Trusted by Canadian defence suppliers

CPCSC Readiness Starts Here.

Canadian defence suppliers, subcontractors, and MSPs use Solymus to turn compliance evidence into cryptographically signed, independently verifiable records — ready before the assessor asks.

CPCSC · ITSP.10.171 · NIST 800-171 · CMMC (Roadmap)

The question isn't if regulators will ask. It's when.

DND asks for your CPCSC evidence.

Your defence contract requires Level 1 certification by April 2026. Your team has evidence scattered across shared drives and email threads.

With Solymus, you export a complete evidence index with per-artifact verification links — ready for the assessor.

An assessor reviews your ITSP.10.171 controls.

They need evidence for 97 controls. Your team has 30 days. Last time it took three months of back-and-forth.

With Solymus, every artifact is cryptographically signed and mapped to controls. Export the package in minutes.

A prime asks if you handle specified information properly.

You're a subcontractor bidding on a defence contract. The prime needs proof your security controls meet CPCSC requirements — not a promise, evidence.

With Solymus, you hand them a self-verifying evidence package they can check independently.

Your Team Spends Weeks on Evidence That Nobody Can Verify

Your compliance team collects screenshots, policies, and scan reports across shared drives and email threads. When an assessor asks for proof, someone spends weeks assembling a binder. When DND or a prime asks for CPCSC evidence, you send a PDF that nobody can independently verify.

The result: delayed audits, repeated evidence requests, and no way for regulators, assessors, or your own board to independently confirm that your evidence hasn't been altered.

Show the board what you can prove

See evidence coverage across every framework at a glance — no spreadsheet required.

End the binder scramble

Upload once. Controls map automatically. Export when the assessor or regulator asks.

Hand your assessor a link, not a binder

Every artifact includes a verification link regulators and auditors can check independently.

One Vault. Every Framework. Verifiable Receipts.

ProlixoTech stores your compliance evidence, signs every artifact with AWS KMS, maps it to controls in your selected frameworks, and generates shareable verification links anyone can check — without accessing your systems.

One Engine

Upload evidence once. Enable framework packs to map artifacts to the controls that matter to you.

Cryptographic Receipts

Every artifact gets a SHA-256 hash, a KMS signature, and a position in a Merkle chain. Any modification is detectable.

Verifiable by Anyone

Share a verification link with your assessor, buyer, or regulator. They confirm integrity independently.

Exportable Packages

Generate an evidence index with per-artifact verification URLs. Hand it to your auditor as a self-verifying binder.

Four Steps to Audit-Ready Evidence

1. Upload

Upload policies, screenshots, scan reports, or training records. PDF, Office docs, images, text. Each upload goes to encrypted storage (S3 with SSE-KMS).

2. Sign

ProlixoTech computes a SHA-256 hash, signs it with AWS KMS (ECDSA_SHA_256), and links it to a Merkle chain. You get a tamper-evident receipt with a unique event ID.

3. Map

Your framework pack maps the artifact to relevant controls automatically. Policy documents map to AC-1, SC-1. Identity configs map to AC-2, IA-2. Adjust or tag as needed.

4. Export & Share

Generate an evidence index — every artifact, its hash, control mappings, and a verification URL. Share the package or individual links with anyone.

Enable the Frameworks You Need. Add More Anytime.

Framework packs configure how your evidence is organized, which controls artifacts map to, and what your exports look like. Same vault, same receipts, different lenses.

CPCSC / ITSP.10.171

For Canadian defence suppliers, subcontractors, and consultants handling specified information. Maps artifacts to ITSP.10.171 controls (Canada's adaptation of NIST SP 800-171 Rev 3). Exports produce evidence indexes aligned to CPCSC assessor expectations.

CPCSC · ITSP.10.171 · NIST 800-171

Additional Frameworks (Roadmap)

CMMC 2.0 cross-border support and AI governance frameworks (EU AI Act, NIST AI RMF) are on our roadmap. The same evidence vault and cryptographic receipts will extend to additional frameworks as they become available.

CMMC (Roadmap) · EU AI Act (Roadmap) · NIST AI RMF (Roadmap)

CPCSC is the primary framework today. Additional framework packs are on the roadmap. Your underlying evidence — and its cryptographic receipts — stays the same regardless of which packs are active.

Evidence Packages Assessors Can Actually Use

Your evidence index export includes:

  • Artifact metadata: Name, upload date, and evidence type
  • SHA-256 content hash: Cryptographic fingerprint of the artifact contents
  • Mapped controls: Per your enabled framework packs
  • Verification URL: A link the assessor can open to independently confirm the artifact's signature and chain linkage
  • Export metadata: Workspace, generation date, artifact count

Assessors get a structured index they can walk through artifact by artifact, clicking verification links to confirm integrity without requesting access to your systems.

Verification Links Anyone Can Check

Every artifact in ProlixoTech has a verification URL. When someone opens that link, the system:

1. Retrieves the KMS signature for the artifact's event
2. Verifies the signature against the stored hash
3. Confirms the event's position in the Merkle chain
4. Displays the result: valid or tampered

No login required. No access to your workspace. The verifier sees the artifact's hash, signature status, and chain linkage — not the artifact contents. You decide what to share; the verification link proves it hasn't changed.

Built on AWS Cryptographic Infrastructure

KMS Signing

Every receipt is signed with ECDSA_SHA_256 using a dedicated AWS KMS key. Signing keys are never exported.

Encrypted Storage

Artifacts are stored in S3 with SSE-KMS encryption at rest.

Merkle Chain

Events are linked in a hash chain with daily attestations producing a Merkle root. Modifying any event breaks the chain.

Workspace Isolation

Each workspace has its own artifacts, exports, API keys, and access controls. No cross-workspace data leakage.

Tamper-Evident

We make modifications detectable. We do not claim modifications are impossible. That distinction matters, and we respect it.
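The hash chain, daily Merkle root and tamper check described above can be illustrated with the following added example, which is not ProlixoTech's code. The record fields, the all-zero genesis value, the canonical JSON encoding and the Merkle construction are assumptions; the KMS signature check is omitted, and `attested_root` stands in for the root value that would be signed and published.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel for the first event's prev_hash

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def event_hash(ev: dict) -> str:
    # Hash a canonical JSON encoding of the fields each link commits to.
    body = {k: ev[k] for k in ("event_id", "artifact_sha256", "prev_hash")}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_event(chain: list, event_id: str, artifact: bytes) -> None:
    ev = {"event_id": event_id, "artifact_sha256": sha256_hex(artifact),
          "prev_hash": chain[-1]["event_hash"] if chain else GENESIS}
    ev["event_hash"] = event_hash(ev)
    chain.append(ev)

def merkle_root(leaf_hashes: list) -> str:
    # 0x00/0x01 prefixes keep leaf and interior hashes in separate domains.
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(h)).digest() for h in leaf_hashes]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0].hex() if level else sha256_hex(b"")

def verify(chain: list, attested_root: str) -> list:
    """Return (event_id, problem) pairs; an empty list means intact."""
    problems, prev = [], GENESIS
    for ev in chain:
        if ev["prev_hash"] != prev:
            problems.append((ev["event_id"], "broken link"))
        if event_hash(ev) != ev["event_hash"]:
            problems.append((ev["event_id"], "event hash mismatch"))
        prev = ev["event_hash"]
    if merkle_root([ev["event_hash"] for ev in chain]) != attested_root:
        problems.append(("*", "merkle root mismatch"))
    return problems

def build_sample():
    # Constructed sample artifacts, not real evidence.
    chain = []
    for i, blob in enumerate([b"access-policy v1", b"scan 2025-01", b"training log"], 1):
        append_event(chain, f"evt-{i}", blob)
    return chain, merkle_root([ev["event_hash"] for ev in chain])
```

Editing one record trips the per-event check, re-hashing that record breaks the next link, and rebuilding the whole chain still fails against the previously attested root.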

Upload From Any Source. No Connectors Required.

Automated connectors pull data on their own schedule and transform it behind the scenes. Manual upload gives you full control over what enters your evidence chain, when, and from where.

Full Provenance

You know exactly which file, from which system, at which point in time entered the vault.

No Credential Sharing

No OAuth tokens or IAM roles granted to a third party. Your identity provider stays under your control.

Works With Any Tool

Export from CrowdStrike, Qualys, Splunk, Entra, AWS Console, or any tool you already use. Upload the file directly.

Assessor-Friendly

Assessors and auditors see artifacts you deliberately submitted — not opaque sync dumps they can't trace back to a source.

Supported File Types

PDF · DOCX · XLSX · PNG · JPG · JSON · CSV · TXT

Upload up to 100 MB per file. Every artifact — regardless of type or source — gets the same SHA-256 hash, KMS signature, control mapping, and Merkle chain linkage. The cryptographic receipt is identical whether you upload a screenshot from your phone or a 50-page policy document.

Getting Started in Ten Minutes

From sign-up to your first signed receipt and shareable verification link.

1. Create your account

Go to app.prolixotech.com/sign-up. Enter your work email and password, or use Google SSO. Every account starts on Solymus Starter (C$1,500/mo, 1,000 events/month, 7-day retention).

2. Complete onboarding

Enter your company name and select CPCSC as your compliance framework. CMMC and AI governance frameworks are on the roadmap. This creates your workspace with a unique tenant ID.

3. Generate an API key

Go to Settings > API Keys and click "Generate New Key." Copy it immediately — it's shown only once. You'll need this for SDK/API access or testing verification endpoints directly.

4. Upload your first artifact

Click "Upload Evidence" in the dashboard. Drop a policy document, scan report, screenshot, or training record. Select the evidence type (e.g., policy_document, vulnerability_scan, audit_log) — this determines which controls are auto-mapped.

5. Finalize and receive your receipt

Click "Finalize." The system computes a SHA-256 hash, signs the digest with AWS KMS (ECDSA P-256), maps it to controls in your selected frameworks, and writes an immutable record to the evidence ledger. You see your signed receipt immediately.

6. Verify the artifact

Click the verification link on any artifact. The system re-verifies the KMS signature, confirms the hash, and validates the Merkle chain position. Every artifact also has a public verification URL (no login required) that your assessor can check.

7. Upload more evidence

One artifact isn't a compliance program. Upload access reviews, configuration screenshots, incident reports, vulnerability scans, training records, and risk assessments. Each gets the same cryptographic receipt and auto-maps to the relevant controls.

8. Export your evidence package

Go to Exports and generate an Evidence Index (JSON grouped by control family), SSP (System Security Plan), or POA&M (Plan of Action & Milestones). Every artifact in the export includes a public verification URL your assessor can click to confirm integrity.

9. Hand off to your assessor

Send the export to your assessor, prime, or DND. They receive a self-contained package where every artifact is independently verifiable via its public URL. No VPN, no shared credentials, no trust assumptions.

Simple Pricing. Three Tiers.

Solymus Starter

C$1,500/mo

For Level 1 readiness

  • 1,000 events/month
  • 7-day retention
  • Verification links
  • Evidence Index + CPCSC Readiness report
  • API access
  • 1 workspace · 3 seats · 1 API key
Most Popular

Solymus Guided

C$10,000/mo

For Level 2 preparation

  • SSP + POA&M exports included
  • 100,000 events/month
  • 365-day retention
  • Certificates of Truth
  • Integrations (Beta)
  • 3 workspaces · 10 seats · 10 API keys

Solymus Enterprise

Custom pricing

For primes, MSPs, and multi-entity orgs

  • 1,000,000 events/month
  • Unlimited retention & workspaces
  • GovCloud + GCC High (Roadmap)
  • SSO/SAML (Roadmap)
  • Board-ready reports
  • Dedicated support + SLA

All plans include: KMS-signed receipts, shareable verification links, exportable evidence indexes, workspace isolation, and API access.

What We Do & What We Don't

What ProlixoTech does

  • Organizes compliance evidence in a structured, searchable vault
  • Signs every artifact with AWS KMS and links it to a verifiable hash chain
  • Maps artifacts to controls in your selected frameworks
  • Generates exportable evidence packages with per-artifact verification URLs
  • Provides shareable verification links for independent third-party confirmation

What ProlixoTech does not do

  • Guarantee certification, authorization, or compliance outcomes
  • Replace legal counsel, assessors, or certification bodies
  • Make legal claims about liability reduction or audit pass rates
  • Serve as a full compliance management replacement (Solymus is a CPCSC readiness platform focused on evidence and verification)

We support audit readiness by making your evidence organized, signed, and independently verifiable. Compliance outcomes depend on your controls, your assessor, and your organization's practices.

Be Ready Before the Assessor Asks

Give your compliance team a single place where every piece of CPCSC evidence is signed, mapped to ITSP.10.171 controls, and verifiable by anyone — including your assessors and DND.