Compliance On Demand
Self-hosted Australian compliance and posture proof

Prove security posture from inside your own boundary.

Compliance On Demand brings Australian controls, cloud and SaaS posture, vendor intelligence, evidence automation and auditor review into a single-tenant deployment your team runs.

No SaaS control plane
AU frameworks first
Local AI option
Air-gapped support
Signed releases

Assurance dossier

Evidence room view

Single tenant

Control scope

In scope

E8, ISM, APRA, Privacy

Frameworks pinned, tailored and mapped to one control library.

Live sources

In scope

CISA, ACSC, SEC, Statuspage

Public vendor signals matched back to products and suppliers.

Evidence state

In scope

Collected, drifted, verified

Scheduled proof stays attached to controls and audit comments.

Vendor intel event

Live signal

New: 18
Acknowledged: 12
Verified: 41

Self-hosted single tenant
Essential Eight and ISM
Cloud and SaaS posture
Public-source vendor intel
Trust portal publishing

Platform map

One workspace for posture, controls, vendor risk and proof.

The homepage now shows the product as an evidence system. Deeper pages carry the long-form search intent, while this view keeps the operating model clear.

CSPM + SSPM

Posture collection

Scan AWS, Azure, GCP, Microsoft 365, Google Workspace, GitHub, Okta, Auth0, Clerk and Azure DevOps from the same deployment.

Cloud accounts
SaaS tenants
Identity providers

GRC core

Australian control work

Track Essential Eight maturity, tailor ACSC ISM applicability and map evidence across APRA CPS 234, Privacy Act, ISO 27001, SOC 2 and NIST CSF.

ML0 to ML3
ISM editions
Reusable evidence

Intel feed

Vendor intelligence

Watch public sources for exploitable CVEs, Australian advisories, cyber disclosures and vendor outages that affect your supplier register.

Acknowledge events
Track severity
Keep source links

Audit Hub

Audit proof

Invite external auditors into scoped engagements, answer control questions and export evidence bundles with verification status and comments.

Scoped access
Review status
Evidence exports

External proof

Trust Portal

Publish selected security material for customers, vendors and stakeholders without exposing the internal compliance workspace.

Published scope
Customer review
Internal boundary

Inside the product

Show the workflow, not a generic compliance promise.

The central product object should feel like a real assurance workspace: scoped controls, current evidence, vendor events and auditor review status in one place.

Assurance workspace

Evidence collection

Control proof stays attached to the review.

Today

73%

controls with current evidence

E8 patching | Evidence fresh | Verified
ACSC ISM 1501 | Applicability due | Review
AWS IAM root MFA | Scan passed | Mapped
Vendor outage | New intel event | Acknowledge

Product views

Inspect the actual workspace surfaces.

The site now uses captured product screens for the core workflows buyers ask to see: posture, Trust Portal publishing, audit review, vendor intelligence and document control.

Dashboard overview

Posture, framework coverage, integrations, open findings and acceptance state in the main workspace.

Compliance controls

Framework coverage, maturity targets, applicability and control-level evidence status.

Trust Portal admin

Publishing controls, vendors and documents into a scoped external portal.

Public Trust Portal

Approved security material exposed without opening the internal evidence room.

Audit Hub review

Auditor questions, control status and evidence review in one engagement surface.

Vendor intel

Supplier risk context, public-source signals and review state attached to vendors.

Documents

Published policies, generated material and controlled download paths.

Assurance workflow

From scope to exported proof, without rebuilding the audit story.

Each stage keeps context attached: source systems, frameworks, evidence, vendor events, auditor comments and exportable records.

01

Scope the assurance work

Choose frameworks, set maturity targets, decide applicability and define the systems in scope.

02

Connect systems and vendors

Add cloud accounts, SaaS tenants, identity providers, repositories, endpoint agents and supplier records.

03

Collect evidence continuously

Scheduled scans and evidence jobs keep control status, drift and mapped proof current between reviews.

