AuditProven Shield™
Product Overview
AuditProven Shield is a compliance documentation engine that transforms your existing policy documents into complete, audit-ready compliance packages. It does not generate content from a language model. It maps your actual policies to regulatory requirements using a deterministic pipeline, identifies what is covered and what is missing, and produces reports where every claim is cryptographically linked to its source.
What Makes Shield Different
Most compliance tools ask you to fill in questionnaires or manually tag your policies. Shield reads your documents directly. It understands the difference between an obligation ("employees must use MFA"), a control statement ("the company implements RBAC"), and an evidence reference ("as documented in the audit log"). It classifies each statement into the correct compliance domain, maps it to specific framework requirements, and generates professional prose that an auditor can verify.
The difference that matters: when an auditor asks where a control description came from, you do not point to a chatbot. You point to a Merkle proof that resolves to a specific section of a specific document.
The Shield Pipeline
The pipeline executes eight stages in strict sequence. Each stage is deterministic — the same input always produces the same output.
Stage 1: Document Parsing
Your uploaded PDF, DOCX, or text files are parsed into structured sections. Each section preserves its heading hierarchy, page number, character offsets, and a SHA-256 hash of its content. This hash is the first link in the provenance chain.
Stage 2: Statement Extraction
Each section is split into sentences. Every sentence is classified by its compliance function: obligations (shall, must, should, may), control descriptions (we implement, the company maintains), evidence references (as documented in, per the audit log), or narrative context. Modal verb strength is recorded — the difference between "must" and "should" carries legal weight.
Stage 3: Domain Classification
Each extracted statement is classified into one of twenty compliance domains — access control, encryption, incident response, change management, and sixteen others. Classification uses TF-IDF cosine similarity against the compliance knowledge graph, boosted by domain-specific keyword matching.
Stage 4: Requirement Mapping
Classified statements are matched to specific framework requirements. If you selected SOC 2, your access control policy is matched to CC6.1 (Logical and Physical Access Controls). If you selected ISO 27001, the same policy maps to A.8 (Technological Controls). Confidence scoring distinguishes high-confidence matches from weak ones.
Stage 5: Gap Analysis
Every framework requirement that has no matching policy statement is flagged as a gap. Requirements with only low-confidence matches are flagged as weak. Controls with no evidence references are flagged as needing evidence. Each gap receives a risk score based on how many downstream controls depend on it — a gap in access control propagates risk to encryption, monitoring, and vendor management.
Stage 6: Narrative Generation
For each addressed requirement, Shield generates a control narrative using template-based composition with strict usage caps. Each template is used at most twice per report section to prevent stock-phrase repetition. Every generated sentence passes a garble detection gate that catches eleven known broken-syntax patterns. If all templates for a category are exhausted, a plain-but-grammatical fallback sentence is used instead of silently dropping the requirement.
Stage 7: Evidence Linking
Evidence reference statements from Stage 2 are matched to their corresponding controls, building an evidence matrix that maps each requirement to its control description and supporting documentation.
Stage 8: Report Composition
The final report assembles ten sections: cover page, table of contents, executive summary, scope and methodology, control narratives ordered by framework structure, gap analysis with priority ranking, evidence matrix, risk assessment, remediation plan, and a provenance appendix containing the Merkle root and all provenance records.
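Stages 1 and 8 together form the provenance chain described above: a SHA-256 hash per parsed section as the leaves, a Merkle root published in the appendix, and a proof that lets an auditor resolve one claim to one section. The Python below is an added illustration of how such a chain is built and checked; it is not Shield's code. The sample sections, the fields folded into each leaf hash, and the leaf/node prefix bytes are assumptions of the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed stand-ins for Stage 1 output: (heading, page, section text).
SECTIONS = [
    ("3.1 Access Control", 4, "Employees must use MFA for all remote access."),
    ("3.2 Encryption", 5, "The company implements AES-256 for data at rest."),
    ("5.4 Logging", 9, "Access events are retained as documented in the audit log."),
]

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(heading: str, page: int, text: str) -> bytes:
    # 0x00 prefix marks a leaf (assumption of this example) so that a section
    # hash can never be confused with an interior node hash.
    return sha256(b"\x00" + f"{heading}|{page}|{text}".encode("utf-8"))

def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)

def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:                 # odd count: duplicate the last hash
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root; the bool is True when the
    sibling sits to the right of the path being proven."""
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = idx + 1 if idx % 2 == 0 else idx - 1
        proof.append((level[sib], idx % 2 == 0))
        level, idx = _next_level(level), idx // 2
    return proof

def verify_claim(root: bytes, heading: str, page: int, text: str,
                 proof: List[Tuple[bytes, bool]]) -> bool:
    """Auditor side: rehash the cited section and walk the proof to the root.
    Any edit to the cited text, page or heading changes the leaf and fails."""
    h = leaf_hash(heading, page, text)
    for sibling, sibling_on_right in proof:
        h = node_hash(h, sibling) if sibling_on_right else node_hash(sibling, h)
    return h == root
```

The proof establishes that the cited section text is exactly what was hashed into the published root; whether the control narrative built from that section is an accurate reading of it remains the auditor's judgement.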
Output Formats
- JSON — Machine-readable, suitable for API integration and dashboard consumption
- PDF — Professional formatting with headers, footers, page numbers, and color-coded gap severity
- DOCX — Editable Word document with heading styles and table of contents
- XLSX — Evidence matrix as a filterable spreadsheet
Framework Support
Shield currently supports six major compliance frameworks with full requirement coverage:
| Framework | Requirements | Status |
|---|---|---|
| SOC 2 Type II | Trust Service Criteria (CC1-CC9, A1, PI1, C1, P1-P8) | Full Coverage |
| ISO/IEC 27001:2022 | Clauses 4-10 + Annex A (A.5-A.8) | Full Coverage |
| EU GDPR | Articles 5-50 (Principles, Rights, Controller/Processor, Transfers) | Full Coverage |
| HIPAA Security Rule | Administrative, Physical, Technical Safeguards + Breach | Full Coverage |
| PCI DSS v4.0 | Requirements 1-12 | Full Coverage |
| NIST CSF 2.0 | Identify, Protect, Detect, Respond, Recover | Full Coverage |
Multi-Framework Assessment
Upload once, assess against multiple frameworks simultaneously. Shield's cross-framework mapping identifies where the same control satisfies requirements across SOC 2, ISO 27001, and NIST CSF, eliminating redundant documentation effort.