🇨🇦 CANADA-FIRST · GLOBAL-READY Data stays in Canada by default

Compliance
that finally
makes sense.

Guided frameworks. Real forms. Human experts.
One platform that does all three.

Auxlo combines intelligent compliance software, a library of framework-specific forms, and a marketplace of vetted consultants, all working through the same platform. From your first SOC 2 question to your ISO 27001 certificate, we're on the path with you.

12+
Frameworks covered end-to-end
280+
Compliance forms, ready to use
48h
Average time to full gap analysis
app.auxlo.ca/dashboard
LIVE
87%
POSTURE
MedVault Health Inc.
SOC 2 · HIPAA · PHIPA · ISO 27001 · Law 25
SOC 2 TYPE II ✓
HIPAA 91%
Framework Posture
SOC 2
94%
HIPAA
91%
GDPR
88%
ISO 27001
79%
Law 25
65%
⚠️
2 CRITICAL GAPS: HIPAA §164.308
Risk analysis missing + Workforce training overdue · 3 forms needed
AM
Amélie Marchand, CIPP/C
HIPAA · PHIPA · Law 25 Specialist · Montréal
CONNECT →
SOC 2 TYPE I/II
ISO 27001:2022
HIPAA / HITECH
PHIPA · PIPEDA
GDPR
Quebec Law 25
ISO 42001
EU AI Act
NIST CSF 2.0
PCI-DSS v4
SOC 1
HITRUST
The reality today

Compliance is
expensive, opaque,
and broken.

💸
$15,000–$50,000/year for platforms that still leave you doing the work: 300 spreadsheet rows, no guidance, no humans to call.
🌀
12 frameworks, 12 different platforms. Your SOC 2 evidence doesn't talk to your HIPAA tracker. Your ISO 27001 consultant never saw your GDPR DPAs.
🗓️
Startup CEOs spend weeks decoding what "CC6.6 — Logical and Physical Access Controls" actually requires them to do on Monday morning.
🌍
Canadians building for the US or EU are told to move their data or pay a law firm $400/hr to understand cross-border transfer requirements.
The Auxlo way

One platform.
Every step taken
with you.

Plain-language step-by-step workflows for every framework. "Step 3 of 9: Fill in this risk assessment form. Here's what to write."
Cross-mapped evidence: upload your access control policy once, and it satisfies SOC 2 CC6, ISO A.8.5, HIPAA §164.312, NIST PR.AC-7 simultaneously.
Auxlo-certified consultants work inside your account, using the same evidence vault, forms, and dashboards. No extra cost for the handoff.
Canadian data residency by default. Expand to US and EU markets without moving your data. We handle the compliance bridge, not the migration.
How it works

Four steps from
lost to certified.

Every compliance journey on Auxlo follows the same four-step pattern, whether you're a founder running your first SOC 2 or a privacy officer managing GDPR across three jurisdictions.

01
Answer 20 Questions
Tell us your industry, size, where you process data, and which frameworks you need. Auxlo instantly generates your personalized compliance roadmap (no consultant needed for this part).
⏱ 15 minutes
02
Follow the Path
Each framework is broken into numbered, plain-language steps. Every step tells you exactly what form to fill, what evidence to upload, and what it means. Nothing is left vague.
⏱ Days to weeks, not months
03
Add a Consultant (Optional)
Stuck on a step? Add an Auxlo-certified consultant to your workspace in one click. They see your exact posture, your gaps, your evidence, and pick up exactly where you are.
⏱ Connected in under 1 hour
04
Audit-Ready Package
When you're ready, one click generates a complete, auditor-formatted package. KPMG/PWC/BDO compatible. Your evidence, your policies, your controls, organized for any external auditor.
⏱ Same day
The Platform

Seven modules.
One source of truth.

Every module cross-maps your evidence. One upload satisfies every applicable framework simultaneously. No re-entering data, no duplicate work, no gaps between systems.

01 The Compass™

Your full compliance picture. Every framework. Under 48 hours.

The Compass runs a structured assessment across all 12+ frameworks, scores every gap by severity, and produces a board-ready report, in plain language, before you talk to an auditor. It's the first thing every Auxlo user does, whether they're a startup CEO or a seasoned CISO.

Plain-English gap analysis: every control explained in one sentence. Not "CC6.1 — Logical Access Controls" but "You need to prove only authorized people can log into your systems."
Cross-framework deduplication: one answer satisfies every framework asking the same underlying question. 60% less work than running each framework separately.
Three-audience report: plain-language executive summary for your board, technical annex for your CISO, regulatory status page for your legal team. One export, three documents.
Remediation roadmap: prioritized by severity and effort. Not a list of problems, but an ordered to-do list with estimated hours and assigned owners.
PHIPA · PIPEDA · HIPAA · GDPR · SOC 1 · SOC 2 · ISO 27001 · ISO 42001 · NIST CSF · PCI-DSS · Law 25 · EU AI Act
Who uses it: Startup founders, CEOs, CISOs, Privacy Officers, Board Risk Committees
app.auxlo.ca/compass
● 87% POSTURE
218
CONTROLS MET
8
CRITICAL GAPS
12
FRAMEWORKS
Framework Posture
SOC 2
94%
HIPAA
91%
GDPR
88%
ISO 27001
79%
ISO 42001
63%
📋 Board report ready: 24-page executive package · Export to PDF / PowerPoint
02 AI Registry™

Every AI tool your org uses. Risk-scored against every framework. Auto-updated.