04

Watch public vendor risk

Vendor intel events from CISA, ACSC, SEC and status pages are matched to the register.

05

Work with auditors

Scoped engagements keep questions, comments and verification status attached to each control.

06

Publish and export proof

Generate assessments, evidence bundles, policies and Trust Portal updates from reviewed records.

Australian procurement

Developed by Yuma IT, a Supply Nation Certified Indigenous business.

Compliance On Demand is developed by Yuma IT, a Canberra-based Indigenous-led technology company. For Australian Government and enterprise buyers working under Indigenous procurement targets, the platform combines sovereign assurance software with a verified Indigenous supplier pathway.

Supply Nation Certified
Indigenous-led
Canberra based
Australian owned

View Yuma IT on Supply Nation

Opens the public supplier profile used by procurement teams to verify certification.

Open supplier profile

Trust Portal

Publish selected security material without opening the evidence room.

Trust Portal publishing gives external viewers a controlled surface for approved security and assurance material, while internal records stay inside the self-hosted workspace.

Public view

Trust Portal

A selected external view for customers, vendors and stakeholders who need security material without internal workspace access.

Security overview: Published
Policy summary: Published
Evidence statement: Published
Vendor assurance pack: Published

Internal boundary

Workspace stays private

The portal should expose only approved material. The evidence room, credentials, comments and raw collection detail remain inside the single-tenant deployment.

Credential records: Private
Raw scan output: Private
Auditor comments: Private
Unpublished control notes: Private

Sovereign by design

Built for teams that cannot use a SaaS data sink.

The self-hosted model is not a footnote. It shapes credentials, evidence custody, AI defaults, release hygiene and offline operation.

Read about self-hosted GRC

Docker Compose deployment with no managed SaaS control plane

Cloud credentials, evidence and generated documents remain on customer infrastructure

Bundled Ollama and Gemma option for local policy and report drafting

Air-gapped mode, offline release bundles and offline licence attestations

Cosign-signed GHCR images, pinned releases and SPDX SBOMs

Trust artifacts

Use verifiable product substance instead of invented logo proof.

Until there are public customer stories to cite, the strongest trust signals are operational: release hygiene, public sources, local AI options and evaluator-friendly resources.

Signed release chain

Cosign-signed GHCR images, pinned versions and SPDX SBOMs support supply-chain review before deployment.

Trust Portal publishing

Selected security material can be published for external review without opening the internal compliance workspace.

Public-source intelligence

Vendor events come from sources buyers can inspect: CISA KEV, ACSC, SEC cyber filings and vendor status feeds.

Local-first AI path

Policy and report drafting can use bundled Ollama and Gemma rather than defaulting to a third-party LLM.

Buyer questions

Direct answers for security, risk and audit searches.

Short answers stay on the homepage. Deeper explanations now live on focused pages that can rank for specific Australian compliance and self-hosted GRC searches.

What is Compliance On Demand?

Compliance On Demand is self-hosted Australian compliance and security posture software. It combines CSPM, SSPM, control mapping, vendor intelligence, evidence automation and auditor collaboration in a single-tenant deployment.

Is it a SaaS product?

No. Customers run their own instance, so credentials, evidence, documents and audit records stay inside their infrastructure boundary.

Which Australian frameworks are supported?

The platform supports Essential Eight maturity, ACSC ISM tailoring, APRA CPS 234, Privacy Act incident workflows and cross-mapping to ISO 27001, SOC 2 and NIST CSF.

How does vendor intelligence work?

The product watches public sources including CISA KEV, ACSC advisories, SEC 8-K cyber incident filings and vendor status pages, then matches relevant events to the vendor register.

Does Compliance On Demand include a trust portal?

Yes. Trust Portal publishing is positioned for selected security material that customers, vendors and stakeholders can review without access to the internal compliance workspace.

Product briefing

Stand up self-hosted compliance proof before the next evidence request lands.

Talk through deployment boundaries, frameworks in scope, vendor intelligence needs and auditor access requirements.