Built secure from scratch — no competitor can claim this
Compliance by Architecture
Clarity was designed and built from scratch for sovereign and regulated programmes — not retrofitted. Every enforcement layer is structural: event-driven AWS immutability, @source typed provenance on every entity, zero-trust identity by architecture, and standards overlays that require no code changes to add a new sector or standard. No legacy PLM, ERP, or configuration management system was built this way.
Secure by architecture — not by policy
Clarity’s own compliance
How the platform, codebase, AWS infrastructure, proprietary schema, company, and processes are built and governed. The standards Clarity itself achieves.
Any standard. Any sector. No code changes.
Programme standards Clarity supports
The sector standards — defence, aerospace, medical, nuclear, automotive, cyber, and more — that Clarity enables your programme to demonstrate compliance with through the Lx overlay system.
Secure by architecture — not by policy
Clarity’s own compliance
Compliance is enforced by the codebase and AWS control plane, not by documentation or manual configuration. Every enforcement layer is structural, independently auditable, and inherited by every customer deployment.
Platform & Infrastructure
Fully serverless AWS: Lambda, API Gateway, S3, Cognito. No long-lived servers and no database instances, so there is no operating system to patch; under the AWS shared responsibility model that layer is AWS's. Lambda runtime versions and application dependencies are still updated, through CDK deployments rather than by hand. Every resource is defined in CDK TypeScript: git-tracked, reproducible, and auditable by a 3PAO from the repository without console access.
Zero-trust identity
Cognito with MFA. Every Lambda invocation verifies the Cognito-issued JWT and takes tenant_id from a claim the end user cannot write (the attribute is immutable, so only an administrator sets it when the user is created), never from the request body or path. RBAC is enforced at the control plane. There is no cross-tenant trust boundary.
Customer-managed encryption
One KMS key per tenant, held in the customer's own AWS account under a key policy the customer controls. Clarity employees have no path to customer programme data because no Clarity principal appears in that key policy, not because an internal document forbids it. KMS encryption at rest, TLS 1.2+ in transit.
FIPS 140-3 cryptography
All key operations are delegated to AWS KMS, whose hardware security modules are FIPS 140-3 validated; Clarity ships no cryptographic code of its own. Data at rest is protected with AES-256 under KMS, which known quantum algorithms do not weaken in practice; post-quantum key exchange and signature algorithms arrive through KMS and the AWS SDKs as AWS adds them, with nothing of Clarity's to re-implement.
Infrastructure-as-Code
CDK TypeScript: every stack, every IAM policy, every resource in git, with reproducible builds. Out-of-band change cannot hide: the deployed stacks can be diffed against the repository (cdk diff, CloudFormation drift detection) and reverted by redeploying from git.
Diode & Airlock connectors
One-way (diode) and two-way with joint approval (airlock) transfer between classification domains. Three independent layers enforce direction: an IAM inline deny on the role, an S3 bucket policy on the destination, and the absence of any reverse event rule. Application code cannot configure any of them away, because an explicit Deny in IAM or in a bucket policy wins over any Allow. ITAR/EAR/NOFORN separation is therefore structural.
Allied nation deployment
AWS regions across all AUKUS and Five Eyes nations. GovCloud, C2S, UK Secret, AU Protected topologies via SQS-based connector framework (no EventBridge dependency).
Proprietary Schema & Data Model
The Clarity data model is the compliance substrate. Every entity carries structured provenance; nothing is silently overwritten; the audit trail is a structural property of the schema, not a feature retrofitted on top.
Open JSON — no lock-in
All programme data stored as documented open JSON. Readable with any tool, without a Clarity licence, in 10 or 50 years. Your data is yours, permanently.
@source provenance
Every entity carries an @source block: origin document, lineage chain, who changed it, and the decision it traces to. Prior versions cannot be deleted or overwritten within their retention period because the objects are under S3 Object Lock (compliance mode holds even against account administrators; governance mode can be lifted by privileged users), so any change leaves the original in place and is evident.
Immutable baselines (L4)
Configuration changes are additive. Every baseline is a timestamped snapshot behind S3 versioning. Nothing silently overwritten. Diff between any two baselines computable on demand.
Structured change management
ISO 10007 / CMII workflow built into the schema: propose → impact assess → approve/reject → audit trail. The data model enforces it; no workflow configuration required.
