LIVE · GENERATED FROM SOURCE
TRUST CENTER · UPDATED CONTINUOUSLY

QorTrace maps every operational and platform control we run against SOC 2 Type II, ISO/IEC 27001:2022, NIST CSF 2.0, the EU's DORA, and the FFIEC IT-Examination handbook. The numbers below come straight from our internal GRC console — no marketing layer in the middle.

0% OVERALL MET · 104 CONTROLS MAPPED · 0 POLICIES PUBLISHED · 8 FRAMEWORKS
QorTrace's own posture · live from /api/public/status · probed 48s ago
  • 30-day uptime: 99.99% (from our own 5-min synthetic monitor)
  • TLS cert: 60 days (qortrace.com · auto-renewed by Cloudflare)
  • DB latency: 9ms (round-trip to MongoDB Atlas)
  • Subsystems: 9/9 green (API, scanner, audit engine, ingest…)

Live, not aspirational

Every percentage on this page is generated from our internal GRC console. We don't "prepare" the numbers for visitors — what you see is what we see.

Versioned policies

Every published policy carries an immutable version number. Diff any two versions to see exactly what changed since the last attestation.

Major frameworks mapped

Controls are mapped to SOC 2, ISO/IEC 27001:2022, NIST CSF 2.0, NIST SP 800-53 Rev. 5, NIST SP 800-171 Rev. 3, EU DORA, and FFIEC — the authorities institutional and federal procurement actually ask for.

Evidence on request

Auditor-grade evidence (SOC 2 Type II reports, ISO certificates, signed attestations) is available under NDA. Email trust@qortrace.com to request the bundle.

POSTURE BY FRAMEWORK

Live control posture

  • AICPA · SOC 2 Type I: 0% met · MET 0 · PARTIAL 0 · GAP 12 · 12 in-scope · 0 N/A
  • AICPA · SOC 2 Type II: 0% met · MET 0 · PARTIAL 0 · GAP 12 · 12 in-scope · 0 N/A
  • ISO · ISO/IEC 27001:2022: 0% met · MET 0 · PARTIAL 0 · GAP 10 · 10 in-scope · 0 N/A
  • NIST · NIST CSF 2.0: 0% met · MET 0 · PARTIAL 0 · GAP 22 · 22 in-scope · 0 N/A
  • NIST · NIST SP 800-53 Rev. 5: 0% met · MET 0 · PARTIAL 0 · GAP 17 · 17 in-scope · 0 N/A
  • NIST · NIST SP 800-171 Rev. 3: 0% met · MET 0 · PARTIAL 0 · GAP 14 · 14 in-scope · 0 N/A
  • EU 2022/2554 · DORA: 0% met · MET 0 · PARTIAL 0 · GAP 8 · 8 in-scope · 0 N/A
  • FFIEC · FFIEC IT-Exam: 0% met · MET 0 · PARTIAL 0 · GAP 9 · 9 in-scope · 0 N/A

Live security posture · trust-posture-v1
Attention · Last refreshed just now
  • Audit chain integrity
    12 entries · checked 12
    green
  • Audit cold archive (R2)
    0d since · 0 rows
    green
  • Backup-restore drill
    drill cron registered, first run pending
    yellow
  • Subdomain takeover sweep
    sweep cron registered, first run pending
    yellow
  • Email posture (SPF/DKIM/DMARC)
    yellow
  • Supply chain audit
    first scan pending — CI workflow active
    yellow
  • Edge defence posture
    Calm
    green
  • WAF rules synced
    no sync yet — push from CISO Lair to seed
    yellow
  • Stripe live mode
    green
Auto-refreshes every 60 seconds. Refresh interval matches the server-side cache so we never hammer Mongo.

Posture history · posture-history-v1
0% all-green uptime over the last 30 days · 0d green · 13d yellow · 6d red · 11d unknown
  • Overall: 0%
  • Audit chain: 63%
  • Cold archive: 50%
  • Backup drill: 0%
  • Subdomain sweep: 0%
  • Email auth: 0%
  • Supply chain: 0%
  • Edge defence: 63%
  • WAF sync: 0%
  • Stripe live: 23%
green · yellow · red · unknown
19 snapshots · window 30d

EMAIL AUTHENTICATION

Email auth posture

OK
  • QORTRACE.COM: OK. Clean — SPF · DKIM · DMARC verified. 21h ago
  • QORBOM.COM: OK. Clean — SPF · DKIM · DMARC verified. 21h ago

We monitor our own SPF, DKIM, and DMARC daily so any DNS drift is caught within 24 hours.

