ProlixoTech Documentation

CPCSC Readiness Documentation

New to ProlixoTech? Solymus is the name of the ProlixoTech SDK and evidence engine—it's what you install (pip install solymus) and what powers the API. Start with the Quick Start guide below to log your first evidence event in under 5 minutes.

Why ProlixoTech?

Not all evidence is created equal. Here's what makes ProlixoTech different from regular logging — and why enterprises choose it for defensibility.

1

"Time Machine" Defence

If audited in 2028 for a 2026 procurement decision, assessors will judge you by 2028 standards. ProlixoTech captures a cryptographic snapshot of your exact compliance policies at the millisecond of each decision. Uses PolicyContext with policy_hash (SHA-256 fingerprint) designed to support defensibility.

2

"Digital Wax Seal" (Non-Repudiation)

Regular database logs can be edited. We use AWS KMS Hardware Security Modules to sign every log with ECDSA P-256 asymmetric keys. Private keys stay in the HSM boundary — they never leave Amazon's physical hardware. Combined with RFC 8785 JSON Canonicalization to prevent ambiguity attacks.

3

Assessment-Ready Evidence (ITSP.10.171)

CPCSC requires traceable evidence for all 97 ITSP.10.171 controls. Schema includes control mapping, evidence tagging, and assessor-ready exports. Compliance becomes a background API call, not a spreadsheet project.

4

Board-Ready Oversight Artifacts (Attestation Engine)

Generate documentation to support assessor and auditor oversight. We use Asynchronous Merkle Aggregation — every 5 minutes, Lambda fuses all shard hashes into a Global Merkle Root. Monthly GET /certificate/{day} generates a signed attestation with inclusion proofs. Note: This is documentation tooling, not legal advice.

5

Zero "Security Tax" (Thread-Based Producer-Consumer)

If logging adds 200ms latency, developers will delete your SDK. We use a thread-safe in-memory queue — your compliance logic "throws" logs into the queue and continues immediately. A background daemon thread handles batching and network transmission. Result: <1ms typical overhead on the calling thread (P50 <0.3ms, P99 <2ms; measured on a c5.xlarge, Python 3.11, 1,000 events/sec). Network latency is absorbed by the background thread.

6

Enterprise-Grade Scaling (Probabilistic Write Sharding)

Linear hash chains create bottlenecks. We implement Probabilistic Write Sharding — logs are randomly assigned to 20+ parallel shards (e.g., LOG_CHAIN#model-1#shard-5). Removes "Head Item" lock contention. Tested at sustained write throughput on DynamoDB on-demand, scaling with provisioned capacity.

7

Enterprise Storage at Startup Prices (Firehose Batching)

Small objects incur per-object overhead in S3 lifecycle transitions (Glacier adds ~40KB metadata per archived object). We use Amazon Kinesis Data Firehose as a managed buffer, compressing logs into columnar Parquet blocks before archiving to S3. This significantly reduces storage costs compared to per-event object storage.

Installation

Requires Python 3.9 or higher. Choose your operating system:

🍎 Mac

Step 1: Open Terminal

Press Cmd + Space, type Terminal, press Enter.

Step 2: Install ProlixoTech

pip3 install solymus

Step 3: Verify Installation

python3 -c "import solymus; print('Success!')"

✓ You should see: Success!

Having issues? Click here

Error: pip3 not found

Install Python from python.org/downloads/macos

Error: Permission denied

Try: pip3 install --user solymus

🪟 Windows

Step 1: Open Command Prompt

Press Windows key, type cmd, press Enter.

Step 2: Install ProlixoTech

py -m pip install solymus

Step 3: Verify Installation

py -c "import solymus; print('Success!')"

✓ You should see: Success!

⚠️ Python not installed?

  1. Go to python.org/downloads
  2. Click the yellow "Download Python" button
  3. ⚠️ IMPORTANT: Check "Add Python to PATH" at the bottom of the installer
  4. Click "Install Now"
  5. Close Command Prompt and open a new one
Having issues? Click here

Error: 'py' is not recognized

Python isn't installed or not in PATH. Reinstall Python and check "Add Python to PATH".

