Solutions

Nine solutions.
One engine underneath every one.

Each of these looks like a product a competitor would sell you separately, with its own licence and its own database. Here they are the same engine with different rows, sharing one graph, one audit chain, and one place to configure them.

01 · Audit

An engagement, end to end, on one record.

Planning, fieldwork, tests, samples, exceptions, reporting. The test carries its source, its sample size, the exceptions found and the rate. Last year's engagement and last year's issue carry forward, so a recurring finding is flagged as recurring, not rediscovered.

The opinion is a defined choice, not free text someone can fudge.

Recordengagement, planning to closed
Holdstests, samples, exceptions, rate
Remembersprevious engagement, previous issue
Flagsrecurrence, automatically
02 · Risk

A register that knows what it touches.

A risk is a node, not a spreadsheet row. It knows the controls that mitigate it, the entities it sits in, and the obligations it threatens, because those are edges in the graph. Score it from its own fields, and the residual updates when a control changes.

Risk lives on the record, wherever the record is.

Isa node with edges
Knowsits controls, entities, obligations
Scoresinherent, control, residual
Updateswhen the graph around it moves
03 · Policy

Policies that know why they exist.

A policy traces back to the citation and the regulation that require it, and forward to the controls that implement it. When a regulation changes, you can see every policy it touches. When an auditor asks why a policy exists, the answer is a path, not a memory.

Back tocitation, regulation
Forward tocontrols, evidence
On changesee everything affected
04 · Controls

Map a control once. Report it everywhere.

A common control framework sits at the centre. Map a control to it once, and every framework you report against, ISO, NIST, CIS, reuses that mapping. Test the control once, and the result satisfies every obligation that leans on it. No more testing the same thing five times for five reports.

Maponce, to the common framework
Reuseacross ISO, NIST, CIS
Testonce, satisfy many
05 · Compliance

Obligations tied to what discharges them.

Obligations by jurisdiction and sector, each linked to the controls that satisfy it. Filter to the profile that matches you, listed or not, by region, by industry, and see exactly which obligations apply and which controls answer them. Coverage is a query, not a quarterly panic.

Byjurisdiction, sector, listed status
Tied tothe controls that discharge them
Coverageis a query, run any time
06 · Vendor risk

Third parties, on an audit-grade record.

Vendor reviews with tiering, cadence and a named owner, on the same record shape as an audit test. A tier-one vendor review is not a different tool, it is the same engine with a vendor at the centre and a review cycle around it. Overdue is a state the platform knows, not a reminder someone forgot to set.

Carriestier, cadence, owner
Same asan audit-grade test record
Knowswhen a review is overdue
07 · Issues

A repeat finding, visible as a repeat.

Findings, remediation, owners and due dates. An issue can point to the issue it followed, so the third time a control fails, that is on the record, not in someone's memory. Carry-forward is a link in the graph, which means "this keeps happening" is a fact you can query.

Tracksfinding, remediation, owner, due
Linksto the issue it followed
Showsrecurrence as a fact
08 · Evidence

Proof attached to what it proves.

Evidence lives on the control it supports, not in a shared drive nobody trusts. And because the deterministic layer watches it, the day a piece of evidence goes stale, a source that moved, a document that expired, that is flagged before an auditor finds it first.

Attached tothe control it proves
Watched bythe deterministic floor
Flagsthe day it goes stale
09 · Regulatory submissions

Deadlines that carry their source.

A filing deadline is only as good as where it came from. Each one in Amzaa carries the regulator page it was read from and the line the date appeared on. A human verifies it once. Then, with the AI switched off, the platform keeps re-reading that page and tells you the day the deadline changes or the source disappears.

When the agent cannot find a dated filing, it proposes nothing rather than guess.

Carriessource URL, exact line
Verifiedby a human, once
Re-readwith the AI off
On emptyproposes nothing
And the tenth

The one you need next is a configuration, not a purchase.

Everything above was built in the same wizard, on the same engine, with no new code. The solution that fits your organisation and no one else's is built the same way.

Bring us the tenth