ARGITRON
The Security Compliance Platform

Your compliance copilot.

Argitron makes SOC 2 and ISO 27001 an automated outcome of how your team already works — not a parallel project. One self-hosted binary runs your ISMS, AIMS, and ITSM on the same data model, so the controls execute themselves and the audit evidence writes itself.

Free under 25 assets, forever. No credit card. No sales gate. Production use OK.

Frameworks shipped: SOC 2 · ISO 27001:2022 · ISO 42001:2023 · NIS2 · EU AI Act

$ argitron start
2026-04-25T09:21:14Z  argitron 1.4.0 starting
2026-04-25T09:21:14Z  isms     ready   ISO 27001 Annex A · 93 controls
2026-04-25T09:21:14Z  aims     ready   ISO 42001 Annex A · 38 controls
2026-04-25T09:21:14Z  soc2     ready   TSC 2017 · 64 criteria
2026-04-25T09:21:14Z  itsm     ready   ITIL 4 · 34 practices
2026-04-25T09:21:14Z  workflow ready   34 activities · 30 playbooks
2026-04-25T09:21:14Z  evidence ready   signed · hash-chained · WORM
2026-04-25T09:21:15Z  serving https://localhost:8443

$ argitron audit run --framework soc-2 --evidence-pack
  collecting 64/64 TSC criteria  ok
  bundling   soc2-description.pdf evidence/ control-matrix.csv
  signing    cosign · sha256:f8c3…b2a9
  ready  ./out/soc-2-2026-04-25.bundle.tar.gz

One binary in your VPC. Data never leaves. Every action signed.

What "compliance copilot" means

Compliance, as an automated outcome.

Most GRC tools attest after the fact. Argitron sits inside the work, applies the controls automatically, and emits framework-tagged evidence as you go.

Controls that run themselves

Access reviews, vulnerability scans, change approvals, vendor risk — executed on a schedule, with cryptographically signed evidence pinned to the SOC 2 criterion or ISO 27001 control they satisfy.

Audit-ready by default

One command produces the evidence pack auditors actually accept: SoA, risk treatment plan, control matrix, signed bundles. No screenshot Olympics, no quarter-end fire drills.

One trail across SOC 2 → ISO → ITIL

A change request satisfies SOC 2 CC8.1, ISO 27001 A.8.32, and ITIL change enablement at the same time, on the same record. Map controls once, not five times.

Self-hosted, sovereign by default

Runs as a single binary inside your VPC. Your data never leaves the perimeter. IPv6 + TLS 1.3 by default. Cosign-signed releases. Reproducible builds.

Why Argitron exists

Most GRC tools were built to attest. Argitron was built to operate.

The compliance-automation category sells the appearance of governance: screenshots, checklists, Slack-bot reminders. That works until an auditor opens a control and asks 'show me how you actually run this.'

SOC 2, ISO 27001, ISO 42001, ITIL 4, and your project portfolio are not five different conversations. They are one operating system: people doing work, decisions being made, controls being applied, evidence being generated.

Argitron is built the other way around. Run the management system properly — PDCA, change enablement, project stage gates, AI lifecycle, risk treatment — and the audit evidence writes itself.

Tools that attest tell your auditor what you claim. Argitron runs the operating system, and the evidence is the byproduct.

| Compliance-automation category | Argitron |
| --- | --- |
| Collects evidence of claims you make | Runs the management system; evidence is the byproduct |
| SaaS, US-hosted, your data leaves your VPC | Single binary in your infrastructure; data never leaves |
| Compliance only — buy ITSM and PM separately | ISMS + AIMS + ITIL + PM on one data model |
| Demo-gated quote, $20–45k median | Published pricing. Free under 25 assets. |
| Renewals jump 40–100% | Renewals don't jump until you cross the next tier |

At a glance

The numbers we're comfortable putting on the page.

Honest scope. We tell you what's solid, what's young, and what's on the roadmap.

93 + 38 + 64
ISO 27001 + ISO 42001 + SOC 2 controls in the library
34
ITIL 4 management practices wired into the data model
9
frameworks mapped: SOC 2, 27001, 42001, NIS2, DORA, HIPAA, PCI, NIST CSF, NIST AI RMF
1
binary. Self-hosted. IPv6 + TLS 1.3 by default.

The dates that drive board agendas

EU AI Act enforcement is a calendar, not a debate.

Most ISO 42001 conversations start because the board is reading a regulatory deadline. Argitron ships the AIMS controls and AI-system inventory you'll need to demonstrate.

  1. 2 Feb 2025
    Prohibited practices banned

    Social scoring, manipulative AI, untargeted face-image scraping. AI literacy obligations apply to providers and deployers.

  2. 2 Aug 2025
    GPAI obligations live

    Transparency, technical documentation, training-data summary. Penalty regime activates: up to €35M or 7% of global turnover.

  3. 2 Aug 2026
    High-risk AI systems live

    Risk management, data governance, technical documentation, logging, human oversight, conformity assessment, post-market monitoring.

  4. 2 Aug 2027
    Embedded high-risk live

    High-risk AI in regulated products (medical devices, machinery). GPAI models predating Aug 2025 must be fully compliant.

Sources: artificialintelligenceact.eu, European Commission. Read more on our EU AI Act page.

Who buys Argitron

When the CISO, the CIO, and the head of PMO are the same buying decision.

CISOs of 100–500 person SaaS

Pursuing or maintaining SOC 2 and ISO 27001, adding ISO 42001 because the board read about the AI Act, tired of paying Vanta-class prices for screenshot-and-attest workflows.

CIOs replacing the ServiceNow shelfware

Want ITIL 4 incident, problem, change, request, CMDB, SLA — without an 18-month implementation. Self-hosted, modern data model, API-first.

Heads of PMO running a hybrid portfolio

PMBOK / PRINCE2 governance over agile delivery. Want stage gates, RAID logs, capacity planning — and project risks that aggregate into the enterprise risk register the auditor reads.

"Every governance tool I've bought asked me to recreate work that was already happening somewhere else — Jira, the CMDB, a spreadsheet. Argitron is the first one where the work and the evidence are the same record."

— Founder & engineer behind Argitron

Built by Deklarative

A small, opinionated team that ships boring, auditable, self-hosted infrastructure. Same team behind the Argitron Studio low-code platform and the GenuStream messaging fabric.

Frameworks shipped on day one

Map controls once, satisfy every regime they touch.

SOC 2 (Type II)
ISO 27001 (2022)
ISO 42001 (2023)
NIS2 (EU directive)
EU AI Act (2024/1689)
DORA (EU 2022/2554)

Plus NIST CSF 2.0, NIST AI RMF, HIPAA, and PCI-DSS — all on the same control library.

Get started

Make compliance an automated outcome — not a parallel project.

Free under 25 assets, forever. No credit card. No sales call. Production use OK.