Error: 'pip' is not recognized

Use py -m pip install instead of pip install

Error: solymus=3.0.0 (single equals)

Use double equals: solymus==3.0.0 or just pip install solymus

Common Errors & Solutions

ModuleNotFoundError: No module named 'solymus' Run the install command again. Make sure you see "Successfully installed".
IndentationError: unexpected indent Delete the file and type the code manually (don't copy/paste).
SyntaxError when pasting code Save code to a .py file first. Don't paste directly into Command Prompt.
HTTP Error 403: Forbidden Invalid API key. Copy your key from the dashboard again.

Get Your API Credentials

  1. Sign up at prolixotech.com/signup.html
  2. Verify your email address
  3. Log in to the dashboard
  4. Copy your Tenant ID and API Key from the dashboard

Quick Start

Get started with ProlixoTech in three steps:

1. Initialize the Client

from solymus import Solymus

# Initialize with endpoint, tenant_id, and API key
client = Solymus(
    endpoint="https://api.prolixotech.com",
    tenant_id="my-company",
    api_key="YOUR_API_KEY"
)

2. Fire-and-Forget (Non-blocking)

# Non-blocking - events queued and sent in background
event_id = client.record("model_inference", {
    "model": "gpt-4",
    "prompt": "What is AI?",
    "response": "AI is...",
    "tokens": 150
})
# Returns immediately with event_id
print(f"Queued: {event_id}")

3. Synchronous (Blocking, Returns Receipt)

# Synchronous - waits for server confirmation
receipt = client.record_sync("critical_decision", {
    "decision_type": "loan_approval",
    "outcome": "approved",
    "confidence": 0.95
})

# Receipt is a dataclass with these attributes:
print(f"Event ID: {receipt.event_id}")      # Unique identifier
print(f"OK: {receipt.ok}")                  # True if successful
print(f"Trace ID: {receipt.trace_id}")      # Correlation ID
print(f"Digest: {receipt.digest_b64url}")   # SHA-256 digest
print(f"Algorithm: {receipt.signing_alg}") # ECDSA_SHA_256

How Your Data Flows

When you call record() from the SDK or POST /ingest via REST, here is exactly what happens inside ProlixoTech's infrastructure:

Your App
SDK or REST API
API Gateway
api.prolixotech.com
Lambda
Hash + KMS sign
DynamoDB
Evidence ledger
S3 Archive
Parquet cold storage

Step-by-Step

1. Your app sends evidence

The SDK queues events in a background thread and batches them (default: 10 events or 5 seconds). Your code continues immediately with <1ms overhead. Events are sent as POST /ingest with your X-Api-Key header. For CPCSC evidence artifacts, use the three-step upload → finalize flow.

2. Lambda processes and signs the event

API Gateway authenticates the request and routes it to our ingestion Lambda. The Lambda:
  • Canonicalizes the JSON payload using RFC 8785 (sorted keys, deterministic serialization)
  • Computes a SHA-256 hash of the canonical bytes (32-byte digest)
  • Signs the digest with AWS KMS using ECDSA P-256 (private key never leaves the HSM)
  • Maps to controls automatically based on evidence type (ITSP.10.171 for CPCSC readiness)

3. Stored in DynamoDB with Merkle linking

The signed event is written to the prolixo_evidence_ledger_v1 DynamoDB table. Each event is linked into a shard chain (20 parallel shards) using chained SHA-256 hashes. This creates an append-only, tamper-evident ledger — if any record were modified after the fact, the chain would break. A daily attestation job computes a Merkle root across all shards.

4. Streamed to S3 for long-term archival

A DynamoDB Stream triggers a Lambda that pipes every new event to Amazon Kinesis Firehose. Firehose batches and compresses events into columnar Parquet files (SNAPPY compression) and writes them to S3. Lifecycle rules automatically tier storage: Standard → Standard-IA (90 days) → Glacier (1 year) → Deep Archive (2+ years).

5. View, export, and verify from the dashboard

Events appear in your dashboard immediately. From there you can: browse your evidence timeline, export compliance packages (SSP, POA&M, Evidence Index, CPCSC Readiness Report) as JSON or PDF, and verify any artifact's cryptographic proof. Each export includes per-artifact public verification URLs that your assessors and auditors can check independently — no login required.

