Arkova is a compliance audit automation platform in early access, built on top of a production-grade, cryptographically-anchored evidence layer. The audit-automation product — scorecard, gap detection, remediation, regulatory-change alerts, PDF export — is being built and refined with pilot customers.

How much faster is an audit with Arkova going to be vs. the manual process?

Typical compliance audits take weeks: compiling evidence across many tools, mapping it to controls, and producing a report. Arkova is designed to map evidence to the rules in your operating regimes automatically, rank gaps by severity and penalty risk, and produce an audit-ready export. Our pilot target is collapsing weeks of audit prep into hours.

Which regulations are on the roadmap?

US federal (FERPA, HIPAA, SOX, FCRA, GLBA, ADA, FLSA, GINA), EU/UK GDPR, Kenya DPA, Australia APP, Canada PIPEDA, Singapore PDPA, Japan APPI, India DPDP, South Africa POPIA, Nigeria NDPR, Colombia Law 1581, Thailand PDPA, and Malaysia PDPA. Prioritized by pilot-customer footprint.

What will the scorecard show?

A per-jurisdiction posture score and breakdown, a severity-ranked gap list, a prioritized remediation plan, a regulatory-change feed, and an audit-ready export. Designed for GRC leads, CISOs, internal audit, and outside counsel.

Is the evidence chain auditor-grade?

The evidence layer is cryptographic and independently verifiable: every anchor is a SHA-256 fingerprint committed to a public network, and lifecycle events are in an append-only audit log. Our own SOC 2 Type II and ISO 27001 work is in progress.

Is my data safe? Do you see our documents?

No. Documents never leave your device. Fingerprinting is client-side. Only PII-stripped metadata flows to our systems. Even if we were breached, your documents remain private because we never had them.

Join the waitlist on arkova.ai. We reach out to scope pilots — the best fits right now are compliance teams operating across multiple jurisdictions who are tired of the quarterly audit fire drill.

Compliance encyclopedia

Private Beta · Building

Frameworks Arkova anchors evidence for.

A working reference of 11 regulations across US federal, EU, APAC, and Africa. Deep-dive pages cover the operational regimes (HIPAA, SOX, EU AI Act, DORA, FERPA). Compact entries summarize the rest. Every entry maps to specific evidence categories Arkova can anchor on top of your existing GRC stack.

A note on what these pages claim. Arkova does not certify your organisation against any of these frameworks — that's the auditor's job. What we do is anchor the evidence trail you produce so it remains verifiable independently of any single vendor in your stack. The pages below describe how each framework's documentation maps to that anchor.

AI risk + cyber disclosure

EU AI Act

Deep dive

European Union

Phased Aug 2024 → Aug 2027. High-risk AI obligations applicable Aug 2026. Regulation 2024/1689.

United States — Federal

HIPAA

Deep dive

United States

Privacy Rule, Security Rule, Breach Notification Rule, Enforcement Rule. PHI minimum-necessary + ePHI safeguards. OCR enforcement up to

.9M / violation / year.

SOX

Deep dive

United States

Sarbanes-Oxley Act of 2002. Sections 302, 404, 409, 802. ICFR + management certification + auditor attestation for accelerated filers.

FERPA

Deep dive

United States

Family Educational Rights and Privacy Act, 1974. Education records privacy for institutions receiving Department of Education funds.

ESIGN Act

Summary

United States

2000 federal e-signature law. Intent, consent, association, retention. Pairs with state UETA for full coverage of US e-signed records.

UETA

Summary

United States (49 states)

Uniform Electronic Transactions Act, 1999. State-level e-signature law adopted by 49 states. Pairs with federal ESIGN.

European Union

GDPR

Summary

European Union

General Data Protection Regulation, 2018. Six lawful bases, eight data-subject rights, 72-hour breach notification, up to €20M / 4% global turnover penalty.

DORA

Deep dive

European Union

Digital Operational Resilience Act. Applicable since 17 January 2025. Five pillars covering ICT risk, incident reporting, resilience testing, third-party risk, info sharing.

eIDAS

Summary

European Union

Regulation 910/2014 + eIDAS 2.0. Three signature tiers (SES/AES/QES), Qualified Trust Service Providers, EU Digital Identity Wallet phasing in 2026.

Asia-Pacific

Australian Privacy Principles

Summary

Australia

13 principles in Schedule 1 of the Privacy Act 1988. Notifiable Data Breaches scheme. Penalties up to AUD$50M / 30% adjusted turnover.

Africa

Kenya Data Protection Act

Summary

Kenya

Data Protection Act, 2019. Administered by the Office of the Data Protection Commissioner (ODPC). GDPR-style structure with mandatory controller/processor registration.

Coverage roadmap

Not yet on the encyclopedia.

Frameworks we know we'll need pages for and are working through in priority order. If you operate under one of these and want to talk shop, contact us.

NIST AI RMF (United States)

SEC Cybersecurity Disclosure Rule (United States)

PIPEDA (Canada)

PDPA (Singapore)

APPI (Japan)

DPDP (India)

POPIA (South Africa)

NDPR (Nigeria)

LGPD (Brazil)

Law 1581 (Colombia)

PDPA (Thailand)

Layer Arkova onto whichever framework hurts the most first.

Tell us your jurisdiction footprint and which frameworks are causing the most evidence pain. We'll show you which Arkova capabilities can anchor your existing program.

Arkova is in private beta. Features described on this page are being built and refined with pilot customers right now. Some controls and integrations are live today; others are in active development. Talk to us about the parts most relevant to your workload.

Request Early Access

Or read The State of Compliance in 2026 for the broader regulatory picture.