Workflow-level evidence mapped to your auditor's controls.
Flowcerta tags every governance rule with the specific compliance controls it supports. When a finding lands in a workflow scan, it carries the framework references with it — so you can show an auditor not just that a finding was caught, but exactly which control it relates to and how the exception was reviewed.
Downloadable signed audit evidence
One click in the dashboard generates a signed PDF (or JSON) snapshot of your org's governance posture — workflow inventory, framework coverage, recurring findings, and a per-workflow detail view. Hand it to auditors. Attach it to a vendor review. The HMAC-SHA256 signature lets anyone verify the file is exactly what Flowcerta produced.
- Org pack — portfolio health, framework coverage, top recurring findings.
- Workflow pack — per-validation findings, effective policy, controls touched.
- Signed & portable — base64 HMAC over canonical JSON; no server round-trip needed to verify.
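As an added example (not Flowcerta's own code) of what "base64 HMAC over canonical JSON" involves end to end: serialise the pack deterministically, HMAC-SHA256 it, base64 the tag, and verify with a constant-time compare. The canonical form (sorted keys, compact separators, UTF-8), the pack field names and the signing key are assumptions; HMAC is a shared-secret MAC, so the verifier needs the issuer's key, supplied out of band, but no server round-trip.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder key; a real deployment keeps the key out of source.
SIGNING_KEY = b"placeholder-signing-key-not-real"


def canonical_json(doc: dict) -> bytes:
    """Deterministic bytes for a document: sorted keys, no insignificant
    whitespace, UTF-8. This canonical form is an assumption; the page does
    not define one. Without it the HMAC could not be reproduced."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_pack(doc: dict, key: bytes = SIGNING_KEY) -> str:
    """Base64 HMAC-SHA256 over the canonical JSON of an evidence pack."""
    mac = hmac.new(key, canonical_json(doc), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_pack(doc: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the HMAC and compare in constant time. HMAC is a shared-secret
    MAC: the verifier needs the issuer's key, obtained out of band, but no
    network round-trip."""
    return hmac.compare_digest(sign_pack(doc, key), signature)


# Constructed org pack, shaped after the fields listed above.
EVIDENCE_PACK = {
    "org": "example-org",
    "framework_coverage": {"SOC 2 Type II": 4, "HIPAA Security Rule": 1},
    "top_findings": [{"rule": "FC-ANY-CRED-001", "count": 3}],
}

# Same content with keys in another order: must verify under the same signature.
REORDERED_PACK = {
    "top_findings": [{"count": 3, "rule": "FC-ANY-CRED-001"}],
    "framework_coverage": {"HIPAA Security Rule": 1, "SOC 2 Type II": 4},
    "org": "example-org",
}

if __name__ == "__main__":
    sig = sign_pack(EVIDENCE_PACK)
    print("reordered verifies:", verify_pack(REORDERED_PACK, sig))  # True
    tampered = dict(EVIDENCE_PACK, top_findings=[])
    print("tampered verifies:", verify_pack(tampered, sig))  # False
```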
How the mapping works
Every rule in the Flowcerta catalog declares the controls it speaks to via compliance tags on the rule definition. When a validation runs, each resulting finding inherits those tags. The dashboard groups findings by control to produce per-framework reports, and the API exposes a per-validation export endpoint for audit evidence packages.
For example, FC-UIP-HCD-001 (hardcoded credential) is tagged SOC2-CC6.1 and PCI-DSS-6.3.
The findings[].compliance_tags array on every validation response surfaces the same data programmatically.
The dashboard's Compliance view and the /api/v1/results/{id}/compliance/{frameworkId}/export endpoint produce per-framework evidence.
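An added example, not Flowcerta's implementation, of the grouping this section describes: findings that inherited compliance_tags are grouped by control, and a per-framework report is cut from that grouping with the worst severity per control. The prefix convention for recognising a framework, the response field names (rule_id, severity) and the sample response are assumptions constructed for the example; it also shows how findings with no tags yet are kept visible rather than lost.

```python
from collections import defaultdict
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
# Assumed convention: a framework is identified by the prefix of its control tags.
FRAMEWORKS = {"SOC2-": "SOC 2 Type II", "HIPAA-": "HIPAA Security Rule",
              "GDPR-": "GDPR", "PCI-DSS-": "PCI DSS"}

# Constructed validation response shaped after findings[].compliance_tags; rule ids
# and tags are those on this page except FC-HYPOTHETICAL-001, a made-up untagged rule.
VALIDATION = {
    "findings": [
        {"rule_id": "FC-UIP-HCD-001", "severity": "critical",
         "compliance_tags": ["SOC2-CC6.1", "PCI-DSS-6.3"]},
        {"rule_id": "FC-UIP-HCD-007", "severity": "medium",
         "compliance_tags": ["SOC2-CC6.1"]},
        {"rule_id": "FC-ANY-EXC-001", "severity": "high",
         "compliance_tags": ["SOC2-CC7.2"]},
        {"rule_id": "FC-ANY-PII-002", "severity": "high",
         "compliance_tags": ["HIPAA-164.312", "GDPR-Art32"]},
        {"rule_id": "FC-HYPOTHETICAL-001", "severity": "low", "compliance_tags": []},
    ],
}


def framework_of(tag: str) -> str:
    """Name the framework a control tag belongs to, or 'unknown'."""
    return next((n for p, n in FRAMEWORKS.items() if tag.startswith(p)), "unknown")


def group_by_control(validation: dict) -> dict:
    """Control tag -> findings that inherited it (the dashboard's grouping).
    Untagged findings are kept under 'UNTAGGED' so they never drop out of view."""
    groups = defaultdict(list)
    for finding in validation["findings"]:
        for tag in finding.get("compliance_tags") or ["UNTAGGED"]:
            groups[tag].append(finding)
    return dict(groups)


def framework_report(validation: dict, framework: str) -> dict:
    """Per-framework evidence: for each control of `framework` that a finding
    touched, the rule ids involved and the worst severity among them."""
    report = {}
    for tag, findings in group_by_control(validation).items():
        if framework_of(tag) != framework:
            continue
        worst = max(findings, key=lambda f: SEVERITY_RANK.get(f["severity"], 0))
        report[tag] = {"findings": [f["rule_id"] for f in findings],
                       "max_severity": worst["severity"]}
    return report
```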
SOC 2 Type II
Trust Services Criteria for security, availability, and processing integrity.
Each control is followed by the rules tagged against it, as rule: description (severity; platforms).
SOC2-A1.1: Availability — performance capacity (no rules listed)
SOC2-A1.2: Availability — recovery and resilience (no rules listed)
SOC2-CC6.1: Logical and physical access controls
- FC-ANY-CRED-001: Hardcoded connection string (critical; UiPath / Power Automate / Blue Prism / automationanywhere)
- FC-ANY-CRED-002: Hardcoded API key or credential variable (critical; UiPath / Power Automate / Blue Prism / automationanywhere)
- FC-UIP-HCD-001: Hardcoded credential or sensitive value (critical; UiPath)
- PA-002: Power Automate hardcoded secret (critical; Power Automate)
- FC-UIP-HCD-007: Hardcoded port (medium; UiPath)
- FC-UIP-HCD-008: Hardcoded database name (medium; UiPath)
SOC2-CC6.8: Logical access controls — transmission and output (no rules listed)
SOC2-CC7.2: System monitoring
- FC-ANY-EXC-001: Swallowed exception (high; UiPath)
- FC-ANY-HTTP-001: Missing try/catch around external call (high; UiPath)
- FC-ANY-RETRY-001: Infinite retry without limit (high; UiPath)
- FC-UIP-RETRY-001: Try/catch inside retry scope (high; UiPath)
- FC-UIP-UI-001: Unguarded UI action (high; UiPath)
- PA-001: Power Automate HTTP action without failure handler (high; Power Automate)
- PA-003: Power Automate retries disabled on external call (high; Power Automate)
- PA-004: Power Automate Do Until loop without a limit (high; Power Automate)
- FC-UIP-STOP-001: Stop workflow activity (medium; UiPath)
- PA-007: Power Automate recurrence trigger fires too frequently (medium; Power Automate)
- PA-008: Power Automate event trigger without conditions filter (medium; Power Automate)
- PA-010: Power Automate Foreach with very high concurrency (medium; Power Automate)
SOC2-CC8.1: Change management
- PA-005: Power Automate hardcoded endpoint URL (medium; Power Automate)
HIPAA Security Rule
US healthcare privacy and security requirements for systems handling protected health information.
HIPAA-164.312: Technical Safeguards
- FC-ANY-CRED-001: Hardcoded connection string (critical; UiPath / Power Automate / Blue Prism / automationanywhere)
- FC-ANY-PII-001: PII access without audit log (critical; UiPath)
- PA-002: Power Automate hardcoded secret (critical; Power Automate)
- FC-ANY-PII-002: PII value in log message (high; UiPath)
- FC-ANY-PII-003: PII hardcoded default (high; Power Automate / Blue Prism / automationanywhere)
General Data Protection Regulation
EU regulation governing processing of personal data, including the obligation to ensure appropriate security.
GDPR-Art32: Security of Processing
- FC-ANY-CRED-001: Hardcoded connection string (critical; UiPath / Power Automate / Blue Prism / automationanywhere)
- FC-ANY-PII-001: PII access without audit log (critical; UiPath)
- PA-002: Power Automate hardcoded secret (critical; Power Automate)
- FC-ANY-PII-002: PII value in log message (high; UiPath)
- FC-ANY-PII-003: PII hardcoded default (high; Power Automate / Blue Prism / automationanywhere)
PCI DSS
Payment Card Industry Data Security Standard for any entity that stores, processes, or transmits cardholder data.
PCI-DSS-6.3: Internal and external software applications developed securely (no rules listed)
Frameworks on the roadmap
NIST SP 800-53, ISO/IEC 27001, and the CIS Controls are supported in the dashboard's framework selector but currently have no rules tagged against them — they will populate as the catalog expands. If you have a specific framework or control your audit needs mapped, tell us which controls matter most and we'll prioritise rule tagging accordingly.