Your data never leaves AWS us-east-1. All processing (hashing, signing, storage) happens within our AWS infrastructure. KMS private keys never leave the hardware security module. The SDK hashes sensitive content locally with SHA-256 before transmission — the actual text never reaches our servers.

What the receipt proves

When you call record_sync(), the receipt you get back contains:

Field Meaning
event_id Unique identifier for this evidence entry
digest_b64url SHA-256 hash of the canonical event payload (base64url encoded)
signing_alg Always ECDSA_SHA_256 — the KMS signing algorithm used
chain_linked true if the event was linked into the Merkle shard chain
trace_id Correlation ID for grouping related events

This receipt is your cryptographic proof that the evidence existed in this exact form at the recorded timestamp. Assessors and auditors can verify it independently via GET /verify/{event_id} or the public verification URL in your exports.

5-Minute Demo

Test ProlixoTech with or without an AI provider. Choose an option below.

Important (Windows users): You must save code to a .py file and run it. Do NOT paste code directly into Command Prompt.

Option 1: Quick Test (No AI Required)

Test ProlixoTech without any AI provider. Only needs your ProlixoTech credentials.

Step 1: Get ProlixoTech Credentials

  1. Go to your Dashboard
  2. Copy your Tenant ID (shown on dashboard)
  3. Click "Generate API Key" and copy the key

Step 2: Create test.py

Open Notepad, paste this code, replace your credentials, and save as test.py on Desktop:

from solymus import Solymus
TENANT_ID = "your-tenant-id"
API_KEY = "ak_live_your_key_here"
log = Solymus(endpoint="https://api.prolixotech.com", tenant_id=TENANT_ID, api_key=API_KEY)
receipt = log.record_sync("test_event", {"message": "Hello from Solymus!", "demo": True})
print(f"Event ID: {receipt.event_id}")
result = log.verify(receipt.event_id)
print(f"KMS Signature Valid: {result.kms_signature_valid}")

Step 3: Run

Windows:

cd Desktop
py test.py

Mac / Linux:

cd ~/Desktop
python3 test.py

Expected Output:

Event ID: 3832bcb3-daea-4a9c-a198-96a249107f51
KMS Signature Valid: True

Your event is now cryptographically signed and tamper-evident. View it in your Events Dashboard.

Option 2: Full Demo with AI

Test with a real AI provider. Choose one below.

Step 1: Install AI Package

Windows:

py -m pip install google-genai

Mac / Linux:

pip3 install google-genai

Step 2: Get API Keys

Step 3: Create demo.py

Open Notepad, paste this code, replace your 3 credentials, save as demo.py on Desktop:

from google import genai
from solymus import Solymus
GEMINI_KEY = "AIza..."
TENANT_ID = "your-tenant-id"
API_KEY = "ak_live_..."
client = genai.Client(api_key=GEMINI_KEY)
log = Solymus(endpoint="https://api.prolixotech.com", tenant_id=TENANT_ID, api_key=API_KEY)
response = client.models.generate_content(model="gemini-2.0-flash", contents="What is AI?")
print(f"Gemini: {response.text}")
receipt = log.record_sync("gemini_inference", {"model": "gemini-2.0-flash", "output": response.text})
print(f"Event ID: {receipt.event_id}")
result = log.verify(receipt.event_id)
print(f"KMS Signature Valid: {result.kms_signature_valid}")

Step 4: Run

Windows:

cd Desktop
py demo.py

Mac / Linux:

cd ~/Desktop
python3 demo.py

Expected Output:

Gemini: Artificial intelligence (AI) refers to...
Event ID: 4a719f94-27eb-4a24-a36b-bfec34977a1d
KMS Signature Valid: True

Your AI inference is now logged with cryptographic proof. View it in your Events Dashboard.

