Pre-audit prep, delivered in hours

SOC 2 & HIPAA gap analysis,
signed before your kickoff.

Danda is an AI SOC 2 and HIPAA gap-analysis service for any SaaS heading into an audit — fintech, devtools, AI platforms, B2B infrastructure, healthtech, and beyond. It reads your codebase, infrastructure, and database and returns an evidence-labeled readiness report — in two business hours, with every claim sourced. Every finding is labeled [FACT] with a source citation. From $1,500.

Pre-audit prep — not an attestation service. Your CPA-qualified auditor still issues the report.
1 flagship audit · 28 findings surfaced · 2-hour turnaround · beta proof
The problem

Six-week spreadsheets at $15–50k.

SOC 2 gap analysis from traditional firms takes 6–12 weeks and costs $15–50k. You need it in 30 days, and you need to spend the saved budget on remediation.

The wedge

AI can read code faster than humans.

An agent can ingest your repo, probe your infrastructure, and cross-check specs in parallel. But most "AI compliance" tools are still questionnaires with a chatbot bolted on — they don't read your code.

The promise

Two hours. Evidence-labeled. $1,500.

Danda returns a signed, auditor-accepted gap analysis in two business hours, with every claim sourced to a file, an SQL probe, or a `gcloud` call. Not a brittle script — a defensible artifact.

How it works

Three phases. One artifact. Two hours.

No agents in your VPC, no credentials shared, no model-training on your code. You stay in control of the data; Danda stays in control of the methodology.

01 — Upload

Point Danda at your repo and cloud.

Submit your GitHub URL and grant read-only cloud auth (gcloud / AWS / Azure). Danda spawns three specialist agents — security, infrastructure, privacy — that read in parallel.

02 — Probe

Danda emits SQL. You execute.

Ten SQL queries are emitted for your database. You run them in Cloud SQL Studio — Danda never touches credentials. Results flow back. Three reviewer personas cross-check findings against your specs and ADRs.

03 — Deliver

Signed report, grouped by track.

Every finding labeled [FACT] + source, [ASSUMPTION], [CONTRADICTION], or [IN PROGRESS]. Remediation grouped in Tracks A–H. Ship it to your auditor.

Choosing a framework

Which framework do you need?

SOC 2 SaaS selling into enterprise, mid-market, or regulated buyers

SOC 2 Type II is the default enterprise unlock. Fintech, devtools, AI platforms, B2B infrastructure, data tooling, internal-tools SaaS — if procurement is asking for an attestation, this is what they want. Start here.

+ HIPAA If your product touches PHI or you sign BAAs

HIPAA layers on top of SOC 2. Healthtech, healthcare SaaS, and Business Associates typically run both. Danda's methodology was validated on a production healthcare platform, so the HIPAA depth is battle-tested — but it's an add-on to the same core audit, not a separate product.

Same 7-stage methodology, same evidence-labeled deliverable. Your auditor gets one artifact regardless of framework.

Danda vs Vanta, Drata, Big-4, freelancers

Nobody else does all four.

Continuous-compliance SaaS knows what you typed into a questionnaire. Big-4 firms know what you said in a kickoff. Danda knows what your codebase, your infrastructure, and your live database actually look like — and labels every claim with a citation.

Capability                       | Danda                                | Vanta / Drata                 | Big-4 auditor          | Upwork freelancer
Turnaround                       | 2 hours                              | Continuous SaaS — no one-shot | 6–12 weeks             | 1–3 weeks
Price                            | $1,500 one-shot                      | $3k–25k / year                | $15k–150k / engagement | $500–3k, variable
Evidence provenance              | [FACT] + source per finding          | Questionnaire-based           | Manual notes           | Narrative report
Live-DB probing                  | 10 SQL probes                        | — none                        | Spot interviews only   | — none
Persona cross-review             | 3 specialist personas                | — none                        | Single partner         | — none
Ships a document auditors accept | ✅ Signed bundle (Ed25519 + SHA-256) | dashboard only                | ✅ Attestation letter  | ⚠ varies

Evidence taxonomy

Every claim, labeled. No hand-waving.

[FACT] TLS 1.0 deprecated; load balancer enforces 1.2+
gcloud compute ssl-policies describe lb-prod · minTlsVersion=TLS_1_2
[ASSUMPTION] Incident response runbook is current
no source — last-modified field absent in docs/ir.md; operator must confirm
[CONTRADICTION] Spec says PII encrypted at rest; column `users.ssn` plaintext
specs/data-handling.md §3.2 ↔ SQL probe Q7 · 4,182 rows
[IN PROGRESS] Annual penetration test scheduled with NetSPI Q2
jira/SEC-118 · status: in-flight · attestation pending

Auditors want provenance. Volume without source is noise. Danda refuses to make a claim without citing gcloud output, a file:line, or an SQL query #. Every finding carries a label so your auditor knows exactly how much weight to assign it.

The labels are deliberately narrow. [FACT] means a citation exists. [ASSUMPTION] means we couldn't find one and we're saying so out loud. [CONTRADICTION] means your own specs disagree with reality. [IN PROGRESS] means there's an open ticket — handed back to you, not buried.

Honest about the hard parts

Some gaps require human judgment — is the sub-processor DPA signed? is the vendor contract formalized? Danda doesn't guess. It flags these as [IN PROGRESS] and returns them to you for operator resolution.

Sample finding

What a single finding looks like.

A real finding from a beta engagement (anonymized). Severity, evidence, remediation track, and the underlying source — all in one inspectable card.

CRITICAL [FACT] SOC 2 · CC7.2 · Monitoring

Production audit logs retain only 30 days

Remediation track: Track B — Audit & accountability · estimated effort: 6 engineering hours
[FACT] SOC 2 CC7.2 requires the entity to monitor system components and the operation of controls; auditor-defensible evidence requires audit log retention covering the full Type II observation window (typically 12 months).
[FACT] terraform/logging.tf:L47 — retention_days = 30.
[FACT] Verified via Q2 SQL probe: oldest audit_log entry is 28 days old (oldest log_date = 2026-03-24, current 2026-04-21).
Source code terraform/logging.tf
44  resource "google_logging_project_sink" "prod_audit" {
45    name        = "prod-access-audit"
46    destination = "bigquery.googleapis.com/projects/${var.project}/datasets/audit_logs"
47    retention_days = 30   // ⚠ SOC 2 Type II observation window is typically 12 months
48    filter      = "resource.type=\"cloudsql_database\" AND protoPayload.authenticationInfo.principalEmail!=\"\""
49  }
SQL probe output Q2 · audit_retention.sql
-- Q2: oldest production audit log entry
SELECT MIN(log_date) AS oldest_entry,
       MAX(log_date) AS newest_entry,
       AGE(MAX(log_date), MIN(log_date)) AS retention_span
FROM audit_logs
WHERE resource_type = 'privileged_action';

 oldest_entry | newest_entry | retention_span
--------------+--------------+----------------
  2026-03-24  |  2026-04-21  |  28 days
(1 row)
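The taxonomy rule stated above ("[FACT] means a citation exists") and the three [FACT] lines of this sample finding can be checked mechanically rather than by eye. The Go program below is an added example written for this page, not Danda's code: it parses evidence-card text in the two-line layout shown under Evidence taxonomy and fails any [FACT] whose claim and source carry none of the citation forms the page names (file:line, SQL probe number, gcloud output). Treating a SOC 2 criterion reference such as CC7.2 as a fourth citation form is an assumption added here so that the sample finding's first line passes; the final, unsourced [FACT] in the sample text is constructed to show a rejection.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// citationForm is one recognised way of sourcing a [FACT]. Order matters: the
// first form that matches is the one reported.
type citationForm struct {
	name string
	re   *regexp.Regexp
}

var citationForms = []citationForm{
	// file:line, e.g. "terraform/logging.tf:L47"
	{"file:line", regexp.MustCompile(`\b[\w./-]+\.(tf|md|py|go|js|ts|yaml|yml|json):L?\d+\b`)},
	// SQL probe number, e.g. "Q2 SQL probe" or "SQL probe Q7"
	{"sql-probe", regexp.MustCompile(`\bQ\d+\b.*\bSQL\b|\bSQL\b.*\bQ\d+\b`)},
	// gcloud output, e.g. "gcloud compute ssl-policies describe lb-prod"
	{"gcloud", regexp.MustCompile(`\bgcloud\s+\S+`)},
	// Assumption added for this example: a SOC 2 criterion such as "CC7.2" counts as a source.
	{"control-criterion", regexp.MustCompile(`\bCC\d\.\d\b`)},
}

// Finding is one labeled claim plus whatever source text follows it on the card.
type Finding struct {
	Label  string
	Claim  string
	Source string
}

var labelRe = regexp.MustCompile(`^(\[[A-Z ]+\])\s*(.*)$`)

// ParseCards splits card text into findings: a line opening with a bracketed
// label starts a finding, and the lines up to the next label are its source.
func ParseCards(text string) []Finding {
	var out []Finding
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if m := labelRe.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Label: m[1], Claim: m[2]})
		} else if n := len(out); n > 0 {
			out[n-1].Source = strings.TrimSpace(out[n-1].Source + " " + line)
		}
	}
	return out
}

// CheckFinding enforces "[FACT] means a citation exists". It returns whether
// the finding is acceptable and, for a sourced FACT, which citation form matched.
// A FACT with no recognised citation fails and should be relabeled [ASSUMPTION].
func CheckFinding(f Finding) (ok bool, citation string) {
	switch f.Label {
	case "[FACT]":
		text := f.Claim + " " + f.Source
		for _, c := range citationForms {
			if c.re.MatchString(text) {
				return true, c.name
			}
		}
		return false, ""
	case "[ASSUMPTION]", "[CONTRADICTION]", "[IN PROGRESS]":
		return true, ""
	}
	return false, "" // unknown label: not part of the taxonomy
}

// SampleCards: the page's four taxonomy cards and the three [FACT] lines of the
// sample finding, followed by one constructed, unsourced [FACT].
const SampleCards = `
[FACT] TLS 1.0 deprecated; load balancer enforces 1.2+
gcloud compute ssl-policies describe lb-prod · minTlsVersion=TLS_1_2
[ASSUMPTION] Incident response runbook is current
no source — last-modified field absent in docs/ir.md; operator must confirm
[CONTRADICTION] Spec says PII encrypted at rest; column users.ssn plaintext
specs/data-handling.md §3.2 ↔ SQL probe Q7 · 4,182 rows
[IN PROGRESS] Annual penetration test scheduled with NetSPI Q2
jira/SEC-118 · status: in-flight · attestation pending
[FACT] SOC 2 CC7.2 requires the entity to monitor system components and the operation of controls.
[FACT] terraform/logging.tf:L47 — retention_days = 30.
[FACT] Verified via Q2 SQL probe: oldest audit_log entry is 28 days old.
[FACT] All engineers have completed security training this year.
`

func main() {
	for _, f := range ParseCards(SampleCards) {
		ok, cite := CheckFinding(f)
		fmt.Printf("%-16s ok=%-5t cite=%-17s %s\n", f.Label, ok, cite, f.Claim)
	}
}
```

Running it prints one verdict per finding; the last line comes back `ok=false` with no citation, which is exactly the case the taxonomy says must be called out rather than shipped as a fact.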

Deliverables

Six artifacts auditors will actually read.

Every paid engagement produces a signed, reproducible artifact bundle. Executive Summary for the CTO, Deep Technical Analysis for engineering, Shareable Web View for the auditor, Signed Artifact Bundle for compliance archives.

Executive Summary PDF

Two pages. What you have, what you need, what's next. For the CTO and the board — signed and ready to forward.

Included in: Pro · Combined · Retainer · White-glove

Deep Technical Analysis PDF

30–80 pages. Every finding cited to file:line or SQL probe. Evidence taxonomy throughout. For engineering remediation.

Included in: Pro · Combined · Retainer · White-glove

Shareable Web View

Hosted at danda.sh/audit/:token. Send the link to your auditor. Read-only, token-scoped, revocable.

Included in: Pro · Combined · Retainer · White-glove

Signed Artifact Bundle

ZIP with MANIFEST.json, SHA-256 manifest, and Ed25519 signature. Proves the report wasn't modified post-generation.

Included in: Pro · Combined · Retainer · White-glove
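The tamper evidence in a bundle like this comes from two layered checks: every file's SHA-256 digest must match the entry in the manifest, and the manifest itself must carry a valid Ed25519 signature from the publisher's key. The Go program below is an added example, not Danda's code and not its real MANIFEST.json schema; the manifest layout (a `files` map of path to digest), the file names and the in-memory stand-in for the ZIP are all constructed for illustration. `VerifyBundle` is the check an auditor would run with the publisher's public key, and `Demo` shows a clean bundle passing and two tampering attempts failing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the layout assumed here for MANIFEST.json: one SHA-256 hex
// digest per bundled file. The page does not show the real schema.
type Manifest struct {
	Files map[string]string `json:"files"`
}

// Bundle is an in-memory stand-in for the ZIP: report files, the encoded
// manifest, and the Ed25519 signature over the exact manifest bytes.
type Bundle struct {
	Files     map[string][]byte
	Manifest  []byte
	Signature []byte
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildBundle hashes every file, encodes the manifest (encoding/json writes
// map keys in sorted order, so the bytes are reproducible) and signs it.
func BuildBundle(files map[string][]byte, priv ed25519.PrivateKey) (*Bundle, error) {
	m := Manifest{Files: make(map[string]string, len(files))}
	for name, data := range files {
		m.Files[name] = sha256Hex(data)
	}
	manifest, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return &Bundle{Files: files, Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}, nil
}

// VerifyBundle is the auditor-side check, run with the publisher's public key:
// signature over MANIFEST.json first, then every listed file against its digest,
// then a sweep for files the signed manifest never listed.
func VerifyBundle(b *Bundle, pub ed25519.PublicKey) error {
	if !ed25519.Verify(pub, b.Manifest, b.Signature) {
		return errors.New("manifest signature invalid: MANIFEST.json altered or signed with another key")
	}
	var m Manifest
	if err := json.Unmarshal(b.Manifest, &m); err != nil {
		return fmt.Errorf("manifest unparsable: %w", err)
	}
	for name, want := range m.Files {
		data, ok := b.Files[name]
		if !ok {
			return fmt.Errorf("%s listed in manifest but missing from bundle", name)
		}
		if got := sha256Hex(data); got != want {
			return fmt.Errorf("%s modified after signing: sha256 %s.. != manifest %s..", name, got[:12], want[:12])
		}
	}
	for name := range b.Files {
		if _, ok := m.Files[name]; !ok {
			return fmt.Errorf("%s present in bundle but absent from signed manifest", name)
		}
	}
	return nil
}

// Demo builds a bundle from constructed stand-in files and returns the verify
// result for: the untouched bundle, a bundle whose report file was edited after
// signing, and a bundle re-signed for the edited files with an untrusted key.
func Demo() (clean, editedFile, forgedSignature error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"executive-summary.pdf": []byte("constructed stand-in for the 2-page PDF"),
		"deep-technical.pdf":    []byte("constructed stand-in for the 30-80 page PDF"),
		"findings.json":         []byte(`[{"id":"F-1","label":"[FACT]","severity":"CRITICAL"}]`),
	}
	b, err := BuildBundle(files, priv)
	if err != nil {
		panic(err)
	}
	clean = VerifyBundle(b, pub)

	// Edit one finding's severity; manifest and signature are left untouched.
	edited := make(map[string][]byte, len(files))
	for k, v := range files {
		edited[k] = v
	}
	edited["findings.json"] = []byte(`[{"id":"F-1","label":"[FACT]","severity":"LOW"}]`)
	editedFile = VerifyBundle(&Bundle{Files: edited, Manifest: b.Manifest, Signature: b.Signature}, pub)

	// Rebuild manifest and signature for the edited files with a different key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := BuildBundle(edited, otherPriv)
	forgedSignature = VerifyBundle(forged, pub)
	return clean, editedFile, forgedSignature
}

func main() {
	clean, editedFile, forgedSignature := Demo()
	fmt.Println("clean bundle:       ", clean)
	fmt.Println("edited report file: ", editedFile)
	fmt.Println("forged signature:   ", forgedSignature)
}
```

The order of checks matters: the signature is verified before the manifest is parsed or any digest compared, so an attacker cannot make the verifier trust a manifest they rewrote, and the final sweep catches a file added to the archive without being listed. The public key must reach the auditor by a channel separate from the bundle itself; a key shipped inside the ZIP proves nothing.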

BAA / Vendor Inventory

CSV + JSON. GRC-ingestable into Vanta, Drata, Sprinto. Every vendor with PHI access, BAA status, and date signed.

Included in: White-glove

Quarterly Delta Report

5–10 pages with trend graphs. What changed, what remediated, what regressed. Flags stagnation on open critical findings.

Included in: Retainer

Trust & safety

Guardrails that don't bend.

Danda operates in your account boundary, not above it. Seven rails govern every audit — none of them are configurable, and none are skipped on a faster tier.

01

Read-only cloud access.

Danda only runs describe, list, get. Never mutates. Verified by IAM policy, not by trust.
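"Verified by IAM policy" means the rail is something the operator can confirm independently: dump the role granted to the reviewing principal and assert that every permission it carries is a read verb. The Go program below is an added example, not Danda's tooling; it parses output in the shape of `gcloud iam roles describe ROLE --project PROJECT --format=json` (the `includedPermissions` field) and lists anything outside a describe/list/get allowlist. The role JSON is constructed for this example, although the permission names are real GCP permissions; `logging.sinks.update` and `iam.serviceAccounts.actAs` are included deliberately as the kind of grant the check should catch before access is given.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Role mirrors the fields of interest in `gcloud iam roles describe --format=json`.
type Role struct {
	Name                string   `json:"name"`
	IncludedPermissions []string `json:"includedPermissions"`
}

// SampleRoleJSON is a constructed stand-in for the describe output of a custom
// role an operator might grant to an external reviewer. The permission names
// are real GCP permissions; the role and its mix of verbs are made up here.
const SampleRoleJSON = `{
  "name": "projects/example-project/roles/externalAuditReader",
  "includedPermissions": [
    "compute.sslPolicies.get",
    "compute.sslPolicies.list",
    "logging.sinks.get",
    "logging.sinks.list",
    "cloudsql.instances.get",
    "cloudsql.instances.list",
    "resourcemanager.projects.get",
    "logging.sinks.update",
    "iam.serviceAccounts.actAs"
  ]
}`

// IsReadOnlyPermission applies the narrow rule "describe, list, get only": the
// verb segment of service.resource.verb must be "list" or start with "get"
// (get, getIamPolicy, ...). gcloud's `describe` subcommands are backed by *.get.
// Anything else, including verbs that are technically read-only but sensitive,
// is returned for human review rather than silently allowed.
func IsReadOnlyPermission(perm string) bool {
	parts := strings.Split(perm, ".")
	if len(parts) < 3 {
		return false
	}
	verb := parts[len(parts)-1]
	return verb == "list" || strings.HasPrefix(verb, "get")
}

// NonReadOnly parses the role JSON and returns every permission outside the
// allowlist, sorted, so the operator can strip them before granting the role.
func NonReadOnly(roleJSON string) ([]string, error) {
	var r Role
	if err := json.Unmarshal([]byte(roleJSON), &r); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range r.IncludedPermissions {
		if !IsReadOnlyPermission(p) {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	bad, err := NonReadOnly(SampleRoleJSON)
	if err != nil {
		panic(err)
	}
	if len(bad) == 0 {
		fmt.Println("role is read-only")
		return
	}
	fmt.Println("permissions that violate the read-only rail:")
	for _, p := range bad {
		fmt.Println("  ", p)
	}
}
```

The check is deliberately an allowlist, not a blocklist of known mutating verbs: a new or unfamiliar verb fails closed and has to be justified, which is the property you want when the grantee is a third party. Run the same check again after the engagement closes to confirm the grant was removed.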

02

You run the SQL.

Danda emits queries; you execute them in your Cloud SQL Studio. Danda never sees your DB credentials and never connects to your database.

03

Zero-retention inference.

No client data in model training. PII redacted before inference. Inference traces purged at end of engagement.

04

E&O insured.

Danda is operated by ProductLove, Inc. Errors & Omissions coverage in place. Certificate available on request.

05

Signed repo-owner consent.

Danda won't analyze a repo without explicit owner consent. Public-repo previews are email-gated and rate-limited.

06

Active-breach escalation.

If Danda surfaces evidence of an active data breach, you're notified immediately and disclosure timing is your call. HIPAA's 60-day breach-notification clock starts with your discovery determination, not Danda's finding. Danda is a tool, not a mandated reporter.

07

Client owns disclosure.

Danda's output is advisory. You control timing of any disclosure to auditors, customers, or third parties.

Pricing

Pay per audit. Or stay current quarterly.

No seat licenses. No annual contracts. The Pro audit is the product — everything else is a wrapper around it.

Free preview
$0 · no card
60 sec · email-gated · SOC 2 patterns only
  • 3 findings from a public GitHub URL
  • Code-only — no infra or DB probing
  • SOC 2 patterns (HIPAA requires DB access)
  • Lead-magnet only; not a Pro substitute
Pro audit — HIPAA or SOC 2
$1,500 · one-shot
pick one framework
  • Executive Summary PDF (2 pages, signed)
  • Deep Technical Analysis PDF (30–80 pages, file:line cited)
  • Shareable Web View at danda.sh/audit/:token
  • Signed Artifact Bundle (ZIP + SHA-256 manifest + Ed25519 signature)
  • Full 7-stage methodology, 10 SQL probes, persona-reviewed
Quarterly retainer
$500 / qtr single · $750 / qtr combined
recurring · state carry-over
  • Re-audit every quarter with state carry-over
  • Quarterly Delta Report (5–10 pages, trend graphs)
  • Flags stagnation on open critical findings
  • Each quarter ships a new Signed Artifact Bundle
White-glove
$5,000 · one-shot
includes Pro audit · either framework
  • Everything in Pro audit
  • BAA/Vendor Inventory (CSV + JSON, GRC-ingestable into Vanta/Drata/Sprinto)
  • 2-hour Zoom walkthrough with the operator
  • Custom auditor-prep session (pre-populated Big-4 questionnaire answers)
  • HITRUST-prep variant available

FAQ

Questions an auditor would ask.

Danda is built for one specific moment: the 30–90 days before your SOC 2 or HIPAA kickoff. If your question isn't here, email travis@thecollectiveai.dev.

What is Danda?

Danda is an AI SOC 2 / HIPAA gap-analysis service. It reads your codebase, infrastructure, and live database, then returns an evidence-labeled readiness report in two hours. It is pre-audit prep — it sits between you and your certified attestation auditor (Schellman, A-LIGN, Prescient, Big-4).

How is Danda different from Vanta, Drata, or Secureframe?

Vanta, Drata, and Secureframe are continuous-compliance SaaS. They ingest evidence via 300+ integrations and maintain a dashboard of control status. They're excellent at keeping you compliant once you've achieved compliance. They don't ship a document. They don't read your code. They don't probe your database.

Danda is a one-shot artifact — a signed gap analysis you can hand your auditor. We read your codebase (file:line citations), probe your infrastructure (10 SQL queries, read-only), and cross-check against your own specs. Danda runs before Vanta; Vanta runs after. They're complementary, not competitive. The White-glove tier even exports BAA/Vendor Inventory in Vanta/Drata-ingestable CSV/JSON format so the two tools plug together.

Can Danda replace my SOC 2 auditor (Schellman, A-LIGN, Big-4)?

No. Danda is pre-audit prep, not an attestation service. Your CPA-qualified auditor still issues the SOC 2 report. Danda hands them a signed gap analysis before the kickoff so the engagement starts on solid ground — and so you don't pay attestation rates to discover gaps you could have fixed in week one.

What does the free preview include?

Three findings from a public GitHub URL. Code-only, no infrastructure or database probing. Email-gated, rate-limited, returned in under 60 seconds. It's a top-of-funnel sample so you can see the evidence taxonomy in action — not a substitute for the Pro audit.

How does the $1,500 audit actually get delivered?

You sign a repo-owner consent form and grant read-only cloud access. Three specialist agents (security, infrastructure, privacy) read in parallel. Danda emits 10 SQL probes you run yourself in Cloud SQL Studio. Three reviewer personas cross-check findings against your specs and ADRs.

Two business hours after kickoff, you receive an evidence-labeled report with Track A–H remediation. The report is signed and hashed; you can hand the artifact directly to your auditor.

What about HIPAA? Is the methodology different?

Same 7-stage methodology, different control mappings. HIPAA adds BAA / vendor inventory, PHI-flow tracing, and breach-notification readiness checks. The SQL probe set adjusts to focus on PHI handling and access logging.

Is Danda a HITRUST assessor?

No. HITRUST CSF certification requires a CSF-licensed assessor; we're not one. Danda is pre-audit gap analysis, framework-agnostic. Output works for HIPAA attestation, SOC 2 Type II, HITRUST prep, and enterprise customer due-diligence questionnaires.

Can we share the Danda report with our SOC 2 auditor?

Yes. The Signed Artifact Bundle is explicitly designed to be accepted by attestation auditors (Schellman, A-LIGN, Prescient, Big-4) as pre-audit gap analysis. The MANIFEST.json + Ed25519 signature prove the report wasn't modified post-generation. Several auditor firms are exploring partnership recognition, which would let you discount their attestation fee by landing their engagement with a signed Danda artifact in hand.

Can Danda provide continuous compliance monitoring?

The Quarterly Retainer tier delivers a re-audit every 90 days with a Delta Report showing what changed, what remediated, what regressed. For daily/hourly monitoring, use Vanta/Drata/Secureframe — that's their strength. For periodic rigorous gap analysis with signed artifacts, Danda.

Do I need to share my database credentials?

No. Danda emits SQL queries; you execute them yourself in Cloud SQL Studio (or your equivalent) and paste the results back. Danda never sees your DB credentials and never connects to your database directly. This is a non-negotiable rail, not a tier feature.

Is Danda appropriate for a 5-person startup?

Yes. Startups with an auditor kickoff date in the next 30–90 days are the sweet spot. Danda de-risks the gap-analysis phase before you burn $15–50k on a traditional firm, and gives you a signed artifact to walk into your kickoff with. If you've already hired Schellman or A-LIGN, you can still buy a Pro audit to pre-empt their findings list.

How is Danda related to The Collective?

Danda is part of The Collective, a portfolio of focused AI products from ProductLove, Inc. Danda is sold and operated standalone — you do not need to know or use any other Collective product to buy a Danda audit. The relationship is mostly relevant to procurement: ProductLove, Inc. is the legal counterparty on your invoice and BAA.

Run a free preview now.

Drop a public GitHub URL. We'll surface 3 findings — fully evidence-labeled — and email them to you in under 60 seconds.

3 findings, evidence-labeled · No card required · ~60 seconds