Security & Compliance

Lynx Compliance

Framework/control registry, assessment workflow, evidence linking, auditor export for NIST CSF 2.0 / ISO 27001 / SOC 2 / Law 25 / Bill C-26

Talk to sales See pricing

lynx_compliance · v19.0.1.4.1 · Premium

What this solves

Lynx Compliance — NIST CSF 2.0 System of Record

The system of record that lets a CISO honestly claim and prove alignment with NIST CSF 2.0, ISO 27001, SOC 2, Quebec Law 25, and Canadian Bill C-26 out of one Odoo instance — without spreadsheets, without GRC tooling, and without inventing controls.

Compliance frameworks all overlap. Stock GRC suites duplicate work by asking you to maintain CSF, ISO, and SOC 2 evidence separately; smaller teams give up and reach for Excel. Lynx Compliance treats the framework catalog as data: compliance.framework → compliance.function → compliance.category → compliance.control, all cross-linked. Each compliance.profile defines a scope (Lynx SaaS, Patrii Cloud, Corporate IT) and gets a row per control with status, owner, maturity tier 1-5, policy reference, and polymorphic evidence links pointing at any Odoo record, NetBox object, or attachment — so the auditor sees live data instead of screenshots.

Key Features

Framework registry — compliance.framework / compliance.function / compliance.category / compliance.control models hold CSF 2.0, ISO 27001:2022, SOC 2 TSC, Law 25, and Bill C-26 with cross-references in iso_27001_refs, soc2_tsc_refs, law25_refs, and billc26_refs so one piece of evidence proves multiple frameworks at once.
Per-scope profiles — compliance.profile is a scope (period, owner, framework); action_populate_assessments materialises one compliance.control.assessment per framework control with maturity, status, owner, policy reference, and evidence list.
Polymorphic evidence — compliance.evidence.link points at any Odoo record, a NetBox object, an external URL, or an attachment; action_open_target jumps the auditor right there from the row.
Cross-framework export — action_export_coverage_xlsx builds an XLSX matrix (CSF / ISO / SOC 2 / Law 25 / Bill C-26); action_generate_signed_export renders the profile PDF for CISO signature via lynx_sign.
Findings + remediation — compliance.finding aggregates gaps, overdue reviews, and incident-driven CAPAs with severity, owner, due date, and escalation workflow.
Weekly CISO digest — extends digest.digest with KPIs for overdue reviews, stale evidence, open incidents, overdue training, overdue DSAR, and DR exercises so issues surface before the auditor.

Integrates With

lynx_sign — signed evidence, profile sign-off, CISO attestations.
lynx_compliance_govern / _data / _training / _audit_log / _incident / _privacy / _resilience — companion modules that cover policies, BIA, training, tamper-evident logs, incidents, privacy (Law 25 / GDPR), and disaster recovery on top of this base.

Integrations

Lynx Compliance works with 56 other modules

Each bridge ships separately so you only install what your team uses.

Lynx Compliance - 1Password Events Connector

Pulls compliance evidence from the 1Password Events API - sign-in attempts, item usages, audit events - via Bearer-token auth. Business+ tenants only.

Lynx Compliance - AI Assist (Focused Actions)

Compliance-domain AI buttons that operate on platform data: draft SOC 2 narrative from assessment + evidence, suggest control remediation, draft NC/CAPA from a finding, draft DSAR response. Pluggable Anthropic / OpenAI provider. Generic chat is already covered by /chatgpt — this module does the things a generic chatbot can't do well without compliance-domain context.

Lynx Compliance - AWS Connector

Pulls compliance evidence from AWS — EC2 instances, security groups, IAM users/roles, S3 buckets, KMS keys, CloudTrail, RDS — via boto3. For Patrii Cloud customers running hybrid AWS workloads.

Lynx Compliance - Audit Log (Hash-Chained, Tamper-Evident)

Hash-chained tamper-evident audit log. Append-only at the DB level. ORM hooks on core models, HMAC-signed REST ingest for Patrii Cloud backend events, SIEM forwarding.

Lynx Compliance - Auditor Portal

Magic-link, scoped read-only portal for external auditors. Replaces 6-week PBC email cycles with a self-service workspace; every access is audit-logged.

