OSSeva Assure

Your CISO signs. Your auditor accepts.

OSSeva Patch plus an architectural and compliance layer: annual configuration audits, upgrade planning, and documentation designed to pass SOC 2, HIPAA, PCI, and ISO 27001 without revision.

What's included

  • Everything in OSSeva Patch
  • Annual configuration & architecture audit
  • Version upgrade planning & migration roadmap
  • SOC 2 Type II attestation package
  • HIPAA technical safeguard matrix
  • PCI DSS evidence package
  • ISO 27001 control mapping
  • FedRAMP-aligned documentation
  • Pen-test validation summary
  • Named architecture consultant
  • Reference architecture for your deployment
  • Dependency compatibility audit

Compliance frameworks covered

SOC 2 Type II

Service organization control report for security, availability, and confidentiality.

HIPAA

Technical safeguard mapping for covered entities and business associates.

PCI DSS

Evidence package for Requirement 6 (secure systems) and Requirement 11 (testing).

ISO 27001

Control mapping to Annex A for vulnerability management and patch processes.

FedRAMP-aligned

Documentation aligned to NIST 800-53 controls for federal agency use.

Frequently asked questions

What compliance frameworks does OSSeva Assure cover?

OSSeva Assure compliance documentation covers: SOC 2 Type II (Trust Services Criteria CC6, CC7, CC8), PCI DSS v4.0 (Requirements 6.3 and 12.3), HIPAA Security Rule (§164.312 Technical Safeguards), ISO 27001:2022 (Annex A.8 Technological Controls), EU DORA (ICT risk management requirements for financial entities), and FedRAMP Moderate (AC, SI, and SA control families). Documentation is reviewed annually and updated at each major patch release.

What does an OSSeva compliance attestation letter contain?

An OSSeva attestation letter includes: the technology and version covered, the CVEs addressed in the current patch cycle with CVSS scores, the patch delivery date and build identifier, OSSeva's assertion that the patched build has been tested for the applicable CVEs, a statement of ongoing patch commitment for the engagement period, and an OSSeva compliance team signature. It is designed to be provided directly to auditors as third-party assurance evidence.

Does OSSeva Assure include an architectural review?

Yes. OSSeva Assure engagements begin with a deployment architecture review that identifies configuration-level security gaps — for example, RabbitMQ management ports exposed to broad network segments, PostgreSQL roles with excessive privilege, or Kafka inter-broker communication without TLS. Findings are documented with remediation recommendations. The review is repeated annually and on major configuration changes.

Our auditors require a vendor SOC 2 report. Does OSSeva have one?

OSSeva's SOC 2 Type II report is available under NDA for qualified prospects and active customers. The report covers OSSeva's patch development, build, and delivery pipeline. Contact your account representative or reach out via the discovery call process to request a copy.

Get your compliance documentation ready this quarter.

Start with a discovery call. We confirm your frameworks, scope the evidence package, and deliver audit-ready documentation within 60 days.