CompStack
The platformv1.4 · current

What used to take eight tools takes one.

Compliance teams stitch their work together with spreadsheets, email, shared drives, and people's memory. CompStack replaces the stitching. Every record carries a trail from the clause it satisfies to the evidence behind it.

Book a demoView modules
linked record graphtenant · acme-foods
Requirements
Controls
Documents
Evidence
Audits
Findings
CAPA
614 requirements76 controls · 138 docs
Foundation

Multi-tenant. Multi-site. Built for groups.

A single tenant can run dozens of sites with overlapping standards. Permission boundaries follow the org structure, not a folder tree.

Tenancy

Organizations, sites, and roles, modelled the way audits ask for them.

  • Org → sites → site groups. Audit scope can be drawn at any level.
  • Roles: admin, manager, auditor, viewer, extensible per-org.
  • Site-level access boundaries enforced in every query.
  • Memberships carry validity windows for contractors and consultants.
Standards library

Standards as structured data, not PDFs.

  • Clauses → requirements → expectations + audit prompts.
  • Cross-mapping between ISO, KEBS, FSSC and sector packs.
  • Search by clause, intent, or evidence type.
The eight workflows

Each surface is a real one, not a brochure render.

Below: deeper looks at the workflows highlighted on the home page. Same vocabulary your auditor will use.

01 · Scoping

Decide what applies, where, and prove why.

Mark requirements applicable, not-applicable (with justification), or deferred, by org or by site. Lock a baseline before each audit cycle.

  • Three-state applicability. Applicable / Not applicable / Deferred, every state defensible.
  • Justification required. Not-applicable cannot be saved without a written reason and an owner.
  • Audit-trail by default. Every scope change carries actor, timestamp, and prior state.
scope · mombasa-plant412 / 614 applicable
9001 · 7.5.3
Control of documented information
Applicable
9001 · 8.3
Design and development
Not applicable
14001 · 6.1.2
Significant aspects identification
Applicable
45001 · 8.1.4
Procurement (contractor mgmt)
Deferred
22000 · 7.2
Prerequisite programs
Applicable
27001 · A.5.10
Acceptable use of assets
Applicable
02 · Document control

Defensible policy lifecycle · from draft to obsolete.

Every controlled document, policies, procedures, work instructions, forms, manuals, moves through a real workflow with segregation of duties.

  • Draft → Review → Approved → Published → Obsolete. Stage gates with named approvers.
  • Author cannot self-approve. Hard rule. Verifier cannot be the document owner.
  • Distribution & ack. Track who acknowledged what version, when.
  • Retention windows. Auto-flag obsolete docs once the retention period elapses.
QMS-POL-014
Supplier evaluation policy
v3.2
Draft
Review
Approve
Publish
Obsolete
AuthorAdelaide Wachira (QM)
ApproversOperations Director · Plant Manager
RestrictionAuthor cannot approve own document, enforced
Distribution3 ack pending of 47
Retention7 years from publication
03 · Controls registry

What you do to satisfy each requirement · and the evidence it produces.

A central control register that maps controls to requirements, documents, and evidence types. No more orphan controls.

  • Type & frequency. Preventive, detective, corrective, directive, with cadence.
  • Owner. Every control has a named owner, not a department.
  • Expected evidence type. Pre-declared, so auditors know what to expect.
  • Many-to-many linking. One control can satisfy many requirements; one requirement can be covered by many controls.
id
title
type
freq
owner
CTRL-027
Calibration program
Preventive
Monthly
QA
CTRL-014
Supplier audit cadence
Preventive
Annual
Procure
CTRL-031
Pest control inspection
Detective
Weekly
Facil.
CTRL-009
Hold-and-release on out-of-spec batch
Corrective
Per event
QA
04 · Evidence library

Files and links that survive an audit.

Every artifact lives in a single library, files, certificates, screenshots, videos, external URLs. Validated, expiry-tracked, and linked to the records that need it.

