Compliance

Estokad is built so a customer can hand a regulator a download of their compliance posture and walk away. The five surfaces:

• DORA evidence pack — auto-assembled PDF + JSON ZIP covering ICT risk, third-party register, incident log, business continuity test results, exit plan.
• Residency proofs — daily-signed attestations that data lived only in the chosen country during the period.
• Audit chain — append-only log with hash chaining and daily Merkle roots; customer-verifiable end-to-end.
• Sub-processor register — every third-party with potential access to customer data, listed with categories and EU jurisdiction status.
• Exit plan export — schema, content, assets, and audit log in a portable archive within 90 days of request.

All five live behind /settings/compliance in the Studio. They are documented separately because each has its own evidence requirements.

Who needs this

Customers in DORA scope (financial entities listed in Article 2 of the regulation, plus their critical ICT third-party providers) need each of the five surfaces by January 2025. Insurance, banking, and investment firms across the EU are the primary buyer profile.

Customers outside DORA scope still benefit from the same surfaces — the GDPR audit trail, the BIPT registration in Belgium, the BaFin requirements in Germany — but the urgency is lower.

How the modules combine

The platform fee includes the audit log and basic residency in Frankfurt. The DORA evidence pack and country-specific residency are paid modules; see pricing for the full module list.

The Regulated preset bundles platform + SAML/SCIM + advanced RBAC + DORA pack + 7-year audit retention at €1,699/mo, saving €245 vs à la carte.

In depth

• DORA evidence pack — what's in it, how to download it, the chain of custody for each artifact.
• Residency — per-country regions, daily proofs, the cryptographic attestation format.