Framework-agnostic
Controls don't reference SOC 2, ISO 27001, or any external standard. They describe what your system actually does. External frameworks ship as separate mapping artifacts — you pick which ones you care about, when you care.
AureliaSRS
Ship audit-ready software, without the audit-week scramble.
A framework-agnostic specification for security & quality controls. Each control is precisely defined, embedded in your code, and verified by the same tools that build your system. SOC 2 and ISO 27001 are mappings, not the source of truth.
Compliance shouldn't be a quarterly fire drill.
Most teams treat audits as paperwork — screenshots gathered the week before the assessor arrives, controls written to match a framework they barely use, evidence that lives in a spreadsheet and goes stale the moment it's saved. The result is a system that passes the audit and fails the engineering review.
Three principles.
Programmatically verifiable
If a requirement can't be checked by code, it doesn't belong in AureliaSRS. Every control has a precise specification a tool can evaluate. No more "we have a process for that" — the process is the test.
Emergent compliance
Compliance becomes a side effect of well-designed software, not the driver of it. Build the system right and the audit answers itself.
How it works.
- Every control has a stable URI you can reference from code, tests, documentation, and tooling — the same identifier from spec to runtime.
- Controls are published as JSON, machine-readable end to end. No PDF policies. No copy-paste from Confluence.
- Evidence is signed and published per artifact digest at provenance.aureliasrs.ca. Anyone can verify a claim without trusting the publisher.
- Frameworks like SOC 2 are shipped as separate mapping artifacts. Swap regimes without rewriting your controls.
What's here.
Start with the controls.
The library is the product. Read a few, see what a programmatically verifiable control looks like, and decide from there.
Browse controls.aureliasrs.ca