Compliance posture

Controls we design to, not badges we claim.

Wolyra does not currently hold a third-party compliance certification. We publish a written control posture mapped to the standards that matter for the customers we serve, and we provide the engineering support to prepare your environment for the audit you choose to run.

Honest framing

An audit report is owned by the audited entity, not the consultant.

When Wolyra works inside a customer environment, the resulting SOC 2 report, HITRUST validation, or HIPAA risk assessment belongs to the customer. We help build the controls, the evidence pipeline, and the audit-readiness narrative. We do not represent any customer’s certification as our own, and we do not claim certifications Wolyra has not earned.

Controls we design to

The standards in our control library.

HIPAA Security Rule

Administrative, physical, and technical safeguards under 45 CFR Part 164 Subpart C. Risk analysis, workforce training, access management, audit controls, encryption, and breach notification procedures designed to support a covered entity or business associate.

HITRUST CSF

Common Security Framework controls mapped to HIPAA, NIST, ISO 27001, and PCI DSS. We work to the e1, i1, and r2 assessment levels appropriate to the customer’s risk posture and audit scope.

SOC 2 Type II

Trust Services Criteria for security, availability, confidentiality, processing integrity, and privacy. We assign control owners, automate evidence collection, and maintain operating-effectiveness records that an independent CPA firm can attest to over an observation window.

GDPR and UK GDPR

Lawful basis design, data protection impact assessments, records of processing activities, Article 28 controller/processor contracts, Article 32 security measures, and the cross-border transfer machinery (SCCs, UK Addendum).

CCPA and US state privacy

California Consumer Privacy Act amended by CPRA, plus the comprehensive privacy regimes in CO, CT, TX, VA, and the additional states with active laws. Consumer rights intake, identity verification, opt-out signal handling, and data-broker registration where applicable.

PCI DSS

For payment-handling paths only. Scope minimization through tokenization or hosted payment fields, segmentation of the cardholder data environment, and the SAQ-A or SAQ-D evidence path appropriate to the integration pattern.

Audit support

How we prepare a customer environment for audit.

An audit-readiness engagement is not the audit itself. We do not act as an auditor, and we do not promise an outcome that will be issued by an independent firm. The engagement builds the evidence machinery, the policy set, and the operational discipline an auditor expects to see during walkthroughs.

01 Gap assessment

A written assessment of the current control set against the target standard. Each gap is described, scored by risk, and linked to a remediation plan with an owner and a due date.

02 Policy and procedure pack

The information security policy, acceptable use policy, incident response plan, access management procedure, vendor risk management, and the rest of the document set the auditor will sample for review.

03 Evidence automation

Logs, access reviews, vulnerability scans, change tickets, training records, and on-call schedules collected automatically into an evidence vault the audit firm can sample without ad-hoc requests.

04 Walkthrough rehearsal

A timed rehearsal of the auditor’s likely questions, run with the control owners. The point is to surface ambiguity before the audit, not after.

Contract artifacts

Documents your counsel will want.

Data Processing Agreement

An Article 28-compliant DPA template that covers processing scope, security measures (Annex II), subprocessor flow-down, breach notification, and post-termination data handling. Available on request via the Legal Center.

Subprocessor disclosure

A current list of subprocessors, their region, and the data they touch. Notification for additions or replacements at least 30 days in advance, with reasonable objection rights for the customer.

Business Associate Agreement

For engagements that involve protected health information, Wolyra signs a BAA under HIPAA. The BAA describes permissible uses, safeguards, breach notification timelines, and the termination handling for PHI.

Security questionnaire

A completed CAIQ / SIG Lite response and a Wolyra-authored security overview are provided to procurement teams during evaluation. Custom questionnaires are returned within five business days.

Need a compliance conversation?

Tell us the target standard, the audit firm if one is chosen, and the timeline you are working to. We return a written scope and a gap-assessment proposal within one business day.

Contact Wolyra →