Deployment architecture

SaaS control plane, private evidence runtime, and on-prem appliance.

ControlFrame should not be only a cloud GRC app. The recommended architecture is a hosted web control plane plus customer-controlled collector runtimes that handle regulated systems, local browser evidence capture, local redaction, and transfer of approved packages only.

Envelopes: web app, private collector, on-prem appliance, desktop runner
Deployment modes: 5 (SaaS, private, appliance, runner, offline)
Customer-control modes: 3 (private cloud, appliance, air-gapped)
Runtime layers: 5 (control plane, collectors, agents, SDK, security)
Market targets: 5 (capabilities to match or beat)
Recommended product shape

Keep one platform, ship multiple deployment envelopes

01
Web app

Company, framework, project, review, and audit-room workflows.

02
Private runtime

Browser/API/config collectors run inside the customer boundary.

03
Local database

Raw evidence can stay local until approved for export.

04
Package bridge

Only signed, redacted, approved bundles cross the boundary.

SaaS control plane (default)

Hosted ControlFrame app for company onboarding, framework programs, evidence graph, review, package generation, and auditor rooms.

Data boundary

Evidence metadata and approved artifacts live in the ControlFrame cloud. Connectors use least-privilege OAuth/API scopes, so a compromised connector credential exposes only what the scope grants.

Best for: SOC 2 / ISO 27001 startups, cloud-native SaaS teams, low-friction proof of value.
Runtime: Next.js application, Postgres evidence graph, object storage for approved artifacts, managed queue and scheduler, connector workers.
Flow: connect sources -> run scheduled collectors -> classify evidence -> human approve -> export package.
Not ideal when regulated buyers cannot allow raw evidence or screenshots to leave their perimeter.
Customer private cloud (regulated)

Single-tenant ControlFrame deployment in the customer's cloud, or a dedicated Locked In Labs-managed tenant with isolated storage and keys.

Data boundary

Customer controls network, storage region, encryption keys, service accounts, and artifact retention policy.

Best for: healthcare and payer platforms, financial services, CMMC / FedRAMP-adjacent customers.
Runtime: containerized web app, customer Postgres, customer object storage, private worker pool, customer vault integration.
Flow: ingest framework -> connect internal systems -> run private workers -> local redaction -> approve export.
Requires deployment automation, customer infrastructure runbook, backups, monitoring, and upgrade path.
On-prem evidence appliance (highest control)

A VM/Kubernetes/Docker appliance installed inside the corporate network, running collectors outbound-only with optional offline package transfer.

Data boundary

Raw screenshots, traces, and extracted text stay local unless explicitly approved for export. Jobs are signed by the control plane and pulled by the appliance over outbound HTTPS, so the appliance can verify a job before running it and no inbound port is required.

Best for: legacy enterprise systems, mainframe/private database evidence, air-gapped or high-control audits.
Runtime: appliance UI, local Postgres, local artifact store, browser runner pool, connector SDK, redaction queue.
Flow: pull signed job -> collect locally -> hash and redact -> review locally -> sync approved manifest/artifacts.
Needs installer, update channel, local admin guide, hardening baseline, and enterprise support model.
Desktop / field runner

Local desktop runner for consultant-led or assessor-assisted browser evidence collection when a full appliance is not necessary.

Data boundary

Credentials and browser state remain on the operator machine. Evidence is staged locally until reviewed.

Best for: CMS EDE smoke tests, auditor-observed collection, short-lived fieldwork sessions.
Runtime: Electron shell, Playwright browser runner, local run folder, manual upload/export bridge.
Flow: load project -> authenticate locally -> run scenario -> review redaction -> upload approved artifacts.
Not a long-term substitute for scheduled continuous monitoring or enterprise connector management.
Air-gapped package transfer (highest control)

Offline evidence package mode for environments where only signed manifests and approved bundles can cross the boundary.

Data boundary

Only signed, hashed, reviewer-approved packages leave the enclave by manual transfer.

Best for: high-security enclaves, defense evidence rooms, strict data-residency reviews.
Runtime: offline framework bundle, local evidence database, checksums, portable HTML/CSV/JSON package.
Flow: import framework bundle -> collect offline -> approve -> export signed package -> verify hash outside.
Requires robust package signing, update provenance, and offline source/version management.
Runtime layers

Architecture components

Control plane

Company profiles, framework templates, projects, reviewer queues, package status, and auditor rooms.

ControlFrame cloud: web app, framework registry, evidence graph, review queue, audit package builder.

Private collector runtime

Runs browser/API/config/document collectors near the target systems with local redaction and vault-backed credentials.

Customer environment: job puller, browser runner, API connector workers, local artifact store, redaction queue.

Agent swarm

Plans collection, classifies evidence, reviews sufficiency, drafts narratives, and proposes fixes behind human approval gates.

Shared: source-ingestion agent, scenario planner, browser repair agent, evidence classifier, auditor simulator.

Connector SDK

Lets customers and partners push custom system evidence into typed framework-native evidence contracts.

Shared: typed schemas, permission templates, test harness, source mapping validator, package preview.

Security evidence lane

Ingests vulnerability scan, pentest, cloud security, and code scanning findings, together with remediation proof, as audit evidence, without first turning ControlFrame into a scanner.

Shared: Tenable/Qualys/Wiz/Snyk imports, Burp/pentest reports, GitHub Advanced Security, findings SLA, retest proof.