ISO & SOC Compliance.

One control system, mapped multiple ways.

ISO and SOC 2 are not parallel programmes at Ophanix. They are different views of the same operating controls: asset ownership, access management, change control, vulnerability management, incident response, supplier risk, privacy governance, and AI governance.

Customer-facing evidence is maintained from production systems, not recreated for audit season. Control mappings, test results, exception logs, and remediation status are shared under NDA during procurement and renewed on contract review.

Information security controls embedded in delivery.

• Asset inventory — every customer environment, service, model, data store, and integration has a named owner and criticality tier.
• Access control — SSO, MFA, least privilege, break-glass procedures, and quarterly access reviews across production and support systems.
• Secure change — pull-request review, CI gates, release approvals, deployment rollback, and customer-visible release evidence.
• Vulnerability management — continuous scanning, per-release assessment, external VAPT, and remediation SLAs tied to severity.
• Incident response — severity classification, on-call routing, customer notification, post-mortems, and tracked corrective actions.

Privacy controls that match sovereign deployment.

Privacy controls extend the ISO 27001 baseline into data minimisation, purpose limitation, processor obligations, data-subject request handling, transfer controls, retention schedules, and deletion evidence.

• Customer data remains residency-bound and single-tenant by default.
• PII and sensitive features are tokenised or envelope-encrypted at rest.
• Support access is ticketed, time-limited, logged, and customer-reviewable.
• Export and deletion evidence is produced at exit or statutory request.

AI management controls for consequential systems.

Ophanix maps responsible-AI controls to ISO 42001 alongside EU AI Act obligations: system inventory, intended-use documentation, risk classification, human oversight, performance monitoring, bias evaluation, and serious-incident handling.

The evidence is operational. Each production model has a model card, version record, evaluation history, deployment approval, monitoring threshold, and rollback path.

SOC 2 evidence without a separate theatre.

SOC 2 control evidence is mapped across Security, Availability, Confidentiality, Processing Integrity, and Privacy where those criteria apply to the customer deployment.

• Security — access reviews, vulnerability evidence, endpoint posture, logging, alert triage, and incident records.
• Availability — uptime reporting, backup evidence, recovery testing, capacity review, and customer-specific RTO / RPO commitments.
• Confidentiality — encryption, key-management records, support access logs, tenant isolation evidence, and sub-processor controls.
• Processing integrity — data lineage, reconciliation checks, model-version pinning, and signed operator actions.
• Privacy — DPA controls, DSAR process evidence, retention enforcement, and deletion certificates.

What customers can review.

• ISO 27001 / 27701 / 42001 control map and ownership register.
• SOC 2 Trust Services Criteria mapping for the contracted deployment.
• Quarterly control-test results, exceptions, and remediation status.
• Access-review evidence and production support access logs.
• VAPT summaries, dependency posture, and critical-finding remediation record.
• Incident-response exercise results and customer-specific recovery evidence.