Compliance
Mappings between OrbitalReg features and external compliance frameworks. Use these pages during procurement, internal audit, and Statement-of-Applicability drafting to short-cut the "what does the product do?" conversation with security teams.
Available mappings
- License tiers (Free vs Commercial) — which features stay entitled after a trial lapses (Security + Core Hosting) and which require a commercial envelope (Premium integrations + Migration importers). Forward this page to procurement teams asking "what happens after the trial?" — the short answer is security never lapses.
- ISO/IEC 27001:2022 Annex A controls — all 93 controls with per-control status (Implemented / Configurable / Customer-side), feature reference, and evidence pointer.
- SOC 2 Trust-Service-Criteria — twelve TSCs the built-in SOC 2 Evidence-Engine answers out of the box, with the matching orbital compliance soc2-report CLI workflow and a copy-pasteable system-description matrix.
How to use these pages
- Procurement: forward the relevant page to the requesting security team. Each control row is self-contained — no need to read the page top-to-bottom.
- Statement-of-Applicability: copy the per-control rows into your SoA spreadsheet; the Status column maps directly to the inclusion-justification cell. The ISO 27001 page ships an SoA template starter near the bottom.
- Audit evidence collection: each control cites either an admin URL, an API endpoint, a runbook, or a source-tree path. Have the auditor reproduce the assertion from the citation rather than take this page at its word.
Scope
These mappings describe the technical and operational controls OrbitalReg ships. They do not cover the management-system clauses that sit with your organisation (governance, risk-treatment plans, internal audit programmes, leadership review). Certification is granted by an accredited body against your ISMS, not against OrbitalReg.