CompStack
For multi-standard, multi-site teamsv1.4 live

Stop preparing for the audit.
Start passing it.

CompStack is the operating system for compliance programs across quality, safety, security, and regulatory standards. When the auditor sits down, your team stops searching and starts showing.

Book a working sessionSee how it works
0 NCs
last surveillance audit
4 days
pack assembly, down from 14
9 days
install to first scoped audit

Outcomes from Acme Foods Group, six months after rollout. Customer references on request.

acme-foods.compstack.io/readiness
live
Group readiness
87.4/ 100+3.2 wk
5 sites · 4 standards
Q2 audit · 17 days
QMS
ISO 9001:201594%
5 sites
EMS
ISO 14001:201588%
5 sites
OHS
ISO 45001:201882%
4 sites
DR-W
KEBS · KS 46076%
2 sites
Open findings
112 overdue · 3 awaiting verify
Evidence expiring · 30d
26acks · certs · calibrations
When the auditor arrives

They ask for the calibration cert for MD-04.

Same question, two operating models. Below is the audit moment compliance teams know by heart, and what changes when the records are linked.

Beforespreadsheet ops

Three drives, two days, one apology.

  1. 1QA Lead opens the shared drive. The calibration certs folder has 41 PDFs. None of them are named MD-04.
  2. 2She emails the previous maintenance manager, who left in November. No response by lunch.
  3. 3The auditor asks for the linked CAPA. There is one, somewhere. Last accessed in a Word doc by someone who is on leave.
  4. 4Two days later, the cert is found in a sub-folder named “old_finals_v2_USE”. The audit team writes an OFI for retrieval delays.
2 days, 4 peopleverdict: OFI
With CompStacklinked records

Search, open, move on.

MD-043 results
  • Calibration cert MD-04 v3
    evidence · valid until Apr 17, 2027
  • QMS-PROC-008 §4.2
    document · monthly calibration program
  • CAPA-2026-0098 (closed)
    finding · MD-04 drift, last cycle

Three linked records on screen in under five seconds. The auditor sees the cert, the policy that owns the cadence, and the CAPA that proved the program works. Audit pack exports as one PDF.

under 1 minute, 1 personverdict: conform
Two vocabularies, one platform

You speak IMS. They speak GRC. The platform speaks both.

Quality leaders talk scope, CAPA, and management review. Risk and security leaders talk controls, attestations, and remediation. Same workflow. Different label.

IMS · quality leader speaks
GRC · compliance & risk leader speaks
Requirement / clause
Control objective
Control / procedure
Control activity
Evidence
Artifact / attestation
Scope applicability
System scope / TSC selection
Internal audit
Readiness assessment
NC · OFI · OBS
Finding / gap
CAPA
Remediation
Management review
Steering / risk committee
ISO 9001 · 14001 · 45001 · 22000 · 13485
SOC 2 · ISO 27001 · GDPR · NIST CSF · HIPAA

One tenant. One audit log. Whichever language your team uses on the morning of the assessment.

Standards covered

Quality, safety, security, environmental, food, pharma, privacy, regional. New standards ship as installable modules, cross-mapped at the requirement level.

Browse module store
ISOISO 9001Quality management
ISOISO 14001Environment
ISOISO 45001Occupational H&S
ISOISO 27001Information security
ISOISO 22000Food safety
ISOISO 22301Business continuity
ISOISO 13485Medical devices
KEBSKEBS · KS 460Drinking water
KEBSKEBS · KS 2466Bottled water
SONSON · SONCAPConformity assessment
UNBSUNBSUganda standards
EUGDPREU data protection
SAISA8000Social accountability
FSSCFSSC 22000Food safety scheme
ISOISO 9001Quality management
ISOISO 14001Environment
ISOISO 45001Occupational H&S
ISOISO 27001Information security
ISOISO 22000Food safety
ISOISO 22301Business continuity
ISOISO 13485Medical devices
KEBSKEBS · KS 460Drinking water
KEBSKEBS · KS 2466Bottled water
SONSON · SONCAPConformity assessment
UNBSUNBSUganda standards
EUGDPREU data protection
SAISA8000Social accountability
FSSCFSSC 22000Food safety scheme
What the platform does

Everything the audit asks for,
in one place.

