Audit-ready from the first commit.
The Compliance edition wires the technical controls an auditor asks for — tenant isolation, immutable evidence, and a tamper-evident log — in before your first customer, tested in CI. You start fail-closed, then prove it on demand.
$ psql -c "select * from invoices"
ERROR: permission denied for table invoices
DETAIL: RLS policy "tenant_isolation" forbids SELECT with no app.tenant_id set — fail-closed by default.
Compliance prevention at the application layer.
A scanner is a smoke detector. Caisson is the fail-closed construction — prevention wired in before the fire, not after. Each control below ships with a live artifact you can read, run, and hand to an auditor.
SOC 2 from scratch runs $80k and 6–9 months. Retrofitting RLS, WORM, and an audit chain into a live multi-tenant database is months more — a migration with customer data on the line.
Both, wired on day one. Once tenants share rows in production, isolation becomes a backfill you cannot fully trust. As a default, it is just how the schema is built.
Five technical controls, each with its proof.
No diagrams standing in for behaviour. The artifact carries the claim, and each control names the framework clause it satisfies.
Every tenant table enables AND forces row-level security, so the policy binds the owner too — no privileged path around it. A query that never set the tenant context returns nothing, not everything.

SELECT count(*) FROM invoices; → ERROR: app.tenant_id not set

Evidence buckets ship with S3 Object Lock in COMPLIANCE mode and a default retention. Inside the window an object cannot be overwritten or deleted — not by a bug, not by an operator, not by a leaked root key.

delete-object → AccessDenied: WORM-protected until 2033-06-27Z

Each audit row commits SHA-256 over the previous hash plus its own payload. Tampering with any historical row breaks every link after it — and the break is detectable, provable, and exportable for an auditor.
caisson audit verify → 41984 rows · 0 breaks · root 2c9f…b7

Sensitive columns are sealed with a data key derived per tenant from a root KMS key via HKDF-SHA256. A leaked tenant key exposes one tenant, never the table; rotating the root re-derives every key with no re-encrypt scan.
hkdf(rootKey, tenantId) → DEK·A cannot open DEK·B ciphertext

The evidence-pack generator collects the live RLS policies, the WORM retention config, and an audit-chain proof, maps them to named controls, and writes a dated bundle. The evidence comes from the system that enforces it — not a spreadsheet.

soc2-evidence-2026-06-28/: rls-policies.json · worm-retention.json · audit-chain-proof.json

Caisson ships the controls. Your auditor signs the certificate.
Compliance is trust, so the line is drawn plainly: Caisson covers the technical half and generates the evidence. It does not — and cannot — make you certified.
Caisson covers:
- The technical access and integrity controls, in code.
- A dated evidence pack mapped to named SOC 2 / HIPAA controls.
- A tamper-evident audit chain you can replay and export.

Stays with you:
- Administrative controls — HR, vendor management, incident response.
- The audit engagement and the certification itself.
- The scope decision: Caisson ships the controls CC6.x / CC7.2 require, not a compliance verdict.
What a security review asks first.
Does Caisson make us SOC 2 or HIPAA certified?
No. Caisson ships the technical controls those frameworks require and generates the evidence to prove them. Certification comes from an auditor assessing your whole program — the organizational controls (HR, vendor, incident response) and the audit itself remain yours.
Which controls does Caisson actually cover?
The technical access and integrity controls: fail-closed RLS (SOC 2 CC6.1, HIPAA §164.312(a)(1)), WORM-retained evidence, an append-only audit chain, and per-tenant field encryption. It does not cover administrative, physical, or policy controls — those stay with you.
Can I retrofit this into an existing database?
You can, but it is the expensive path. Backfilling RLS, WORM, and an audit chain into a live multi-tenant database runs $80k and 6–9 months of migration with customer data on the line. Caisson wires them in on day one, before tenants ever share rows.
How does the evidence pack work?
One command collects the live RLS policies, the WORM retention config, and an audit-chain proof, maps them to named controls, and writes a dated bundle. The evidence is read out of the running system, not transcribed into a screenshot or a spreadsheet.
Do I own the source?
Yes. The one-time Compliance license is perpetual — you own the source for the base, the four controls, and the evidence-pack generator. Compliance Updates is an optional subscription that tracks framework drift so the control mappings stay current.
Own the source, or track the frameworks.
Own the Compliance edition outright — the base, the five controls, and the evidence-pack generator. Regulations don't hold still, so an optional Compliance Updates subscription keeps the control mappings current as SOC 2 / HIPAA guidance moves.
Start fail-closed.
$ npx create-caisson@latest
✓ scaffold complete
✓ tenancy-rls: fail-closed
✓ standards gate: passing