Staff adopt AI tools faster than governance can track. The AI Registry catalogs every tool, from ChatGPT to Copilot to custom models, and simultaneously scores each one against HIPAA, GDPR, PHIPA, ISO 42001, the EU AI Act, and Canada's AI Directive. Automatically generates Privacy Impact Assessments and flags PHI exposure.

Multi-framework risk scoring: each tool scored against every applicable law simultaneously. One view shows your entire AI exposure.
Auto-generated PIAs: a Privacy Impact Assessment template is created per AI tool per jurisdiction. Completion tracked, sign-off captured as audit evidence.
EU AI Act risk classification: Unacceptable / High / Limited / Minimal risk classification for every AI tool, with required conformity steps per level.
PHI / PII exposure detection: flags every tool processing protected information without a completed Data Processing Agreement. Stops the breach before it happens.
HIPAA · GDPR · PHIPA · ISO 42001 · EU AI Act · PIPEDA · Law 25 · Canada AI Directive
Who uses it: Privacy Officers, CISOs, CMIOs, DPOs, AI Ethics Committees
app.auxlo.ca/ai-registry
● 2 CRITICAL
2
CRITICAL
4
APPROVED
13
REGISTERED
AI Tools — Risk Assessment
💬
ChatGPT (OpenAI Public)
PHI input detected · No DPA · GDPR Art.28 violation
CRITICAL
🎙️
Otter.ai Transcription
No PIA · Patient audio confirmed · HIPAA exposure
CRITICAL
💼
Microsoft Copilot M365
DPA in review · PIA pending · High-risk EU AI Act
REVIEW
🔬
Azure OpenAI (Enterprise)
✓ PIA complete · DPA signed · HIPAA BAA executed
APPROVED
03 Policy Studio™

80+ jurisdiction-aware policies. Generated in hours. Maintained automatically.

Policy Studio generates security and privacy policies adapted to your exact jurisdiction, including Canada (Federal, ON, QC, BC), the US, and the EU, with approval workflows, staff attestation tracking, and automatic review cycles. When regulations change, your policies flag for update automatically.

80+ policy templates across 12 categories: AI governance, privacy, access control, clinical data, vendor risk, HR, incident response, data retention, acceptable use, and more.
Bilingual for Quebec: policies generated in English and French simultaneously. Law 25 compliance tracked in both languages.
Approval workflow: Draft → Legal Review → Approved → Published → Attested. Every step timestamped and stored as audit evidence.
Staff attestation: who read and acknowledged what, and when. Audit-ready for SOC 2, ISO 27001, HIPAA, and GDPR simultaneously.
SOC 2 · ISO 27001 · HIPAA · GDPR · PHIPA · Law 25 FR/EN · PCI-DSS
Who uses it: Privacy Officers, Legal Counsel, HR Directors, CISOs, DPOs
app.auxlo.ca/policy-studio
● 427 attested
🇺🇸 US / HIPAA
🇪🇺 EU / GDPR
🇨🇦 CA / Law 25
Active Policy Library
AI Acceptable Use Policy
HIPAA · GDPR · 42001
LIVE
Data Retention & Deletion Policy
GDPR Art.5 · HIPAA
LIVE
Access Control & MFA Policy
SOC 2 CC6 · ISO A.8
LIVE
Privacy Breach Response Plan
PIPEDA · GDPR · HIPAA
IN REVIEW
Vendor Risk Management Policy
SOC 2 CC9 · ISO A.5
DRAFT
427 of 451 staff attested · 24 overdue · Reminders sent automatically
04 Evidence Vault™

Upload once. Satisfy every framework that needs it, automatically.

Your MFA policy satisfies SOC 2 CC6.6, ISO 27001 A.8.5, HIPAA §164.312(d), NIST PR.AC-7, and GDPR Article 32 simultaneously. Stop uploading the same document to six different places. The Evidence Vault cross-maps every piece of evidence to every relevant control and generates auditor-ready packages on demand.

300+ controls, 12 frameworks cross-mapped: one upload automatically satisfies every framework control that requires it. Zero duplication.
Visual gap heatmap: see every domain × framework combination at a glance. Green is covered. Red needs attention. Yellow is in progress.
Auditor-ready packages on demand: SOC 2, ISO 27001, HIPAA, GDPR. One click generates a complete, labeled evidence package your external auditor opens on day one.
40+ integrations: auto-collect evidence from Okta, AWS, Azure, GCP, KnowBe4, CrowdStrike, GitHub, Jira. Evidence stays current automatically.
SOC 1 · SOC 2 · ISO 27001 · HIPAA · GDPR · PHIPA · NIST · PCI-DSS
Who uses it: CISOs, IT Security Teams, Compliance Analysts, External Auditors
app.auxlo.ca/evidence-vault
SOC 2 TYPE II ✓
218
COVERED
22
GAPS
91%
READY
Gap Heatmap — Domain × Framework
SOC 2 Audit package ready: 218 items organized · KPMG/PWC format EXPORT
05 Questionnaire Shield™

A 200-question security questionnaire. Done in 4 hours. Using your real evidence.