DAILY SELF-AUDIT

Freshness self-audit

OK
  • SUBDOMAIN TAKEOVER SWEEP: OK. 0 CNAMEs audited · 0 dangling · 21h ago. ZONES: qortrace.com · qorbom.com
  • SELF-HEALING WATCHDOGS: UNKNOWN. 1 watchdog · 0 repairs in last 30d. QORBOM APEX SPF

Two safety nets run every morning: a sweep across every CNAME in our Cloudflare zones (looking for classic subdomain-takeover signatures) and an auto-repair watchdog that re-merges critical DNS records if a third party overwrites them. Findings, if any, are surfaced here within 24 hours.

MONTHLY AUDIT DIGEST

Get the monthly compliance posture digest

1 AUDITOR SUBSCRIBED

One email per month. Surfaces every drift in our SPF/DKIM/DMARC posture, every subdomain takeover sweep, and every self-healing repair fired in the last 30 days. Nothing else. Built for audit teams that need a paper trail.

Unsubscribe in one click from any email.
SOC 2 · GDPR Article 28 · DPA

Our Subprocessors

Third-party services that process customer data on QorTrace's behalf. We disclose every active relationship below and publish a change log so your security team can subscribe.


AWS

United States · us-east-1 / us-west-2
DPA

Backing infrastructure layer (underpins MongoDB Atlas, Resend, several other subprocessors).

all-categories-via-downstream-services
Disclosed for transparency; no direct contract with AWS.

Anthropic (via Emergent)

United States
DPA

Claude Sonnet 4.5 LLM inference for Qelli AI chatbot, talk-track generation, and methodology analysis. Customer data NEVER used to train models.

prompt-payloads · knowledge-base-snippets
Zero-retention agreement via Emergent integration tier.

Cloudflare

Global edge network
DPA

Edge CDN, WAF, DDoS protection, Turnstile bot mitigation, DNS.

ip-addresses-hashed · request-metadata · bot-fingerprints

MongoDB Atlas

United States · AWS us-east-1
DPA

Primary database hosting for customer accounts, scans, audits, and engagement data.

customer-account-data · scan-results · audit-findings · telemetry
SOC 2 Type II + ISO 27001 + HIPAA certified hosting.

PostHog Cloud

United States
DPA

Product analytics, funnel attribution, A/B testing.

anonymous-pageview-events · feature-flag-decisions
Cookie-less default; PII-stripping middleware on ingest.

Resend

United States · AWS multi-region
DPA

Transactional email delivery (signups, password resets, audit deliveries, drift alerts).

customer-email-addresses · transactional-message-content

Sentry

United States
DPA

Error monitoring and stack-trace aggregation.

stack-traces · request-paths-pii-redacted

Stripe

United States · global PCI-DSS network
DPA

Payment processing, subscription billing, customer portal.

billing-data · card-fingerprints (tokenized) · tax-residency
PCI-DSS Level 1, SOC 1 Type II, SOC 2 Type II.
Total: 8 active subprocessors. Updated automatically when changes happen.
PUBLISHED POLICIES

0 policies attested

Policy library is being prepared. Check back soon.
METHODOLOGY

Each framework's met % is the share of in-scope controls (excluding N/A) marked met by our security team. Controls in the partial state have a remediation owner and a target

SOC 2 follows the AICPA Trust Service Criteria, ISO/IEC 27001 the 2022 Annex A taxonomy, NIST CSF 2.0 the 2024 Cybersecurity Framework (Govern · Identify · Protect · Detect · Respond · Recover), NIST SP 800-53 Rev. 5 the federal control catalog (17 families: AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PS, RA, SA, SC, SI), NIST SP 800-171 Rev. 3 the CUI protection baseline, DORA the EU 2022/2554 chapter structure, and FFIEC the IT-Examination handbook booklets.

QorTrace's cryptographic engines themselves align with NIST PQC: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). For a SOC 2 Type II report or a signed compliance receipt, contact trust@qortrace.com.