Why SARC
SARC ships a self-hosted, tamper-evident evidence ledger — Fides (Go API + PostgreSQL + evidence vault + MCP), which replaces a SaaS evidence service — and the orchestration layer that wires it to ServiceNow and your CI. Everything runs inside your own cloud: no SaaS egress, hash-chained evidence, controls coverage across the frameworks your regulator asks about. It is the surface that turns pipeline data into the auditor-ready story your regulator, auditor, and CAB actually want.
The pain SARC removes
Four pain points repeat in every regulated delivery conversation:
- Evidence is scattered — and often leaves your perimeter. SonarQube, Snyk, Wiz, GitGuardian, Trivy, ServiceNow, a SaaS evidence vendor, GitLab, GitHub Actions, Azure DevOps — each owns part of the story, and none of it stays in your cloud. Nobody owns the whole story.
- Approvals are a bottleneck. A typo fix and a schema migration get the same 48-hour CAB review because risk is opaque.
- CMDB is always stale. What’s running in production, by month end, bears little resemblance to what the CMDB says.
- Cloud lock-in is forced early. Compliance tooling tends to be built around one cloud’s primitives, so moving workloads to a second cloud breaks the audit story.
What SARC actually delivers
SARC deploys a self-hosted Fides evidence ledger into your cloud and unifies it with ServiceNow into one auditable pipeline. Specifically:
- A self-hosted, tamper-evident Fides ledger (Go API + PostgreSQL + evidence vault + MCP) that receives SBOM, CVE, SAST and DAST evidence from the pipeline — hash-chained, in your cloud, no SaaS egress.
- A Fides risk score that gates the ServiceNow change request: low-risk changes auto-clear, risky ones get human eyes. No other system computes this at CR time.
- DORA metrics and CMDB reconciliation, plus vulnerability SLO burndown with cost-to-fix correlation — turning “find vulns” into “save $X / month.”
- One-button SOC 2 / ISO 27001 / NIST 800-53 / DORA / SOX / PSD2 / PCI-DSS evidence packaging, with controls-framework coverage mapped per change. Customers cite this first.
- A self-hosted, in-cluster AI assistant (Ask-AI on a CPU model — no cloud key) and MCP server so agents and auditors can query Fides, ServiceNow, and portal data in plain language — without breaking compliance or leaving your perimeter.
- Service-to-incident correlation via a directed graph that the evidence ledger doesn’t compute and ServiceNow can’t see.
See every operator surface in the full portal tour.
What this means for the executive
For the CFO
- Audit prep time drops from weeks-of-compilation to one click.
- Cost-vuln correlation quantifies remediation ROI in dollars, not severity labels.
- One platform replaces 4–6 manual processes previously held together by spreadsheets.
For the CIO / CTO
- Cloud parity is real. Same Terraform shape and ArgoCD GitOps on AWS / Azure / GCP / OpenShift.
- CI parity is real. Same compliance gates on GitLab CI / GitHub Actions / Azure DevOps.
- No vendor capture. You own the open architecture end-to-end, deployed in your cloud, audited by you.
For the Chief Compliance Officer / Head of GRC
- Auditors get their own time-boxed session — magic-link login, read-only to audit + compliance routes only.
- Evidence is reproducible per deployment, not compiled per quarter.
- AI Governance for the EU AI Act + NIST AI RMF + ISO 42001 is built in, not bolted on.
Scope guards — what SARC is NOT
Explicit non-goals — read this carefully so expectations land cleanly:
- Not a SaaS competing with ServiceNow. Workflow control plane stays in ServiceNow.
- Not another compliance SaaS. The Fides evidence ledger is self-hosted in your cloud — no evidence leaves your perimeter, no token to trust.
- Not a CI platform. Use whichever you already own.
- Not a cloud. Deploys into yours.
- Not a CMDB replacement. Pushes into ServiceNow CMDB, doesn’t duplicate it.
- Not an authentication system. Use your existing IdP — Okta, Azure AD, Google Workspace, Keycloak.
How customers buy SARC
SARC is a customer demo platform + reference architecture. You don’t subscribe; you adopt. Calitti / Synechron sells the implementation engagement (typically 4–8 weeks for the MVP install) that stands up the self-hosted Fides ledger in your cloud and wires it to your existing ServiceNow + cloud + CI. After the engagement, you own and operate it. No SaaS bill, no per-seat fee, no evidence egress, no vendor capture.
Next step
- If you want to see it run, the demo scripts walk through compliance director, CTO, and CFO talk tracks.
- If you want to evaluate the architecture, the architecture docs cover system shape, multi-cloud, and multi-CI.
- If you’re ready to scope an engagement, contact Calitti / Synechron directly.