# Danda

> Danda is an AI HIPAA & SOC 2 gap-analysis service. It reads your codebase, infrastructure, and live database, and returns an evidence-labeled readiness report in two business hours — one that a certified auditor can accept as the engagement's starting artifact.

## What Danda is

Danda runs a 7-stage methodology on a client project: three parallel specialist agents read the codebase (security, infrastructure, privacy), emit 10 SQL probes the operator runs against the database, verify live infrastructure via read-only cloud CLI calls, and produce a v3 gap-analysis spec where every claim carries an evidence label — `[FACT]` + source citation, `[ASSUMPTION]`, `[CONTRADICTION]`, or `[IN PROGRESS]`. Three reviewer personas (compliance, security, observability) cross-check the generated spec against the client's own docs before delivery.

The deliverable is pre-audit prep, not attestation. Danda sits between the client and their CPA-qualified auditor (Schellman, A-LIGN, Prescient, Big-4). The client still gets their SOC 2 or HIPAA attestation from that auditor — Danda shortens the gap-analysis phase from 6–12 weeks to 2 hours, with a signed artifact the auditor can consume directly.

The methodology was validated on a production healthcare platform (HIPAA audit) before being extended to SOC 2. Healthcare SaaS is the flagship ICP; enterprise-bound startups are the co-primary ICP.

## What makes Danda different

Continuous-compliance SaaS platforms (Vanta, Drata, Secureframe) rely on questionnaires and integrations to surface what the customer tells them. Big-4 and specialist audit firms (Schellman, A-LIGN, KPMG, PwC, Deloitte) run engagements over 6–12 weeks at $15k–150k per engagement. Upwork freelancers deliver shallow narrative reports in 1–3 weeks at $500–3k. Danda is none of these — it is a one-shot, evidence-labeled artifact with live-DB probing, delivered in 2 business hours at $1,500 (single framework) or $2,500 (combined HIPAA + SOC 2).


- **Evidence taxonomy.** Every finding carries a label: `[FACT]` with a source citation (`gcloud` output, `file:line`, or SQL query #), `[ASSUMPTION]` where a citation was not available, `[CONTRADICTION]` where the client's own specs disagree with observed reality, or `[IN PROGRESS]` for items with open tickets. Auditors value provenance over volume; Danda refuses to make a claim without citing its source.
- **Live-database probing.** 10 SQL probes run against the client's production database catch what code audits miss — e.g., "MFA infrastructure exists in code" vs "32% of privileged users have actually enrolled." Questionnaire-based tools know only what the customer typed in.
- **Persona-reviewed cross-spec consistency.** Three reviewer personas compare the generated gap analysis against the client's own ADRs and specs, flagging drift (spec says "PII encrypted at rest"; SQL probe shows `users.ssn` stored plaintext).
- **Hours-not-weeks turnaround.** The 7-stage pipeline fits in a single 2-hour session vs 6+ weeks for traditional firms.
- **HIPAA-first framing.** Where competing tools flatten healthcare-specific controls into a generic SOC 2 mapping, Danda adapts to the primary framework: HIPAA Security Rule (§164.308–318) as the flagship, SOC 2 Type II as the extension, HITRUST-prep as a white-glove option.

## Pricing

- **Free preview:** $0 forever. 3 findings from a public GitHub URL. Code-only, SOC 2 patterns only (HIPAA requires database access that a public-repo teaser cannot provide). Email-gated. Rate-limited. Returned in under 60 seconds.
- **Pro audit — HIPAA or SOC 2:** $1,500 one-shot. Pick one framework. Full 7-stage methodology, 10 SQL probes, live gcloud/AWS/Azure probing, two persona-review rounds, evidence-labeled report organized by remediation tracks A–H. 2-business-hour turnaround.
- **Combined HIPAA + SOC 2:** $2,500 one-shot. Both frameworks in one engagement. Single 10-probe SQL run mapped to both control sets.
  ~15% discount vs buying separately. Ideal for healthcare SaaS preparing for enterprise deals.
- **Quarterly retainer:** $500/quarter single framework, $750/quarter combined. Recurring re-audit with state carry-over. Delta-over-time report shows remediation progress with evidence. Flags stagnation on open critical findings.
- **White-glove:** $5,000 one-shot. Includes Pro audit plus a 2-hour Zoom review with the operator, custom BAA/vendor inventory, auditor-prep session pre-kickoff. HITRUST-prep variant available.

## Methodology

7 stages, operator-in-the-loop at Stage 5 (SQL probe execution):

1. **Parallel Explore agents** — three specialist agents (security, infrastructure, privacy) read the repo in parallel.
2. **v1 synthesis** — gap analysis written and uploaded for persona review.
3. **Persona review round 1** — compliance, security, and observability personas review the spec against the client's own docs. Flagged contradictions and missing evidence are surfaced.
4. **Live verification** — gcloud / AWS / Azure CLI calls verify what the code claims. Read-only allowlist: `describe`, `list`, `get`. Never mutates.
5. **SQL probes** — 10 queries emitted with schema hints. Operator executes them in Cloud SQL Studio; results paste back. Danda never touches database credentials or connects directly.
6. **v3 synthesis** — evidence labels applied with citations. Findings grouped by remediation track (A: Access, B: Audit & accountability, C: Encryption, D: Incident response, E: Vendor management, F: Data classification, G: Workforce, H: Physical).
7. **Final persona re-review** — serial re-trigger. Output signed and hashed; artifact ready for the client's auditor.

## Trust and safety rails

- **Read-only cloud access.** Danda only runs `describe`, `list`, `get`. Never mutates. Verified by IAM policy, not by trust.
- **Client runs the SQL.** Danda emits queries; client executes in Cloud SQL Studio. Danda never sees DB credentials and never connects to the database directly.
- **Zero-retention inference.** No client data used in model training. PII redacted before model calls. Inference traces purged at end of engagement.
- **E&O insured.** Danda is operated by ProductLove, Inc. Errors & Omissions coverage in place. Certificate available on request.
- **Signed repo-owner consent.** Danda will not analyze a repo without explicit owner consent. Public-repo previews are email-gated and rate-limited (3 per day per IP).
- **Active-breach escalation.** If Danda surfaces evidence of an active data breach during analysis, the client is notified immediately and disclosure timing is the client's call. HIPAA's 60-day breach-notification clock starts with the client's discovery determination, not Danda's finding. Danda is a tool, not a mandated reporter.
- **Client owns disclosure.** Danda's output is advisory. The client controls timing of any disclosure to auditors, customers, or regulators.

## Start

Free preview: https://danda.sh/#preview — drop a public GitHub URL, 3 evidence-labeled findings in 60 seconds, emailed to the address on file.

Pro audit: https://danda.sh/#pricing — Stripe Checkout for $1,500 (single framework) or $2,500 (combined).

## Company

Danda is part of The Collective, a ProductLove, Inc. product (Delaware C-Corp). Danda is designed to be adopted standalone: run the preview, buy a Pro audit, receive the deliverable — no knowledge or use of any other Collective product is required. ProductLove, Inc. is the legal counterparty on the invoice and the BAA.

The Collective (https://thecollectiveai.dev) is a governance platform for AI-assisted software development built by the same team; existing Collective clients can access Danda at bundled pricing on partnership tiers.

## What's in a name?

Danda is named for the Hindu deity of dharma and judgment — the god who weighs every soul's conduct against the ledger.
A SOC 2 or HIPAA gap analysis is the same kind of weighing: every control is tested against the evidence; every finding is labeled with its provenance; nothing passes without a source. The metaphor is deliberate, and it reinforces the product's central claim — Danda refuses to make a claim without a citation.
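"Nothing passes without a source" is a rule a tool can enforce on the evidence taxonomy described under "What makes Danda different". The following is an added example, not Danda's own code: it parses report lines of the form `[LABEL] finding (citation)`, flags any unlabeled claim, and rejects any `[FACT]` that cites none of the three source forms the page names (`gcloud` output, `file:line`, or SQL query #). The regexes, the `Finding` type and the sample report are constructed for illustration and are assumptions about the report format, not Danda's actual schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four labels the taxonomy allows, and the three citation forms a [FACT] may cite
# (gcloud output, file:line, SQL query #). Both regexes are illustrative assumptions.
FINDING_RE = re.compile(r"^\[(FACT|ASSUMPTION|CONTRADICTION|IN PROGRESS)\]\s+(.+)$")
CITATION_RE = re.compile(r"gcloud [a-z0-9 .-]+|[\w./-]+\.\w+:\d+|SQL query #\d+")

# Constructed sample report: line 3 is a [FACT] with no source, line 7 is an unlabeled claim.
SAMPLE_REPORT = """\
[FACT] Cloud SQL instance prod-db has automated backups enabled (gcloud sql instances describe prod-db)
[FACT] 32% of privileged users have enrolled in MFA (SQL query #4)
[FACT] Audit log retention is 365 days
[ASSUMPTION] Backups are encrypted with a customer-managed key
[CONTRADICTION] ADR-12 says PII encrypted at rest; users.ssn is stored plaintext (SQL query #7)
[IN PROGRESS] Incident response runbook review (ticket open)
Session tokens rotate every 24 hours (src/auth/session.py:88)
"""


@dataclass
class Finding:
    label: str
    text: str
    citation: Optional[str]  # None when no recognised source is cited


def parse_finding(line: str) -> Optional[Finding]:
    """Parse one report line; return None if it carries no evidence label."""
    m = FINDING_RE.match(line.strip())
    if m is None:
        return None
    label, text = m.groups()
    cite = CITATION_RE.search(text)
    return Finding(label, text, cite.group(0) if cite else None)


def validate_report(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, problem) for every line that breaks the taxonomy."""
    problems = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        f = parse_finding(line)
        if f is None:
            problems.append((n, "unlabeled claim"))
        elif f.label == "FACT" and f.citation is None:
            problems.append((n, "[FACT] without source citation"))
    return problems


if __name__ == "__main__":
    for n, problem in validate_report(SAMPLE_REPORT.splitlines()):
        print(f"line {n}: {problem}")
```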