v10 Frequently Asked Questions
Everything you need to know about Compliance Scorecard v10, BYOK, AI providers, security, and supported frameworks.
General Questions
What is v10?
v10 is the latest major release of Compliance Scorecard, featuring comprehensive AI-powered compliance automation. Key capabilities include:
- AI-Generated Policies: Create CMMC-compliant policies in minutes, not weeks
- Automated Gap Analysis: AI identifies missing controls across the 54 supported frameworks
- BYOK (Bring Your Own Key): Use your own OpenAI, Claude, Azure, or Google API key
- Setup Wizard: Complete configuration from zero to production-ready
- Plain Language Mode: Translate complex compliance jargon into client-friendly language
- Multi-Framework Support: 54 compliance frameworks, including NIST, CMMC, ISO 27001, HIPAA, SOC 2
v10 is production-ready as of Feb 2026. Join our early adopter program to leverage AI-powered compliance automation.
How long does setup take?
30 minutes. The v10 Setup Wizard guides you through:
- Step 1: Company Details (5 min)
- Step 2: AI Provider Selection (5 min)
- Step 3: Framework Selection (5 min)
- Step 4: Integration Setup (10 min - M365, RMM, PSA)
- Step 5: User Management (5 min)
After setup, you can immediately generate policies, run gap analysis reports, and onboard clients.
BYOK (Bring Your Own Key)
How does BYOK work?
BYOK lets you use your own AI provider API key instead of the platform default. Here's how:
- Get an API key: Sign up with OpenAI, Anthropic (Claude), Azure OpenAI, or Google Gemini
- Configure in platform: Dashboard → Settings → API Connection Setup → AI Provider
- Enter credentials: Paste your API key (encrypted at rest with AES-256)
- Select model: Choose gpt-4o, claude-3-5-sonnet, gemini-1.5-pro, etc.
- Start using: All AI features now use your provider
Your compliance data goes directly from your browser to your AI provider, not through our servers. You maintain a direct contractual relationship with the provider.
What AI providers are supported?
Compliance Scorecard supports 5 major AI providers:
- OpenAI: GPT-4o, GPT-4o-mini, GPT-4 Turbo, o1-preview (best performance/cost balance)
- Anthropic Claude: Claude 3 Opus, Claude 3.5 Sonnet, Claude 3 Haiku (long context windows)
- Azure OpenAI: GPT-4, GPT-4 Turbo custom deployments (enterprise Microsoft customers)
- Google Gemini: Gemini 1.5 Pro, Gemini 1.5 Flash (Google Cloud customers)
- DeepInfra: LLaMA 3.1 70B Instruct (platform default, no API key required)
How much does AI cost with BYOK?
You pay your provider directly at their standard rates. No markups. Example costs (subject to change):
- OpenAI gpt-4o-mini: $0.15 per million input tokens, $0.60 per million output tokens
- OpenAI gpt-4o: $2.50 per million input tokens, $10.00 per million output tokens
- Claude 3.5 Sonnet: Volume-based pricing (contact Anthropic)
- Azure OpenAI: Your enterprise contract pricing
- Google Gemini: Pay-as-you-go or enterprise pricing
Real-world example: An MSP generating 50 policies/month (10M tokens, e.g. 8M input and 2M output) pays ~$2.40/month with OpenAI gpt-4o-mini BYOK. With a typical SaaS markup (3-5x), the same usage would cost $7.20–$12.00/month.
Can I switch providers?
Yes. Switch anytime without downtime. Go to Dashboard → Settings → AI Provider, select a different provider, enter a new API key, and save. All AI features immediately use the new provider.
Use cases for switching:
- Price increases: If OpenAI raises rates, switch to Claude
- Model preference: Test different models for output quality
- Compliance needs: Switch to Azure OpenAI for BAA requirements
- Provider outages: Temporarily switch during downtime
What happens if my provider fails?
Automatic failover, backed by a 99.8% uptime guarantee. If your BYOK provider experiences an outage:
- 3-attempt retry: the system retries with exponential backoff (immediate, 1s, 2s)
- Fallback to platform default: after 3 failures, the request is automatically routed to DeepInfra (LLaMA 3.1)
- Transparent to users: AI features continue working, with no error messages
Result: users never experience downtime. Note that a request served by the fallback, including any compliance data in the prompt, is processed by DeepInfra rather than by the provider you hold a contract with; if you selected BYOK for BAA, DPA or data residency reasons, account for this fallback path in your data processing assessment.
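The retry-then-fallback behaviour described above, as an added illustration (this is not Compliance Scorecard's code). It reproduces the page's schedule of three attempts with immediate, 1s and 2s backoff and the hand-off to the platform default, and adds one assumption not on the page: a per-tenant `AllowPlatformFallback` policy so a tenant that chose BYOK for contractual reasons can fail closed instead of silently sending a prompt to a provider it has no agreement with. The providers are constructed stand-ins; no network calls are made.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// completion is the shape of one provider call: prompt in, model output out.
type completion func(prompt string) (string, error)

// tenantPolicy is an assumed per-tenant setting, not a feature described on
// the page: a tenant that chose BYOK for BAA, DPA or data-residency reasons
// can refuse the silent fallback to the platform default provider.
type tenantPolicy struct {
	AllowPlatformFallback bool
}

var errFallbackForbidden = errors.New("BYOK provider unavailable and platform fallback is disabled by tenant policy")

// backoff is the schedule on the page: first attempt immediately, then 1s, then 2s.
var backoff = []time.Duration{0, time.Second, 2 * time.Second}

// callWithFailover tries the BYOK provider once per backoff entry, then either
// routes the prompt to the platform default or fails closed, depending on
// policy. sleep is injected so the schedule can be observed without waiting.
// It returns the output and a label for the provider that actually served it.
func callWithFailover(byok, platform completion, policy tenantPolicy, prompt string, sleep func(time.Duration)) (string, string, error) {
	var lastErr error
	for _, wait := range backoff {
		if wait > 0 {
			sleep(wait)
		}
		out, err := byok(prompt)
		if err == nil {
			return out, "byok", nil
		}
		lastErr = err
	}
	if !policy.AllowPlatformFallback {
		// Fail closed: no compliance data leaves for a provider the tenant has no contract with.
		return "", "", fmt.Errorf("%w (last BYOK error: %v)", errFallbackForbidden, lastErr)
	}
	out, err := platform(prompt)
	if err != nil {
		return "", "", fmt.Errorf("platform fallback failed after BYOK error %v: %w", lastErr, err)
	}
	return out, "platform-default", nil
}

// failingAfter returns a constructed provider that fails its first n calls
// with a 503 and answers every call after that.
func failingAfter(n int, name string) completion {
	calls := 0
	return func(prompt string) (string, error) {
		calls++
		if calls <= n {
			return "", fmt.Errorf("%s: 503 service unavailable", name)
		}
		return name + " answered: " + prompt, nil
	}
}

func main() {
	var waited []time.Duration
	record := func(d time.Duration) { waited = append(waited, d) }
	platform := failingAfter(0, "deepinfra") // platform default: always up in this example

	// BYOK provider recovers on the third attempt: served by BYOK after 1s and 2s waits.
	out, served, err := callWithFailover(failingAfter(2, "openai"), platform, tenantPolicy{AllowPlatformFallback: true}, "summarize AC.L2-3.1.1", record)
	fmt.Println(served, err, out, "waits:", waited)

	// BYOK provider stays down and fallback is allowed: the prompt goes to DeepInfra.
	_, served, err = callWithFailover(failingAfter(99, "openai"), platform, tenantPolicy{AllowPlatformFallback: true}, "p", record)
	fmt.Println(served, err)

	// BYOK provider stays down and the tenant forbids fallback: fail closed with an explicit error.
	_, served, err = callWithFailover(failingAfter(99, "openai"), platform, tenantPolicy{}, "p", record)
	fmt.Println(served, errors.Is(err, errFallbackForbidden))
}
```

The label returned alongside the output is what you would want written to the audit trail: it lets you prove, per request, which provider processed the data.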
Do you store my API keys?
Yes, encrypted at rest with AES-256. Here's our security approach:
- Encryption: API keys encrypted in the database using AES-256
- Decryption: Keys are decrypted in-memory only when making AI requests
- No logging: API keys never appear in application logs
- Audit trail: Track who configured keys and when (but not key values)
- Access control: Only authorized admin users can configure providers
We store keys to enable seamless AI features without requiring you to manually enter keys for every request.
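The storage model described above (encrypted at rest, decrypted in memory per request, redacted in logs, audit trail without key values), as an added example in Go. This is not Compliance Scorecard's code: the page states AES-256 but not a mode, so AES-256-GCM is assumed; binding the tenant ID as additional authenticated data is an assumption of this example; and the master key is constructed in code only for the demonstration, where a real deployment would fetch it from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// StoredKey is what the database row holds: a fresh random nonce plus the
// AES-256-GCM ciphertext. The plaintext API key is never written to the table.
type StoredKey struct {
	Nonce      []byte
	Ciphertext []byte
}

// AuditEvent records who configured a provider key and when; KeyHint is the
// redacted form only, never the key value.
type AuditEvent struct {
	Actor, TenantID, Provider, KeyHint string
	At                                 time.Time
}

// sealKey encrypts apiKey under a 32-byte master key. The tenant ID is bound
// in as additional authenticated data (an assumption of this example), so a
// ciphertext copied from one tenant's row fails to decrypt under another's.
func sealKey(master []byte, tenantID, apiKey string) (StoredKey, error) {
	if len(master) != 32 {
		return StoredKey{}, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return StoredKey{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredKey{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredKey{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(apiKey), []byte(tenantID))
	return StoredKey{Nonce: nonce, Ciphertext: ct}, nil
}

// openKey decrypts for the duration of one outbound AI request. The caller
// holds the plaintext in memory only and must not persist or log it.
func openKey(master []byte, tenantID string, sk StoredKey) (string, error) {
	block, err := aes.NewCipher(master)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, sk.Nonce, sk.Ciphertext, []byte(tenantID))
	if err != nil {
		// GCM authentication failed: wrong master key, wrong tenant, or a tampered row.
		return "", fmt.Errorf("api key decryption failed: %w", err)
	}
	return string(pt), nil
}

// redactKey is the only representation of a key allowed in logs and audit
// records: first four and last four characters, or fully masked if short.
func redactKey(apiKey string) string {
	if len(apiKey) <= 8 {
		return strings.Repeat("*", len(apiKey))
	}
	return apiKey[:4] + "..." + apiKey[len(apiKey)-4:]
}

// configureProvider is the "Enter credentials" step: seal the key for storage
// and emit an audit event that identifies actor, tenant and provider only.
func configureProvider(master []byte, actor, tenantID, provider, apiKey string) (StoredKey, AuditEvent, error) {
	sk, err := sealKey(master, tenantID, apiKey)
	if err != nil {
		return StoredKey{}, AuditEvent{}, err
	}
	ev := AuditEvent{Actor: actor, TenantID: tenantID, Provider: provider,
		KeyHint: redactKey(apiKey), At: time.Now().UTC()}
	return sk, ev, nil
}

func main() {
	master := make([]byte, 32) // constructed for the demo; use a KMS/HSM-held key in production
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	sk, ev, err := configureProvider(master, "admin@msp.example", "tenant-42", "openai", "sk-example-0123456789abcdef")
	if err != nil {
		panic(err)
	}
	fmt.Printf("audit: %s configured %s for %s (key %s)\n", ev.Actor, ev.Provider, ev.TenantID, ev.KeyHint)
	plain, err := openKey(master, "tenant-42", sk)
	fmt.Println("decrypts for request:", err == nil && plain == "sk-example-0123456789abcdef")
	_, err = openKey(master, "tenant-43", sk)
	fmt.Println("another tenant can read it:", err == nil)
}
```

The property to check in a real deployment is the one the audit event enforces by construction: nothing that reaches a log or audit sink ever holds the plaintext, so a log leak cannot become a provider-key leak.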
Can clients use their own AI keys?
Not yet; client-level BYOK is on the 2026 roadmap. Currently, BYOK is MSP-level only (one API key per MSP, used for all clients). Client-level BYOK is planned for Q2 2026, allowing:
- Each client to configure their own OpenAI/Claude/Azure key
- Client pays their own AI costs directly
- Client maintains data sovereignty for regulated industries
- Ideal for HIPAA, CMMC, FedRAMP clients requiring direct AI provider contracts
Until then, MSPs can configure BYOK at the MSP level and optionally bill clients separately for AI usage.
What's the difference between BYOK and platform default?
BYOK: Use your own API key; you control the provider, you pay AI bills directly, and you have full data sovereignty.
Platform Default: Uses DeepInfra (LLaMA 3.1), no API key required, AI cost included in subscription, zero configuration.
When to use BYOK:
- Compliance requirements (need BAA, DPA, or specific data agreements)
- High volume usage (want direct billing, no markups)
- Data sovereignty (CMMC, FedRAMP, international data residency rules)
- Model preference (prefer GPT-4o vs Claude vs Gemini)
- Enterprise contracts (already have Azure OpenAI or Google AI)
When the platform default is fine:
- Low volume usage (< 1M tokens/month)
- No specific compliance requirements
- Want zero-configuration AI
- Testing the platform before committing to a provider
Security & Compliance
Is my data secure?
Yes. Compliance Scorecard applies the following controls:
- Data encryption: TLS 1.3 in transit, AES-256 at rest
- Database security: encrypted MySQL on AWS RDS
- API key encryption: AES-256 encrypted, decrypted in-memory only
- BYOK data flow: Compliance data goes directly from your browser to YOUR AI provider (not through our servers)
- Access control: Role-based permissions, 2FA available
- Audit logging: All configuration changes tracked
- Backups: automated backups, 30-day retention
When using BYOK, YOU have the direct contract with OpenAI/Claude/Azure/Google, ensuring you can enforce BAAs, DPAs, or other data processing agreements.
What compliance frameworks are supported?
54 frameworks across government, healthcare, financial services, and general cybersecurity:
- Government/Defense: NIST SP 800-171, NIST Cybersecurity Framework, CMMC Level 1, CMMC Level 2, CMMC Level 3, FedRAMP, FISMA, DFARS, ITAR, CJIS
- Healthcare: HIPAA, HITECH
- Financial Services: PCI-DSS, SOC2, GLBA
- Privacy: GDPR, CCPA, FERPA
- International Standards: ISO 27001, ISO 27002, ISO 27017, ISO 27018
- Industry Best Practices: CIS Controls, NIST SP 800-53, AICPA TSC
- Custom Frameworks: Client-specific requirements
Framework data is updated regularly. Each framework includes control count, version, industry applicability, and certification requirements.
Features & Capabilities
What AI features are included?
v10 includes 12+ AI-powered features:
- Policy Generation: Create framework-compliant policies in minutes
- Gap Analysis Reports: AI identifies missing controls across tools and frameworks
- Executive Summaries: Plain-language compliance status for clients
- Test Question Generator: Generate quiz questions for compliance training
- Plain Language Mode: Translate compliance jargon into client-friendly language
- Remediation Recommendations: AI suggests specific tools/configurations to close gaps
- Framework Context: All outputs reference specific controls from selected frameworks
- Custom Prompts: Configure AI behavior per MSP/client
What integrations are supported?
v10 integrates with 30+ MSP tools:
- Microsoft 365: Azure AD, Intune, Defender, SharePoint, Exchange
- RMM Platforms: ConnectWise Automate, Datto RMM, NinjaOne, Syncro
- PSA Platforms: ConnectWise Manage, Autotask, Halo PSA
- Security Tools: EDR, SIEM, vulnerability scanners, backup solutions
- Documentation: IT Glue, Hudu
Setup Wizard configures integrations in 10 minutes. AI uses integration data for automated gap analysis.
How does MSP multi-tenancy work?
MSPs manage multiple end clients from one dashboard:
- Client hierarchy: MSP → End Clients
- Per-client settings: Each client has its own frameworks, policies, and compliance data
- MSP-level BYOK: One API key for all clients (client-level BYOK coming Q2 2026)
- Bulk operations: Generate policies for all clients at once
- White-label reports: MSP branding on client-facing outputs
What reporting is available?
v10 includes 10+ report types:
- Gap Analysis Report: Framework compliance status, missing controls
- Executive Summary: Plain-language compliance overview
- Tool Coverage Report: Which tools address which frameworks
- Policy Compliance Report: Policy existence vs. framework requirements
- Risk Assessment Report: High/medium/low risk findings
- Remediation Roadmap: Prioritized action plan
All reports are exportable as PDF, DOCX, or JSON. AI-generated summaries are included in each report.
Pricing & Plans
What's included:
- All AI features (policy generation, gap analysis, plain language mode)
- All compliance frameworks
- 30+ integrations (M365, RMM, PSA, security tools)
- BYOK support (bring your own AI key)
- White-label reporting
- Setup Wizard (30-minute onboarding)
- Email support (Professional/Enterprise: priority support)
AI costs: Platform default AI included in subscription. BYOK users pay their provider directly (typically $2–$10/month for average usage).
Support & Resources
What support is available?
All plans include:
- Email support: support@compliancescorecard.com (24-hour response)
- Knowledge base: docs.compliancescorecard.com
- Setup Wizard: Guided 30-minute onboarding
- Video tutorials: Feature walkthroughs, best practices
Is training required?
No. The 30-minute Setup Wizard handles complete configuration. After setup, the platform is self-service:
- Intuitive UI: Dashboard-driven, no technical expertise required
- Contextual help: Tooltips and inline guidance throughout
- Video tutorials: Optional 2-5 minute walkthroughs for each feature
- Best practices guide: Recommended workflows for common scenarios
What's on the roadmap?
Upcoming features in 2026:
- Q2 2026: Client-level BYOK (clients use their own AI keys)
- Q2 2026: OSCAL export (export compliance data in OSCAL format)
- Q3 2026: Evidence collection automation (auto-gather compliance evidence)
- Q3 2026: Continuous monitoring (real-time compliance drift detection)
- Q4 2026: MCP server integration (AI agents for compliance automation)
Technical Questions
What are the system requirements?
Compliance Scorecard is a cloud-based SaaS platform. No installation required. Requirements:
- Browser: Chrome, Firefox, Safari, Edge (latest 2 versions)
- Internet connection: Required for all features
- Screen resolution: 1280x720 minimum (responsive design supports mobile)
For integrations:
- M365: Global Admin or Security Admin role (prefer the narrower Security Admin role where it covers the integration's permissions; Global Admin should be the exception)
- RMM/PSA: API access enabled
- AI providers: API key with billing enabled
Where is data stored?
AWS us-east-1 (N. Virginia). Data residency:
- Application database: MySQL on AWS RDS (encrypted at rest)
- File storage: AWS S3 (encrypted at rest)
- Backups: AWS RDS automated backups (30-day retention)
- AI requests: With BYOK, data goes directly to YOUR provider (OpenAI, Claude, Azure, Google)
Enterprise customers can request custom data residency (additional cost).
Still Have Questions?
We're here to help. Contact our team:
- Sales: sales@compliancescorecard.com
- Support: support@compliancescorecard.com
- Schedule demo: Weekly Live Demo
Quick Links
v10 Overview | BYOK Details | Setup Wizard | Gap Analysis | Policy Generation