Compliance

Stop assembling compliance evidence. Start generating it.

Every session through the gateway produces the evidence you need for SOC 2, GDPR, PCI DSS, and HIPAA. Not after the fact. Not from screenshots. From live infrastructure, continuously, with every query and every command.

SOC 2 Type II: 20+ controls
GDPR: 12+ articles
PCI DSS 4.0: 30+ requirements
HIPAA: 15+ controls

FRAMEWORK COVERAGE

One gateway configuration. Four frameworks covered.

Data Masking alone satisfies controls in SOC 2, GDPR, PCI DSS, and HIPAA. Session Recording covers audit requirements across all four. Each capability maps to multiple frameworks simultaneously. The compliance surface area covered by a single deployment is not incremental. It compounds.

SOC 2 Type II: CC6, CC7, CC8, P4
GDPR: Art 5, 25, 30, 32, 33
PCI DSS 4.0: Req 1, 3, 4, 7, 8, 10
HIPAA: §312(a)-(e), §308

Framework Coverage (27 controls)
Capabilities: Data Masking, Session Recording, Access Control, Guardrails, JIT Reviews, SIEM Integration
SOC 2: CC6, CC7, CC8, P4
GDPR: Art 5, Art 25, Art 30, Art 32
PCI DSS: Req 3, Req 7, Req 8, Req 10
HIPAA: §312(a), §312(b), §312(e)

Control Mapping
Capabilities: Data Masking, Session Recording, Access Control, Guardrails, JIT Reviews
SOC 2: CC6.1, CC7.2, CC8.1, P4.1
GDPR: Art 25(1), Art 30(1), Art 32(1)(a), Art 5(1)(f)
PCI DSS: 3.3.1, 7.2.1, 8.2.1, 10.2.1
HIPAA: §312(a)(1), §312(b), §312(d), §312(e)(1)

CONTROL MAPPING

The auditor asks for CC6.1. You point to Access Control. The same feature covers PCI 7.2.1 and HIPAA §312(a).

Every Hoop capability maps to specific control IDs across every framework you report against. The evidence is not a separate artifact. It is a byproduct of the gateway doing its job. Masking data generates P4.1 evidence. Recording sessions generates CC7.2 evidence. You do not build compliance. You inherit it.

CONTINUOUS POSTURE

Compliance posture that updates with every session. Not every quarter.

The compliance score reflects the current state of your controls. When a new database connection gets masking enabled, the Data Protection score updates immediately. When a guardrail blocks a destructive command, the Change Management score reflects it. Gaps are visible the moment they appear, not at the next audit.

Identity, Audit Trail, Access Control, Data Protection, Monitoring
Control status updated from live session data
Gaps surface immediately, not at audit time

Compliance Report
Gaps detected:
Identity: 3/4
Audit Trail: 3/6
Access Control: 2/6
Data Protection: 2/6
Monitoring: 3/5

Frameworks: SOC 2, GDPR, PCI DSS, HIPAA
CC6.1: Logical Access Security (Access Control)
CC6.3: Data-in-Transit Encryption (Data Protection)
CC6.6: Session-Level Access Controls (Access Control)
CC6.7: Data Masking & Redaction (Data Protection)
CC7.2: Anomaly Detection & Monitoring (Monitoring)
CC8.1: Audit Trail & Evidence (Audit Trail)

EVIDENCE GENERATION

Four types of evidence. Generated from every session. Accepted by every auditor.

The gateway sits at the protocol layer. Every query, every command, every response passes through it. That position produces compliance evidence that no application-layer tool can match.

Session recordings

Every access session captured with user identity, timestamps, commands, and responses. Immutable.

Masking logs

Every PII, PHI, and PCI field detected and redacted. Counts, types, and sources tracked per session.

Approval chains

Every approval request, reviewer identity, decision, and timestamp. Full chain of custody.

Guardrail events

Every blocked command with context: who, what, when, why it was blocked, and what policy triggered.

Audit Readiness

Without Hoop
Gather access logs: 3 days (manual)
Screenshot session evidence: 2 days (manual)
Compile masking records: 2 days (incomplete)
Map controls to framework: 1 week (spreadsheet)
Review with security team: 3 days (meeting)
Auditor review: 2 weeks (delays)
Total: 4-6 weeks. Repeated every audit cycle.

With Hoop
Access logs: auto (✓ continuous)
Session evidence: auto (✓ recorded)
Masking records: auto (✓ generated)
Control mapping: auto (✓ real-time)
Security review: auto (✓ dashboard)
Auditor export: 1 click (✓ ready)
Total: 0 weeks. Evidence generated continuously.

AUDIT READINESS

The next audit takes zero engineering hours. The evidence already exists.

Manual audit prep is gathering logs, screenshotting sessions, compiling masking records, mapping controls in a spreadsheet, coordinating with security. That takes 4 to 6 weeks. With the gateway running, every session generates evidence continuously. When the auditor arrives, export the report. One click.

MEASURABLE IMPACT

Risk reduction you can put in a board deck.

PII fields masked across every connection. Destructive commands blocked before execution. Sessions governed and audited. Compliance score trending up. These are not projections. They are measured from live traffic through the gateway.

Organizational Impact (last 30 days)
Metrics: PII Fields Masked, Destructive Commands Blocked, Sessions Audited, Compliance Score

Risk Reduction
PII Exposure: 87%
Unaudited Sessions: 64%
Ungoverned AI Access: 92%
Compliance Gaps: 48%

Compliance Trend (chart, Sep to Mar, 90% target)

Compliance evidence should be a byproduct. Not a project.

Deploy the gateway. Connect your infrastructure. The compliance report starts writing itself from the first session.