Every enterprise sales deal blocked by a security questionnaire is lost revenue. Questionnaire Shield imports any SIG, CAIQ, or custom questionnaire, drafts responses from your actual certifications and evidence vault, and builds a reusable library that gets faster with every submission.

Any format accepted: paste a SIG, CAIQ, or upload Excel/Word. AI parses, categorizes, and drafts responses immediately from your real evidence vault.
Answers cite your actual controls: not generic templates. Your SOC 2 reports, ISO 27001 clauses, HIPAA policies, and GDPR DPAs, all cited with correct clause references.
Approved response library: every answer you approve is saved. Future questionnaires auto-fill from your library in seconds, not hours.
Deal acceleration tracker: see which contracts required questionnaires and closed after submission. Turns compliance into a measurable revenue driver.
SOC 2 · ISO 27001 · HIPAA · GDPR · CAIQ · SIG · Custom
Who uses it: Sales Teams, Security Teams, CTOs, Legal Counsel
app.auxlo.ca/questionnaire-shield
🤖 AI DRAFTING
Enterprise SIG v9.2
$2.8M CONTRACT
136/200 answered · 12 AI drafting · 52 from library
Do you enforce MFA for all administrative access?
Yes. MFA enforced for all admin and remote access via Okta. Validated in SOC 2 Type II (CC6.6), ISO 27001 (A.8.5), HIPAA §164.312(d). Pen test confirmed no bypass paths.
✓ Library · SOC 2 CC6.6 · ISO A.8.5 · HIPAA §164.312(d)
Describe your data residency and cross-border transfer controls.
AI drafting from Evidence Vault · GDPR Art.46 · SCCs
06 Breach Navigator™

A breach happens. Auxlo tells you exactly what to do, in what order, by when.

Every breach regulation has different notification windows. PIPEDA: as soon as feasible. GDPR: 72 hours. HIPAA: 60 days. Quebec Law 25: 72 hours. Breach Navigator auto-identifies every applicable notification deadline, generates the required notification letters, and tracks regulatory submissions across all jurisdictions simultaneously.

Multi-jurisdiction notification deadlines: the moment you log a breach, every applicable clock starts ticking and is displayed prominently. No missed deadlines.
Pre-filled notification letters: GDPR Article 33 supervisory authority notice, PIPEDA OPC report, HIPAA OCR notification, all drafted from your breach details.
Containment checklist, platform-specific: AWS credential rotation, Active Directory lockout, Okta session revocation. The steps are tailored to your actual tech stack.
Post-incident reporting: board summary, regulatory response log, lessons-learned template. Audit evidence is generated automatically for the next audit cycle.
PIPEDA · GDPR · HIPAA · PHIPA · Law 25 · NIST IR
Who uses it: Privacy Officers, CISOs, Legal Counsel, Incident Response Teams
app.auxlo.ca/breach-navigator
🚨 ACTIVE INCIDENT
GDPR NOTIFICATION DEADLINE
47:16:32
hours remaining of 72-hour window
Notification Deadlines — All Jurisdictions
GDPR — Supervisory Authority
Art. 33
47h LEFT
Law 25 — CAI Notification
§63.1
47h LEFT
HIPAA — HHS OCR Report
§164.408
58d LEFT
PIPEDA — OPC Report
RESA
SUBMITTED ✓
✉️ GDPR Art.33 notification letter drafted · Ready for legal review
07 Vendor Shield™

Every vendor that touches your data. Assessed, monitored, and contractually covered.

Your vendors are your risk surface. Every cloud service, SaaS tool, and contractor that processes your data must be assessed under SOC 2 CC9, ISO 27001 A.5.19, HIPAA Business Associate rules, and GDPR Article 28. Vendor Shield automates the entire third-party risk lifecycle from onboarding assessment to annual review.

Framework-mapped vendor questionnaires: each vendor assessment aligned to SOC 2 CC9, ISO A.5.19, HIPAA BAA requirements, and GDPR Art.28 simultaneously.
Contract tracking: DPA status, BAA status, NDA status per vendor. Automatic alerts when agreements expire or need renewal.
Auto-generated Data Processing Agreements: GDPR-compliant DPA templates, Quebec-law DPA clauses, and HIPAA BAA templates generated per vendor.
Annual review automation: reminders, re-assessment forms, and updated risk scores without anyone having to remember when reviews are due.
SOC 2 CC9 · ISO A.5.19 · HIPAA BAA · GDPR Art.28 · PIPEDA · PCI-DSS
Who uses it: Procurement, Legal, CISOs, Privacy Officers, Compliance Analysts
app.auxlo.ca/vendor-shield
● 3 REVIEWS DUE
41
APPROVED
3
REVIEW DUE
1
NO BAA
Vendor Risk Register
AWS — Cloud Infrastructure
BAA ✓ · DPA ✓
LOW RISK
Okta — Identity Provider
BAA ✓ · DPA ✓
LOW RISK
Salesforce CRM
DPA ✓ · BAA Pending
REVIEW
Slack (Standard)
PHI detected · No BAA
CRITICAL
📄 3 DPA templates generated and ready to send · Slack BAA required immediately
Frameworks

12 frameworks.
Zero gaps.