Lynx Compliance - Azure Connector

Pulls compliance evidence from Azure Resource Manager - subscriptions, VMs, Storage Accounts (with public-access checks), Key Vaults, NSGs, RBAC role assignments, activity log - via OAuth2 client-credentials auth.

Lynx Compliance - CSA CCM v4 (Cloud Controls Matrix)

Cloud Security Alliance — Cloud Controls Matrix v4. 197 controls across 17 cloud-specific security domains. Cross-mapped to NIST CSF 2.0 and ISO 27001:2022.

Lynx Compliance - Certification (ISO 27001 + SOC 2 mandatory artifacts)

Statement of Applicability, Internal Audit register, Management Review, Nonconformity/CAPA, Information Security Objectives, Risk Acceptance attestation. Mandatory ISO 27001:2022 clause 4-10 artifacts.

Lynx Compliance - Change Management Bridge

Turns lynx_change_management activity into compliance evidence: tamper-evident audit-log emit on state transitions, auto-evidence collectors for CCM CCC family + ISO A.8.32 + CSF PR.PS-01, finding scanners for unauthorized / overdue / failed changes.

Lynx Compliance - Cloudflare Connector

Pulls compliance evidence from Cloudflare - DNS zones, firewall rules, WAF packages, TLS certificates, Zero Trust Access apps and groups, audit log - via the Cloudflare API.

Lynx Compliance - Compliance Calendar

Unified calendar of every due/upcoming compliance task: DR exercises, vendor reviews, policy reviews, internal audits, management reviews, training due-dates, DSAR deadlines, finding due-dates, NC verification dates. Daily cron sync; calendar + list + kanban views.

Lynx Compliance - Connectors (External Data Sources)

Generic connector framework for pulling compliance evidence from external systems (cloud providers, IdPs, SIEMs). Pluggable per-system implementations.

Lynx Compliance - Continuous Control Verification (CCV)

Adversarial probes that actively test controls and produce matched/unmatched proofs. Goes beyond evidence collection — proves controls actually work, not just that they exist on paper.

Lynx Compliance - Data Classification & BIA

Data classification taxonomy, data inventory (with NetBox linkage when available), Business Impact Analysis. Covers NIST CSF 2.0 ID.AM-07/08, ID.RA-04, PR.DS.

Lynx Compliance - Datadog Connector

Pulls compliance evidence from Datadog - monitors, SLOs, synthetic tests, incidents, audit log, user / role inventory - via the Datadog REST API.

Lynx Compliance - Discuss Channels (Real-Time Alerts)

Real-time compliance alerts via Lynx Discuss channels — no external webhook setup needed. Pre-seeded #compliance-alerts / #compliance-digest / #compliance-audits, auto-populated by findings, CCV probe results, escalations, and daily digests.

Lynx Compliance - Evidence Collectors (Auto-Evidence Framework)

Auto-evidence collector framework — scheduled queries produce dated compliance.evidence records for CSF / ISO 27001 / ISO 14001 / Law 25 / SOC 1 Type II / SOC 2 Type I+II.

Lynx Compliance - Federated Trust Network

Issue scoped compliance trust grants to external partners — they get a token-based read-only view of your ISMS posture without an Odoo login.

Lynx Compliance - GDPR (EU 2016/679)

EU General Data Protection Regulation (Regulation 2016/679) — key articles seeded as a first-class compliance.framework with cross-refs to ISO 27001, ISO 27701, Quebec Law 25, PIPEDA.

Lynx Compliance - GitHub Connector

Pulls compliance evidence from GitHub - repository inventory, branch protection, signed-commit ratio, PR-review coverage, CODEOWNERS, secret-scanning alerts, Actions workflows - via the GitHub REST API.

Lynx Compliance - GitLab Connector

Pulls compliance evidence from GitLab - project inventory, protected branches, signed-commit ratio, MR-review coverage, CODEOWNERS, vulnerability findings, pipelines - via the GitLab REST API.

Lynx Compliance - Google Cloud Platform Connector

Pulls compliance evidence from Google Cloud - IAM service accounts and policy bindings, Cloud Storage buckets, KMS keys, Compute Engine VMs, admin audit logs - via OAuth2 service-account auth.