  • Validation workflow. Pending → Accepted / Rejected with validator identity.
  • Expiry tracking. Valid-until dates trigger alerts before the auditor notices.
  • Time-limited signed URLs. No public file links, ever.
  • Bidirectional linking. Find every requirement / control / audit / CAPA an artifact supports.
evidence library1,948 items
ISO 22000 cert · Mombasa
PDF
Mar 12, 2027
Calibration cert · MD-04
PDF
in 23 days
Forklift operator · J. Otieno
PNG
expired
Q1 batch records (Op-09)
ZIP
·
Internal audit report · Q4 2025
PDF
·
Supplier audit · Pkg-Acme
PDF
Jun 2026
05 · Audits

Generate checklists from real scope. Run them. Report.

Audit programs run from your scoped requirements, not from a generic checklist. Findings convert to CAPAs without re-typing.

  • Internal · external · supplier. Same engine, different stakeholders.
  • Auto-generated checklists. Pulled from applicable requirements at the chosen sites.
  • Verdicts. Conformity / Nonconformity / Observation / OFI / Not assessed.
  • Structured report. Executive summary, metrics, breakdown, full detail tables.
AUDIT-2026-Q1-INT
Q1 internal. Mombasa & Naivasha
closed
Conform
178
Obs
14
OFI
9
NC
3
Standards9001 · 14001 · 22000
Sites2
Lead auditorA. Wachira
Findings → CAPA3 NC + 4 OFI auto-converted
06 · Findings & CAPA

Close the loop with verification by someone else.

Findings convert directly to CAPAs. Root cause is mandatory. Effectiveness verification is performed by a different person than the owner, enforced.

  • Auto-numbering. CAPA-2026-0118 style, scoped per tenant.
  • 5-Whys built in. Root cause cannot be skipped.
  • Verifier ≠ owner. The platform refuses to advance if you try.
  • Kanban view. Open / In progress / Verifying / Closed, with overdue alerts.
Open
5
CAPA-2026-0116
Calibration drift · MD-04
CAPA-2026-0117
Calibration drift · MD-04
In progress
3
CAPA-2026-0114
Calibration drift · MD-04
CAPA-2026-0115
Calibration drift · MD-04
Verifying
2
CAPA-2026-0113
Calibration drift · MD-04
CAPA-2026-0114
Calibration drift · MD-04
Closed (30d)
14
CAPA-2026-0125
Closed by K. Mbeki
CAPA-2026-0126
Closed by K. Mbeki
07 · Risk

ISO 31000-style register, linked to controls and CAPA.

A risk register that talks to the rest of the system: cause, consequence, likelihood × impact, treatment strategy, residual, and review date.

  • 5×5 matrix. With customisable bands and treatment strategies.
  • Treatments → CAPA. Mitigations become trackable actions in CAPA.
  • Residual after treatment. Not optional. Required before sign-off.
  • Overdue review alerts. Risks that haven't been reviewed since their due date are flagged.
register · 38 risks
4 critical
likelihood →impact ↑
RGT-094
Calibration drift
L4 × I3 = 12
RGT-067
Single-source preservative
L3 × I5 = 15
RGT-101crit
Pwd reuse on shop-floor
L4 × I4 = 16
08 · Management review

Decisions, attendees, actions · recorded for audit.

Management review meetings stop being free-form Word docs. Inputs come straight from audits, risks, and CAPA, outputs are tracked actions.

  • Required inputs. Audits, findings, CAPA, risks, customer feedback, KPIs.
  • Decisions become actions. Each decision auto-creates an owner + due date.
  • Quorum & attendance. Recorded; required for sign-off.
  • Immutable record. Minutes export to PDF and CSV for the audit folder.
meetingApr 24
quorum9 / 12 attended
inputsaudits · risks · CAPA
10:14ExecApprove scope reduction · KEBS KS 2466
10:21QMAllocate budget · 4 calibration units
10:33BoardDefer SA8000 onboarding to Q4
10:48QAOpen CAPA on supplier audit overdue
immutable record · PDF + CSV export
Cross-cutting

Everything is linked. Nothing is loose.

The platform's value compounds: change a requirement, and every linked control, document and evidence inherits the change with a full trail.

AI Copilot

Cited answers. Approval-gated agents. Every action logged. See /ai-copilot.

Module store

Standards as installable modules with version diffs. See /modules.

Security

Tenant isolation, immutable audit log, signed access. See /security.

See it on your scope

Bring three policies and one stuck CAPA. We'll do the rest.

A working session, not a slideware demo. We load the same workflow your team will run on Monday.

Book a working sessionView pricing45 min · no slides