Most platforms cover 3–5 frameworks. Auxlo covers 12, including every Canadian framework that matters (PIPEDA, PHIPA, and Quebec Law 25) alongside ISO 42001 and the EU AI Act. You don't need a different platform as you grow.

SOC 2 TYPE I/II
Service Organization Control 2
Five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Evidence collection, control testing, Type I and Type II audit packages generated automatically.
Controls covered: TSC Full · Type I & II
ISO 27001:2022
Information Security Management System
93 Annex A controls across 4 domains. Risk register, ISMS scope, Statement of Applicability, internal audit checklists, management review templates, generated and maintained automatically.
Controls covered: 93 / 93 Annex A
HIPAA / HITECH
Health Insurance Portability & Accountability Act
Administrative, Physical, and Technical Safeguards. Annual risk analysis, workforce training records, BAA register, breach notification workflows. All 164.xxx sections are tracked with plain-English explanations.
Controls covered: Security + Privacy Rule
GDPR
General Data Protection Regulation
ROPA, DPIAs, DSAR tracking, supervisory authority relationships, cross-border transfer mechanisms (SCCs, BCRs, adequacy decisions), all managed without a full-time DPO or law firm on speed dial.
Controls covered: All 99 Articles
PHIPA · PIPEDA
Canadian Privacy Law — Federal & Provincial
PHIPA for Ontario healthcare data, PIPEDA for federal commercial organizations. Breach-of-security-safeguard reporting, consent management, Privacy Officer appointment tracking, all bilingual.
Controls covered: ON · FED · BC · AB
Quebec Law 25
Loi 25 — Protection of Personal Information
Quebec's strictest privacy law with AI disclosure obligations. Bilingual (FR/EN) policy generation, 72-hour CAI notification, public disclosure registry, and Privacy Impact Assessment tracker built in.
Controls covered: Bilingual · Full
ISO 42001
AI Management System Standard
The world's first AI governance standard. AI system registry, algorithmic impact assessments, PIA per AI tool, acceptable use policies, Canada AI Directive alignment, all available in the AI Registry module.
Controls covered: Full 2023 Standard
PCI-DSS v4.0
Payment Card Industry Data Security Standard
12 requirements, 250+ sub-controls. CDE scoping, network segmentation evidence, quarterly scan tracking, SAQ completion workflows, and P2PE evidence, audit-ready in weeks, not months.
Controls covered: v4.0 Full
Forms Store

Every form your framework
actually requires.

280+ compliance forms, not generic templates. Each form resolves a specific control in a specific framework. Built by compliance experts who've been through real audits. Available as standalone purchases or included with your plan.

SOC 2 TYPE II

SOC 2 requires proof that your security controls actually work over a 6–12 month period. These are the forms auditors look for, in the order you complete them.

STEP 01
Scope Definition
System Description Form · Trust Services Criteria Selection
STEP 02
Risk Assessment
Risk Register · Threat Inventory · Risk Scoring Matrix
STEP 03
Policy Pack
Access Control · Encryption · Incident Response · Vendor Risk
STEP 04
Evidence Collection
Control Testing Log · MFA Evidence · Access Review Records
STEP 05
Audit Package
Management Assertion · SOC 2 Report Template · Auditor Brief
📋
$29/form
SOC 2 Risk Assessment & Register
Structured risk identification matrix covering all 5 Trust Service Criteria. Includes threat catalogue, likelihood/impact scoring, and remediation owner tracking. Satisfies CC3.1–CC3.4.
CC3.1 · CC3.2 · CC3.3 · CC3.4
🔐
$29/form
Access Control Review Log
Quarterly access review record for all system users. Tracks who has access to what, last review date, and changes made. Satisfies CC6.1, CC6.2, CC6.3 for both Type I and Type II.
CC6.1 · CC6.2 · CC6.3
🔒
$39/form
Vendor Due Diligence Questionnaire
Third-party vendor security assessment aligned to CC9.2. Covers data handling, security certifications, incident history, subprocessor chain, and contractual requirements.
CC9.2 · Vendor Risk
🚨
$29/form
Incident Response Log & Report
Structured incident record that captures detection, containment, root cause, and resolution. Maps to CC7.3, CC7.4, CC7.5. Used as evidence for both SOC 2 and ISO 27001 simultaneously.
CC7.3 · CC7.4 · CC7.5
📊
$49/bundle
Change Management Evidence Pack
Complete change management evidence kit: change request form, approval workflow record, pre/post testing evidence, and rollback plan. Satisfies CC8.1 for Type II audits.
CC8.1 · Change Mgmt
🛡️
$39/form
Penetration Test Evidence Summary
Structured form for documenting pen test scope, provider credentials, critical findings, and remediation status. Required evidence for CC7.1 and CC7.2 in Type II reports.
CC7.1 · CC7.2 · PenTest
HIPAA Security Rule

HIPAA requires Covered Entities and Business Associates to implement and document specific administrative, physical, and technical safeguards. Here's the required documentation path.