Lynx Compliance - Google Workspace Connector

Pulls compliance evidence from Google Workspace - user inventory with 2SV enrollment, group memberships, admin audit activities, alerts, organisational units - via OAuth2 service-account auth with domain-wide delegation.

Lynx Compliance - Govern (Policies, Attestations, Risk, Vendors)

Policy register with versions + CISO attestations via lynx_sign; risk register; vendor/supply-chain risk assessments. Covers NIST CSF 2.0 GV.* controls.

Lynx Compliance - HIPAA Security Rule

HIPAA Security Rule (45 CFR §§ 164.302–164.318) seeded as a compliance.framework — Administrative, Physical, Technical, Organizational, and Documentation safeguards.

Lynx Compliance - Implementation Guides

Step-by-step Odoo runbooks for implementing each compliance control. Click any control assessment and see exactly which menus to click, which records to create, and how the resulting evidence proves the control is operating.

Lynx Compliance - Inbound Email Automation

Inbound email aliases that auto-create compliance records: dsar@ → DSAR request, vendor-evidence@ → vendor attachment, security@ → security incident, compliance@ → finding. Leverages Odoo mail.alias + mail.thread infrastructure.

Lynx Compliance - Incident (Security / Law 25 / Bill C-26)

Security incident tracking built on helpdesk.ticket. Law 25 72-hour notification countdown, Bill C-26 CCCS reporting, forensic timeline, notification log.

Lynx Compliance - Incident Playbook Starter Pack

Five generic incident-response playbooks (account compromise, data breach, ransomware, DDoS, lost device) that customers can adopt and tune. Beats the blank-playbook-on-day-one problem.

Lynx Compliance - Jira Connector

Pulls compliance evidence from Atlassian Jira Cloud - project + user inventory, recently-resolved issues (change management), open critical issues, audit log - via the Jira REST API v3.

Lynx Compliance - Microsoft 365 / Entra ID Connector

Pulls compliance evidence from Microsoft 365 / Entra ID via Microsoft Graph - user inventory, MFA registration, directory-role members, app registrations, audit logs, sign-in failures, Microsoft Secure Score.

Lynx Compliance - NIST SP 800-53 Rev 5

NIST SP 800-53 Revision 5 framework seed — 20 control families, ~322 base controls, ISO 27002 cross-refs from NIST Appendix H. CSF 2.0 controls also backfilled with nist_sp_800_53_refs.

Lynx Compliance - Navigation (Menu Reorganization)

Reorganises the Compliance app into the NIST CSF 2.0 functions: Dashboard, Govern, Identify, Protect, Detect, Respond, Recover, Prove (Auditor Hub), Configure.

Lynx Compliance - Northstar Connector

Pulls compliance evidence from Patrii Northstar - repository inventory, branch protection, signed-commit ratio, PR-review coverage, CODEOWNERS, secret-scanning alerts, CI workflows - over the Northstar API. Dogfood batch 1.

Lynx Compliance - Okta Connector

Pulls compliance evidence from Okta - user inventory, MFA enrollment, privileged groups, SaaS app inventory, sign-on / MFA / password policies, admin-action audit log - via the Okta REST API.

Lynx Compliance - PCI DSS v4.0.1

PCI DSS v4.0.1 framework seed — 12 Requirements with key sub-requirements as compliance.control rows.

Lynx Compliance - PIPEDA

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) — 10 fair information principles + breach reporting + Schedule 1 obligations seeded as a first-class compliance.framework.

Lynx Compliance - Patrii Cloud Connector

Pulls compliance evidence from Patrii Cloud — servers, networks, security groups, secrets, certs, S3 buckets, k8s clusters, DNS — via application credentials.

Lynx Compliance - Patrii Cloud Starter Profiles

Seeds Patrii Cloud's own ISMS profiles across all 5 frameworks (CSF 2.0, ISO 27001:2022, CCM v4, PCI DSS v4, HIPAA) so the dashboard reflects a real organisation immediately.