Company & Processes
Privacy by design
Tenant-owned KMS keys. No Clarity employee access to customer data by architecture. Data residency controlled at deploy time by AWS region selection per tenant.
Continuous audit & monitoring
Every API call is logged with tenant_id, user, and timestamp to centralised CloudWatch Logs. Combined with the versioned baselines, the programme state at any timestamp can be reconstructed for forensic review.
Australian company, AWS-native
Incorporated in South Australia. No third-country data transfers outside customer-selected AWS regions. ABN registered. Data Processing Agreements available on request.
Responsible disclosure
Security vulnerability policy published in security.txt (RFC 9116). Contact: security@compliancewithclarity.com.
Platform compliance summary
| Standard / Framework | What it covers | How Clarity achieves it |
|---|---|---|
| NIST CSF 2.0 | U.S. cyber risk framework, widely referenced across the Five Eyes | Govern, Identify, Protect, Detect, Respond, Recover: the technical functions rest on RBAC, KMS, immutable logs, L4 baselines and S3 versioning; Govern, Respond and Recover are organisational processes evidenced from those same records |
| NIST SP 800-53 / 800-171 | FedRAMP / CMMC Level 2–3 control catalogues | Zero-trust identity; IaC reproducibility; per-tenant isolation; structured audit logging; three independent boundary enforcement layers |
| NIST SP 800-207 (Zero Trust) | Zero trust architecture, an emerging Five Eyes mandate | No network perimeter; every invocation authenticated (Cognito JWT); every S3 access authorised (IAM); no cross-tenant trust boundary |
| FedRAMP (Moderate/High-ready) | U.S. federal cloud security authorisation | AWS CIS Benchmark alignment; 3PAO-auditable IaC; FIPS 140-3 KMS; NIST 800-53 control mapping available on request. "Ready" means the controls are mapped and auditable; an authorisation is a separate assessment |
| CMMC Level 2/3 | DoD defense industrial base certification | IaC reproducibility; zero-trust identity; diode/airlock boundary separation; @source audit trail enabling complete reconstruction of programme state |
| ISO/IEC 27001:2022 | International ISMS standard | Organisational, people and technological controls within Clarity; physical controls inherited from AWS data centres; centralised identity; encryption; structured audit logging; CDK configuration management |
| FIPS 140-3 | Cryptographic module validation | All key operations via AWS KMS (FIPS 140-3 validated HSMs). No custom crypto code in Clarity. Post-quantum algorithms arrive through KMS and the AWS SDKs; nothing of Clarity's to migrate |
| ITAR / EAR / NOFORN | Export controls; classification enforcement | Three independent enforcement layers; xBOM export-controlled BOM view; dual-policy redaction engine. Structurally enforced, not configurable away |
| AUKUS Pillar 2 EDTs | AU/UK/US alliance interoperability | BYOM AI (no clearance-excluded API dependency); air-gap topologies; KMS boundaries per nation; bilateral airlock exchange with CrossDomainTraceLink audit trail |
Full control-by-control mapping to NIST 800-53, FedRAMP, and CMMC — Sovereign Compliance for the 14 Eyes Nations →
Any standard. Any sector. No code changes.
Programme standards Clarity supports
What your programme can demonstrate compliance with, using Clarity as the evidence engine. Each sector below names the standard and how the Lx overlay system supports it.
How it works
Standards are overlays on the Lx graph — not separate tools. The Lx.2 regulatory overlay carries compliance status per standard per entity. Domain packs (defence, aerospace, medical, nuclear, automotive, rail, energy) pre-load sector standards as first-class assessment dimensions. The scope-matrix report engine — 13 lifecycle verticals × 39 assessment layers — generates any compliance evidence package on demand: traceability matrices, verification plans, configuration records, decision logs, audit packages. Adding a new standard is a configuration change, not a code change.
Systems Engineering & Lifecycle
ISO 15288:2023
L0–L5 design plane maps to stakeholder needs, requirements, architecture, design, verification, and decision management. L6–L12 extends to deployment, operations, and disposal.
ISO 10007 / CMII
Configuration management built into the schema: propose → impact assess → approve → audit trail. L4 baselines are ISO 10007-compliant by construction. Every change traceable to the decision that authorised it.
