Most teams discover their compliance gaps the week of the audit. That's the part we're done with. We run a continuous, audit-ready security and compliance program on your behalf — powered by Adalace, the platform our team operates so your team doesn't have to.
Adalace is not another tool you have to learn. It's a managed program — a platform plus the people who run it. You get the dashboard. We do the work behind it.
This is the view your team gets every morning. Framework coverage, control status, open risk items, and last night's evidence captures — all in one place. No more reconstructing the past from twelve different tools.
Sample data shown for illustration. Real dashboards are scoped to your organization, your frameworks, and your evidence.
Adalace's threat intelligence pipeline runs continuously — pulling from vulnerability feeds, active-exploit alerts, breach signals, and vendor advisories, then scoring each event against the technologies and vendors your program actually depends on. Your team sees what matters, not the firehose.
Sample data shown for illustration. Your live feed is scoped to your stack.
Adalace ships with control mappings for the frameworks your customers, regulators, and insurers actually ask about. Need something custom? We map it.
Most clients start with a Posture Scan, graduate to the Managed Program, and pull us in for Audit Sprints as new frameworks come into play. Same Adalace platform, different depth.
Every engagement produces artifacts your team, your board, and your auditors can use directly. These are anonymized samples from real Managed Program clients — the exec summary from a Posture Scan, the control status view an auditor pulls, and the quarterly board narrative.
Prepared for · Northwind Health, Inc.
Aggregate score across 10 control domains, weighted by asset criticality and framework applicability. Above threshold for SOC 2 Type II readiness; below threshold for HITRUST i1.
3 critical (blocking Type II), 8 elevated (should remediate within 60 days), 7 informational (documentation and hardening improvements).
Time to close all critical and elevated gaps with a dedicated 0.5 FTE and Managed Program support.
Northwind operates a credible security foundation — access controls, backups, and vendor onboarding are documented and repeatable. The gaps are in continuity of evidence: quarterly access reviews are executed but not archived; vendor SOC 2 reviews happen at signature but not annually; incident response has never been drilled.
These are not architectural problems. They are program-operation problems — the kind that become audit findings the week before a Type II report ships.
Northwind Health, Inc. · Managed Program
Q1 was defined by preparation for the SOC 2 Type II fieldwork window that begins in Q3. The Managed Program advanced from 87.4 to 91.2 on the composite posture score. Three critical gaps identified in the January Posture Scan are now closed; five elevated gaps remain, all tracking to their remediation dates.
Vendor risk cadence caught two SOC 2 downgrade events (both remediated with vendor-side corrective action plans). Access reviews executed for 100% of privileged users on time; documentation stored auditor-ready in-platform.
| Risk | Delta | Owner Action |
|---|---|---|
| Vendor SOC 2 downgrade (billing gateway) | Elevated | Vendor CAP received; retest 2026-05-20 |
| Delayed OS patching (2 servers, 45+ days) | Critical | Change window scheduled; IR runbook drilled |
| Backup restore tests overdue | Closed | Full restore executed 2026-03-22; passed |
Northwind Health, Inc. · 47 Active Vendors
| Vendor | Tier | Data Handled | Last Review | Status |
|---|---|---|---|---|
| AWS (us-east-1, us-west-2) | Tier 1 | ePHI · PII · Auth | 2026-02-14 | Current |
| Snowflake | Tier 1 | ePHI · Analytics | 2026-01-22 | Review Due |
| Stripe (billing) | Tier 2 | Card · Billing | 2026-03-01 | Current |
| Twilio (patient SMS) | Tier 2 | PHI · Comms | 2025-09-30 | BAA Expiring |
| Datadog | Tier 3 | Ops · Logs | 2026-02-28 | Current |
A taste of the questions we hear most often. For the full set — including engagement and getting-started questions — head to our FAQ page.
Most teams underestimate this. From the day you decide to pursue SOC 2 to the day you have a signed report in hand, plan on 6–12 months — broken roughly into: 2–6 weeks of readiness work, 3–6 months of evidence collection (the audit period), then 4–8 weeks of fieldwork and report finalization. Through the Managed Program, the audit period feels like business-as-usual because evidence is already being captured continuously.
Plan on 9–14 months from kickoff to certification. The process: Stage 1 audit (documentation review), 3+ months of operating the ISMS, then Stage 2 audit (operational effectiveness). Certifications are good for 3 years with annual surveillance audits. We've shortened this for clients who already have mature security programs — but most teams need the full timeline to build the management system correctly.
No. HIPAA is a regulation, not a certification scheme — there's no government-issued HIPAA certificate. What exists are HIPAA compliance attestations from third-party assessors (like HITRUST) and self-attestations backed by documented risk analysis, policies, and controls. Many of our clients pursue HITRUST for the credibility, or layer HIPAA controls into their SOC 2 (using the HIPAA-aligned Trust Services Criteria) for efficiency.