Quarterly UAR Execution

Done-For-You User Access Reviews.

Custodia runs the entire review cycle for you. We map the data, chase down manager approvals, and deliver a CPA-ready attestation report so your internal teams never have to do it again. Secure SOC 2, ISO 27001, and HIPAA compliance without lifting a finger.

License Waste

$10K+

Dormant accounts and duplicate seats often surface during a single quarterly review cycle.

No Admin Access

0 Privileged Integrations

Reviews run from secure CSV exports instead of Global Admin rights, agents, or live connectors.

Audit Trail

100% Manager Sign-Off

Every access decision is tied to an owner approval and preserved for auditor review.

Time Back

Weeks Saved Per Quarter

Internal teams stop chasing reviewers, wrangling spreadsheets, and assembling audit evidence by hand.


How it works

The Custodia Execution Engine

Zero API integrations. Zero Global Admin rights. Maximum compliance. We built a frictionless, asynchronous UAR pipeline so your engineering team never has to configure a dashboard.

Step 01

The Secure Data Drop

You never give us API keys or admin access. On day one of the quarter, your IT team drops standard CSV user exports (HR roster, AWS, SaaS apps) into our encrypted, SOC 2-compliant Custodia Portal. That is your only technical requirement.

Step 02

The Automated Approval Campaign

We kill the "Spreadsheet of Doom." Our proprietary Python engine maps your system accounts to HR identities and routes secure, single-click approval forms to your department managers. We automatically badger the stragglers until we hit 100% completion.

Step 03

The Certified Attestation Delivery

Within 7 days, you receive a CPA-ready Certified Attestation Report signed by an ISO 27001 Lead Auditor. You get a prioritized revocation hit-list for orphaned accounts, and immutable timestamps of every manager's approval to upload straight to your auditors.
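The three steps above reduce to one reconciliation job: join each system's user export against the HR roster, flag accounts with no owner or a terminated owner, flag dormant accounts, rank privileged problems first, and bucket the results by the manager who has to approve them. The script below is an added example of that logic, not Custodia's engine; the CSV column names (email, status, manager, system, user, role, last_login), the sample rows, the 90-day dormancy threshold, the privileged role set and the four-level priority scheme are all assumptions constructed for illustration.

```python
"""Reconcile system user exports against an HR roster and build a
prioritized revocation hit-list for a quarterly user access review (UAR).
Column names, thresholds and sample rows are assumptions for this example."""
import csv
import io
from datetime import date, datetime

# Constructed sample exports (not real customer data).
HR_ROSTER = """\
email,status,manager,department
alice@example.com,active,cto@example.com,Engineering
bob@example.com,terminated,cto@example.com,Engineering
carol@example.com,active,cfo@example.com,Finance
"""

AWS_EXPORT = """\
system,user,role,last_login
aws,alice@example.com,AdministratorAccess,2024-06-20
aws,bob@example.com,ReadOnly,2024-02-01
aws,svc-legacy,AdministratorAccess,2023-11-15
aws,carol@example.com,Billing,2024-06-28
"""

GWS_EXPORT = """\
system,user,role,last_login
gws,alice@example.com,user,2024-06-29
gws,dave@example.com,super_admin,2024-06-27
gws,carol@example.com,user,2024-03-01
"""

PRIVILEGED_ROLES = {"AdministratorAccess", "super_admin"}  # assumed set
DORMANT_DAYS = 90                                           # assumed threshold
REVIEW_DATE = date(2024, 6, 30)                             # quarter close


def load_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_hit_list(hr_csv, export_csvs, review_date=REVIEW_DATE):
    """Return findings sorted so the riskiest revocations come first."""
    roster = {row["email"].lower(): row for row in load_csv(hr_csv)}
    findings = []
    for export in export_csvs:
        for acct in load_csv(export):
            user = acct["user"].lower()
            person = roster.get(user)
            privileged = acct["role"] in PRIVILEGED_ROLES
            last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d").date()
            idle_days = (review_date - last_login).days

            reasons = []
            if person is None:
                reasons.append("orphaned: no matching HR identity")
            elif person["status"] != "active":
                reasons.append(f"HR status is {person['status']}")
            identity_issue = bool(reasons)
            if idle_days > DORMANT_DAYS:
                reasons.append(f"dormant for {idle_days} days")
            if not reasons:
                continue  # account is owned, active and in use

            # Priority 1: no valid owner AND privileged; 2: no valid owner;
            # 3: privileged but dormant; 4: dormant only.
            if identity_issue and privileged:
                priority = 1
            elif identity_issue:
                priority = 2
            elif privileged:
                priority = 3
            else:
                priority = 4

            findings.append({
                "system": acct["system"],
                "user": user,
                "role": acct["role"],
                "privileged": privileged,
                "priority": priority,
                "reasons": reasons,
                # Orphaned accounts have no manager; park them in a queue
                # for the system owner to claim (label is an assumption).
                "manager": person["manager"] if person else "UNASSIGNED",
            })
    findings.sort(key=lambda f: (f["priority"], f["system"], f["user"]))
    return findings


def route_approvals(findings):
    """Group findings by approving manager for the approval campaign."""
    queues = {}
    for f in findings:
        queues.setdefault(f["manager"], []).append(f"{f['system']}:{f['user']}")
    return queues


if __name__ == "__main__":
    hits = build_hit_list(HR_ROSTER, [AWS_EXPORT, GWS_EXPORT])
    for h in hits:
        print(f"P{h['priority']} {h['system']:<4} {h['user']:<20} "
              f"{h['role']:<20} {'; '.join(h['reasons'])}")
    for manager, items in route_approvals(hits).items():
        print(f"{manager}: {items}")
```

Running it on the constructed data yields four findings: the orphaned AWS admin service account and the unknown Google Workspace super admin rank first, the terminated engineer's read-only AWS login second, and an active but idle Workspace account last. The terminated account routes to the CTO's approval queue and the two orphans land in the unassigned queue, which is the part of the quarter close that needs a human to find an owner.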

SOC 2 quarterly logical access evidence
ISO 27001 access rights review support
HIPAA workforce access documentation
Quarterly cleanup and sign-off orchestration

Why this matters

Frameworks keep pointing back to the same problem: someone has to review access and prove it.

Your auditor may use different wording, but the evidence burden is consistent: validate access, close stale privileges, and show a defensible trail. That is where Quarterly Access Review Partner fits.

SOC 2

AICPA TSC CC6.1, CC6.2, CC6.3

Auditors expect evidence that access is approved, limited, and periodically reviewed against job responsibility.

ISO 27001

ISO 27001:2022 Annex A 5.15, 5.16, 5.18

Access control, identity management, and access rights reviews commonly require repeatable quarterly evidence.

HIPAA

45 CFR 164.308(a)(4), 164.312(a)(1)

Covered entities need controlled workforce access and documentation showing who had access and why.

PCI DSS

PCI DSS v4.0 Requirements 7 and 8

Privileges and user access must be justified, maintained, and reviewed with evidence suitable for assessors.

NIST / StateRAMP / FedRAMP

NIST SP 800-53 AC-2, AC-6

Account management and least-privilege controls are often evidenced through formal access review procedures.

SOX ITGC

Logical access control testing

External auditors routinely test whether finance-impacting systems have periodic user access reviews and clean remediation trails.

Your tools still stop at alerts

SMB teams without SailPoint-class tooling still have to pull CSVs, chase managers, and translate results into evidence by hand.

This is a human task

Manager judgment, HR context, exception follow-up, and revocation decisions need an IAM professional driving the quarter close.

A named partner runs it with you

Custodia assigns a company partner who manages your quarterly review cycle and leaves you with auditable proof every time.

What you get every quarter

A clean audit package and a cleaner access environment.

  • Certified attestation report with evidence references mapped to your framework expectations
  • Cleanup record for orphaned accounts, stale privileges, and unnecessary SaaS spend
  • Manager sign-off history, partner notes, and timestamps that stand up in audit review

Quarterly Evidence Viewer

Q2 access cleanup and attestation package

Report overview: Auditor-ready

Accounts reviewed

218

Privileges removed

34

SaaS savings

$6.2k

Manager approvals: 96% closed

Control mapping

SOC 2, ISO 27001, HIPAA, PCI, and NIST evidence references included.

Partner notes

Named IAM specialist documented decisions, follow-ups, and manager escalations.

Cleanup summary

Removed ex-employee access, downgraded idle licenses, and exported sign-off evidence.

Pricing

Transparent, Flat-Fee Execution.

No hourly billing surprises. No long-term software lock-in. Pay per quarter, cancel anytime.

SOC 2 Sprint

Startups (< 50 Employees)

$1,500 / quarter
  • Up to 3 Core Systems (AWS, Google Workspace, etc.)
  • SOC 2 CC6.3 Logical Access Mapping
  • Automated Manager Approval Campaigns
  • Prioritized Revocation Hit-List
Most Popular

Global Standard

Mid-Market (50 - 200 Employees)

$2,500 / quarter
  • Up to 7 Core Systems
  • ISO 27001 A.9.2.5 & HIPAA Attestation
  • SaaS License Waste ROI Report
  • "Big 4" Quality Certified Evidence PDF
  • 15-Minute Quarterly Risk Briefing

Federal / Regulated

Defense Base & Pre-IPO (200+ Employees)

$4,500+ / quarter
  • Unlimited Core Systems
  • CMMC 2.0 / NIST 800-171 Compliance
  • Strict Segregation of Duties (SoD) Checks
  • Custom Identity RBAC Matrices
  • Audit Defense Liaison (We sit in on your audits)

Consultation

Book Your Audit Scoping Call

Stop pushing spreadsheets around. Spend 15 minutes with an ISO 27001 Lead Auditor to see exactly how Custodia automates your compliance.

  • No Hard Selling: Just an engineer-to-engineer review of your current compliance stack (Vanta, Drata, Secureframe).
  • Scope Your Systems: We will identify your core target systems (AWS, Salesforce, GitHub) and HR roster mapping.
  • Identify ROI: We will discuss how to spot SaaS license waste during your first true-up.
  • Launch in 48 Hours: If we are a fit, we can initiate your first automated campaign within two days.