MIL-STD-973
Scope-matrix report templates for configuration status accounting, configuration identification, and change management. Full DoD configuration management documentation coverage.
Defence & Intelligence
NATO STANAGs
Lx.32 frameworks overlay and Lx.33 defence domain pack carry STANAG mappings. Diode connectors enforce one-way metadata flow; airlock connectors enable bilateral exchange with joint approval.
MIL-STD-810 / DEF STAN 00-600
Environmental testing and configuration management standards mapped via Lx.33 defence domain pack. Evidence chain from test records (L8) to design decisions (L5) and requirements (L0).
AUKUS Pillar 2 EDTs
Cross-classification digital thread sharing across AU/UK/US programme boundaries. BYOM AI for cleared environments. Lx subset exchange via bilateral airlock with CrossDomainTraceLink audit trail.
Aerospace
AS9100 Rev D
QMS requirements mapped as Lx.2 regulatory overlay and aerospace domain pack. Scope-matrix reports generate AS9100 audit evidence: design reviews, change records, traceability matrices.
DO-178C / DO-254
Software and hardware lifecycle evidence mapped to the Lx chain. L8 validation records carry certification evidence. Traceability from L0 requirements through L5 decision approval to L8 test results computable on demand.
Medical & MedTech
ISO 13485 / FDA 21 CFR Part 820
QMS requirements mapped via Lx.2 regulatory overlay and medical domain pack (Lx.35). Full design history file (DHF) derivable from the Lx chain. ISO 15288 + ISO 13485 traceability reports for notified body submission.
IEC 60601 / ISO 14971
Safety and performance requirements traced from L0 stakeholder needs through L8 validation records. Risk management (ISO 14971) as Lx.2 regulatory overlay dimension. GDPR/HIPAA data residency via region selection and tenant-owned KMS.
Automotive
ISO 26262
Functional safety lifecycle mapped to the Lx chain. ASIL classification carried as Lx.2 safety overlay. Safety case evidence — hazard analysis, safety requirements, verification results — traceable end-to-end via L5 decision records.
ASPICE
SYS.1–SYS.5 and SWE.1–SWE.6 process outcomes mapped to Lx artefacts. Clarity-generated traceability evidence directly addresses ASPICE process indicators without additional tooling.
Rail, Transport & Nuclear
EN 50126 / 50128 / 50129
RAMS lifecycle (Reliability, Availability, Maintainability, Safety) mapped to the Lx chain. Safety integrity levels as Lx.2 safety overlay. Verification and validation evidence in L8 records.
NQA-1 / IEC 61511
Quality assurance and safety instrumented system lifecycle mapped across the Lx chain. Open JSON with an S3 backup archive, exportable on demand without any Clarity dependency, supports the NQA-1 data control requirements.
Cyber & Information Security
ISO/IEC 27001:2022
Lx.7 security classification overlay carries ISMS control status per entity across the programme model. Organisational and technical controls mapped as overlay dimensions.
Common Criteria (ISO/IEC 15408)
Security functional and assurance requirements traced from L0 through L8 certification evidence. EAL target as Lx.2 overlay dimension. Certification evidence package derivable from scope-matrix reports.
Financial Services & Supply Chain
ISO 20022
Structured financial data in Lx.10 cost overlay. ISO 10007 change governance traces every schema or data model change to an approved decision — critical for 14-Eyes central bank adoption programmes.
ISO 9001 / ISO 28000 / PCI DSS
Baseline QMS and supply chain security via Lx.2 regulatory overlay; Lx.5 supplier risk; Lx.8 availability risk. PCI DSS cardholder data environment scope via Lx.7 + L4 configuration baselines.
Any standard, any sector: standards not listed — proprietary engineering norms, programme-specific mandates, corporate quality frameworks — load as Clarity overlays without code changes. They appear in the DeZolve truth vector and every scope-matrix report alongside ISO and MIL-STD: green where evidence exists, amber where partial, red where missing.
One thread. 13 verticals. 16 BOMs. 25 USPs.
The only complete digital thread for regulated programmes, powered by the patent pending DeZolve Decision Intelligence Framework. Sovereign deployment under your own AWS account and encryption keys — at 10× less than the enterprise alternatives.