Lynx Compliance - Policy Library (30 starter policies)

30 starter policies (ISO 27001:2022 + SOC 2 + CSF 2.0) ready to tailor. Onboarding wow — new tenants drop in with a complete policy set instead of a blank slate.

Lynx Compliance - Policy Templates Library

Generic, public-domain-sourced security policy templates that customers can apply, customize, and route through Legal + CISO sign-off. Solves the "blank-page" problem without exposing Lynx to legal-advice liability.

Lynx Compliance - Privacy (Law 25, PIPEDA, DSAR)

Privacy Impact Assessments, Data Subject Access Requests with 30-day deadline, consent register, privacy breach register. Built for Quebec Law 25 and Canadian PIPEDA.

Lynx Compliance - Quebec Law 25

Quebec Law 25 (Loi 25) — Act respecting the protection of personal information in the private sector. Seeded as a first-class compliance.framework with articles structured as controls, cross-framework refs to ISO 27001 / GDPR / HIPAA.

Lynx Compliance - Resilience (DR, Backup Tests, BCP)

Disaster Recovery plans with RTO/RPO, backup-restore test evidence, Business Continuity exercises. Covers NIST CSF 2.0 RC.RP, RC.CO, PR.IR-03/04.

Lynx Compliance - SBOM Ingestion

Software Bill of Materials ingestion - upload CycloneDX or SPDX JSON, parse the components into a queryable model, attach to a vendor or service. Foundation for the supply-chain vulnerability pipeline.

Lynx Compliance - SOC 2 (TSP 2017)

AICPA Trust Services Criteria (TSP 100-2017, revised 2022) seeded as a first-class compliance.framework — Security, Availability, Processing Integrity, Confidentiality, Privacy.

Lynx Compliance - SOC 2 Type II Accelerators

Trust Services Categories scoping, third-person control narratives, period-bounded evidence, sample-selection wizard, subservice carve-outs, CUECs, bridge letter.

Lynx Compliance - Setup Wizard / Onboarding

In-app onboarding wizard. 16-step checklist that walks new users from "I just installed this" to "ready for ISO 27001 Stage 1 + SOC 2 Type II observation period started", with auto-detected step status.

Lynx Compliance - Slack / Teams Alerts

Real-time webhook alerts to Slack / MS Teams: critical finding raised, finding escalated to CISO, evidence stale, CCV probe mismatch, daily/weekly digests. Per-channel routing.

Lynx Compliance - Slack Connector

Pulls compliance evidence from Slack - channel inventory, user inventory, Enterprise Grid audit log - via the Slack Web API.

Lynx Compliance - Survey Templates

Compliance-tagged survey templates layered onto Odoo CE survey - CAIQ v4 starter, SIG Lite, NIST CSF 2.0 self-assessment, awareness quiz - with vendor linkage and finding auto-raise on red-flag answers.

Lynx Compliance - Training (Awareness & Specialized)

Security awareness + specialized training program tracking on top of core Odoo survey. Phishing simulation register. Covers NIST CSF 2.0 PR.AT-01 and PR.AT-02.

Lynx Compliance - Trust Portal

Public-facing trust page (/trust) — frameworks, certifications, control coverage, published policies, subprocessors, incident transparency, security contact. The default-on sales wedge.

Lynx Compliance - Trust Portal Cryptographic Proofs

Periodic SHA-256-sealed snapshots of compliance claims (control coverage, evidence counts, training completion) anchored to the tamper-evident audit-log tip hash. Visitors can mathematically verify we did not back-edit our numbers.

Lynx Compliance - Vendor Public Posture Monitoring

Daily public-posture probes against each tracked vendor (TLS, security headers, DMARC/SPF/DKIM, breach exposure, IP reputation). Composite letter grade A-F with drift findings auto-raised on degradation.

Lynx Knowledge - Compliance Bridge

Bridge between Lynx Knowledge and Lynx Compliance - attaches knowledge.article records to policy versions, vendor assessments, findings, incidents, and implementation guides via Many2many. Auto-installs when both base modules are present.

Depends on

web lynx_sign portal lynx_base mail base digest lynx_license_enforcer spreadsheet_dashboard

Try Lynx Compliance on your team.

Free trial, no credit card. Talk to sales when you're ready.

Start free trial Browse all modules