DEV Community

Chris King

Open Sourcing TrustOS

Your One Stop Shop for Compliance: SOC2 and HIPAA, Built on Backboard.io

We Got Tired of Paying for Compliance Theater, So We Built Our Own

Security compliance is supposed to make your company more trustworthy.

Too often, it turns into:

  • screenshot farming
  • spreadsheet archaeology
  • chasing policy acknowledgements
  • manually proving the same control 14 different ways
  • paying a premium for a dashboard sitting on top of APIs you already own

So we decided to stop renting the illusion and build the system we actually wanted.

What we built

We built TrustOS — a compliance partner and trust center for continuous audit readiness.

Instead of treating compliance like a once-a-year panic attack, TrustOS makes it operational:

  • automated evidence collection
  • continuous control monitoring
  • audit-ready evidence snapshots
  • policy and training workflows
  • vendor and BAA tracking
  • access reviews
  • auditor workspaces
  • customer trust sharing

It supports SOC 2 readiness today and extends cleanly into HIPAA Security Rule readiness.

The architecture

We didn’t reinvent everything.

We stitched together solid OSS building blocks and built the workflow layer ourselves:

  • OSCAL for canonical control modeling
  • Compliance Masonry for control mappings
  • CloudQuery for asset/config ingestion
  • Steampipe for fast compliance queries
  • Prowler for AWS posture checks
  • OPA/Rego for custom control evaluation
  • Checkov for IaC scanning
  • Trivy for vuln/config evidence
  • Temporal for recurring workflow orchestration
  • Postgres + S3 for metadata and evidence storage

The real value wasn’t in scanning cloud configs.
The real value was building the missing system around it:

  • evidence graph
  • point-in-time audit history
  • remediation workflows
  • policy acknowledgement tracking
  • vendor workflows
  • auditor-facing exports
  • trust center operations

Why we built it

Because most teams don’t need more compliance theater.
They need:

  • fewer manual tasks
  • better evidence provenance
  • less duplicated work
  • cleaner audit prep
  • a faster way to answer customer security reviews

We wanted something that felt like an engineering system, not a bloated admin tax.

What surprised us

The hardest part was not pulling data from APIs.

The hardest part was making compliance outputs:

  • defensible
  • repeatable
  • understandable
  • useful to humans who aren’t security engineers

The scanners are the easy part.
The workflow and audit trail are the product.
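As an added illustration (not TrustOS's own code), here is how a point-in-time evidence snapshot can make the collected evidence defensible and repeatable: each evidence item is content-hashed, the snapshot digest covers every item in a fixed order, and anyone holding the snapshot can recompute it later to detect an altered, dropped or added item. The field names and sample evidence are constructed for this example and do not reflect TrustOS's real schema.

```python
# Added illustration (not TrustOS code): a point-in-time evidence snapshot whose
# digest lets an auditor check later that no item was altered, dropped or added.
import hashlib
import json
from typing import Any


def _canonical(obj: Any) -> bytes:
    # Deterministic serialisation so identical evidence always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def item_digest(item: dict) -> str:
    # Content hash of one evidence item (scanner output, policy PDF metadata, ...).
    return hashlib.sha256(_canonical(item)).hexdigest()


def build_snapshot(items: list[dict], taken_at: str) -> dict:
    # Sort entries so the snapshot digest does not depend on collection order.
    entries = sorted(
        ({"control": i["control"], "source": i["source"], "digest": item_digest(i)}
         for i in items),
        key=lambda e: (e["control"], e["source"], e["digest"]),
    )
    snapshot = {"taken_at": taken_at, "entries": entries}
    snapshot["snapshot_digest"] = hashlib.sha256(_canonical(entries)).hexdigest()
    return snapshot


def verify_snapshot(snapshot: dict, items: list[dict]) -> bool:
    # Recompute the digest from the evidence store as it is now and compare.
    rebuilt = build_snapshot(items, snapshot["taken_at"])
    return rebuilt["snapshot_digest"] == snapshot["snapshot_digest"]


# Constructed sample evidence; control ids, sources and payload fields are hypothetical.
EVIDENCE = [
    {"control": "CC6.1", "source": "scanner-a", "collected_at": "2024-05-01T00:00:00Z",
     "payload": {"check": "example-check", "status": "PASS"}},
    {"control": "CC6.1", "source": "query-b", "collected_at": "2024-05-01T00:00:00Z",
     "payload": {"query": "example-query", "rows": 1}},
]

if __name__ == "__main__":
    snap = build_snapshot(EVIDENCE, "2024-05-01T00:05:00Z")
    tampered = [dict(EVIDENCE[0], payload={"check": "example-check", "status": "FAIL"}),
                EVIDENCE[1]]
    print(snap["snapshot_digest"], verify_snapshot(snap, tampered))
```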

How to get started

Getting started with TrustOS is simple:

  1. Clone the repo and configure your environment

    git clone https://github.com/Backboard-io/TrustOS.git

    Copy .env.example to .env and fill in your Backboard API key (see my other post about how frictionless it is to sign up for backboard.io).

  2. Start the app

    ./start.sh

  3. Open TrustOS

    Navigate to http://localhost:8000

    Or deploy the container/image anywhere you want.

  4. Create your project

    Set up a new compliance project and select the control frameworks you want to manage.

  5. Upload your evidence

    Load policies, reports, screenshots, training records, vendor documents, and other audit artifacts into the platform.

  6. Create an auditor workspace

    Generate a dedicated workspace for your auditor so they can review controls, evidence, and audit-ready materials in one place.

Takeaway

A lot of modern compliance software is really just:
connectors + rules + evidence storage + workflow glue

That doesn’t mean it’s trivial.
It does mean you might not need to keep paying forever for something your own stack can increasingly handle.

Sometimes the best way to cut compliance cost is to stop buying compliance theater and start building compliance infrastructure.
