LEGALO COMPLIANCE OPERATING SYSTEM — ALL SYSTEMS OPERATIONAL
ISO 27001 · SOC 2 TYPE II · DPDP READY
Compliance Operating System — v4.3 Operational

Audit-ready compliance proof. Not dashboards.

Legalo converts statutory law into executed compliance artifacts — obligations, evidence, approvals, and locked audit packs.

⊘  If proof is incomplete, the system refuses.

legalo — artifact-engine — Q1-2026.log LIVE
09:14:01 Ingesting DPDP Act §8(3)(b) — Principal Rights
09:14:02 Obligation mapped: OBL-2026-0143
09:14:03 Evidence vault — EVD-7823 hash verified
09:14:04 SHA-256: e8f3a1c2d4b9f7a3...
09:14:05 Approval: J. Sharma (CFO) — MFA confirmed

09:14:06 Running refusal engine validation...
09:14:07 All checks passed — generating artifact
09:14:08 Locking pack — immutable state enforced
✓ Artifact Generated & Locked
AUDIT-PACK-Q1-2026
7 obligations · 11 evidence items · 4 approvals · SHA-256 sealed
09:14:09 Auditor access — read-only scoped
01 Statutory Law
02 Obligation
03 Evidence
04 Approval
05 Audit Artifact

"Most compliance systems track tasks, controls, or policies.

Legalo produces defensible artifacts.

Every compliance output is built from statutory law, mapped obligations, verified evidence, human approvals, and immutable artifacts."

The system of record for compliance proof
§ —
Statutory law sections
Every obligation anchored to a specific section of statute. The law is always visible.
⊕ —
Mapped obligations
Legal text converted to executable obligations with evidence requirements and deadlines.
# —
Verified evidence
SHA-256 hashed, versioned, tamper-evident. A ledger system for compliance proof.
✓ —
Human approvals
Maker-checker workflow embedded structurally. Who approved what and when — always recorded.
🔒 —
Immutable audit artifacts
Locked, versioned, traceable. A complete compliance record auditors can trust.
0%
Statutory Traceability
Every obligation references a specific section of law. No orphaned controls.
Zero
Incomplete Artifacts Shipped
The system blocks generation if any evidence or approval is missing. Non-negotiable.
0%
Faster Audit Preparation
Auditors review structured artifacts — not scattered documents and emails.
SHA-256
Evidence Hashing Standard
Cryptographic integrity on every evidence record from the moment of ingestion.
Regulations covered — DPDP Act 2023 · Companies Act 2013 · SEBI Regulations · RBI Guidelines · IT Act 2000 · IRDAI Directions · GDPR · SOX · ISO 27001 · SOC 2 Type II

Compliance execution
becomes deterministic

Legalo converts statutory law into an execution model that produces verifiable compliance proof. Every artifact follows the same immutable chain.

01 —
Statutory Law
Every obligation anchored to a specific section of statute. Full regulatory context preserved.
02 —
Obligation Mapping
Law sections converted to executable obligations with evidence requirements and deadlines.
03 —
Evidence Collection
Evidence ingested, versioned, hashed. Audit-grade integrity enforced at point of capture.
04 —
Human Approval
Maker-checker workflow with structural segregation of duties. Every decision logged immutably.
05 —
Audit Artifact
Structured, locked, immutable pack generated. Compliance is an artifact — not an explanation.
Statute Reference
Every compliance obligation in Legalo is anchored to a specific statutory section. No generalized controls. The Law Navigator keeps the statute always visible — regulators can verify the source of every obligation directly.
Statute Record · Section Indexed
Statute: Digital Personal Data Protection Act, 2023
Section: §8(3)(b) — Data Principal Rights & Obligations
Jurisdiction: Republic of India · Active
Effective: 11 Aug 2023 · Enforced
Obligations: 4 mapped obligations derived from this section
Obligation Execution
Statutory text converted into executable obligations. Each obligation carries evidence requirements, a deadline, a responsible owner, and a status that blocks artifact generation if incomplete.
Obligation Record · In Execution
ID: OBL-2026-0143
Law Ref: DPDP Act §8(3)(b)
Deadline: 30 Jun 2026 · Due in 81 days
Owner: Data Protection Officer — R. Patel
Evidence: 3 required · 3 submitted · Complete
Evidence Vault Entry
Evidence is stored like a ledger — every record versioned and hashed at ingestion. Evidence cannot be overwritten, only superseded. Cryptographic integrity verifiable years later during regulatory review.
Evidence Record · Hash Verified
Evidence ID: EVD-7823
SHA-256: e8f3a1c2d4b9f7a3e2c1d6b8a4f9e3c7...
Captured: 14 Jan 2026 · 09:14:03 IST
Version: v3 — supersedes v2 · Current
Integrity: ✓ Verified — tamper-evident ledger
Approval & Accountability
Human approvals are embedded structurally into the compliance lifecycle. The maker-checker model enforces segregation of duties — the data model structurally prevents a submitter from approving their own evidence.
Approval Record · Signed & Immutable
Approved By: J. Sharma — Chief Financial Officer
Timestamp: 15 Jan 2026 · 11:42:07 IST
Auth Method: Digital signature + hardware MFA
Segregation: Approver ≠ Evidence submitter · ✓ Enforced
Status: Approved — record locked in vault
Audit Artifact — Locked
Once all obligations are satisfied and approvals recorded, Legalo generates a structured, cryptographically locked audit pack. Compliance is no longer an explanation — it is an immutable artifact.
Audit Pack — LOCKED · 🔒 Immutable
Pack ID: AUDIT-PACK-Q1-2026
Contents: 3 law sections · 7 obligations · 11 evidence items · 4 approvals
Generated: 15 Jan 2026 · 14:00:00 IST
Pack Hash: f1a9b2c8e7d3a6f5b1c4d9e2a8f7b3c6...
State: 🔒 Locked — cannot be modified or deleted
Platform Architecture

Compliance proof flows
through every layer

Legalo is built as a complete compliance operating system — from your operational systems all the way to regulators and auditors. Every layer enforces one chain: Law → Obligation → Evidence → Approval → Artifact.

Operational Systems: Evidence Sources
🔧 ServiceNow
📋 Jira
📄 Google Drive
📁 SharePoint
💬 Slack
User Interface Layer: Compliance Workspace
⚖️
Law Navigator
📋
Obligation Workspace
🏛️
Evidence Vault
Approval Workflow
📦
Audit Pack Builder
Application Services: Distributed Service Layer
⚖️
Law Service
📌
Obligation Service
🏛️
Evidence Service
Approval Service
📦
Audit Pack Service
Refusal Engine™
AI Intelligence Layer
Regulatory Corpus
Obligation Inference
Semantic Search
AI Assistant
Compliance Engine — Core Orchestration: Enforcement · Proof · Artifact Generation
Proof Verification
Every obligation, evidence item, and approval is validated to a complete standard before any artifact can proceed
Refusal Enforcement
Incomplete compliance proof is blocked structurally — the system cannot be bypassed or overridden by any user or process
Artifact Generation
A structured, locked, immutable audit pack is produced and sealed only when proof is complete
Obligation Knowledge Graph™ (OKG): Proprietary Graph Intelligence
LAW
Statutory Sections
OBLIGATION
Execution Tasks
EVIDENCE
Hashed Records
APPROVAL
Signed Records
Query: Show evidence supporting Section 173
Query: Which regulations reuse this evidence?
Evidence Integrity Layer: Ledger-grade evidence storage · Cryptographic integrity
🗂
Versioning
#
SHA-256 Hashing
🔐
Access Control
📋
Audit Logs
Data & Infrastructure: Enterprise Cloud Infrastructure · Multi-region · Encrypted
🗄
Relational Store — Transactional Data
🕸
Graph Store — OKG Relationships
🪣
Object Store — Evidence Files
🧠
Semantic Store — AI Intelligence
🏛️
Regulators & Auditors
Receive structured, immutable compliance artifacts. Review evidence manifests and approval histories directly — no document-chasing, no manual collection.

Artifacts auditors
can rely on

Legalo compiles compliance artifacts into structured audit packs. Once generated, packs are locked and immutable. Auditors review artifacts — not scattered documents, emails, or spreadsheets.

§
Statutory Sections
Direct law references underpinning every obligation. Full regulatory lineage — section, jurisdiction, effective date, and all derived obligations.
Evidence Manifests
Complete inventory of evidence linked per obligation. Metadata, version history, SHA-256 hash, source, and full approval chain.
🔒
Immutable Once Generated
Pack state cryptographically sealed on generation. No post-hoc edits possible. Auditors see exactly what happened — always.
AUDIT-PACK-Q1-2026 · 🔒 LOCKED
Generated 15 Jan 2026 · 14:00:00 IST · Legalo Artifact Engine v4.3
Statutory Sections — 3 law references
COMPLETE
Obligation Mapping — 7 obligations
EXECUTED
Evidence Manifest — 11 items, all hashed
VERIFIED
Approval Records — 4 approvals, MFA signed
SIGNED
SHA-256 Integrity Hashes
HASHED
Timestamps & Full Audit Trail
SEALED
Refusal Enforcement Engine

Compliance without
proof cannot ship

Most compliance systems generate reports even when evidence is missing. Legalo enforces proof at the artifact generation layer. The Refusal Engine validates every element — and cannot be bypassed, even by AI.

Missing evidence — an obligation cannot be satisfied without attached, hashed, verified evidence records
Missing approval — human sign-off with MFA required before any obligation reaches fulfilled state
Incomplete obligation — every mapped law section must reach full execution state before the pack can lock
legalo — refusal-engine — BLOCKED
14:02:11 ✗ ARTIFACT GENERATION REFUSED
14:02:11 → Validating: AUDIT-PACK-Q1-2026
14:02:12 ✗ OBL-2026-0143: evidence missing
14:02:12 ✗ OBL-2026-0147: approval not recorded
14:02:13 ✗ §12(1)(a): obligation incomplete 0/3
14:02:13 → Pack status: BLOCKED (3 unresolved)
14:02:14 → Owner notifications dispatched
⊘ GENERATION BLOCKED — PROOF REQUIRED
Resolve 3 incomplete items to enable artifact generation. The system enforces proof at all times — this cannot be overridden.
Evidence Lifecycle

Evidence managed as
a ledger — not a folder

Every evidence record moves through a structured lifecycle. No evidence can skip stages. Approved versions are locked — only superseded by a new submission. The complete chain is preserved for auditors, always.

01
📝
Draft
Evidence submitted by owner — metadata, source system, period covered, and version note required before submission.
02
📤
Submitted
SHA-256 hash recorded at ingestion. Uploader, timestamp, and source locked. File enters the immutable ledger.
03
🔍
Under Review
Approver reviews against pass/fail criteria. Comment threads open. "Request more evidence" sends task back to owner without rejecting.
04a
Approved
Approver signature + MFA confirmation recorded. Version locked — no edits possible. Satisfies linked obligation.
→ Obligation satisfied
04b
Rejected
Structured rejection reason recorded. Owner notified with required changes. New version must be submitted — original is preserved in ledger.
→ Obligation blocked
05
Expired / Superseded
Expiry tracked automatically. Alerts issued before compliance gap emerges. Superseded versions retained — auditors see full history.
Classification at submission
Every evidence item tagged as Public, Internal, or Confidential at the point of upload — controls visibility for external auditors and board views.
Access controlled
Exceptions register
When evidence cannot be obtained, an accepted exception is logged with rationale and compensating controls. Auditors see the gap and its governance — not silence.
Auditor-visible
Legal hold
Evidence under legal hold cannot be deleted or expired — organisation-wide or obligation-scoped. Protects defensibility during active regulatory proceedings.
Deletion blocked
Audit Readiness

Your audit readiness
score — always live

Legalo maintains a transparent, real-time audit readiness score across every active regulation. No guesswork before an audit. Every gap is surfaced before the auditor arrives.

Audit Readiness Dashboard · LIVE · ILLUSTRATIVE EXAMPLE
84
Audit readiness score
DPDP Act 2023 — Q1 2026 programme · 2 gaps outstanding
Obligation coverage
100%
Evidence completeness
88%
Approvals signed
92%
Control effectiveness
79%
Exceptions resolved
67%
Evidence expiry risk
95%
§
Transparent scoring model
Every score component is visible and explainable. Auditors and regulators can inspect the exact formula — no black-box compliance metrics.
Gaps surfaced before the audit
Missing evidence, expiring records, unsigned approvals, and outstanding exceptions — all flagged in real time, not discovered by the auditor on day one.
Control effectiveness — design and operating
Each obligation carries a Design Effective / Operating Effective toggle — the Big-4 distinction between a control that exists and a control that works. Scored separately.
#
SLA metrics for evidence and approvals
Average time-to-approve evidence, overdue closure rates, and escalation frequency — all tracked. Compliance velocity is measurable and improvable.
Evidence Vault

Evidence with integrity

Evidence is stored like a ledger system — every record versioned, hashed, and traceable. Evidence cannot be overwritten, only superseded, with a full version trail preserved.

01 —
Evidence Versioning
Every update creates a new version. All prior versions retained in full. Auditors see the complete history with no gaps or overwrites possible.
02 —
SHA-256 Hashing
Cryptographic hash recorded at ingestion. Tampering detected instantly. Evidence authenticity provable at audit time — even years later.
03 —
Metadata & Timestamps
Source, author, timestamp, and obligation linkage for every item. No orphaned documents. No missing context at audit time.
04 —
Owner Accountability
Every evidence item has a named owner. Responsibility is structural — not dependent on process or memory. Cannot be diffused.
05 —
Expiration Alerts
Evidence expiry tracked automatically. Owners alerted before compliance gaps emerge. Proactive — not reactive fire-fighting.
06 —
Approval Workflows
Evidence reviewed and approved before satisfying an obligation. Maker-checker separation enforced at the data model level — structurally.
Built For

Who Legalo is
built for

Legal & Compliance
CFO & Finance
Internal Audit
External Auditors
Board & CXO
CFO & Finance
Leaders
Reduce audit preparation time and regulatory risk. Compliance proof exists before auditors arrive — not assembled in the week before an inspection under pressure.
Audit preparation time reduced by over 70% — artifacts pre-built
Regulatory risk quantified and tracked continuously
Board-ready compliance status available at any moment
Immutable records eliminate post-hoc disputes and revisionism
72%
Reduction in audit preparation time
Zero
Evidence disputes during audit review
Always
Board-ready compliance status
Internal
Audit Teams
Continuously monitor compliance readiness. Real-time visibility into obligation status across every regulation, every business unit, every evidence item.
Live dashboard of obligation status across all frameworks
Evidence gaps flagged automatically — weeks before external audit
Full tamper-evident audit trail of all system actions
Historical pack comparison for trend analysis
Live
Continuous obligation monitoring
Instant
Automated gap detection & alerts
Complete
System-wide tamper-evident trail
External
Auditors
Review evidence manifests and approval histories directly — without manual document collection, email chains, or spreadsheet reconciliation.
Scoped read-only access to specific audit packs
Evidence integrity verified via SHA-256 hashes
Full approval history with identity, timestamp, MFA
Self-contained artifacts — no document-chasing
Scoped
Read-only auditor access to relevant packs
Self-contained
Artifacts — no external document requests
Cryptographic
Evidence integrity verification
Board &
CXO Leadership
Governance accountability without operational noise. Risk, readiness score, and penalty exposure — delivered in decision-grade format. One-click board pack for quarterly governance meetings.
Compliance percentage and trend — without raw evidence clutter
Top 10 penalty exposure areas — configurable by regulation
Exceptions register with accepted gaps and compensating controls
One-click Board Pack PDF — "what changed since last quarter" included
1-click
Board Pack PDF for quarterly governance
Zero
Raw evidence files surfaced to board view
Instant
Penalty exposure view by regulation category
Early Access Feedback

The compliance record
that auditors trust

Feedback from compliance leaders and counsel across Indian regulated enterprises who participated in Legalo's early access programme. Outcomes reflect their specific regulatory contexts.

EARLY ACCESS
For the first time, our external auditors reviewed our DPDP compliance pack without requesting a single additional document. The statutory reference, evidence chain, and approval records were all in one locked artifact. Our audit closed in two days instead of three weeks.
Jayant S.
CFO · Large-cap NBFC · Maharashtra
EARLY ACCESS
The refusal engine is the feature no GRC platform has built. Our previous system would generate a compliance report even when evidence was missing — you only discovered the gap during the audit. Legalo simply refuses to proceed. That changes everything.
Riya P.
Data Protection Officer · Listed IT Company
EARLY ACCESS
We manage simultaneous compliance across Companies Act, SEBI, and DPDP. Every obligation traced back to the actual statutory section, every evidence item hashed and timestamped. When the SEBI inquiry came, we handed over a locked artifact pack. The inquiry closed in a week.
Arjun K.
General Counsel · SEBI-regulated Fund House
Security & Governance

Built for regulated
environments

Enterprise-grade security and governance controls designed to withstand audit scrutiny — RBAC, audit logs, encryption at rest and in transit, and multi-tenant isolation throughout.

01 —
Immutable Evidence Vault
Version control and cryptographic hashes. Records cannot be deleted or altered — only superseded with a full version trail preserved.
02 —
Role-Based Access Control
Granular permissions across submitters, approvers, reviewers, and auditors. Scoped access enforced at the data layer — not via UI controls alone.
03 —
Segregation of Duties
No single user can submit evidence and approve it. Maker-checker controls are structural — built into the data model, not left to process or policy.
04 —
Comprehensive Audit Logs
Full tamper-evident history of every action, approval, and artifact generation event. Timestamped, immutable, available for regulatory review at any time.
05 —
Evidence Versioning & Hashing
Every version retained. SHA-256 on capture. Authenticity verifiable at audit time — not retrospectively reconstructed from memory or metadata.
06 —
Multi-Tenant Isolation
Enterprise-grade deployment with strict tenant isolation. Encryption at rest and in transit. RBAC, legal hold support, and data residency controls throughout.
ISO 27001
SOC 2 Type II
DPDP Act
Companies Act
SEBI
RBI
GDPR Ready
Integration Layer

Connect with your
existing stack

Operational systems generate activity. Legalo captures the compliance proof. Evidence ingested automatically from connected systems via the Integration Service — event ingestion, evidence linking, workflow notifications, all while maintaining audit-grade integrity.

Automatic Evidence Ingestion
Connected tools push evidence directly into the vault. Integrity maintained at ingestion. No manual uploads or data re-entry required.
🔗
Audit-Grade Integrity Preserved
Every ingested item hashed and timestamped regardless of source system. The chain of custody is unbroken from origin to artifact.
Enterprise API Connectivity
Custom integrations via the Legalo connector layer. Any operational system can become a compliance evidence source with full audit-grade integrity preserved.
🔧
ServiceNow
📋
Jira
📄
Google Drive
📁
SharePoint
💬
Slack
🛡
SIEM
Why Legalo

Not a dashboard.
Not a GRC tool.

Compliance platforms track tasks. Legalo produces defensible artifacts — the difference between an explanation and proof.

| Capability | Legalo COS | GRC Platforms | Spreadsheets & Manual |
|---|---|---|---|
| Statute-level traceability. Every obligation anchored to the exact law section | ✓ Always | ✗ Controls only | ✗ None |
| Proof enforcement at generation. System refuses if evidence or approval is missing | ✓ Non-bypassable | ✗ Reports anyway | ✗ No enforcement |
| Cryptographic evidence integrity. SHA-256 hash on every evidence record from ingestion | ✓ SHA-256 | ~ Partial | ✗ None |
| Immutable locked audit packs. Artifacts sealed — no post-hoc edits possible | ✓ Immutable | ✗ Mutable reports | ✗ Editable files |
| AI-powered obligation mapping. RAG engine maps statutory text to execution obligations | ✓ Built-in RAG | ~ Limited AI | ✗ Manual |
| DPDP 2023 & Indian regulation support. Native support for Indian regulatory framework | ✓ Native | ~ Configurable | ✗ Manual |
| Regulator-ready artifact on demand. Auditor can be handed the pack directly — no assembly required | ✓ Always ready | ~ Reports only | ✗ Manual assembly |
Pricing

Enterprise compliance
infrastructure pricing

Every plan includes the full compliance chain — Law, Obligation, Evidence, Approval, and Audit Artifact. Legalo scales with your regulatory footprint.

Tier 01 — Foundation
Essentials
For teams beginning DPDP or Companies Act compliance with a defined regulatory scope.
Contact us
Annual contract · per-regulation pricing
  • Up to 2 active regulations
  • Law Navigator — statute reference layer
  • Obligation mapping & execution workspace
  • Evidence Vault with SHA-256 integrity
  • Maker-checker approval workflow
  • Audit Pack generation — up to 4 per year
  • 2 integration connectors
  • AI / RAG obligation mapping
  • Obligation Knowledge Graph™ (OKG)
Tier 03 — Enterprise
Enterprise
For large regulated entities, financial institutions, and groups managing cross-entity, multi-jurisdiction compliance.
Custom
Custom contract · dedicated infrastructure
  • Unlimited regulations & entities
  • All Professional capabilities
  • Dedicated compliance infrastructure
  • Private cloud or on-premise deployment
  • Custom integrations via Legalo API
  • Regulator-scoped artifact access controls
  • Executive compliance dashboard
  • Dedicated Customer Success Manager
  • 1hr critical response SLA · 24/7

All plans include ISO 27001-aligned security, infrastructure hosted on SOC 2 Type II certified cloud, and DPDP-ready data residency in India.

Compliance Resources

Everything you need to
evaluate and deploy

Guides, templates, and reference material for compliance leaders, auditors, and technical teams. Every resource is free — no form required.

Guide

DPDP Act 2023 Compliance Guide

A practical, section-by-section walkthrough of the Digital Personal Data Protection Act for Data Fiduciaries. Written for compliance leads and General Counsels — not just lawyers.

Which organisations qualify as Data Fiduciaries and when the Act applies
All 50 compliance obligations mapped to specific Act sections
Consent notice requirements, withdrawal mechanisms, and log obligations
Data Principal rights — access, correction, erasure, nomination
Security safeguards under §8(5) and breach notification under §8(6)
Significant Data Fiduciary (SDF) obligations and when they apply
DPDP-compliant audit pack structure and evidence requirements
Governance Kit

Companies Act 2013 Governance Kit

A structured reference kit covering all 60 compliance obligations under the Companies Act 2013 — filings, board composition, audit requirements, and statutory registers — for Company Secretaries and compliance teams.

Complete obligation map: 60 obligations across 8 audit sections
Board composition requirements — Women, Independent, and Resident Directors
Audit Committee and Vigil Mechanism — specific section citations
ROC filing calendar — MGT-7, AOC-4, DIR-12, MGT-14, ADT-1 and more
Statutory registers — which ones, who maintains them, and when
Related party transaction approval requirements and thresholds
Secretarial audit (MR-3) applicability thresholds and process
Setup Guide

Auditor Portal Setup Guide

A step-by-step guide for compliance leads to configure Legalo's three-tier auditor access model — CXO view, Internal Auditor view, and External Auditor view — before an audit engagement begins.

How to create scoped, time-limited auditor access credentials
Configuring what each access tier can and cannot see
Sharing audit packs without sharing the full compliance workspace
Audit log of every access event — who viewed what and when
Revoking access at end of engagement with full log preservation
Template

Enterprise RFP Template

A structured RFP template for compliance and procurement teams evaluating GRC or compliance infrastructure platforms. Pre-loaded with the right questions to ask any vendor — including questions specifically designed to test refusal and enforcement capabilities.

Statutory traceability — does the system cite specific sections or generic controls?
Evidence enforcement — what happens if evidence is missing at export time?
Artifact integrity — can the audit pack be edited after generation?
Indian regulation coverage — DPDP, Companies Act, SEBI, RBI native support
Data residency, security certifications, and SLA structure
Integration connectors — ServiceNow, Jira, SharePoint, Slack
Common Questions

Everything you need
to evaluate Legalo

Still have questions?
Our team includes compliance architects who have worked directly with SEBI, RBI, and MCA. We can walk through your specific regulatory context.
Response within 1 business day
No sales pressure — architecture first
Live refusal engine demo included
Sample audit pack walkthrough
How is Legalo different from GRC platforms like OneTrust or ServiceNow GRC?
GRC platforms track tasks, controls, and policies — they produce status reports. Legalo produces defensible artifacts: every obligation is anchored to a specific statutory section, every evidence item is cryptographically hashed, every approval is structurally recorded. Critically, Legalo's Refusal Engine blocks artifact generation if any element is missing — most GRC tools produce a report regardless. The output is what differentiates: a locked, immutable audit pack vs a dashboard that says "compliant."
Is Legalo ready for the Digital Personal Data Protection Act (DPDP) 2023?
Yes. DPDP Act 2023 is natively supported — statutory sections are pre-indexed in the Law Navigator, obligations are pre-mapped for Data Fiduciaries, and the Evidence Vault handles data-principal consent records with full integrity. Evidence residency is maintained within India. The audit pack format is structured to support MeitY audit requirements. Legalo also supports simultaneous compliance across DPDP, Companies Act, SEBI, and RBI from a single obligation chain.
What happens if the system refuses to generate an artifact?
The Refusal Engine returns a structured error state listing exactly which checks failed — missing evidence records, unsigned approvals, or obligations that have not reached full execution state. The system will not produce a partial pack. This is a feature, not a limitation — an incomplete artifact is worse than a refusal, because it creates false assurance. Users are directed to the exact gap in the compliance chain, which can then be remediated and the generation re-triggered.
Can regulators and auditors access the audit pack directly?
Yes. Legalo supports regulator-scoped read-only access — auditors and regulators can be granted time-limited, scoped access to specific audit packs without access to the broader compliance workspace. The pack includes statutory references, evidence manifests, approval records, and integrity hashes. No document chasing, no email threads — just the artifact.
How long does onboarding take for an enterprise?
Most enterprises are live with their first regulation in 4–6 weeks. The onboarding process includes: statutory mapping review for your regulatory context, integration configuration (ServiceNow, Jira, SharePoint), obligation workspace setup, team training, and a supervised first audit pack generation. Enterprise deployments with private cloud infrastructure may require 8–12 weeks depending on security review timelines.
How is evidence integrity guaranteed over time?
Every evidence record is SHA-256 hashed at ingestion — the hash is stored immutably in the Evidence Vault alongside the record. Evidence cannot be overwritten; only a new version can be submitted, which supersedes the previous. The hash is verifiable at any point in the future — regulators can confirm years later that a specific piece of evidence has not been tampered with since its original submission.
Does Legalo support multi-regulation and cross-entity compliance?
Yes. The Obligation Knowledge Graph (OKG) maps relationships between regulations — evidence submitted for one obligation can satisfy requirements under another regulation where legally permissible. For group entities and subsidiaries, Legalo supports separate obligation chains per entity with consolidated reporting for the parent. This is particularly relevant for conglomerates managing SEBI, Companies Act, and DPDP simultaneously.
Auditor Access Model

Three scoped views.
Zero over-sharing.

Every stakeholder accesses Legalo through a controlled scope — not the full system. The right information reaches the right person, with full audit logging of every access event.

Tier 01 — Executive
CXO &
Board View
Risk, readiness, and trend — not evidence files or internal comments. One-click board pack. Penalty exposure view. Decision-grade information only.
Executive compliance dashboard — % + trend
Risk heatmap (category × risk × status)
Top 10 penalty exposure areas
Exceptions & decisions register
One-click Board Pack PDF export
"What changed since last quarter" summary
Raw evidence files, internal comments, full audit logs — hidden by default
Executive scope
Tier 03 — External
External
Auditor Portal
Zero-trust. Access only to what you explicitly share. Separate portal login. Scoped to specific audit packs. Every auditor action logged. No accidental over-sharing possible.
Audit packs list — only shared packs visible
Pack detail — sections, obligations, evidence completeness
Obligation read-only view — requirement + mapped evidence + approval status
Evidence viewer — view/download per policy + manifest (hash + version + timestamps)
Q&A workflow — raise question → tracked task → timestamped response
Full logging of auditor access and downloads
Users, org settings, other regulations, internal notes, evidence outside the pack — never accessible
Pack scope · Zero-trust
Auditor Q&A workflow
External auditors can raise structured queries directly within the pack. Each query creates a tracked task — response is timestamped, assigned, and closes the loop immutably.
01 — Auditor raises query within the pack — question tagged to specific obligation or evidence item
02 — System creates a tracked task — assigned to compliance owner with due date and priority
03 — Response submitted — text + supporting evidence if needed — timestamped and locked
04 — Auditor marks resolved — full Q&A thread retained in the immutable audit log
Visibility tags on content
Every comment, note, and file carries a visibility policy — controlling exactly who sees what, without managing separate copies of the same workspace.
Internal only: Never visible to external auditors or board — compliance team notes, draft observations
Auditor-visible: Shared with external auditors when pack is released — responses, clarifications
Board-visible: Surfaced in CXO executive view and board pack export — decisions, exceptions
Redaction policy: Sensitive fields auto-redacted per policy before pack is shared externally
Traceability & Impact Analysis

Ask the system what
changes if X fails.

The Obligation Knowledge Graph (OKG) maps every relationship in your compliance programme — law to obligation, obligation to evidence, evidence to system, system to owner. Impact analysis runs in real time.

If evidence EVD-7823 expires, what obligations go red?
"3 obligations blocked across DPDP §8 and Companies Act §134 — 1 audit pack generation suspended."
The OKG traces every obligation that depends on this evidence record. Before expiry, owners are alerted. Compliance gaps are surfaced proactively — not discovered by the auditor on day one.
EVD-7823 OBL-143 OBL-144 PACK-Q4
If ServiceNow is decommissioned, which controls are affected?
"14 evidence records sourced from ServiceNow — 6 obligations at risk across ITSM and access control categories."
System changes trigger an impact sweep across the OKG. Compliance teams see the full blast radius before the system change is executed — not after the audit finds the gap.
ServiceNow 14 Evidence 6 Obligations 2 Packs
Which evidence items satisfy obligations under both DPDP and Companies Act?
"7 evidence records satisfy obligations under both regulations — reducing duplication by 34%."
The OKG identifies cross-regulation evidence reuse where legally permissible. One piece of evidence satisfies multiple obligations — compliance effort is not duplicated across frameworks.
EVD-4412 DPDP §8 + Cos Act §134
Show all obligations where evidence was approved by the same person who submitted it.
"0 violations detected — segregation of duties enforced structurally across all 47 obligations."
The data model structurally prevents a submitter from approving their own evidence. SoD is not a policy — it is an architectural constraint. Auditors can verify this programmatically, not just on paper.
47 Obligations 0 SoD violations
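The two checks described above (an impact sweep from an expiring evidence record, and a segregation-of-duties query an auditor could re-run on exported data), as an added example that is not Legalo's code or schema. EVD-7823, OBL-143, OBL-144 and PACK-Q4 come from the page; the graph layout, the other IDs and the user names are constructed assumptions.

```python
from collections import deque

# Constructed sample graph. An edge points from a node to what depends on it.
# Only EVD-7823, OBL-143, OBL-144 and PACK-Q4 appear on the page; the rest
# (SYS-servicenow, EVD-9001, OBL-900, user names) is hypothetical.
DEPENDENTS = {
    "SYS-servicenow": ["EVD-7823", "EVD-9001"],
    "EVD-7823": ["OBL-143", "OBL-144", "OBL-900"],
    "EVD-9001": ["OBL-900"],
    "OBL-143": ["PACK-Q4"],
    "OBL-144": ["PACK-Q4"],
    "OBL-900": ["PACK-Q4"],
}

EVIDENCE = {
    "EVD-7823": {"submitted_by": "user-a", "approved_by": "user-b"},
    "EVD-9001": {"submitted_by": "user-c", "approved_by": "user-c"},  # same person
}


def impact(start, dependents=DEPENDENTS):
    """Return every node downstream of `start`, grouped by ID prefix.

    Plain reachability is used because the page states that any missing
    evidence blocks an obligation, so one lost input is enough to go red.
    """
    seen, queue = set(), deque([start])
    while queue:
        for dep in dependents.get(queue.popleft(), []):
            if dep not in seen:  # the seen set also guards against cycles
                seen.add(dep)
                queue.append(dep)
    grouped = {}
    for node in sorted(seen):
        grouped.setdefault(node.split("-")[0], []).append(node)
    return grouped


def sod_violations(evidence=EVIDENCE, dependents=DEPENDENTS):
    """Map each self-approved evidence record to the obligations relying on it."""
    return {
        evd: sorted(dependents.get(evd, []))
        for evd, rec in sorted(evidence.items())
        if rec["submitted_by"] == rec["approved_by"]
    }


if __name__ == "__main__":
    print("EVD-7823 expires ->", impact("EVD-7823"))
    print("SoD violations   ->", sod_violations())
```

An independent re-check like `sod_violations` is useful even when the platform enforces the constraint, because it tests the exported records rather than trusting the enforcement claim.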
Does Legalo support a board-level or CXO view separate from the compliance team workspace?
Yes. The Executive View gives CXOs and board members scoped, decision-grade information — compliance percentage and trend, risk heatmap by category, top penalty exposure areas, and the exceptions register. Raw evidence files, internal comments, and operational audit logs are hidden by default. A one-click Board Pack PDF exports for quarterly governance meetings, including a "what changed since last quarter" summary. The board gets governance accountability information without the noise of the operational workspace.
What is the Auditor Portal and how does it work for Big-4 / EY engagements?
The Auditor Portal is a zero-trust, read-only environment separate from the main Legalo workspace. External auditors receive scoped access to specific audit packs only — they cannot see your user list, org settings, other regulations, or evidence outside the shared pack. Every auditor action (view, download, query raised) is logged immutably. Auditors can raise structured queries within the pack — each creates a tracked task assigned to your compliance team with a timestamped response. This is the access model EY, Deloitte, KPMG, and PwC expect from enterprise compliance infrastructure.
How does Legalo handle compliance gaps, exceptions, and compensating controls?
When an obligation cannot be fully satisfied, Legalo records a formal exception in the Exceptions Register: the obligation, the nature of the gap, the rationale for acceptance, and the compensating control in place. Exceptions are visible to auditors in the relevant pack — with full accountability for who accepted the gap and when. A documented, governed exception is defensible. A hidden gap is a liability. The refusal engine still blocks artifact generation until the exception is formally registered and approved.
The Compliance Proof Layer

Replace compliance explanations with proof

Legalo is the system where compliance proof is finalized — between enterprise operations and regulators. Not a dashboard. Not a workflow tool. Compliance infrastructure.

⚖️
Not a compliance dashboard
Legalo produces defensible artifacts — not charts and status indicators that mean nothing to a regulator
Not a workflow tool
Compliance execution is deterministic — not dependent on human process adherence
🏛️
Compliance infrastructure
The system where compliance proof is finalized, sealed, and delivered to auditors and regulators

Request an Enterprise Demo

Our team will walk you through how Legalo generates audit-ready compliance artifacts from statutory law — live in the platform.

01 —
Statutory traceability walkthrough
See how law sections map to obligations in your regulatory context.
02 —
Live artifact generation — and refusal
Watch a compliance artifact generated and refused in real time.
03 —
Evidence vault & approval workflow
Full walkthrough of integrity controls and approval chains.
04 —
Architecture & integration review
Six-layer architecture walkthrough and integration planning session.

Book a walkthrough

Confirmed within 1 business day · No commitment required
