For compliance teams
Audit-by-construction. Not audit-by-promise.
Every AI-driven action signed. Every signature publicly verifiable. Auditors do not need a SynOI account, a SynOI library, or your permission to verify any decision.
How SynOI fits your compliance stack
Two tracks, working in parallel.
SynOI delivers compliance value through two distinct tracks. Track A is our own vendor-level certification: the credentials your procurement team needs from us. Track B is what makes SynOI a compliance product for your AI program: per-regulation Compliance Packs that map our signed Decision Receipts and audit substrate to specific control numbers your auditor cites.
SynOI Inc's own certifications
What your procurement team asks us for. These are SynOI as a vendor passing standard SaaS audits. Required to sell to enterprise; not part of the product you buy.
SOC 2 Type II
AICPA
Audit in progress. Target attestation: Q1 2027.
ISO/IEC 42001: AI Management System
ISO/IEC
Targeted following SOC 2 attestation. Independent management-system certification for AI governance.
ISO/IEC 27001: Information Security
ISO/IEC
Targeted alongside ISO 42001 to support international procurement.
CSA STAR for AI
Cloud Security Alliance
Application materials in flight. CSA category alignment confirmed.
HIPAA Business Associate Agreement
HHS
Template BAA ships alongside SOC 2 attestation. Enables healthcare deployments.
GDPR data-residency controls
European Union
Region-pinned receipt retention and tenant-scoped right-to-erasure. Enterprise tier.
Full standards alignment list at /standards →
Compliance Packs: for your AI program
What you use SynOI for. Each Compliance Pack maps our signed Decision Receipts, HITL records, integrity attestations, and audit substrate to the specific control numbers your auditor cites. Handed to your auditor as-is.
NIST AI Risk Management Framework
Shipping Q3 2026
GOVERN / MAP / MEASURE / MANAGE control mappings. US AI compliance lingua franca.
ISO/IEC 42001 (AI Management System)
Shipping Q3 2026
Clause 6, 7, 8, 9 mappings with certifiable audit export. International / certifiable.
EU AI Act Article 12 (record-keeping)
Shipping Q4 2026
High-risk AI system audit logs. Anchored receipt log meets Article 12 tamper-proof requirement.
SOC 2 Type II evidence support
Shipping Q4 2026
Evidence pipeline for CC6.1, CC7.1, CC7.3, CC8.1. Plugs into your existing Vanta / Drata stack.
NYC Local Law 144 (hiring AI)
Vertical pack
Per-decision provenance feeding annual bias audits. For hiring-AI vendors with NYC customers.
HIPAA Technical Safeguards
Vertical pack
§164.312 audit controls + integrity controls. For healthcare AI.
Each Pack includes: mapping document (control number → SynOI feature) · pre-built dashboard view (coverage gaps, last evidence date) · audit-ready export (PDF + CSV + structured JSON) · auditor support (we'll talk to your auditor directly).
Which Packs come with which plan
Tiered by Pack count, not by surprise.
Free (self-host)
0
Substrate only. Receipts + integrity + HITL. No mapped Compliance Packs.
Personal · $19/mo
1
Pick one Compliance Pack of your choice.
Team · $99/seat
3
Three Packs. Standard audit export formats. Multi-seat governance.
Enterprise
All
Every current + future Pack. Custom mappings. Auditor support included. EU data residency.
The substrate every Pack builds on
What you get regardless of which Pack you pick.
Signed Decision Receipts
Hybrid-signed (Ed25519 + ML-DSA-65) records of every AI action. Publicly verifiable offline via npx @synoi/verify. No SynOI account required.
Anchored audit log (planned Q4 2026)
Receipt batches periodically anchored to OpenTimestamps (Bitcoin) and sigstore Rekor for tamper-evidence beyond SynOI infrastructure.
HITL approval records
Human-in-the-loop gates on high-risk actions, with cryptographic proof of approver identity and decision timestamp.
Tamper detection
Every gateway install reports a manifest hash on boot. Receipts produced by modified code are flagged degraded:true.
Point-in-time queries
Reconstruct what your AI system knew and decided at any historical moment. S3 temporal signatures + supersession chains.
Independent verification
Auditors verify receipts cryptographically with a 5-line snippet. No vendor lock-in on the audit trail itself.
Compliance-tagged receipts
Every receipt carries a deterministic JSON array of NIST, EU AI Act, ISO 42001, and SOC 2 subcategory tags, derived at write time from the receipt's action context. Filter by framework without re-deriving.
Auditor evidence export API
GET /v1/account/compliance/export streams a JSONL / JSON / CSV bundle scoped to a framework or specific subcategory tag and a date window. Hand the URL to your auditor; they verify the signatures themselves.
Live coverage summary
GET /v1/account/compliance/summary returns per-framework receipt counts and per-subcategory totals. Wire into a status dashboard so the compliance team sees coverage in real time, not at year-end.
MCP tool-call receipts
Every agentic tool call routed through /mcp/proxy produces a signed receipt. Allow, deny, require-approval, and HITL outcomes are all stamped with the same Article 12 / NIST MAP-2.3 tags as LLM calls. Agents do not bypass the audit trail.
Pick the Pack that maps to your audit.
Talk to us about your specific regulation; we'll tell you exactly which receipts answer which controls.