Frequently Asked Questions

Straight answers.

NIST CSF and CMMC 2.0 live today; SOC 2, ISO 27001, HIPAA, PCI-DSS, and GDPR by request — one platform, one control matrix, human in the loop. Don't see your question? Email [email protected].

The platform

What is Aegis AI™?

Aegis AI™ is an Agent-as-a-Service virtual-CISO platform from ElasticD3M, LLC. AI agents ingest your environment, map controls across SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, and GDPR, draft documentation, collect evidence, and produce deliverables in your inbox. A named human executive stays in the loop on every material decision.

You don't log into a dashboard to assemble the work product. The work product ships.

Which frameworks does Aegis AI™ cover?

NIST CSF 2.0 and CMMC 2.0 are live on every tier today. SOC 2 (Type II), ISO 27001, HIPAA, PCI-DSS v4.0, and GDPR are available by request and onboarded per engagement. What changes between tiers is cadence, scope (legal entities), and support — not framework availability. Full list and per-framework deliverable map at /frameworks.

Does Aegis AI™ replace my CISO or compliance team?

No. The framing is operational leverage, not headcount elimination. Aegis AI™ handles continuous measurement, evidence collection, and document production. Your CISO and compliance leads keep making the executive decisions — what residual risk to accept, what to escalate, what to flag in board reporting. Human-in-the-loop by design.

If you want a dashboard that requires staff hours, this isn't the product. If you want outcome-shaped work product that frees those hours for executive work, it is.

Does Aegis AI™ conduct audits?

No. Audits run exclusively through independent CPA firms (SOC 2), certification bodies (ISO 27001), assessors, and QSAs (PCI-DSS). We are virtual-CISO software, purpose-built for security leaders preparing for and operating against whichever framework their auditor reads. The audit firewall is a permanent structural commitment.

What does Agent-as-a-Service actually mean for me?

It means the deliverables — the control matrix, evidence binder, risk register, POA&M, board narrative — ship in your inbox each cycle. You don't open a dashboard to assemble them. You don't schedule a check-in to review them. The agents ingest your environment, map controls, draft documentation, and produce the deliverables. You and your team remain in the loop on executive decisions — what to remediate first, what to accept as residual risk, what to flag to your board — but the production work is done.

Snapshot vs subscription

What does the $1,995 Multi-Framework Readiness Snapshot include?

A PDF delivered within minutes of intake submission, covering your in-scope frameworks. Three things on it:

  • A framework-by-framework gap map showing your current state against SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, and GDPR.
  • The top control deficiencies with framework-specific control IDs and the evidence file (SHA-256-hashed) backing each finding.
  • A 30-day remediation list ordered by impact across the frameworks in scope.

7-day money-back guarantee if requested before the PDF is delivered. Once delivered, the engagement is final. The $1,995 credits 100% to month one if you continue within 30 days.

How is the Snapshot different from a subscription?

The Snapshot is a one-time measurement — a PDF in your inbox. A subscription is a continuous engagement: the control matrix, evidence binder, risk register, POA&M, and (on Vanguard+) the board narrative ship each cycle. Cycle cadence varies by tier (monthly through daily).

How much does each tier cost and how do I pick?

Five subscription tiers, all on monthly billing — month-to-month, no long-term contract:

Annual prepay on any tier is 10x monthly — two months free vs. month-to-month. Fair-use thresholds in Terms of Service.

Connectors, data, and residency

Which connectors do you support?

Each connector is read-only, scoped, and revocable:

  • AWS. One-click CloudFormation role with SecurityAudit + ReadOnlyAccess. Scans IAM, MFA, CloudTrail, S3 bucket policies, GuardDuty, Config, KMS, VPC.
  • Azure / Microsoft 365. Service Principal with Reader + Security Reader at subscription scope. Scans Entra (Azure AD), Conditional Access, Defender for Cloud, Sentinel, Key Vault, Storage encryption.
  • Okta. Read-only API token. Scans MFA enforcement, password policies, session settings, sign-on policies.
  • CrowdStrike Falcon. Read-only OAuth2 client. Scans sensor coverage, detection posture, prevention policies.

Each connector is revocable in 30 seconds on Customer's side by deleting the IAM role, Service Principal, API token, or OAuth2 client. Revocation takes effect on the next scan.

Is regulated data (PHI, cardholder data, GDPR Article 9) leaving my environment?

No. Every connector is scoped to configuration metadata only, never the data itself. AWS uses managed read-only policies (no decryption, no object reads). Azure / M365 use Reader scopes. Okta and CrowdStrike use vendor-defined read-only token scopes. The agents read who has MFA enabled, whether CloudTrail is on, whether a bucket policy is permissive — not what's in the bucket.

Aegis AI™ does not request, accept, or process PHI, cardholder data, or GDPR Article 9 special categories. Details in the Privacy Notice and the DPA.

Where does customer data live? (Data residency)

In the United States — AWS us-east-1 and us-west-2 primary regions, with backups encrypted by AWS KMS. For EU/UK/Swiss customers, transfers to the U.S. are governed by Standard Contractual Clauses (Module 2: Controller to Processor), the UK International Data Transfer Addendum, and equivalent Swiss adaptations available on request to [email protected].

Who are your subprocessors?

Eight, all U.S.-domiciled: Stripe (payments), Cloudflare (hosting/CDN/WAF), AWS (cloud infrastructure, S3, KMS), Resend (transactional email), Anthropic (Claude API for AI inference), Sentry (error telemetry), Railway (backend hosting), and AWS RDS PostgreSQL (managed database). Full list with purpose, data scope, and links at /subprocessors. None are in OFAC-embargoed jurisdictions.

How long do you retain evidence?

The evidence binder retains thirteen (13) months on Sentinel and Guardian, twenty-five (25) months on Vanguard, thirty-seven (37) months on Fortress (three audit cycles plus a buffer), and the full Customer history on Sovereign. Configuration metadata read from connected clouds is retained only for the current cycle plus thirty (30) days for rollback. Backups are overwritten on a documented rotation within 180 days.

Compliance and trade restrictions

Is OFAC certification required at checkout?

Yes. Aegis AI™ is sold only to entities not on any U.S. sanctions list. We certify this at both Stripe checkout (a required custom field at purchase) and again at intake. Customers in OFAC-embargoed jurisdictions (currently Cuba, Iran, North Korea, Syria, Crimea, Donetsk, and Luhansk) cannot subscribe. Full terms in AUP section 2 and Terms section 15A.

Are you GDPR-compliant for EU customers?

Yes. The DPA satisfies GDPR Article 28 Processor terms. Standard Contractual Clauses, UK IDTA, and Swiss FADP adaptations are available on request. We notify Customer of confirmed Personal Data Breach within seventy-two (72) hours.

Do you have SOC 2 yourself?

SOC 2 Type I is targeted for Month 6 of the company timeline, Type II twelve months later. We will publish the report under NDA when issued. In the interim our technical and organizational measures are documented in the DPA Section 6 and available for customer due-diligence review.

Cycles, change management, and operations

How does executive attestation work?

Every cycle, the agents produce the bundle — control matrix changes, risk-register updates, POA&M closures, board narrative draft — and route it to your named executive reviewer for sign-off before the binder is finalized. Sign-off is captured in the audit trail and stamped on the deliverable for downstream auditor review. On Fortress and Sovereign, a named ElasticD3M senior also reviews the bundle before send.

How does drift get detected?

On the next scan cycle. When the scan runs and a configuration has changed since the previous cycle, the diff appears on the first page of that cycle's deliverable bundle: which control moved, which API response changed, when it changed, and what the POA&M needs to reflect. Cycle cadence: monthly on Sentinel, twice-monthly on Guardian, weekly on Vanguard, daily on Fortress, configurable on Sovereign.

What deliverable file formats do I get?

Control matrix as a PDF and an Excel workbook with framework-specific tabs. Evidence binder as a folder of JSON evidence files (one per finding, with SHA-256 hash) plus a PDF index that maps each evidence file to its framework control ID. Risk register as a Word .docx with an embedded table plus an .xlsx export. POA&M as a Word .docx plus an .xlsx export. Board narrative (Vanguard+) as a polished Word .docx and signed PDF.
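As an added illustration, not the vendor's code, here is how the two mechanisms described above could fit together: a cycle-over-cycle diff of configuration metadata that names which control moved, and one JSON evidence file per finding with its SHA-256 hash plus an index mapping hash to control ID. The control-ID mapping and both configuration snapshots are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed, illustrative mapping from a configuration check to framework control IDs.
# The product's real control matrix is not on the page; these are example values only.
CONTROL_MAP = {
    "aws.cloudtrail.enabled": ["NIST CSF 2.0 DE.CM-01", "ISO 27001 A.8.15"],
    "aws.iam.mfa_enforced": ["NIST CSF 2.0 PR.AA-03", "SOC 2 CC6.1"],
    "aws.s3.public_buckets": ["NIST CSF 2.0 PR.DS-01", "PCI-DSS 1.3"],
}

def evidence_file(check: str, value, observed_at: str) -> tuple[bytes, str]:
    """Serialise one finding as canonical JSON and return (bytes, sha256 hex digest)."""
    record = {"check": check, "value": value, "observed_at": observed_at,
              "controls": CONTROL_MAP.get(check, [])}
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return data, hashlib.sha256(data).hexdigest()

def detect_drift(previous: dict, current: dict, observed_at: str) -> list[dict]:
    """Compare two cycles' configuration metadata; one entry per check that changed."""
    drift = []
    for check in sorted(set(previous) | set(current)):
        before, after = previous.get(check), current.get(check)
        if before == after:
            continue  # no drift on this check
        _, digest = evidence_file(check, after, observed_at)
        drift.append({"check": check, "controls": CONTROL_MAP.get(check, []),
                      "before": before, "after": after, "evidence_sha256": digest})
    return drift

def binder_index(current: dict, observed_at: str) -> dict:
    """Map each evidence file's SHA-256 to its control IDs (the binder's index)."""
    return {evidence_file(c, v, observed_at)[1]: CONTROL_MAP.get(c, [])
            for c, v in current.items()}

# Constructed sample snapshots: metadata read last cycle vs. this cycle.
PREV_CYCLE = {"aws.cloudtrail.enabled": True, "aws.iam.mfa_enforced": True,
              "aws.s3.public_buckets": []}
THIS_CYCLE = {"aws.cloudtrail.enabled": False, "aws.iam.mfa_enforced": True,
              "aws.s3.public_buckets": ["example-bucket-1"]}

if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for finding in detect_drift(PREV_CYCLE, THIS_CYCLE, now):
        print(finding)  # the "first page" diff: which control moved and why
```

Because the JSON is serialised with sorted keys and fixed separators, the same finding always hashes to the same digest, which is what lets an auditor re-verify a binder entry against its index.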

What support hours do you offer?

P0 acknowledgment is 24/7 across all tiers (15 minutes). P1 is 24/7 on Fortress and Sovereign, business hours otherwise (1 hour). P2 (4 hours) and P3 (1 business day) run during U.S. Central business hours, Monday–Friday, excluding U.S. federal holidays. Concierge SLA on Fortress and white-glove escalation on Sovereign are additive. See the full SLA.

How does escalation work?

Reply to any deliverable email with a question. Agents respond within minutes for P2/P3; humans inside the SLA window for P0/P1. Fortress includes a named ElasticD3M escalation contact on every P0 thread. Sovereign includes two named contacts plus a quarterly executive review.

Billing, contracts, partners

How do payments work?

Stripe Checkout at sign-up; card on file thereafter. The card is charged the tier price on the day you subscribe and on the same day each month thereafter. ACH or wire is available for annual prepay above Vanguard. Stripe sends receipts automatically; invoices on request to [email protected].

How do I cancel?

One click in the Stripe billing portal — no email, no call. Cancellation stops auto-renewal at the end of the current paid month; access continues through that period; fees already billed are not refunded mid-cycle. The Snapshot is non-refundable once the PDF is delivered. See the full Cancellation Policy.

How do upgrades and downgrades work?

Both happen in the Stripe billing portal. Upgrades take effect on the next monthly cycle and are prorated to the end of the current period. Downgrades take effect at the end of the current paid month and do not refund the current cycle.

Who owns the deliverables?

Customer owns the deliverables for internal compliance, audit-firm delivery, regulator submission, customer due-diligence response, and contract performance. Resale or distribution to third parties for compensation requires written consent. Full terms in Section 10.

Do I have to get on a call?

No. Stripe checkout, intake, scan, deliverable in inbox — the entire buy-and-deliver path is self-service. Reply to any deliverable email with a question; agents answer in minutes, humans inside SLA windows when judgment is needed.

Sovereign engagements above ten entities or with custom MSA / NDA requirements are handled by [email protected].

Do you have a partner channel?

Yes. CPA firms (SOC 2 auditors), ISO certification bodies, MSPs, MSSPs, and vCISO consultancies can refer customers under the Partner Program. Partners receive a discount code for referred customers plus revenue share on referred subscriptions. Partner contracts are contractually firewalled from any audit work the partner performs for the same customer — the auditor independence requirement is non-negotiable.

Do I need an MSA or NDA before signing up?

For Sentinel, Guardian, and Vanguard, the Stripe-signed terms cover the engagement. For Fortress and Sovereign, an ElasticD3M-signed mutual NDA is delivered for executive countersign within 24 hours of intake submission — most parent-organization legal teams require it before subsidiary data flows. Custom MSA: email [email protected] with "MSA request" and entity name.

What's the liability structure?

Aegis AI™ is compliance software — not a legal opinion, not an audit, not a guaranteed pass. Every material compliance decision requires executive approval on your side. Liability is capped at 12 months of fees paid (or $100,000 USD, whichever is greater) for typical claims, with carve-outs for IP indemnification, payment obligations, gross negligence, and confidentiality. Full liability terms in Terms Section 13.

Still have questions?

Email [email protected]. Replies are triaged by an Aegis AI™ agent; humans on escalation.