STEP 01
Risk Analysis
§164.308(a)(1) Annual Risk Analysis · PHI Inventory
STEP 02
Safeguards
Administrative · Physical · Technical Safeguard Checklists
STEP 03
Workforce
Training Records · Sanction Policy · Workforce Access Log
STEP 04
BAA Register
Business Associate Agreement Tracker · Vendor PHI Inventory
STEP 05
Breach Protocol
Breach Assessment Form · OCR Notification Template
⚕️
$49/form
HIPAA Annual Risk Analysis
Required by §164.308(a)(1). Comprehensive PHI inventory, threat-vulnerability analysis, impact ratings, and remediation plan. The single most-cited missing document in HIPAA audits.
§164.308(a)(1) · Required
📝
$39/form
Business Associate Agreement (BAA)
HIPAA-compliant BAA template aligned to §164.314. Covers PHI handling, breach notification, subcontractor requirements, and termination provisions. Reviewed by healthcare privacy counsel.
§164.314 · BAA Required
👥
$29/form
Workforce HIPAA Training Record
§164.308(a)(5) requires documented workforce training. This form captures training date, topics covered, trainer identity, and employee acknowledgment, audit-ready per OCR standards.
§164.308(a)(5) · Training
🏥
$59/bundle
Physical Safeguards Checklist Bundle
§164.310 compliance package: facility access controls, workstation use policy, device and media controls. Three forms covering all Physical Safeguard standards in one bundle.
§164.310 · Physical
🚨
$49/form
HIPAA Breach Assessment & Notification
Four-factor breach risk assessment matrix (§164.402), affected individual notification letter, HHS OCR report form, and media notification template. Complete §164.410 compliance.
§164.402 · §164.410 · Breach
📋
$39/form
HIPAA Sanction Policy & Violation Log
Required by §164.308(a)(1)(ii)(C). Documents disciplinary actions for policy violations. Satisfies OCR requirements for workforce accountability (often missing from first audits).
§164.308(a)(1) · Sanctions
ISO 27001:2022

ISO 27001 certification requires a documented Information Security Management System (ISMS). These are the key documents your certification body will review, in sequence.

STEP 01
ISMS Scope
Scope Document · Context of Organization (Clause 4)
STEP 02
Risk Register
Information Security Risk Register · Asset Inventory
STEP 03
SoA
Statement of Applicability (93 Controls) · Exclusion Justification
STEP 04
Internal Audit
Internal Audit Checklist · Nonconformity Register · CAPA Form
STEP 05
Mgmt Review
Management Review Record · Continual Improvement Log
📜
$59/form
Statement of Applicability (SoA)
Pre-populated SoA covering all 93 ISO 27001:2022 Annex A controls with justification fields, implementation status, and evidence reference columns. The document certification bodies review most carefully.
Clause 6.1.3 · 93 Controls · Required
⚠️
$49/form
Information Security Risk Register
Clause 6.1.2 risk assessment and 6.1.3 risk treatment register. Asset-based risk identification, CIA impact scoring, treatment options, and residual risk acceptance records. ISO/IEC 27005 aligned.
Clause 6.1.2 · Clause 6.1.3
🔍
$49/form
Internal Audit Checklist & Report
Clause 9.2 internal audit evidence: audit plan, scope, findings log, nonconformity grading (major/minor/observation), and corrective action tracking. Required for Stage 1 and Stage 2 audits.
Clause 9.2 · Internal Audit
🏢
$39/form
Management Review Meeting Record
Clause 9.3 management review minutes template. Covers ISMS performance, risk status, audit results, incidents, and continual improvement decisions. Required annually for certification maintenance.
Clause 9.3 · Annual
🗂️
$29/form
Asset Inventory & Classification Register
Annex A.5.9 and A.5.10. Information asset register with owner, classification (Public / Internal / Confidential / Restricted), handling rules, and disposal procedures.
A.5.9 · A.5.10 · Asset Mgmt
📊
$79/bundle
Full ISMS Starter Pack
Everything for your first ISO 27001 audit: Scope document, Information Security Policy, Risk Register, SoA, Internal Audit checklist, and Management Review record. 6 forms, one price.
6 Forms · Stage 1 Ready · Best Value
GDPR

GDPR compliance is built on documented accountability. These forms demonstrate to supervisory authorities that you understand your obligations and have implemented them systematically.

STEP 01
Lawful Basis
Processing Activity Register (ROPA) · Lawful Basis Assessment
STEP 02
DPIA
Data Protection Impact Assessment · High-Risk Processing Register
STEP 03
Data Subjects
DSAR Response Process · Consent Management Record
STEP 04
Third Parties
Data Processing Agreements · Transfer Mechanism Record
STEP 05
Breach
72h Supervisory Authority Notification · Breach Log
📖
$59/form
Record of Processing Activities (ROPA)
Article 30 compliant ROPA covering all processing activities: purpose, lawful basis, data categories, retention periods, and transfers. Required for all controllers and processors with 250+ staff.
Art. 30 · Required · Controller
🔎
$49/form
Data Protection Impact Assessment (DPIA)
Article 35 DPIA template for high-risk processing. Covers necessity, proportionality, risk identification, and mitigation measures. Required before launching new products that process sensitive data.
Art. 35 · High-Risk
📩
$39/form
Data Subject Access Request (DSAR) Pack
End-to-end DSAR workflow: intake form, identity verification procedure, 30-day response tracker, and response letter templates for all data subject rights (access, erasure, portability, objection).
Art. 15–22 · DSAR
🤝
$49/form
Data Processing Agreement (DPA)
Article 28 compliant DPA template covering processor obligations, security measures, subprocessor restrictions, audit rights, and data return/deletion upon termination. Reviewed by EU privacy counsel.
Art. 28 · Processor
🌍
$59/form
International Transfer Mechanism Record
Documents your legal transfer mechanism for data leaving the EEA: Standard Contractual Clauses (SCCs), adequacy decision reliance, or BCRs. Required since Schrems II for every international transfer.
Art. 46 · SCCs · Transfer
🚨
$39/form
72h Supervisory Authority Breach Notification
Article 33 breach notification form pre-formatted for major EU supervisory authorities (CNIL, ICO, BfDI). Includes risk assessment scoring and a communication log for the 72-hour window.
Art. 33 · 72h Window · Breach
LOI 25 / LAW 25

