A number you can prove.

Vellorum gives you a compliance posture. It also gives you every input, formula, and audit event that produced it — so you never have to ask your system to trust itself.

Determinism

Same inputs, same output, always. The scoring engine is a pure function — injectable date, no global state, unit-tested at every boundary. Hover any number to see its derivation.

Provenance-locked AI

The AI assistant answers strictly from your workspace data. Every sentence carries an inline citation. No retrieval = no answer. Offline fallback produces the same structure without an API key.

Immutable audit trail

Every mutation — status change, evidence upload, member action — writes an audit event. Your auditor reads the same history you do. Nothing is editable after the fact.

Self-hostable for EU finance

EU CASPs and banks cannot load compliance data into US-SaaS. Vellorum runs entirely on your infrastructure via docker-compose. No phone-home. Ed25519-signed offline license.

Built for the actual regulation. Not a checkbox.

  • Every framework parsed to the article and scored the same deterministic way — versioned requirement trees, never paraphrased prompts.
  • DORA Register of Information: ESA ITS B_01.01–B_99.01 column names, enumerations, and sheet structure — validated against the live spec, not approximated.
  • Incident deadlines per RTS (EU) 2024/1772: initial report within min(4h from classification, 24h from detection). Pure function. Tested against edge cases.
  • TLPT scheduling per DORA Art. 26: 3-year cadence enforced deterministically. Overdue tests surface as graph insights.
  • BaFin KMAG, GwG/KryptoWTransferV, BAIT/MaRisk: national supervisor layer included as first-class regulation packs — not mapped from a US framework.
  • MiCA CASP authorisation obligations: article-level requirements, versioned, with EUR-Lex CELEX source links.
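
The initial-report rule from the list above, written as a pure function with an injected clock. This is an added example, not Vellorum's code; the function name, the result fields, and the rejection of naive or out-of-order timestamps are assumptions made here.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

CLASSIFICATION_WINDOW = timedelta(hours=4)   # counted from classification
DETECTION_WINDOW = timedelta(hours=24)       # counted from detection


class InitialReportStatus(NamedTuple):       # hypothetical result shape
    deadline: datetime      # always UTC
    binding_rule: str       # which of the two clocks set the deadline
    remaining: timedelta    # negative once the deadline has passed
    overdue: bool


def _utc(ts: datetime, name: str) -> datetime:
    # Reject naive timestamps: guessing a zone would make the result depend
    # on the host's locale, which breaks "same inputs, same output".
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def initial_report_status(detected_at: datetime, classified_at: datetime,
                          now: datetime) -> InitialReportStatus:
    """deadline = min(classification + 4h, detection + 24h); `now` is injected."""
    detected = _utc(detected_at, "detected_at")
    classified = _utc(classified_at, "classified_at")
    current = _utc(now, "now")
    if classified < detected:
        # Assumption: an incident cannot be classified before it is detected.
        raise ValueError("classified_at precedes detected_at")
    by_classification = classified + CLASSIFICATION_WINDOW
    by_detection = detected + DETECTION_WINDOW
    if by_classification <= by_detection:
        deadline, rule = by_classification, "classification+4h"
    else:
        # Classification came more than 20h after detection: the 24h cap binds.
        deadline, rule = by_detection, "detection+24h"
    remaining = deadline - current
    # Assumption: a report filed exactly at the deadline is still on time.
    return InitialReportStatus(deadline, rule, remaining, remaining < timedelta(0))
```

Because the clock is a parameter, the same three timestamps always give the same status, and a test can pin `now` to the exact boundary instead of mocking the system time.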

Demo data & privacy

Our public demo stores the email you enter so we can follow up, plus your IP address solely to prevent abuse. Both are deleted automatically after 90 days, and all data stays within the EU.

See the numbers. Prove the posture.