Troubleshooting:

  • IndentationError - Delete the file and retype the code (don't copy/paste)
  • 429 quota exceeded - Create a new Gemini API key at aistudio.google.com
  • Module not found - Run the install command again

Other AI Providers

Groq (Free, Recommended)

Install: py -m pip install groq (Windows) or pip3 install groq (Mac/Linux)

Get key: console.groq.com/keys (free, no credit card)

from groq import Groq
from solymus import Solymus
GROQ_KEY = "gsk_..."
TENANT_ID = "your-tenant-id"
API_KEY = "ak_live_..."
client = Groq(api_key=GROQ_KEY)
log = Solymus(endpoint="https://api.prolixotech.com", tenant_id=TENANT_ID, api_key=API_KEY)
response = client.chat.completions.create(model="llama-3.1-8b-instant", messages=[{"role": "user", "content": "What is AI?"}])
print(f"Groq: {response.choices[0].message.content}")
receipt = log.record_sync("groq_inference", {"model": "llama-3.1-8b-instant", "output": response.choices[0].message.content})
print(f"Event ID: {receipt.event_id}")
print(f"KMS Signature Valid: {log.verify(receipt.event_id).kms_signature_valid}")

Tested Output:

Groq: Artificial Intelligence (AI) refers to the development of computer systems...
Event ID: 202c2e2a-e224-4740-9efb-0ab433f0441b
KMS Signature Valid: True

OpenAI (GPT-4, GPT-3.5)

Install: py -m pip install openai (Windows) or pip3 install openai (Mac/Linux)

Get key: platform.openai.com/api-keys

from openai import OpenAI
from solymus import Solymus
OPENAI_KEY = "sk-..."
TENANT_ID = "your-tenant-id"
API_KEY = "ak_live_..."
client = OpenAI(api_key=OPENAI_KEY)
log = Solymus(endpoint="https://api.prolixotech.com", tenant_id=TENANT_ID, api_key=API_KEY)
response = client.chat.completions.create(model="gpt-3.5-turbo", messages=[{"role": "user", "content": "What is AI?"}])
print(f"GPT: {response.choices[0].message.content}")
receipt = log.record_sync("openai_inference", {"model": "gpt-3.5-turbo", "output": response.choices[0].message.content})
print(f"Event ID: {receipt.event_id}")
print(f"KMS Signature Valid: {log.verify(receipt.event_id).kms_signature_valid}")

Anthropic Claude

Install: py -m pip install anthropic (Windows) or pip3 install anthropic (Mac/Linux)

Get key: console.anthropic.com/settings/keys

from anthropic import Anthropic
from solymus import Solymus
ANTHROPIC_KEY = "sk-ant-..."
TENANT_ID = "your-tenant-id"
API_KEY = "ak_live_..."
client = Anthropic(api_key=ANTHROPIC_KEY)
log = Solymus(endpoint="https://api.prolixotech.com", tenant_id=TENANT_ID, api_key=API_KEY)
response = client.messages.create(model="claude-3-haiku-20240307", max_tokens=1024, messages=[{"role": "user", "content": "What is AI?"}])
print(f"Claude: {response.content[0].text}")
receipt = log.record_sync("claude_inference", {"model": "claude-3-haiku", "output": response.content[0].text})
print(f"Event ID: {receipt.event_id}")
print(f"KMS Signature Valid: {log.verify(receipt.event_id).kms_signature_valid}")

Configuration

API Endpoint: Get your endpoint URL from the Dashboard under Settings.

Configure ProlixoTech via constructor arguments or environment variables:

Parameter Environment Variable Default Description
api_key SOLYMUS_API_KEY - Your API key (required)
tenant_id SOLYMUS_TENANT_ID "default" Your tenant identifier
batch_size - 10 Events per batch before sending
flush_interval - 5.0 Seconds between automatic flushes
max_queue_size - 1000 Max queue size before blocking
timeout - 10 HTTP timeout in seconds

ProlixoTech Client

Constructor

Solymus(
    endpoint: str,                         # Required: API endpoint URL
    tenant_id: str = "default",           # Your tenant identifier
    api_key: str = None,                  # API key for authentication
    batch_size: int = 10,                 # Events per batch
    flush_interval: float = 5.0,         # Seconds between flushes
    max_queue_size: int = 1000,          # Max queue before blocking
    timeout: int = 10                     # HTTP timeout in seconds
)

Methods

record(event_type, payload, ...) - Fire-and-forget. Returns event_id immediately.

record_sync(event_type, payload, ...) - Synchronous. Returns Receipt object.

verify(event_id) - Verify evidence. Returns VerificationResult.

flush() - Force flush all queued events.

close() - Gracefully shutdown, flushing remaining events.