Quebec's Law 25 is Canada's strictest provincial privacy law. It applies to any organization that collects personal information about Quebec residents, including those outside Quebec. All forms available in English and French.

ÉTAPE 01
Privacy Officer
Privacy Officer Appointment · Public Registry Entry
ÉTAPE 02
PIA (EFVP)
Privacy Impact Assessment · AI Decision-Making Disclosure
ÉTAPE 03
Consent
Consent Collection Forms · Minor Consent Protocols
ÉTAPE 04
Transfers
Cross-Border Transfer EFVP · Confidentiality Agreement
ÉTAPE 05
Incident CAI
CAI Incident Notification Form (72h) · Register Entry
👤
$29/form
Privacy Officer Appointment & Registry / Désignation du RPP
Required internal and public designation of your Privacy Officer (responsable de la protection des renseignements personnels). Includes CAI public registry submission form. Bilingual FR/EN.
§3.1 QL25 · Bilingual · Required
🔎
$59/form
Évaluation des facteurs relatifs à la vie privée (EFVP / PIA)
Quebec EFVP template for projects involving personal information, required before any technology project, AI system, or cross-border transfer. Bilingual. Includes AI disclosure section per §12.
§3.3 QL25 · AI §12 · EFVP
🚨
$39/form
CAI Incident Notification — 72h / Avis d'incident à la CAI
Required notification to the Commission d'accès à l'information within 72 hours of a confidentiality incident. Pre-formatted per CAI requirements. Includes affected-person notification template.
§63.1 QL25 · 72h Window
🌐
$49/form
Cross-Border Transfer Agreement / Accord de communication hors-Québec
Satisfies Law 25 §17 requirements for transferring personal information outside Quebec. Includes EFVP prerequisite checklist and contractual protection clauses. Required for any US/EU data transfers.
§17 QL25 · Cross-Border
PHIPA — Ontario

PHIPA governs personal health information in Ontario. It applies to health information custodians: hospitals, clinics, pharmacies, labs, and their agents. These are the documents your Privacy Officer needs.

STEP 01
Privacy Officer
PHO Appointment · Agent Authorization Records
STEP 02
Policies
PHI Collection Policy · Access & Correction Procedure
STEP 03
Consent
Patient Consent Form · Express/Implied Consent Log
STEP 04
Breach Report
IPC Breach Notification Form · Individual Notification
STEP 05
TPAs & Agents
Third Party Authorization · Agent Agreements
🏥
$49/form
PHIPA Privacy Breach Report — IPC
Ontario IPC-formatted breach notification for privacy breaches involving personal health information. Includes risk-of-harm analysis, affected individual notification template, and corrective action record.
§12.2 PHIPA · IPC Required
📋
$39/form
Agent Agreement & Authorization Record
PHIPA §2 "agent" authorization documenting who can access PHI on behalf of a custodian, under what conditions, and for what purposes. Required for every staff member and contractor accessing PHI.
§2 PHIPA · Agents
🔏
$59/bundle
PHIPA Privacy Policy Bundle
Three-policy bundle: PHI Collection & Use Policy, Individual Access & Correction Procedure, and Retention & Disposal Policy, the three documents the Ontario IPC expects every custodian to have in place.
§29–54 PHIPA · 3-Policy Bundle
PCI-DSS v4.0

PCI-DSS v4.0 (effective March 2024) requires organizations handling payment card data to document controls across 12 requirements. Start with scoping, as it determines everything else.

STEP 01
CDE Scoping
Cardholder Data Environment Map · Network Segmentation Evidence
STEP 02
SAQ Selection
SAQ Eligibility Assessment · SAQ A / SAQ D Completion
STEP 03
Controls
12 Requirement Checklists · Control Testing Evidence
STEP 04
Scanning
Quarterly ASV Scan Results · Penetration Test Evidence
STEP 05
AOC / ROC
Attestation of Compliance · QSA Report Pack
💳
$59/form
CDE Scoping & Network Segmentation Evidence
Documents your Cardholder Data Environment scope and network segmentation controls. Includes data flow diagram template, segmentation test results, and scope reduction attestation, required for PCI v4.0.
Req 1 · Req 4 · Scoping
📊
$49/form
Quarterly Vulnerability Scan Log
Requirement 11.3 quarterly ASV scan tracking form. Records scan dates, provider, findings, remediation status, and rescan results. Formatted for QSA review and annual AOC preparation.
Req 11.3 · ASV Scans
📝
$79/bundle
PCI v4.0 Policy Bundle (12 Policies)
All 12 PCI-DSS policy templates updated for v4.0: network security, account data protection, vulnerability management, access control, monitoring, information security policy, and more.
All 12 Req · v4.0 · Best Value
ISO 42001

ISO 42001 is the world's first AI Management System Standard (2023). It's becoming required for enterprise AI deployments and aligns with Canada's AI Directive and the EU AI Act. These forms establish your AIMS.

