DMC Bilgi Teknolojileri

Certification audit, evidence side ready

116 audit tabs, deep scans across four engines, A4-printable English/Turkish report — from KVKK disclosure to ISO 27001 / SOC 2 / PCI-DSS audits, every piece of evidence the auditor asks for is right here.

116 Audit Tabs
4 Engines — Unified Framework
7 Framework Mappings
A4 PDF: English/Turkish Printable
Important distinction: audit preparation, not a certificate. SentinelDB360 is not certified to standards such as ISO 27001, SOC 2, or PCI-DSS. What it does is continuously collect the technical evidence asked for in audits of these frameworks (audit logs, access records, encryption status, segregation-of-duty rules, etc.) and turn it into A4 PDF reports. The certificate itself is always issued by an independent audit firm at the end of a separate audit process; we make sure you arrive at that process with the evidence set ready.
Audit-Ready · Evidence Preparation (not certification)

One scan, seven reports

SentinelDB360 runs a single compliance scan per engine; the resulting control set maps to the common requirements of multiple certification frameworks. The same evidence supports KVKK, ISO 27001, and SOC 2 reports. Certification is issued by an independent auditor; Sentinel prepares the evidence set.

KVKK

KVKK / Turkish Data Protection

Data controller records, access logs, anonymization, data minimization, and "right to erasure" evidence — collected in one report through query masking, bcrypt, and the audit_logs collection.

  • Personal data inventory (column-level)
  • Access and modification logs
  • Anonymization & masking controls
ISO 27001

ISO/IEC 27001:2022

Evidence sets for Annex A.8 (asset management), A.9 (access control), A.12 (operational security), A.18 (compliance). With CIS benchmark mapping, ~70 of the 93 controls are automatically audited.

  • Annex A → 70+ automated controls
  • CIS Database Benchmark output
  • Remediation plan for missing controls
SOC 2

SOC 2 Type II

Trust Service Criteria — Security, Availability, Confidentiality. Time-series evidence in the "control evidence" format SOC 2 auditors expect: who accessed which data, when.

  • Continuous monitoring (CC controls)
  • Access recertification report
  • Time-stamped evidence archive (90 days)
PCI-DSS

PCI-DSS 4.0

Cardholder data (PAN/CVV) storage audit — requirements 3 (storage), 7 (least privilege), 8 (authentication), 10 (logging). Evidence of TDE / Always Encrypted / pgcrypto usage.

  • PAN scanning (regex + format check)
  • At-rest / in-transit encryption evidence
  • Login lockout + MFA status report
HIPAA

HIPAA / HITECH

For data sources containing PHI (Protected Health Information), 164.312 technical safeguard controls — access control, audit log, integrity, transmission security.

  • PHI column tagging + access trail
  • Backup encryption verification
  • Breach risk score
GDPR

GDPR (EU 2016/679)

Significant overlap with KVKK; additionally, a 72-hour notification chain for Article 32 "data breach notification" and DPO access reporting are ready out of the box.

  • Right to erasure trail
  • Cross-border transfer control
  • DPIA (impact assessment) template
CIS Benchmark

CIS Database Benchmark

Center for Internet Security database benchmark mapping — SQL Server 2019, PostgreSQL 16, MySQL 8, MongoDB 7. Each engine has 80–130 controls automatically scored.

  • Per-engine benchmark score
  • Level 1 / Level 2 distinction
  • Automatic score tracking — trend
[Screenshot: SentinelDB360 Compliance view for prod-mssql-01 (SQL Server 2022), Security / TDE Cert Expiry tab, overall grade A · 92/100. Left tab list: Security, HA, Perf, Storage, Backup, Mem/CPU, Cloud, Op. Right panel: TDE Certificate Validity, FAIL; core-bank-ag1.crt has 23 days remaining, analytics-rw.crt has 187 days. Framework alignment: PCI-DSS 3.6.4 · ISO 27001 A.10. AI note: core-bank-ag1 TDE certificate expires in 23 days, renewal command ready.]

Compliance module · left tab list (8 categories) · right tab content · "Print Report" one-click A4 English PDF

For each engine, shared framework, engine-specific depth

The compliance module does not show a single summary score; it surfaces engine-specific detailed audit tabs. Each tab corresponds to a query/DMV/log source; the output is raw evidence in the format auditors want to see.

SQL Server — 37 tabs

SQL Server audit tabs

CIS benchmark + Microsoft security baseline + Azure SQL features. Deepened in Sprints 17/18 (TDE expiry, AG endpoints, login lockout, crypto providers, stats histogram).

  • TDE / Always Encrypted / DDM / RLS / Ledger
  • CDC enable/disable, broker poison, replication lag
  • Plan guides, forced plans, plan cache top, DBCC CHECKDB
  • Login lockout, crypto providers, stats histogram, AG quorum
PostgreSQL — 29 tabs

PostgreSQL audit tabs

A control set deepened with pg_audit, RLS, replication slot monitoring, logical decoding, and pg_stat_statements. Sprint A added 26 new methods.

  • Row Level Security policy audit
  • Replication slot lag + hot standby delay
  • pg_audit log collection + parsing
  • pgcrypto / SSL connection audit
MySQL — 27 tabs

MySQL audit tabs

Group Replication, audit_log plugin, sha2_password, validate_password, performance_schema events. Sprint B added 26 new methods.

  • Group Replication member health
  • audit_log plugin status + log collection
  • Password policy (validate_password)
  • SSL/TLS connection ratio + cipher
MongoDB — 23 tabs

MongoDB audit tabs

Replica Set health, sharding balancer, role-based access control, network encryption, audit destination controls. Sprint C added 22 new methods.

  • Replica Set primary/secondary lag
  • Sharding chunk distribution + balancer state
  • RBAC + custom role usage audit
  • TLS / SCRAM-SHA-256 enforcement

Not just a score — see the concrete evidence

TDE Certificate Validity

TDE expiry monitoring

In SQL Server: remaining days on Transparent Data Encryption certificates, last master key rotation, key encryption hierarchy chain. Automatic alert if expiry is under 30 days.
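
A query of the kind this check rests on, shown as an added example (it is not SentinelDB360's own code): it joins each database encryption key to the certificate that protects it and flags certificates inside the 30-day window named above. It uses only the SQL Server catalog views `sys.dm_database_encryption_keys` and `sys.certificates`; the `status` labels are this example's own.

```sql
-- Added example: TDE certificate expiry evidence for one SQL Server instance.
-- TDE certificates live in master; the caller needs VIEW SERVER STATE
-- and VIEW DEFINITION on the certificates.
USE master;

SELECT
    DB_NAME(dek.database_id)                        AS database_name,
    dek.encryption_state,                           -- 3 = encrypted
    dek.key_algorithm,
    dek.key_length,
    dek.regenerate_date                             AS dek_last_regenerated,
    c.name                                          AS certificate_name,
    c.expiry_date,
    DATEDIFF(DAY, SYSUTCDATETIME(), c.expiry_date)  AS days_remaining,
    c.pvt_key_last_backup_date,                     -- NULL = private key never backed up
    CASE
        WHEN c.expiry_date < SYSUTCDATETIME()
            THEN 'EXPIRED'
        WHEN DATEDIFF(DAY, SYSUTCDATETIME(), c.expiry_date) < 30
            THEN 'FAIL'                             -- 30-day threshold from the text
        ELSE 'PASS'
    END                                             AS status
FROM sys.dm_database_encryption_keys AS dek
JOIN sys.certificates AS c
    ON c.thumbprint = dek.encryptor_thumbprint
WHERE dek.encryptor_type = N'CERTIFICATE'
ORDER BY days_remaining;
```

A NULL `pvt_key_last_backup_date` is worth reporting next to the expiry date, since a TDE-protected database cannot be restored on another server without the certificate's private key.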

Login Lockout

Login lockout policy

Which logins have failed-attempt limits enabled, which sa-style accounts are still open, password policy (CHECK_POLICY = ON) status. Direct evidence for PCI-DSS 8.1.6 and 8.1.7.

RLS Policy Audit

Row Level Security inventory

In PostgreSQL: which tables have RLS enabled, which role has which USING / WITH CHECK clause. Direct mapping for KVKK / GDPR Article 25 (privacy by design).
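
An inventory query of this shape, shown as an added example (it is not the product's own code), built on the PostgreSQL catalogs `pg_class`, `pg_namespace` and `pg_policies`. It goes slightly beyond the text by also flagging tables where RLS is enabled without any policy and policies defined on tables where RLS is switched off; the `finding` labels are this example's own.

```sql
-- Added example: Row Level Security inventory for the current PostgreSQL database.
SELECT
    n.nspname              AS schema_name,
    c.relname              AS table_name,
    c.relrowsecurity       AS rls_enabled,
    c.relforcerowsecurity  AS rls_forced,      -- false: the table owner bypasses policies
    p.policyname,
    p.permissive,                              -- PERMISSIVE or RESTRICTIVE
    p.cmd,                                     -- ALL / SELECT / INSERT / UPDATE / DELETE
    p.roles,                                   -- roles the policy applies to
    p.qual                 AS using_clause,
    p.with_check           AS with_check_clause,
    CASE
        WHEN c.relrowsecurity AND p.policyname IS NULL
            THEN 'RLS on, no policy: default deny for non-owners'
        WHEN NOT c.relrowsecurity AND p.policyname IS NOT NULL
            THEN 'policy defined but RLS not enabled: policy is inactive'
        ELSE 'ok'
    END                    AS finding
FROM pg_class AS c
JOIN pg_namespace AS n
    ON n.oid = c.relnamespace
LEFT JOIN pg_policies AS p
    ON p.schemaname = n.nspname
   AND p.tablename  = c.relname
WHERE c.relkind IN ('r', 'p')                  -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (c.relrowsecurity OR p.policyname IS NOT NULL)
ORDER BY schema_name, table_name, p.policyname;
```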

Crypto Providers

Active cryptographic providers

SQL Server cryptographic provider DLLs: which are currently enabled and when they were last rotated. Automatic evidence for the ISO 27001 A.10 (cryptography) control.

Backup Chain

Backup chain integrity

Gaps in the full + diff + log backup chain, last CHECKSUM verification date, encryption status. A single view for SOC 2 Availability and PCI 9.5.

Audit Log Allocation

Audit log destination

MongoDB auditDestination, MySQL audit_log_format, PostgreSQL pg_audit log_directory, SQL Server XEvent ring buffer status — is the log written to non-erasable storage?

Where does your data stay?

One of the first questions an enterprise buyer asks is: "Where does the content of the databases you monitor go?" With SentinelDB360 the answer is clear: nowhere. The software runs on the customer's own infrastructure and does not transfer monitored data to DMC servers or to a foreign cloud.

Deployment

Inside the organization's infrastructure

Sentinel containers run on the customer's Linux server (on-premise or in the customer's own cloud account). Metric data, query samples, and audit records are stored in MongoDB inside the organization.

KVKK Article 9

No cross-border transfer

Because the monitored database content never leaves the organization, the KVKK Article 9 (cross-border data transfer) obligation does not arise. No explicit consent or Board permission is required.

Air-Gap

Operation without internet access

Air-gapped installation is supported for bank core networks, closed public-sector networks, and the defense sector. The license is delivered as an Ed25519-signed JWT; no online verification is required.

Exit Right

Data portability

When the contract ends, all metric data and audit records are delivered to the customer in MongoDB dump (BSON) format. No vendor lock-in; the data is yours and the format is standard.

Exceptions: If the customer explicitly configures Azure OpenAI or OpenAI services, AI analysis calls go to that service (off by default). If local Ollama or rule-based analysis is selected, no data leaves the organization. Telemetry and error reporting are optional and aggregated only; unless the customer opts in, no data flows to DMC.

Three formats you can hand to your auditor

A4 PDF

Printable PDF (English/Turkish)

Sentinel + DMC branded, A4 page-aligned, cover + table of contents + finding list per tab. Printable without an intermediate file, blank space ready for auditor signature.

  • Cover: client logo, date, auditor name
  • Per finding: control ID, result, evidence
  • Footer signature/approval area
Excel

Excel control matrix

The format auditors most often request: control ID, description, status (Pass / Fail / N/A), evidence reference, owner, last review. Easily adapted to SOC 2 audit firm templates.

  • Filterable control matrix
  • Pivot by framework (KVKK / ISO / SOC 2)
  • Action column for open findings
JSON / API

REST API + JSON evidence

If your compliance data flows into another GRC tool (Drata, Vanta, ServiceNow GRC), pull the raw evidence as JSON. /api/v2/compliance endpoints are time-stamped and idempotent.

  • REST endpoint for every tab
  • Webhook: push on finding state change
  • Time-series evidence — 90-day archive

The scan is ready, consultancy is optional

The compliance module is ready to produce technical evidence; for processes like auditor interpretation, gap analysis, and action planning, the DMC consultancy team can be engaged.

Self-service

Scan it yourself

If your license is active, the compliance module is bundled — connect your sources, hit "Scan", download the report. No add-on license required.

Consulting

DMC certification consultancy

For your first audit: gap analysis, auditor simulation, remediation of missing controls, final pre-audit scan. Backed by a Microsoft Data Platform MVP.

Spend 10 minutes before your next audit

Let's run a live scan against your own engine and produce the report together in a demo session.