Eight workflows. They feed each other. Nothing crosses a spreadsheet boundary on the way to the audit folder.

01 · Scoping

Decide what applies. Defend why.

9001 · 7.5.3Control of documented information
Applicable
9001 · 8.3Design and development
Not applicable
9001 · 8.5.5Post-delivery activities
Applicable
14001 · 6.1.2Significant aspects identification
Applicable
45001 · 8.1.4Procurement (contractor mgmt)
Deferred
02 · Document control

Policies that don't fall out of date.

QMS-POL-014 · Supplier evaluation policy
v3.2 · awaiting QM approval · author cannot self-approve
Draft
Review
Approve
Publish
Obsolete
3 ack pendingretain · 7 yrs
03 · Controls

Map what you do to what's required.

CTRL-027 · Calibration programPreventive
owner · QA Lead · monthly · evidence: cert.pdf
linked to
requirement
9001 · 7.1.5
document
QMS-PROC-008
04 · Evidence

Files that show up when the auditor asks.

artifact
type
valid
Mombasa cert · ISO 22000
PDF · 2.4 MB
Mar 12, 2027
Op-09 batch records · 2026-Q1
ZIP · 18.7 MB
·
Calibration cert · MD-04
PDF · 0.8 MB
in 23 days
Forklift operator · J. Otieno
PNG · 0.4 MB
expired
05 · Audits

Run the audit. Get a real report at the end.

AUDIT-2026-Q2-INT
Q2 internal · Mombasa
Standards9001, 14001, 22000
Sites2
Lead auditorA. Wachira
StatusIn progress
clause
checklist item
verdict
7.5.3
Document control records present
Conform
8.5.1
Production change-control evidence
Obs
9.1.3
Trend analysis on customer complaints
NC
10.2
CAPA closure rate vs target (≥ 90%)
OFI
06 · Findings & CAPA

Close the loop with a different person.

Open
5
Action in progress
3
Verifying
2
Closed · 30d
14
verifier ≠ owner · enforced
07 · Risk

Linked to controls. Linked to action.

Risk RGT-094 · Calibration drift · L4 × I3 = 12
likelihood →impact ↑
treatment: mitigate · linked CAPA-0118
08 · Management review

Decisions, on the record.

meeting
Apr 24
attendees
9 · quorum met
inputs
audits · risks · CAPA
  • 10:14Approve scope reduction · KEBS KS 2466Exec
  • 10:21Allocate budget · 4 calibration unitsQM
  • 10:33Defer SA8000 onboarding to Q4Board
  • 10:48Open CAPA on supplier audit overdueQA
immutable record · PDF + CSV exports for audit
How the work flows

Five stages. They run every quarter, then every audit.

Each stage produces what the next one needs. The audit pack is a side effect of doing the work, not a separate project.

  1. Stage 01

    Scope each site

    Mark requirements applicable, not-applicable, or deferred. A site-specific baseline locks before the audit cycle starts.

    scoping ratio
    412 / 614 applicable
  2. Stage 02

    Govern documents

    Drafts move through review with segregation of duties. Acknowledgements are tracked. Retired versions can't surprise you.

    controlled docs
    138 published · 6 in review
  3. Stage 03

    Operate controls

    Owners run the control on the cadence the standard requires. The evidence the auditor will ask for is pre-declared.

    active controls
    76 · 4 due this week
  4. Stage 04

    Capture evidence

    Certificates, batch records, and inspection reports flow into one library. Validity dates trigger a renewal task before they bite.

    evidence library
    1,948 items · 26 expiring
  5. Stage 05

    Audit and close

    Checklists generate from your real scope. Findings convert to CAPA without re-typing. Verification needs a different person.

    current audit
    Q2-INT · 71% complete
Module store

Standards, shipped as software.

