Compliance
Governance, Risk & Compliance
Every API call your organisation makes is a potential compliance event. RequestRocket sits between your systems and every third-party or internal API — enforcing access policies, capturing a complete audit trail, and redacting sensitive data before it reaches the wrong hands. No code changes on the upstream. No credentials shared with callers.
Frameworks
Built to Support Auditor Requirements
RequestRocket is designed to enhance your compliance posture across the frameworks your auditors care about — without requiring changes to the APIs you call or the services you run.
Framework alignment
RequestRocket maps directly to controls required by SOC 2 (CC6, CC7), ISO 27001 (A.8, A.9), GDPR (Articles 25, 30 and 32), HIPAA (§164.312), and PCI DSS (Requirements 7, 8, 10). Centralised policy enforcement and structured request logs give auditors the evidence they need without manual data collection.
Auditor-ready evidence
Every proxied request produces a structured, tamper-evident record containing auth decisions, rule evaluations, filter actions, timing, and upstream response status. Records are queryable via the Requests API — export them directly into your GRC tooling or SIEM without manual extraction.
Capabilities
Platform Features That Map to GRC Controls
Audit Trail
Every proxied call produces a per-request record including auth outcome, authorization decisions, rule matches, filter actions, and upstream response status. Records carry a 90-day hot retention window and can be archived to S3 with Object Lock for long-term tamper-evidence.
Observability →
Access Governance
RBAC covers four roles (owner, admin, devops, user) across every resource in the control plane. Per-proxy authorization rules match on HTTP method, path, headers, query parameters, and request body — all four attachment layers must allow before a request is forwarded.
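To make the rule-matching model concrete, here is an added illustration (written for this page, not RequestRocket's own code or API) of per-proxy authorization rules that match on HTTP method, path, headers, query parameters and request body. The rule shape, the explicit-deny-wins evaluation order and the default-deny fallback are assumptions chosen for the example; the point it shows is that a request is only forwarded when a rule allows it, and that every decision, including denials, is written into a structured audit record.

```python
"""Illustrative gateway authorization check (hypothetical, not RequestRocket code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional


@dataclass
class Rule:
    name: str
    methods: set                                   # e.g. {"GET", "POST"}
    path_glob: str                                 # shell-style glob over the request path
    required_headers: dict = field(default_factory=dict)  # header name -> exact value
    query_allow: dict = field(default_factory=dict)       # param -> set of permitted values
    body_match: dict = field(default_factory=dict)        # top-level JSON key -> exact value
    effect: str = "allow"                          # "allow" or "deny"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    body: Optional[dict] = None


def rule_matches(rule: Rule, req: Request) -> bool:
    """True when every attribute the rule constrains is satisfied by the request."""
    if req.method not in rule.methods:
        return False
    if not fnmatch(req.path, rule.path_glob):
        return False
    headers = {k.lower(): v for k, v in req.headers.items()}  # header names are case-insensitive
    for name, expected in rule.required_headers.items():
        if headers.get(name.lower()) != expected:
            return False
    for param, allowed in rule.query_allow.items():
        # A constrained parameter may be absent, but if present it must hold a permitted value.
        if param in req.query and req.query[param] not in allowed:
            return False
    for key, expected in rule.body_match.items():
        if not isinstance(req.body, dict) or req.body.get(key) != expected:
            return False
    return True


def authorize(rules: list, req: Request):
    """Evaluate all rules; an explicit deny wins, otherwise at least one allow is needed.
    Returns (decision, audit_record). Unmatched requests are denied by default."""
    matched = [r for r in rules if rule_matches(r, req)]
    if any(r.effect == "deny" for r in matched):
        decision = "deny"
    elif any(r.effect == "allow" for r in matched):
        decision = "allow"
    else:
        decision = "deny"  # default deny: nothing allowed it
    record = {  # constructed audit record; field names are assumptions
        "method": req.method,
        "path": req.path,
        "rule_matches": [r.name for r in matched],
        "authz_decision": decision,
    }
    return decision, record


# Constructed sample policy: read access to customer records, but never the bulk export endpoint.
RULES = [
    Rule("allow-read-customers", {"GET"}, "/v1/customers/*", query_allow={"format": {"json"}}),
    Rule("deny-bulk-export", {"GET", "POST"}, "/v1/customers/*/export", effect="deny"),
]

if __name__ == "__main__":
    for req in (Request("GET", "/v1/customers/42"),
                Request("GET", "/v1/customers/42", query={"format": "csv"}),
                Request("GET", "/v1/customers/42/export"),
                Request("DELETE", "/v1/customers/42")):
        print(authorize(RULES, req))
```

Note that the glob `/v1/customers/*` also matches the export path, so the allow and deny rules both fire there; ordering the evaluation so that deny wins is what keeps the broader allow from silently widening access.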
Authorization →
Data Minimisation
Response filters apply retain or destroy operations on JSON paths before data reaches callers. Strip PII, PHI, or cardholder data at the gateway layer — no upstream changes required, and no risk of sensitive fields propagating into out-of-scope systems.
Data Redaction →
Credential Security
Upstream secrets — API keys, OAuth tokens, Basic credentials — are stored encrypted at rest using AES-256-GCM and injected by RequestRocket on every forwarded request. Callers authenticate against a proxy credential and never see the upstream secret. All traffic is encrypted in transit via TLS.
Authentication →
Evidence & Policy
Continuous Evidence. Declarative Policy.
Compliance isn't a point-in-time exercise. RequestRocket collects evidence on every request and enforces policy as code — so your posture is maintained continuously, not just at audit time.
Continuous evidence collection
The Telemetry API and Requests API give auditors and GRC tooling direct programmatic access to structured usage data. Enterprise customers can stream request records to an external SIEM or archive them to S3 with immutable Object Lock — providing tamper-evident logs that satisfy long-term retention requirements under SOC 2, ISO 27001, and GDPR.
Request Lifecycle →
Policy as auditable artifacts
Authorization rules are declarative resources managed through the RequestRocket API — not logic buried in application code. Every allow and deny rule is visible to auditors, can be reviewed for least-privilege compliance, and changes are reflected immediately without a deployment. Deny decisions are recorded in the request audit trail.
Control Plane →
GRC Use Cases
Common Compliance Scenarios
How RequestRocket supports real audit and governance requirements across SOC 2, ISO 27001, GDPR, HIPAA, and PCI DSS.
Add outbound API security without changing code
Start on your own or talk to our team about improving the security of every API call you make.