Audit-ready evidence in one click.

6 frameworks. Per-control evidence pulled from real device data — not templates or screenshots. PDFs your auditor accepts on first submission.

Why most RMMs fall short at audit time

Compliance isn't paperwork — your auditor wants evidence that your actual fleet is patched, encrypted, monitored, and access-controlled. Most RMMs give you "reports": generic templates with placeholder text. PatchPilot generates per-control evidence from live device data: which devices have BitLocker enabled, the actual install state of Windows critical updates on each device, and who accessed which device on which date.

Where does the evidence live?

PatchPilot is a control plane, not a data warehouse. We collect device posture and patch state to generate evidence — but the resulting PDFs, session recordings, and configuration backups belong to you, and you decide where they live.

Evidence PDFs

Generated on-demand, signed and timestamped. Downloaded directly to your machine — never stored in PatchPilot's database.

Session recordings

Stream to your own S3, Backblaze B2, or Wasabi bucket. You control retention, deletion, and who can access them.

Backups & configs

Device configuration backups go to your S3-compatible bucket or on-prem share. We orchestrate — you own the data.

Sovereign deployment

Enterprise customers can deploy PatchPilot inside their own infrastructure. Aligned with NHS DSPT, G-Cloud 13, and MoD JSP 440 data-handling requirements.

Under GDPR Article 28, PatchPilot acts as your data processor — not your data controller. The device telemetry we process is yours; we never monetise it, share it, or retain it beyond what's needed to deliver the service. Read our DPA →

How it works

Four steps from fleet to PDF

1

Install agents

Evidence is generated continuously from live device data — nothing to configure per-audit.

2

Pick a framework

Dashboard → Compliance → choose your framework (CE, ISO 27001, SOC 2, etc.).

3

Step-up MFA

A one-time code is required to export. Every evidence export is logged with who exported it, when, and for which framework.

4

Send to your auditor

Signed, timestamped PDF with raw evidence appendix. Typically accepted on first submission.

All six frameworks, one tool

🇬🇧

Cyber Essentials & CE Plus

The UK government's baseline — required for many UK government contracts that involve handling sensitive or personal information, and increasingly expected by insurers and private-sector procurement. The five controls below are labelled A1–A5 here; the PDF maps them onto the IASME question set's own numbering.
  • A1: Firewalls — per-device firewall state, default-deny inbound evidence
  • A2: Secure configuration — ASR rules, Windows Update settings, software inventory
  • A3: User access control — local admin enumeration, MFA state per account
  • A4: Malware protection — Defender AV state, definition freshness, real-time protection
  • A5: Security update management (patch management) — patch SLA per device, exceptions register
📋 One-click PDF mapped to the IASME question set
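As an added, independent spot-check (example code written for this page, not PatchPilot's agent or report generator): the script below pulls the same five Cyber Essentials signals from one Windows device using built-in cmdlets, so you can compare a device's line in an evidence pack against what the device itself reports before it goes to the auditor. It assumes an elevated PowerShell 5.1+ session, Microsoft Defender as the AV engine, and the BitLocker module (Windows Pro/Enterprise or Server); the one-day signature-age threshold is an arbitrary choice, not a CE requirement.

```powershell
# Added example, not PatchPilot code: collect the Cyber Essentials signals
# locally on one Windows device and emit them as JSON for comparison.
# Assumes: elevated session, Defender is the AV, BitLocker module present.

$ErrorActionPreference = 'SilentlyContinue'

# A1 Firewalls: every profile enabled with inbound default action Block.
$fw = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$fwNonCompliant = $fw | Where-Object { "$($_.Enabled)" -ne 'True' -or "$($_.DefaultInboundAction)" -ne 'Block' }
$firewallDefaultDeny = (@($fwNonCompliant).Count -eq 0)

# A2 Secure configuration: configured ASR rules and the Windows Update policy key.
$mp  = Get-MpPreference
$asr = @{}
for ($i = 0; $i -lt @($mp.AttackSurfaceReductionRules_Ids).Count; $i++) {
    # Action values: 0 = Off, 1 = Block, 2 = Audit, 6 = Warn
    $asr[$mp.AttackSurfaceReductionRules_Ids[$i]] = $mp.AttackSurfaceReductionRules_Actions[$i]
}
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$autoUpdateDisabled = ($au.NoAutoUpdate -eq 1)   # $false when the key is absent

# A3 User access control: who holds local Administrators membership.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# A4 Malware protection: engine on, real-time protection on, signatures no older than 1 day (our threshold).
$mps  = Get-MpComputerStatus
$defenderOk = [bool]($mps.AntivirusEnabled -and $mps.RealTimeProtectionEnabled -and $mps.AntivirusSignatureAge -le 1)

# A5 Security update management: most recently installed hotfix and its age in days.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSincePatch = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

# Encryption at rest (the BitLocker figure the evidence pack reports): is the OS volume protected?
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitLockerOn = ("$($osVol.ProtectionStatus)" -eq 'On')

[pscustomobject]@{
    Host                = $env:COMPUTERNAME
    CollectedUtc        = (Get-Date).ToUniversalTime().ToString('o')
    FirewallDefaultDeny = $firewallDefaultDeny
    AsrRulesConfigured  = $asr.Count
    AutoUpdateDisabled  = $autoUpdateDisabled
    LocalAdmins         = (@($admins.Name) -join '; ')
    DefenderOk          = $defenderOk
    SignatureAgeDays    = $mps.AntivirusSignatureAge
    LatestHotfix        = $latest.HotFixID
    DaysSincePatch      = $daysSincePatch
    BitLockerOn         = $bitLockerOn
} | ConvertTo-Json
```

Run it on a handful of sampled devices and diff the JSON against the per-device rows in the generated PDF; any mismatch (a firewall profile the pack calls enabled that the device reports as off, a signature age that disagrees) is worth resolving before submission rather than in front of the auditor.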
🌎

ISO/IEC 27001:2022

The international standard. Demanded by enterprise customers, regulated industries, and B2B procurement globally. Annex A references below follow the 2022 control numbering.
  • A.8.5, A.8.7: Secure authentication, protection against malware
  • A.8.8: Management of technical vulnerabilities — CVE tracking, SLA, remediation evidence
  • A.8.9: Configuration management — secure configuration baseline + drift detection
  • A.8.13: Information backup evidence
  • A.8.15–8.16: Logging and monitoring activities — audit log, session recording index
📋 Annex A control matrix with per-control evidence
🇺🇸

SOC 2 (Type 1 / Type 2)

US-focused, but increasingly demanded of UK SaaS providers by their US customers. Scoped to the Trust Services Criteria Security category (the Common Criteria).
  • CC6.1: Logical access controls — per-user role, audit log
  • CC6.6: Protection against external access threats — MFA enforcement, per-connection step-up evidence
  • CC6.3: Access removal — deactivation and access-termination logs
  • CC7.1–7.2: Vulnerability detection and anomaly monitoring — Tripwire alerts, session recordings
  • CC8.1: Change management — baseline drift evidence
📋 Per-criterion evidence pack with timeline data
🏥

HIPAA Security Rule

For US healthcare and UK organisations handling US patient data. 45 CFR §164.308 and §164.312.
  • §164.308(a)(1): Risk analysis — vulnerability scan output
  • §164.308(a)(3): Workforce security — access controls, MFA evidence
  • §164.312(a)(1): Access control — unique user IDs, audit log
  • §164.312(b): Audit controls — retention and export
  • §164.312(c)(1): Integrity — Tripwire file-integrity monitoring
📋 HIPAA Security Rule control mapping per safeguard
💳

PCI DSS v4.0

For organisations handling cardholder data. Endpoint-relevant requirements only — this evidences the managed endpoints in scope, not the full PCI DSS assessment.
  • Req 5: Anti-malware — Defender state, definition freshness
  • Req 6: Vulnerability management — CVE scanning, patch SLA, remediation
  • Req 7–8: Access control, MFA for remote access, session recording
  • Req 10: Logging — audit log retention evidence
  • Req 11: Security testing — vulnerability scan + baseline
📋 PCI DSS v4.0 control mapping (endpoint scope)
🛡

CISA BOD 22-01

The Known Exploited Vulnerabilities (KEV) catalog with remediation deadlines. The directive is binding on US federal civilian executive branch agencies and is widely used as a patch-prioritisation baseline by their contractors and by private-sector organisations.
  • KEV CVE coverage on the managed fleet — which devices have which KEVs
  • Remediation SLA vs CISA-published due dates
  • Exception register with justification when a KEV cannot be patched
📋 KEV-aware patch report with deadline tracking

What we do NOT evidence — be honest with your auditor

Which tier includes compliance packs?

Compliance evidence packs unlock at the Business tier (£4/device/month) and above. Pro tier gives you the underlying data (patch state, CVEs, audit log) — just not the framework-mapped PDF generator.


Generate your first evidence pack in under 5 minutes

Install one agent. Open the Compliance tab. Pick Cyber Essentials. Click Generate. That's it.