All systems operational · v2.7.2 GA
Compliance Posture

Built audit-ready, not retrofitted.

SOC 2 Type II and ISO 27001 audits are underway. Until they land, OXware ships a built-in compliance scanner that maps every host setting to CIS, NIST 800-53, PCI-DSS, HIPAA, and ISO 27001 controls — and auto-generates auditor-ready PDF reports on demand.


Certification roadmap

Public progress, real dates, no marketing fog.

In Progress

SOC 2 Type II

Independent auditor engaged. Continuous-monitoring controls live since v2.7.0 (audit log, RBAC, encryption-at-rest, immutable change log).

Audit window: 2026-04 → 2026-10. Report ETA: 2026-Q4.

In Progress

ISO 27001:2022

ISMS scope: oxware.top SaaS components + the OXware Hypervisor product. Stage 1 audit complete; Stage 2 scheduled.

Stage 2: 2026-Q3. Certificate ETA: 2026-Q4.

Live now

CIS Benchmark scanner

Built into the panel. Maps every host setting to CIS Linux + KVM Hardening Benchmark. Auto-remediation suggestions per finding.

Bundled since v2.5.0. Hourly scan cadence.

Live now

NIST 800-53 Rev. 5

AC, AU, CM, IA, SC, SI control families covered by built-in audit log + RBAC + crypto modules + supply-chain controls.

Mapping doc at docs/#nist-mapping

Live now

PCI-DSS v4.0

For workloads handling cardholder data. Scanner flags shared-tenancy violations, weak ciphers, and missing logs.

Sections 1.1, 2.2, 8.x, 10.x covered.

Live now

HIPAA Security Rule

BAA-ready feature set: at-rest encryption, audit chain, RBAC with break-glass, immutable change log, session recording.

§164.308, §164.312 controls mapped.

Built-in compliance scanner

Hit one endpoint, get an auditor-ready PDF. Same report your auditor will accept.

| Control family | Standard | v2.7.2 coverage | How OXware satisfies it |
|---|---|---|---|
| Access control | SOC 2 CC6 / ISO A.9 / 800-53 AC | Pass | RBAC + LDAP/AD + SSO (SAML/OIDC) + 2FA + recovery codes + audit trail. |
| Audit logging | SOC 2 CC7 / 800-53 AU | Pass | SHA-256 hash-chained audit log, immutable JSONL, 90-day retention policy, SIEM export (Splunk, Elastic, Wazuh). |
| Cryptography at rest | HIPAA §164.312(a)(2)(iv) / PCI 3.5 | Pass | LUKS2 on host disks, AES-256-GCM for credential vault, vTPM-sealed keys for confidential VMs. |
| Cryptography in transit | PCI 4.2.1 / 800-53 SC-8 | Pass | TLS 1.3 default, HSTS, secure ciphers only, mTLS for cluster federation. |
| Change management | SOC 2 CC8 / ISO A.12.1.2 | Pass | GitOps manifest sync, immutable change log, plugin AST validation, signed releases. |
| Vendor management | SOC 2 CC9 | Partial | CycloneDX SBOM auto-generated per release; subprocessor list published quarterly. |
| Incident response | 800-53 IR / ISO A.16 | Pass | Auto-remediation runbooks, anomaly detector, alert correlation, on-call rotation via PagerDuty integration. |
| Vulnerability mgmt | PCI 11 / 800-53 RA-5 | Pass | pip-audit + Bandit in CI, bug bounty program, SEC-001..033 tracked, quarterly pen-test rotation. |

Need the audit pack now?

Email us for the security questionnaire kit: CAIQ Lite, NIST mapping spreadsheet, SBOM, pen-test summary, sample scanner output. NDA-friendly.

root@oxware.top
Response within 1 business day. We share an NDA template on first reply.