Receipt Object

Returned by record_sync():

AttributeTypeDescription
okboolTrue if event was recorded
event_idstrUnique event identifier (UUID)
trace_idstrTrace ID for correlation
tenant_idstrYour tenant identifier
digest_b64urlstrSHA-256 digest (base64url)
signing_algstrSigning algorithm (ECDSA_SHA_256)

VerificationResult Object

Returned by verify():

AttributeTypeDescription
statusstr"verified", "not_found", or "unknown"
event_idstrThe verified event ID
kms_signature_validboolTrue if KMS signature is valid
merkle_linkedboolTrue if part of Merkle chain
merkle_inclusion_prooflistSHA-256 hashes for proof verification
timestampstrISO 8601 timestamp of event

Compliance Schema

The SDK uses structured dataclasses to represent compliance evidence. Built-in field validation ensures your data is correct before it reaches our servers.

Core Objects

ContextRegistry

Bundles all evidence-related metadata (system ID, audit trails, lineage, etc.):

FieldTypePurpose
ModelContextobjITSP.10.171 — System Identification (IA-2, SC-1)
SessionContextobjITSP.10.171 — Audit Trail (AU-2, AU-3)
PerformanceMetricsobjPerformance and reliability logs
PolicyContextobjPolicy enforcement records
DataProvenanceobjITSP.10.171 — Evidence Lineage (SI-4)
HumanInterventionobjITSP.10.171 — Authorization Records (AC-2, AC-3)

Evidence Types (Auto-Mapping)

Evidence TypeMaps to ControlsExample
access_control_eventAC-2, AC-3, AC-5User login, role change
audit_logAU-2, AU-3, AU-4System event logged
encryption_statusSC-7, SC-13TLS handshake, key rotation
patch_managementCM-3, SI-2Patch deployed, verified
vulnerability_scanRA-3, SI-2Vuln scan results
authentication_eventIA-2, IA-3MFA success, password change
policy_documentPL-1, PL-2, AC-1Security policy signed

Complete Evidence Example

Here's a full compliance event demonstrating all supported fields:

from solymus import (
    Solymus, ContextRegistry, ModelContext, SessionContext,
    PerformanceMetrics, PolicyContext, DataProvenance, HumanIntervention
)

client = Solymus(
    endpoint="https://api.prolixotech.com",
    tenant_id="defence-supplier-123",
    api_key="ak_live_your_key"
)

# ITSP.10.171 — System Identification
model_ctx = ModelContext(
    system_id="classified-system-alpha",
    deployment_env="production",
    version="2.4.1"
)

# Audit Trail
session_ctx = SessionContext(
    user_id="user@defence-supplier.ca",
    session_id="sess_xyz123",
    action="approved_procurement",
    timestamp="2026-03-14T14:22:35Z"
)

# Evidence Lineage
provenance = DataProvenance(
    source_system="ServiceNow",
    data_classification="PROTECTED B",
    lineage_hash="sha256:abc123..."
)

# Authorization Records
oversight = HumanIntervention(
    approver_id="supervisor@defence-supplier.ca",
    approval_timestamp="2026-03-14T14:30:00Z",
    approval_method="multi_factor_auth"
)

# Bundle all contexts
registry = ContextRegistry(
    model_context=model_ctx,
    session_context=session_ctx,
    data_provenance=provenance,
    human_intervention=oversight
)

# Record the evidence with full context
receipt = client.record_sync(
    event_type="procurement_decision",
    payload={
        "decision": "approved",
        "vendor_id": "v_acme_corp",
        "contract_value": 500000
    },
    context=registry
)

print(f"Receipt: {receipt.event_id}")

Async Usage

For high-throughput applications, use async/await with fire-and-forget mode:

import asyncio
from solymus import Solymus

async def log_many_events():
    client = Solymus(
        endpoint="https://api.prolixotech.com",
        tenant_id="defence-supplier-123",
        api_key="ak_live_your_key",
        batch_size=100,
        flush_interval=5.0
    )

