Surface: Compliance Evidence Auto-Packets · V1 wedge
Concord by IaxaI Compliance Evidence Auto-Packets pull filtered, hash-chained evidence from the audit ledger into examiner-ready bundles for FFIEC, SOC 2, HIPAA, and PCI. For the MSSP serving a regulated end-client, this is the fastest path from telemetry to a packet that holds up in front of an auditor.
The Problem
The bank's FFIEC exam lands. The healthcare payer's HIPAA audit lands. The insurance carrier asks for a SOC 2 evidence bundle. Today the MSSP assembles these by hand: screenshots from CrowdStrike, exports from Splunk, copy-pasted Jira tickets, signed PDFs at the end. Two to four weeks per cycle, every cycle, per client. The evidence is real. The process is brittle.
The Outcome
Pick the framework. Pick the timeframe. Pick the controls. Concord pulls the relevant evidence straight out of the hash-chained, Ed25519-signed audit ledger and assembles a bundle a regulator can verify cryptographically. The MSSP stops being a packet-assembly factory and starts being a security partner.
How It Works
Step 1: pick the framework, the window, the controls
FFIEC for the bank. SOC 2 for the SaaS client. HIPAA for the payer. PCI for the merchant. Pick the audit period and the control set. Concord knows which evidence each control needs and which ledger entries satisfy it.
Step 2: Concord pulls evidence from the ledger
Translation decisions, entity matches, drift repairs, dedup merges, and detection deployments. Every relevant ledger entry inside the chosen window gets included. Filtered by tenant, by control, by event type. Original vendor payloads attached for drill-down.
Step 3: cryptographic chain-of-custody
Every entry in the bundle inherits its position in the hash chain plus the original Ed25519 signature. The packet itself ships with a manifest a regulator can verify independently. No screenshots. No copy-paste. No trust-me.
Step 4: examiner-ready bundle
PDF executive summary on top. Per-control evidence map underneath. Raw signed entries at the bottom for forensic drill-down. The MSSP hands the packet to the end-client. The end-client hands it to the examiner.
What It Sits On
Consumes
The audit ledger.
Append-only, hash-chained, Ed25519-signed evidence chain. Every Concord engine output already writes to it: Translation, Entity Resolution, Drift, Dedup. Auto-Packets is the read surface, not a separate data store.
Produces
Framework-shaped evidence bundles.
FFIEC, SOC 2, HIPAA, PCI. Signed manifest. Per-control evidence map. Cryptographic chain-of-custody back to the originating vendor payload. Verifiable independently of Concord.
Frameworks
FFIEC
Bank examiner-ready packets for community and mid-market banks.
SOC 2
Auditor-ready bundles aligned to TSC criteria, mapped to Concord ledger evidence.
HIPAA
Security Rule evidence for regional payers and provider networks.
PCI DSS
Cardholder-data scope evidence for merchants and processors.
Status
Foundation shipped
V1 build list
Append-only ledger
Evidence cannot be edited, reordered, or backdated after the fact. The chain catches tampering.
Independently verifiable
Bundle manifest carries the public key and signature chain. An auditor can verify it without trusting Concord's servers.
Per-tenant chains
Every MSSP end-client gets its own chain. One packet, one tenant, no cross-contamination of evidence.
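How a hash chain catches an edited, reordered, or quietly rewritten per-tenant ledger, shown as an added example that is not Concord's code. The entry fields, the canonical-JSON SHA-256 hashing, and the all-zero genesis value are assumptions for illustration; the Ed25519 signature over the manifest is not checked here, only the hash linkage and the head value a signed manifest would pin.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's "prev"

def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except the stored hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_chain(tenant, events):
    """Append events in order, each entry committing to the previous hash."""
    chain, prev = [], GENESIS
    for ts, event in events:
        entry = {"tenant": tenant, "ts": ts, "event": event, "prev": prev}
        entry["hash"] = prev = entry_hash(entry)
        chain.append(entry)
    return chain

def verify_chain(entries, tenant, manifest_head):
    """Return a list of findings; an empty list means the chain is intact."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(entries):
        if entry["tenant"] != tenant:
            findings.append(f"entry {i}: belongs to tenant {entry['tenant']}")
        if entry["prev"] != prev:
            findings.append(f"entry {i}: link to previous entry is broken")
        if entry_hash(entry) != entry["hash"]:
            findings.append(f"entry {i}: content does not match stored hash")
        prev = entry["hash"]
    if prev != manifest_head:
        findings.append("chain head does not match the manifest")
    return findings

# Constructed sample events, not real ledger data.
EVENTS = [("2025-01-05T10:00:00Z", "detection deployed"),
          ("2025-01-06T11:30:00Z", "drift repaired"),
          ("2025-01-07T09:15:00Z", "dedup merge")]

def demo():
    chain = build_chain("tenant-a", EVENTS)
    head = chain[-1]["hash"]  # the value a signed manifest would pin
    edited = copy.deepcopy(chain)
    edited[1]["event"] = "nothing happened"      # content changed in place
    reordered = [chain[0], chain[2], chain[1]]   # same entries, new order
    rewritten = build_chain("tenant-a", [EVENTS[0], EVENTS[2]])  # entry dropped, hashes redone
    cases = [("intact", chain), ("edited", edited),
             ("reordered", reordered), ("rewritten", rewritten)]
    return {name: verify_chain(c, "tenant-a", head) for name, c in cases}
```

The "rewritten" case passes every per-entry check and fails only on the head comparison, which is why the pinned head has to come from a manifest whose signature the auditor verifies separately.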
Concord ships Auto-Packets that help end-clients stand up evidence for their own audits today. Concord's own SOC 2 Type I is targeted for Q3 2026. That gate unlocks broader MSSP partner enablement and procurement at the largest regulated buyers. Stated honestly because that's the whole point of the ledger.
30-minute walkthrough. Your tools. Your tenants. Your audit cycle. We will show you exactly where Concord earns its keep.