Compliance

Continuous, audit-ready evidence — not a once-a-year snapshot.

Merlonix watches your endpoints continuously and turns every observation into tamper-evident compliance evidence: per-control dashboards, auditor-grade evidence packs, and logged read-only auditor access. Built for teams that have to prove encryption-in-transit and availability across the whole audit period — not just the day the auditor looks.

$699 · 14-day trial, no card required · we monitor and evidence; we do not certify.

What you get

Per-control dashboards across 8 frameworks

Your live TLS, DNS, and uptime evidence is mapped to the specific controls it satisfies — SOC 2 (CC6.7, A1.2), HIPAA §164.312(e), PCI DSS 4.2.1, NIST SC-8, CMMC, NY DFS §500.15, GDPR Art. 32, and FedRAMP — so you can see, per period, exactly which transmission-security and availability controls your monitoring backs up.

Tamper-evident evidence-pack export

Generate an auditor-grade evidence pack on demand: a summary PDF, the underlying check and certificate-inventory CSVs, and a manifest with a SHA-256 hash of every file, so an auditor can verify nothing was altered. Shared as a 30-day tokenized link.

Read-only auditor access — scoped and logged

Give an auditor a token-scoped, read-only view of your evidence — no account to create, no access to the rest of your workspace. Every auditor view is logged, so you have a record of who looked at what and when.

Automatic quarterly audit-prep summaries

Each quarter, Merlonix emails a per-client summary to your configured compliance contact, so a fresh evidence snapshot lands in your audit file on a schedule instead of being assembled in a scramble the week before the audit.

13 months of continuous evidence retention

A full year-plus of continuous observations is retained and queryable — enough to cover an annual audit period end to end, so you can show the whole window, not just the day the auditor happened to look.

Signed availability & incident evidence

Uptime percentage, downtime, mean-time-to-recovery, and incident counts are recorded as signed, timestamped metrics for the SOC 2 Availability criteria — the proof auditors ask for. Periods we did not measure are recorded as such, never fabricated.

Frameworks

One evidence stream, mapped to the controls auditors ask about.

Your live TLS, DNS, and uptime checks are mapped to the transmission-security and availability controls across eight frameworks — so the same monitoring you already run becomes the evidence for the controls it satisfies.

SOC 2 · HIPAA · PCI DSS 4.0 · NIST 800-53 · CMMC · NY DFS 500 · GDPR · FedRAMP

Why it's different

Live evidence, not a stale snapshot.

Compliance platforms like Vanta and Drata snapshot your posture at a point in time; pure uptime monitors tell you whether a site is up but carry no control framework. Merlonix is the one product that does both — continuous monitoring fused with the compliance-evidence layer — so your evidence accrues on every check rather than being assembled the week before the audit. Stale evidence is the named failure of most trust tooling; continuous evidence is the fix.

Common questions

Does Merlonix make me SOC 2 compliant?

No — and any tool that says it does is overstating things. Merlonix continuously monitors your endpoints and produces the audit-ready evidence for the transmission-security and availability controls (encryption-in-transit, uptime, incident response). Your auditor still issues the report; we give you the evidence to hand them.

How is this different from Vanta or Drata?

Tools like Vanta and Drata snapshot your posture at a point in time. Pure uptime monitors check whether your site is up but carry no control framework. Merlonix does both at once — continuous monitoring fused with the compliance-evidence layer — so the evidence accrues on every check instead of being assembled at audit time.

What evidence does the auditor actually get?

A downloadable evidence pack: a summary PDF, the raw check and certificate-inventory data as CSVs, and a manifest with a SHA-256 hash of every file so they can confirm it has not been altered. You can also give them a token-scoped, logged, read-only view of the live dashboards.

Which controls and frameworks are covered?

The per-control dashboard maps your live TLS, DNS, and uptime evidence to the relevant controls across SOC 2, HIPAA, PCI DSS 4.0, NIST 800-53, CMMC, NY DFS 500, GDPR, and FedRAMP. The scope is transmission-security and availability evidence — it is not a full GRC program.

How do I start?

Start a 14-day Compliance trial, no card required. Add the endpoints you need to evidence, invite your auditor as a read-only seat, and export an evidence pack whenever you need one.

Walk into your next audit with the evidence already in hand.

$699 · 14-day trial, no card required.