Not legal advice
This is a practical engineering-led playbook, not legal advice. For your specific obligations — especially the risk analysis and BAA terms — involve counsel or a qualified HIPAA advisor.
The seven-step plan
1. Confirm HIPAA actually applies — and how
HIPAA applies if you're a covered entity (provider, health plan, clearinghouse) or a business associate (you handle PHI on behalf of one). If you build software that touches PHI for a healthcare customer, you're almost certainly a business associate. That determines which obligations and which BAAs you owe — settle it before anything else.
2. Sign BAAs up and down the chain
You need a signed Business Associate Agreement with every party that touches PHI: your customers (covered entities), and every sub-processor you use (cloud host, database, AI provider, email, logging, error monitoring). No BAA = no PHI may flow there. Consumer AI tiers won't sign one; you need enterprise tiers.
3. Implement the §164.312 technical safeguards
The Security Rule's technical core: access control (unique user IDs, least privilege, automatic logoff), audit controls (log ePHI access), integrity (detect improper alteration), and transmission security (encryption in transit). On a modern stack this is RLS, IAM, TLS everywhere, and tamper-evident logging — exactly what a scanner can verify for you.
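As an added illustration of the audit-control and integrity pieces of §164.312 (this is example code written for this page, not KollGuard's scanner or any project's implementation), the block below keeps an ePHI access log as a hash chain: each entry commits to the previous entry's hash, so an edited, re-hashed, deleted or reordered entry is caught by a walk of the chain. The actors, record ids and timestamps are constructed sample data; the `AccessLog`, `entry_digest` and `tamper_and_detect` names are this example's own.

```python
"""Hash-chained ePHI access log: an added illustration of the 164.312 audit and
integrity safeguards. Example code, not KollGuard's scanner or any project's
implementation. Sample actors, record ids and timestamps are constructed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # chain anchor for the first entry

# Fields that are hashed. prev_hash is included so each digest commits to the
# whole chain before it, not just to its own entry.
FIELDS = ("ts", "actor", "action", "resource", "prev_hash")


def entry_digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the logged fields."""
    payload = json.dumps({k: entry[k] for k in FIELDS}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only record of who touched which PHI record, with a verifiable chain."""

    def __init__(self) -> None:
        self.entries = []

    def head(self) -> str:
        """Hash of the newest entry. Keep a copy somewhere the application cannot
        rewrite (separate account, write-once bucket, signed checkpoint); without
        that anchor the tail of the log can be silently truncated."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def record(self, actor: str, action: str, resource: str, ts: Optional[str] = None) -> dict:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,         # unique user or service identity (164.312(a))
            "action": action,       # read / update / export ...
            "resource": resource,   # identifier of the PHI record, never the PHI itself
            "prev_hash": self.head(),
        }
        entry["hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain and return (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or entry_digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # tail missing or head replaced
        return True, None


def build_sample_log() -> AccessLog:
    """Constructed sample: three accesses to two fictional patient records."""
    log = AccessLog()
    log.record("dr.lee", "read", "patient/1001", ts="2024-05-01T09:00:00+00:00")
    log.record("svc-billing", "read", "patient/1002", ts="2024-05-01T09:05:00+00:00")
    log.record("dr.lee", "update", "patient/1001", ts="2024-05-01T09:07:00+00:00")
    return log


def tamper_and_detect() -> dict:
    """What verify() reports for the kinds of improper alteration the Security Rule cares about."""
    results = {}
    # 1. A field is edited in place (e.g. the actor is rewritten): digest no longer matches
    log = build_sample_log()
    log.entries[1]["actor"] = "someone-else"
    results["edited_field"] = log.verify()
    # 2. Edited and re-hashed: the next entry's prev_hash exposes it
    log = build_sample_log()
    log.entries[1]["actor"] = "someone-else"
    log.entries[1]["hash"] = entry_digest(log.entries[1])
    results["edited_and_rehashed"] = log.verify()
    # 3. An entry is deleted: the link to it is missing
    log = build_sample_log()
    del log.entries[1]
    results["deleted_entry"] = log.verify()
    # 4. The tail is truncated: only an externally kept head hash catches this
    log = build_sample_log()
    anchored_head = log.head()
    log.entries.pop()
    results["truncated_without_anchor"] = log.verify()
    results["truncated_with_anchor"] = log.verify(expected_head=anchored_head)
    return results


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    for name, outcome in tamper_and_detect().items():
        print(f"{name}: {outcome}")
```

Two design points carry over to a real deployment: log record identifiers, not PHI, so the audit trail does not itself become a second copy of the data you are protecting; and export the head hash to storage the application cannot modify, because a chain verified only against itself cannot tell that its newest entries were dropped.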
4. Run a Security Risk Analysis (§164.308(a)(1))
This is the one auditors and the OCR always ask for, and the one teams skip. Document where PHI lives, the threats to it, your current safeguards, and the residual risk for each. It must be written down, dated, and revisited — not a one-time exercise.
5. Cover the administrative + physical safeguards
Workforce: access-management procedures, security-awareness training, sanction policy, a designated Security Official. Physical: facility access controls and device/media handling (for cloud-only teams this is mostly your provider's BAA plus your laptop/MDM policy). Write the policies; you'll need them as evidence.
6. Collect evidence as you go
HIPAA has no certificate — you demonstrate compliance through evidence: your risk analysis, signed BAAs, policies, access reviews, and technical-control proof (encryption, audit logs, scan results mapped to §164.312). Assemble it continuously so a customer security review or an incident doesn't catch you scrambling.
7. Monitor continuously — HIPAA is never "done"
Controls drift: a new table ships without RLS, a BAA lapses, an AI agent starts touching PHI. Schedule recurring scans and re-review BAAs and access on a cadence. Continuous monitoring is the difference between 'compliant on the day we checked' and 'compliant.'
Frequently asked
- Can you become HIPAA compliant without a $30k/yr platform?
- Yes. HIPAA has no certification body and no mandatory platform — you demonstrate compliance through a documented risk analysis, signed BAAs, written policies, and technical-control evidence. A scanner like KollGuard (free first scan, $19.89/mo) can verify and map the §164.312 technical safeguards, and you handle the administrative pieces with templates.
- Is there a HIPAA certificate?
- No. Unlike SOC 2 (an attestation by a CPA) or ISO 27001 (a certification), HIPAA compliance isn't certified by anyone. You prove it through evidence on request and stand behind it if the OCR or a customer asks. Some teams pursue HITRUST CSF as a certifiable proxy that maps to HIPAA.
- What technical controls does HIPAA actually require?
- The §164.312 technical safeguards: access control (unique IDs, least privilege, automatic logoff), audit controls (logging ePHI access), integrity controls, and transmission security (encryption in transit). KollGuard scans your repos and databases for exactly these and maps each finding to the relevant safeguard.
- Do AI features change my HIPAA obligations?
- Yes. Any AI provider or agent that touches PHI needs a BAA and model-training opt-out, and its activity is ePHI access you must log. If you deploy AI agents against PHI, monitor them — KollGuard's Agent Watch records and control-maps agent runs. See our HIPAA-for-AI-startups guide for the provider BAA matrix.
