Zero-custody compliance.
Your agent, your tokens.
Every mainstream compliance platform asks for the keys to your cloud, your repos, and your HR system. Zero-custody mode is our answer for teams that will not hand those over: your own agent collects the evidence, and Diligio never stores a credential to your systems.
What zero-custody means
Compliance automation runs on evidence: screenshots, configurations, check results, records. The industry default is a pull model, where the platform connects to your systems with read access and collects that evidence itself. It works, but it concentrates a lot of trust in one vendor: their credential vault now holds a path into your infrastructure.
Zero-custody inverts the flow. An agent you run, inside your own environment and on your own tokens, gathers the evidence and pushes results to your Diligio tenant over MCP or REST. With zero-custody mode switched on, your tenant refuses file uploads and platform-held connectors outright, so there is no Diligio-side credential store to breach. The platform remains what your auditor needs it to be: the system of record for posture, with the integrity of every record independently checkable.
How it works
Six moving parts, all shipped and live today. No roadmap items on this page.
1. Your agent runs where your secrets live
It reads your cloud, repos, and systems with tokens that never leave your environment, over MCP or plain REST. Those tokens are now the thing to protect: scope them read-only and treat the agent host like any other credential-holding system.
2. It pushes results, never credentials
Check runs, evidence references, and proposed control statuses flow one way, into your Diligio tenant. Zero-custody mode disables uploads and platform-held connectors for the tenant, so there is nothing of yours in our vault.
3. The platform guides the work
Per-control recipes and a prioritised next-actions queue tell the agent what is worth collecting next, one control at a time.
4. Integrity is verifiable end to end
Each evidence item is hashed when it arrives and that digest is recorded against it, the audit log is hash-chained so any later alteration breaks the chain, and exports carry a signed digest.
5. A human certifies, always
Nothing the agent proposes becomes your attested posture until a person certifies it. There is an instant kill switch and a full audit trail.
6. Your auditor sees provenance, not promises
The auditor portal shows, per control, whether posture was platform-verified, self-attested, or human-certified, with the anchors to check.
Where the pull model still wins, honestly
If handing a vendor read access does not bother you, the pull model is less work: platforms like Vanta and Drata have larger integration catalogues and deeper continuous monitoring than we do today, and we say exactly that on our comparison pages. Diligio Compliance also offers a standard managed mode with uploads and platform connectors when that suits you better.
Zero-custody exists for the teams the pull model rules out: regulated buyers, security teams with a hard no-third-party-credentials policy, and anyone who has read a subprocessor breach notification and decided their compliance tool should not be on the blast radius. It is included in the standard Diligio Compliance price, and we run our own ISO 27001 programme through this same agent surface.
Frequently asked questions
What is zero-custody compliance?
A model where the compliance platform never holds credentials to your systems. Instead of granting a vendor read access to your cloud, repos, and HR tools, your own agent runs inside your infrastructure on your own tokens and pushes check results and evidence references to the platform. The platform stays the system of record for your auditor-facing posture; your credentials and raw data stay with you.
How is this different from Vanta or Drata?
Mainstream compliance automation uses a pull model: you connect your stack to the vendor, and the vendor's platform holds those connections and collects evidence. That is convenient, and we offer a managed mode that works the same way. Zero-custody mode flips the direction for teams that cannot or will not hand over credentials: the agent you run does the collecting, and Diligio receives only what it pushes.
How do I know the pushed evidence has not been tampered with?
Every pushed evidence item is hashed when it arrives and that digest is recorded against it, the audit log is hash-chained so any alteration of an earlier entry breaks every entry after it, and exports carry a verifiable digest signature. Your auditor can see, per control, whether posture was platform-verified, self-attested, or human-certified. The hashes prove a record has not changed since it arrived, not that what the agent collected was accurate; that is what human certification and the provenance labels are for.
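As an added illustration of the integrity checks described in step 4 above and in this answer, not code from Diligio or its agent: a toy hash-chained audit log in Python. The agent hashes evidence locally and pushes only a reference, the platform side chains each entry to the previous one, and an export is signed over the chain digest. Everything in it is constructed (the control ID, the evidence bytes, the export key), and HMAC-SHA256 is an assumption standing in for whatever signature scheme the platform actually uses.

```python
"""Hash-anchored evidence, a hash-chained audit log and a digest-signed export.
Added example modelling the checks this page describes; not Diligio code."""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64                   # prev_hash of the first entry
EXPORT_KEY = b"constructed-demo-key"  # assumption: stands in for the platform's signing key


def canonical(obj) -> bytes:
    # Deterministic encoding so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def anchor_evidence(raw: bytes) -> dict:
    """Agent side: hash the evidence locally and push only a reference.
    The raw bytes, and the token used to fetch them, stay in your environment."""
    return {"sha256": sha256_hex(raw), "size": len(raw)}


def append_entry(chain: list, event: dict) -> dict:
    """Platform side: every audit-log entry commits to the previous entry's hash."""
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev, "event": event}
    entry = dict(body, entry_hash=sha256_hex(canonical(body)))
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, seq of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {"seq": e["seq"], "prev_hash": e["prev_hash"], "event": e["event"]}
        if e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != sha256_hex(canonical(body)):
            return False, i
        prev = e["entry_hash"]
    return True, None


def sign_export(chain: list, key: bytes) -> dict:
    """Digest-signed export: HMAC over the digest of the whole chain (assumed scheme)."""
    digest = sha256_hex(canonical(chain))
    return {"chain": chain, "digest": digest,
            "sig": hmac.new(key, digest.encode(), "sha256").hexdigest()}


def verify_export(export: dict, key: bytes) -> bool:
    digest = sha256_hex(canonical(export["chain"]))
    expected = hmac.new(key, digest.encode(), "sha256").hexdigest()
    return (digest == export["digest"]
            and hmac.compare_digest(expected, export["sig"])
            and verify_chain(export["chain"])[0])


def build_sample_chain() -> list:
    # Constructed sample: one check run pushed by an agent, then proposal and
    # human certification. Note there is no credential anywhere in the payloads.
    chain = []
    bucket_cfg = b'{"bucket":"prod-logs","public_access_block":true}'  # constructed evidence
    append_entry(chain, {"type": "check_run", "control": "A.8.9", "result": "pass",
                         "evidence": anchor_evidence(bucket_cfg)})
    append_entry(chain, {"type": "status_proposed", "control": "A.8.9", "status": "implemented"})
    append_entry(chain, {"type": "human_certified", "control": "A.8.9", "by": "ciso@example.com"})
    return chain


def tamper_demo():
    """Rewrite a historical result, recomputing only that entry's own hash:
    the chain breaks at the next entry, which still points at the old hash."""
    chain = build_sample_chain()
    forged = deepcopy(chain)
    forged[0]["event"]["result"] = "fail"
    forged[0]["entry_hash"] = sha256_hex(canonical(
        {k: forged[0][k] for k in ("seq", "prev_hash", "event")}))
    return verify_chain(chain), verify_chain(forged)


def rehash_demo():
    """A forger who rebuilds every hash defeats the chain check on its own;
    the signature over the export digest is what catches a wholesale rewrite."""
    chain = build_sample_chain()
    export = sign_export(chain, EXPORT_KEY)
    events = [deepcopy(e["event"]) for e in chain]
    events[0]["result"] = "fail"
    forged = []
    for ev in events:
        append_entry(forged, ev)
    return verify_chain(forged), verify_export(dict(export, chain=forged), EXPORT_KEY)


if __name__ == "__main__":
    print(tamper_demo())  # ((True, None), (False, 1))
    print(rehash_demo())  # ((True, None), False)
```

The two demos show why the page lists both mechanisms: the chain alone catches an edit to one record, while the signed export digest catches an attacker who can rewrite the whole log and recompute every hash. In a real deployment the signing key would of course live in an HSM or KMS rather than a constant.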
Does zero-custody cost extra?
No. Everything in Diligio Compliance is included in the standard price of $1,999 per company per year. Zero-custody is a mode you switch on, not a tier.
Do I need to build my own agent?
No. Any MCP-capable agent (for example one you already run internally) can do the job, and the API is plain REST if you prefer scripts. Teams that do not want an agent at all simply use the standard managed mode with uploads and platform connectors.
See the product on the Diligio Compliance page, or how it stacks up in the comparison hub.