When ISO 9001 ships its next amendment, your consultant won't email you a 60-page PDF and a Word table of what changed. You get a version diff. You review it. You upgrade.

license model
Per-org · trial · expiry
upgrade safety
Diff · preview · rollback
Browse the module store
[email protected] → 2.5.0
42 changes
Added
+11
  • 8.2.4 · Customer property · visit logs
  • 9.1.3 · Trend analysis on complaints
  • 10.3 · Continual improvement evidence
Changed
+26
  • 7.5.3 · Now requires retention metadata
  • 8.5.1 · Tightens production change control
  • 9.2 · Internal audit competence rules
3 publishers contributedReviewed · signed · staged
ISO official
ISO 14001:2015
Environmental management
v1.7.2signed · sha256
KEBS
KS 460 · Drinking water
Sampling and lab cross-mapped
v0.9.1signed · sha256
Sector official
Pharma cleanroom pack
EU Annex 1 + GMP templates
v3.1.0signed · sha256
Tools
Internal audit program
Annual plan · 4 audit kits
v2.0.0signed · sha256
Copilot · grounded answer

Calibration cadence for metal detectors on Line 3 is monthly, per QMS-PROC-008 §4.2 and the FSSC 22000 prerequisite program. Next due: Apr 18.

QMS-PROC-008 §4.2FSSC 22000 · PRP-7CAPA-2026-0118Audit Q1-INT · finding 03
Proposal · awaiting human approval
approval gate
Open CAPA-2026-0119 · Calibration drift on MD-04
  • · Owner: J. Otieno (Maintenance)
  • · Linked control: CTRL-027 · linked finding: Q1-INT/03
  • · Verifier: K. Mbeki (different from owner)
  • · Effectiveness review: 2 cycles after closure
every action logged
AI Copilot

AI that an auditor can trust.

Every answer points at a record in your tenant. Anything that writes data waits for a human to click Approve. The transcript lands in your audit log next to the change itself.

  • The auditor role doesn't see what the admin sees. Retrieval respects it.
  • Citations resolve to live records, not URLs that rot.
  • Write actions stage as proposals. A named person approves them.
  • Every prompt, source, and decision is recorded for the next audit.
How the Copilot stays auditable
Customer · Acme Foods Group

We stopped preparing for audits. The platform is the preparation. When KEBS arrived, we opened a tab.

AW
Adelaide Wachira
IMS Manager · multi-site beverage manufacturer, Kenya
14 → 4 days
evidence-pack assembly
across 5 sites, 3 ISO standards
71%
reduction in CAPA aging
median open-to-close, 6-month rolling
0
major NCs in last 3 audits
2 OBS, 4 OFI · all closed in cycle
2.4 days
onboarding to first scoped audit
9001 module + KEBS pack installed
Read the case studymetrics verified · Q1 review
Built for the audit

The compliance trail is the product.

The same controls that keep your data safe are the ones the certification body asks about during a vendor review. Honest answers, on one page.

Your tenant is yours

Your records never sit next to another customer's records. The same query, run by a different tenant, returns nothing.

Auditor doesn't see admin

Per-role and per-site boundaries on every read. The contractor working at the Mombasa plant can't see the Lagos plant.

No one approves their own work

Authors can't approve their own documents. CAPA verifiers can't be the CAPA owner. The platform refuses, not the policy.

Every change is on the record

Approvals, scope changes, evidence acceptances, AI actions. Append-only log with actor and prior state. Export to CSV.

No public file links

Evidence is reached through time-limited signed URLs. TLS in transit, AES at rest. The cert PDF you shared in November isn't reachable today.

Your data lives where you say

EU, US, or Africa. Pick once, the tenant stays there. Cross-region replication is opt-in.

Read the security overviewSOC 2 in progressISO 27001 alignedGDPR · data residency
A working session, not a slideshow

See your standards inside CompStack, on your real scope.

Bring three policies, a recent audit report, and one CAPA that's been open too long. We index your records into a scoped tenant and run the workflow your team would run on Monday. Forty-five minutes.

Book a working sessionBrowse modules45 min · no slides · bring your scope
what you walk away with
  • A scoped tenant loaded with the standards you actually run.
  • That open CAPA, walked from finding to verification.
  • A two-page brief on which modules to install first.
  • An honest no, if it's not a fit.
average time-to-first-audit-pack · 9 days