STEP 01
AI Register
AI System Inventory · Use Case Classification
STEP 02
Risk Assessment
Algorithmic Impact Assessment (AIA) · Bias Risk Register
STEP 03
Governance
AI Acceptable Use Policy · Human Oversight Procedures
STEP 04
EU AI Act
Risk Classification Matrix · High-Risk Technical Documentation
STEP 05
Monitoring
Post-Deployment Monitoring Log · Incident Reporting
🤖
$59/form
AI System Registry & Risk Classification
Catalog every AI system your organization uses with use-case classification, data inputs, outputs, decision impact, and risk level. Cross-maps to ISO 42001 Clause 6, EU AI Act risk tiers, and Canada's AIDA.
Clause 6.1 · EU AI Act · AIDA
⚖️
$69/form
Algorithmic Impact Assessment (AIA)
In-depth assessment for automated decision-making systems. Covers bias testing methodology, protected-characteristic impact analysis, human review override procedures, and appeal mechanism documentation.
Clause 8.4 · AIA · Bias
📋
$49/form
AI Acceptable Use Policy
Organization-wide policy governing employee use of AI tools. Covers approved tools, prohibited uses, PHI/PII restrictions, disclosure obligations, and accountability chain. Satisfies ISO 42001, GDPR, and HIPAA AI requirements.
ISO 42001 · GDPR · HIPAA

All forms included in Professional and Enterprise plans · Individual purchase available

Expert Network

Platform-native consultants.
No handoff cost.

Stuck on a control? Every Auxlo-certified consultant works inside your account. They see your exact gap analysis, your evidence vault, your pending forms. No onboarding, no knowledge transfer, no extra charge for the integration.

HOW THE MARKETPLACE WORKS
1. Your Auxlo account shows your gaps. You add a consultant from the marketplace with one click.
2. The consultant opens your workspace and sees your compliance posture, evidence, and what's blocking you. No briefing meeting needed.
3. They work inside Auxlo, uploading evidence, completing forms, and filling your gaps using the same tools you use. You review and approve.
4. Billing flows through Auxlo. You see exactly what was done, what evidence was added, and what it cost, all in one place.
Sophie Moreau
CIPP/C · CISSP · Montréal, QC
SOC 2 · ISO 27001 · Law 25 · GDPR
AUXLO STAFF

12 years in privacy and security compliance. Leads Auxlo's Quebec compliance practice. Former Privacy Commissioner advisor. Has guided 40+ organizations through Law 25 implementation, including the first Quebec AI EFVP ever submitted to the CAI.

Law 25 full implementation (FR/EN bilingual)
GDPR cross-border transfer mechanism design
SOC 2 Type II audit readiness program
From $220/hr · Fixed-scope packages available
James Rutherford
CHPC · RHIA · Toronto, ON
HIPAA · PHIPA · HITRUST · SOC 2
CERTIFIED PARTNER

Healthcare privacy specialist with 15 years in hospital and health-tech environments. Former Privacy Officer at a 3,000-bed Ontario health system. Specializes in PHIPA and HIPAA compliance for digital health startups entering the US market.

HIPAA Security Rule gap assessment + remediation
PHIPA Privacy Officer setup and agent authorization
BAA negotiation and vendor PHI inventory
From $275/hr · HIPAA starter pack $2,200
Priya Kalyanaraman
CISM · ISO 27001 Lead Auditor · Ottawa, ON
ISO 27001 · ISO 42001 · EU AI Act · NIST AI
CERTIFIED PARTNER

AI governance and information security specialist. Led ISO 27001 certification programs at two federal government agencies. Canada's first ISO 42001 Lead Implementer. Advisor to the Treasury Board on AI governance frameworks for public sector organizations.

ISO 42001 AI Management System implementation
EU AI Act risk classification and conformity
ISO 27001 Stage 1 and Stage 2 audit preparation
From $290/hr · ISO 27001 readiness from $3,500
Do it yourself
Auxlo guides you, step by step.
Every framework is broken into numbered steps with plain-English instructions and pre-filled forms. Most startup founders complete their first SOC 2 readiness assessment without a consultant.
Do it with an expert
Add a consultant to your workspace.
No knowledge transfer, no briefing sessions. Your consultant sees your exact compliance state and starts working in Auxlo on day one. Billed through the platform at a price below the traditional consulting market.
Data Architecture

Your data stays
in Canada.
Your markets don't.

Built on Canadian infrastructure by default. When you're ready to serve US or European customers, Auxlo handles the compliance bridge. You don't move data; you add a compliance layer.

