Compliance evidence. At compile time.
Not after the audit. Not after the incident. At compile time. Your verified code generates auditor-ready evidence automatically. We say “evidence,” not “compliance” — because we are honest about scope. We cover the software correctness layer. The rest is yours.
One command. Auditor-ready output.
Run brikc certify against any PCD file. The compiler verifies Φ_c = 1, maps your certified constraints to the applicable regulatory articles, and generates a JSON + PDF evidence package. Your compliance team walks into the audit with mathematical proof, not screenshots.
$ brikc certify --evidence mifid2 trading_algo.pcd
✓ Parsing trading_algo.pcd... 4 domains, 3 assertions
✓ Φc = 1.000 — circuit closed
✓ MiFID II Art. 17 evidence: 5 controls mapped
✓ Scope limitation included
Output: evidence_mifid2.json + evidence_mifid2.pdf
Six standards. Honest about every one of them.
Every compliance vendor claims full coverage. We show you exactly what we cover and what we do not. Our coverage percentages reflect the fraction of each standard where software correctness verification is directly applicable. No inflation. No marketing math.
MiFID II
Algorithmic trading controls
Art. 17(1), Art. 17(2), RTS 6, RTS 7
What we cover
- ✓ Pre-trade risk controls (domain constraints as risk limits)
- ✓ Kill switches and circuit breakers (assert/reject)
- ✓ Algorithm testing evidence (Φc = 1 formal verification)
- ✓ Change management (certification hash audit trail)
- ✓ Order-to-trade ratio controls (rate limiting via domains)
Out of scope
- — Market data quality and connectivity
- — Client order handling and best execution
- — Transaction reporting (Art. 26)
- — Organizational requirements (Art. 16)
SOC2
Processing Integrity
PI1.1–PI1.5, CC6.1, CC8.1
What we cover
- ✓ Input completeness (domain constraints)
- ✓ Processing accuracy (assert/reject validation)
- ✓ Processing completeness and determinism (Φc = 1)
- ✓ Change detection (certification hash)
- ✓ Input validation security (bounds checking)
Out of scope
- — Availability (uptime, SLAs, failover)
- — Confidentiality (encryption at rest/transit)
- — Privacy (PII handling, consent)
- — Most Security criteria (access, auth)
SOX
Internal controls over financial reporting
Sec 404, PCAOB AS 2201
What we cover
- ✓ Financial calculation integrity (Φc = 1)
- ✓ Input validation (domain constraints)
- ✓ Business logic controls (assert/reject)
- ✓ Code change detection (hash-based)
Out of scope
- — CEO/CFO certification (personal attestation)
- — IT General Controls (access management)
- — Entity-level controls
- — Business formula correctness (structural only)
PCI-DSS
Secure development + audit trails
Req 6.2.4, Req 10.3, Req 11.5
What we cover
- ✓ Input validation at development (Req 6)
- ✓ Business logic security controls
- ✓ Code review complement (formal verification)
- ✓ Integrity monitoring (hash change detection)
Out of scope
- — Network segmentation (Req 1)
- — Encryption (Req 3, 4)
- — Access control (Req 7, 8)
- — Physical security (Req 9)
- — 10 other requirement categories
DORA
ICT risk prevention (EU)
Art. 6, Art. 9, Art. 15
What we cover
- ✓ ICT risk management — software integrity
- ✓ Protection and prevention — input validation
- ✓ Third-party risk — vendor code verification
Out of scope
- — Asset identification (Art. 8)
- — Detection and monitoring (Art. 10)
- — Response and recovery (Art. 11)
- — ICT incident reporting (Art. 23–27)
Basel III
Verified financial calculations
RWA, VaR/CVaR, LCR
What we cover
- ✓ RWA calculation verification
- ✓ VaR implementation verification
- ✓ Liquidity ratio input bounds
Out of scope
- — Capital adequacy (about bank capital, not software)
- — Supervisory review (Pillar 2)
- — Model risk (verifies implementation, NOT model)
- — Stress testing (requires market data)
Other tools generate reports. BRIK64 generates proof.
Tamper-proof by construction
Every certified function carries an immutable SHA-256 hash. Change one character — the hash changes. Change the hash — the certification breaks. Your auditor sees mathematical certainty, not a PDF that anyone could have written.
Evidence at commit time, not audit time
The GitHub App posts a certification report to every pull request. By the time the auditor asks, you have 12 months of continuous evidence. Not a scramble to reconstruct what happened. A complete, timestamped mathematical record.
Scope honesty is the product
We cover the software correctness layer. 10–40% of each standard, depending on how much is about code behavior. We document exactly which articles apply and why. Your auditor respects evidence-based scope. So do we.
The auditor walks in. You hand them mathematics.
Every compile. Every function. Every constraint. Automatically documented, hashed, and ready. Compliance stops being a fire drill and becomes a build artifact.