Skip to main content

CAPABILITY · OPS & BACK-OFFICE

Compliance Binder

Ongoing compliance documentation maintained automatically — audit-ready at all times.

$10,000 build · $3,500–5,000/mo

Talk to us about a Compliance Binder build →

What it does

Monitors policy versions, tracks employee acknowledgments, and assembles compliance evidence packages on demand. Sends renewal alerts before deadlines. Generates audit-ready binders for SOC 2, HIPAA, and state licensing requirements.

Most regulated businesses don't have a compliance problem — they have a documentation problem. The policies exist. The training happened. The auditor attestations got signed somewhere. But when an audit notice lands, the next four weeks become a full-time scavenger hunt: who has the current version of that SOP, when did it last get reviewed, where are the training acknowledgments for the three employees who turned over last year, and which vendor contracts are still waiting on BAAs.

The Compliance Binder build changes that shape. We pull from the systems you already use — your document storage, your HR platform, your policy management tools — and assemble a living, framework-mapped binder that reflects the actual state of your program, not the state it was in when someone last updated a spreadsheet. Each regulatory framework (HIPAA, NIST 800-171, SOC 2, CLIA, Joint Commission, Title 31, and others) maps to a control library, and the build continuously checks whether the evidence behind each control is current, signed, and gap-free.

Gaps surface as alerts before they surface as findings. When a policy hits its review date, a reviewer gets notified. When an employee acknowledgment is missing, the build flags it. When a vendor's BAA expires, it's on a list — not discovered by an auditor. At audit time, you produce a structured evidence package per control: policy version with change log, attestation trail, supporting documentation, and gap remediation notes where applicable. The output is built for auditors, not for internal consumption — clean, cross-referenced, and defensible.

Golden Horizons scopes the build to your specific regulatory framework and existing system stack. Custom control libraries are supported for organizations with frameworks that don't fit a named standard.

Use cases

  • A clinical practice maps HIPAA Security Rule controls to current policies, employee training logs, and signed BAAs — producing an auditor-ready evidence package without a dedicated compliance officer.
  • A biotech company assembles CMC documentation across lab notebooks, SOPs, and change-control logs into a single FDA-submission-ready binder with version history intact.
  • A federal contractor running a NIST 800-171 program uses the build to track SSP control status, POA&M items, and evidence artifacts — keeping CMMC readiness current between assessments.
  • A clinical lab consolidates CLIA and CAP inspection documentation: proficiency testing records, QC logs, personnel qualification files, and corrective action reports, mapped to inspection checklist items.
  • A casino compliance team maintains Title 31 BSA/AML program documentation — training logs, SAR filing records, policy versions, and independent testing results — organized by exam category.

What’s included

  • Fixed scope with written acceptance criteria before any build starts
  • Customization layer for your brand voice and business rules
  • Clean handover with documented runbook and live training
  • Monthly ROI report for three months post-delivery
  • Source code delivered to your GitHub on handover

What’s NOT included

  • Third-party API subscription costs (billed to your accounts)
  • Data migration from legacy systems
  • Ongoing infrastructure costs after handover

Retainer

Monthly retainer covers monitoring, prompt tuning, config refinement, and minor integration additions. Range: $3,500–5,000/mo.

How clients use this

Fixed-scope build with clean handover, then an optional monthly retainer covering maintenance, monitoring, and minor changes. Most clients move to retainer within 60 days of delivery.

Part of

Used in: Law Firms , Dental Practices

Questions Compliance Binder clients ask

Which regulatory frameworks does the build support?

The build ships with control libraries for HIPAA (Privacy and Security Rules), NIST 800-171 and CMMC 2.0, SOC 2 Trust Services Criteria, CLIA and CAP inspection standards, Joint Commission accreditation requirements, and Title 31 BSA/AML program documentation. If your program runs on a custom or hybrid framework — a state-specific licensing standard, an internal audit methodology, or a client-mandated control set — we map those controls during the scoping engagement before the build starts. The framework layer is configurable; the evidence-collection and gap-alerting logic is the same regardless of which standard you're running against.

Is this a full compliance program, or just documentation support?

Documentation support, specifically. The build doesn't write your policies, conduct your risk assessments, or make legal determinations about what your program requires. What it does is take the program you already have and keep the evidence behind it organized, current, and audit-ready. If your underlying program has substantive gaps — missing policies, untrained staff, controls that exist on paper but not in practice — the build will surface those gaps clearly, but closing them is your team's work or your outside counsel's. Think of it as the difference between a well-organized filing system and a compliance attorney. Both are useful; they're not substitutes for each other.

Can this work alongside our existing GRC platform?

Yes. The build is designed to layer on top of existing tools, not replace them. If you're running a GRC platform — Vanta, Drata, Tugboat Logic, ServiceNow GRC, or a homegrown system — we can pull evidence from those sources, fill gaps where the platform doesn't cover, and produce formatted output for audit engagements. In practice, most mid-market organizations have a GRC platform that tracks control status but lacks the document assembly and change-log management that auditors actually request. The Compliance Binder fills that layer. For organizations without a GRC platform, the build handles the full evidence chain from source systems through to the audit package.

How accurate is the output under regulator or auditor review?

The build produces what the underlying sources contain — it doesn't infer, fabricate, or extrapolate compliance status. If a policy is unsigned, the binder shows it unsigned. If a control has no mapped evidence, the gap is flagged explicitly rather than papered over. That transparency is intentional: auditors routinely find problems with programs that looked clean on summary dashboards but fell apart at the evidence level. The output format is designed to match what examiners and certification bodies ask for, so reviewers can navigate it without a guided tour. Accuracy under review depends on the quality of your source documentation; the build's job is to assemble and organize that documentation faithfully, and flag where it's missing.

What does the retainer cover after the initial build ships?

Three things: framework updates, source-system changes, and audit-cycle support. Regulatory frameworks update — NIST releases revised guidance, Joint Commission modifies its standards chapter, a state licensing body changes its renewal documentation requirements. When that happens, we update the control mapping and flag any new evidence gaps. Source systems also change — your HR platform switches vendors, your document storage migrates, your policy management tool gets replaced. The retainer covers keeping the integrations live and the evidence pipeline intact through those transitions. During active audit cycles, we're available to produce supplemental packages, respond to auditor information requests that require pulling additional evidence, and support any remediation documentation the examiner requires before closing.

Start with an audit →