🇨🇦
Canada-first by default
All Auxlo data stored in AWS ca-central-1 (Montréal). No data leaves Canadian borders without your explicit configuration. Compliant with PIPEDA, PHIPA, and Law 25 data residency requirements.
🇺🇸
Serve US customers without data migration
HIPAA compliance doesn't require US data residency. Auxlo helps you implement the BAAs, access controls, and audit logs that satisfy HIPAA regardless of where your infrastructure is hosted.
🇪🇺
EU customers: compliance, not migration
GDPR doesn't mandate EU data storage; it mandates adequate protection. Auxlo generates Standard Contractual Clauses (SCCs), Transfer Impact Assessments, and Article 46 documentation that satisfy GDPR from Canadian infrastructure.
🔒
Zero foreign government access
Auxlo is incorporated in Canada with no US CLOUD Act exposure. Your clients' data is never subject to US government disclosure orders, a key requirement for Canadian public sector and healthcare contracts.
Diagram: CANADA (ca-central-1, PRIMARY · LIVE) → USA (HIPAA Bridge, COMPLIANCE LAYER) → EUROPE (GDPR / SCCs, SCC BRIDGE). 🔏 LAW 25 · PHIPA · PIPEDA. DATA NEVER LEAVES CANADA · COMPLIANCE DOES.
Why Auxlo

More coverage.
Better price.
Human backup.

The leading GRC platforms were built for enterprise security teams with $50K budgets. Auxlo was built for the startup founder, the growing healthtech, and the Canadian organization that nobody else built for.

Typical Enterprise Platform ($15K–$50K/yr) | Auxlo™ (From $299/mo)
~ SOC 2 and ISO 27001 (US-focused) | SOC 2, ISO 27001 + 10 more frameworks
PHIPA and Quebec Law 25 support | PHIPA, PIPEDA, Law 25: built from day one
ISO 42001 / EU AI Act built in | ISO 42001 + EU AI Act native module
Bilingual (French/English) Quebec compliance | Every Quebec form in FR + EN simultaneously
Integrated consultant marketplace | Auxlo staff + vetted partner consultants
~ Plain-English step-by-step guidance | Numbered steps in plain language, every framework
Canadian data residency by default | Canadian data residency (ca-central-1) default
Framework-specific forms store | 280+ forms, framework-specific, audit-ready
~ Cross-framework evidence deduplication | One upload satisfies all applicable frameworks
Affordable for startups (under $500/mo) | Free plan + Professional from $299/mo
01 —
Built for Canadian organizations, not adapted for them
PHIPA, PIPEDA, and Law 25 are first-class citizens in Auxlo, not add-ons or future roadmap items. We built the platform for the Canadian regulatory reality first, then added the global frameworks around it.
02 —
The only platform where your consultant works inside your account
Every other platform and every independent consultant means two different systems, a knowledge transfer meeting, and duplicated work. Auxlo's consultant marketplace means they open your workspace and start. No briefing required.
03 —
Compliance that makes sense to a CEO, not just a CISO
We translate every control requirement into plain language before we ask you to act on it. "SOC 2 CC6.1 — Logical Access Controls" becomes "Prove that only the right people can log in to your systems, and that you check this quarterly." Every step. Every framework.
Pricing

Startup-accessible.
Enterprise-grade.

Compliance shouldn't be a competitive disadvantage for organizations that can't afford a $40K/year enterprise GRC platform. Auxlo's Professional plan covers more frameworks at a fraction of the price, and includes human experts when you need them.

For early-stage
Starter
$0/mo forever
Full platform access. Real compliance tools, not a demo. No credit card required.
1 active framework
Compass gap analysis
10 policy templates
Evidence Vault (5GB)
20 forms from the store
Canadian data residency
Community support
No credit card · Forever free
For teams & healthcare
Enterprise
Custom
Multi-workspace. Dedicated Auxlo consultant. Custom frameworks. SLA-backed support.
Everything in Professional
Multi-workspace (subsidiaries)
Dedicated Auxlo consultant
Custom framework builder
SSO / SAML / SCIM
Custom integrations (API)
Priority support (1h SLA)
Annual audit readiness review
Data processing agreement
Volume discounts · Healthcare pricing available
In their words

Organizations that chose
the clearer path.

We were six months from our first enterprise deal and our prospect sent a 200-question SIG. Questionnaire Shield drafted 180 of those answers from our evidence vault in under two hours. We closed the deal.

Marcus Kirby
CTO · Health-tech SaaS · Toronto
SOC 2 TYPE II · HIPAA · PHIPA

I'm a founder, not a CISO. I didn't know what "CC6.6" meant. Auxlo told me it means "prove only the right people log in." I completed our SOC 2 readiness assessment in three weeks, without hiring a consultant.

Amara Ly
CEO & Co-Founder · FinTech · Montréal
SOC 2 TYPE I · ISO 27001 · Law 25

We serve Ontario hospitals and need PHIPA, but we're expanding to the US. Auxlo's consultant connected to our workspace and had our HIPAA BAA register and PHIPA agent authorizations done in two weeks. No briefing meeting.

Rania Chalhoub
VP Operations · Digital Health · Ottawa
HIPAA · PHIPA · SOC 2
Get started today

Compliance that actually
covers everything.

No gaps. No skipped frameworks. No surprise findings. No $40,000 annual invoice. Start free and get your first gap analysis in under an hour.

NO CREDIT CARD · CANADIAN DATA RESIDENCY · CANCEL ANYTIME