rest, a named person signs.

A control the measurement catches failing can't be silently passed — overriding it is recorded, in full, in the artifact. We measure; you declare; we never certify — the honesty model an auditor trusts and a vendor can't game.

Non-technical by design — the verdict is in plain language; your security engineer drills the findings behind it.

The asymmetry you're up against

A vendor's self-assessment isn't audit-defensible.

"We're NIS2-ready" on a supplier's letterhead is the party with the most to lose grading their own work.

Today: a checkbox you take on trust

Self-assessments with no measurement behind them, no gate against wishful answers, and nothing an auditor can re-derive.

Now: measured, gated, signed

The automatable slice measured; failures locked until justified in writing; the declaration signed by a named person and frozen to a commit and a rubric version.

What you get

One conformance home — the verdict up front, the findings a drill-down.

EU-regulated frameworks first

NIS2, DORA and GDPR up front — then SSDF, SLSA, OWASP ASVS, WCAG 2.2, ISO 27001, CRA and EN 301 549. Ten frameworks, one honest pattern.

A signed Conformance Pack

A PDF an auditor accepts: every override on record, measured-vs-declared never blurred, frozen to a commit and a pinned rubric.

The signing pack →

An evidence & audit register

Each declaration frozen and signed at signature time, with a CycloneDX SBOM and a PII data-flow map travelling inside the artifact.

How it works — for you

Self-assess for free; sign when you're ready.

Measure

The automatable slice is evidenced from the code — no questionnaire to fill in first.

Gate

A control caught failing is pre-set to Fail and locked — overriding it requires a written justification, recorded in full.

Declare

You work the remaining controls; the verdict always shows measured vs declared, never blurring the two.

Sign

A named person signs; the declaration freezes to the commit and rubric. Self-assessment is free — signing into a Conformance Pack is the paid activation.

An auditor can re-run the measurement themselves

The measured slice is scored against the open CAI standard — an auditor or competent authority can take the evidence and reproduce the numbers at cai.canine.dev/verify. The declaration rests on the declarant; the measurement rests on mathematics.

Stop signing compliance you can't evidence. Measure it.

We measure; you declare; we never certify.