    # Fire-and-forget: returns immediately
    for i in range(1000):
        event_id = client.record(
            "access_event",
            {"user": f"user{i}", "action": "login"}
        )
        if i % 100 == 0:
            print(f"Queued {i} events")

    # Flush remaining events before shutdown
    client.flush()
    client.close()

asyncio.run(log_many_events())

Context Manager (Recommended)

Use Python's with statement to guarantee shutdown:

from solymus import Solymus

with Solymus(
    endpoint="https://api.prolixotech.com",
    tenant_id="defence-supplier-123",
    api_key="ak_live_your_key"
) as client:

    # All logs are queued and batched
    client.record("access_granted", {"user": "alice"})
    client.record("access_granted", {"user": "bob"})

    # On context exit, automatically flushes and closes

Privacy Hashing

Hash sensitive data (PII, classification markings) before sending to ProlixoTech:

from solymus import Solymus, hash_sha256

# Hash sensitive fields locally
user_email = "alice@defence-supplier.ca"
email_hash = hash_sha256(user_email)

client = Solymus(
    endpoint="https://api.prolixotech.com",
    tenant_id="defence-supplier-123",
    api_key="ak_live_your_key"
)

receipt = client.record_sync(
    "user_action",
    {
        "user_hash": email_hash,      # Only the hash is sent
        "action": "file_access",
        "resource": "PROTECTED-B-doc.pdf"
    }
)

print(f"Hashed PII sent securely: {receipt.event_id}")

SDK Support Matrix

SDK Status Min Version Install
Python Production 3.9+ pip install solymus
JavaScript / TypeScript In Dev ES2020 npm install @solymus/sdk (soon)
Go Planned 1.20+ go get solymus.dev/sdk (soon)

JavaScript / TypeScript (In Dev)

A browser and Node.js SDK is currently in development. Expected release: Q2 2026.

API Authentication Contract

All API requests require authentication via the X-Api-Key header:

curl -X POST https://api.prolixotech.com/ingest \
  -H "X-Api-Key: ak_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "defence-supplier-123",
    "event_type": "access_control_event",
    "payload": {"user": "alice", "action": "login"}
  }'

POST /ingest

Record a compliance evidence event.

POST /ingest

Authentication: X-Api-Key header

Request Body:

tenant_idYour tenant identifier
event_typeType of evidence (e.g., "access_control_event")
payloadJSON object with event data

GET /verify/{event_id}

Verify a recorded event's cryptographic signature and Merkle linkage (requires API key).

GET /verify/{event_id}

Authentication: X-Api-Key header

Response: JSON with status, kms_signature_valid, merkle_inclusion_proof

GET /public/verify/{event_id}

Public verification endpoint for auditors (no authentication required). Enables auditors to verify evidence independently:

GET /public/verify/{event_id}

Authentication: None

Response: JSON with verification proof. Share this URL with your assessor or auditor.

Example: https://api.prolixotech.com/public/verify/3832bcb3-daea-4a9c-a198-96a249107f51

GET /events

Retrieve all recorded events for a tenant (requires API key). Supports filtering and pagination:

GET /events?limit=100&offset=0&event_type=access_control_event

Query Parameters:

  • limit - Max results per page (default: 50)
  • offset - Pagination offset (default: 0)
  • event_type - Filter by event type (optional)
  • start_date - ISO 8601 start date (optional)
  • end_date - ISO 8601 end date (optional)

GET /certificate/{day}

Generate a monthly Merkle attestation certificate signed by KMS (requires API key):

GET /certificate/2026-03-01

Authentication: X-Api-Key header

Response: JSON with Merkle root hash, inclusion proofs, and KMS signature

Solymus Installation Options

Deploy Solymus to your CPCSC readiness infrastructure:

Option 1: Local Installation (Recommended for Testing)

Install the Python SDK on your machine:

pip install solymus

Option 2: Docker Container

Run Solymus in a containerized environment:

docker run -e SOLYMUS_API_KEY=ak_live_your_key \
  -e SOLYMUS_TENANT_ID=defence-supplier-123 \
  prolixotech/solymus:latest

Option 3: AWS Lambda Integration

Deploy Solymus as a Lambda layer for serverless compliance logging:

aws lambda update-function-code \
  --function-name my-compliance-function \
  --layers arn:aws:lambda:us-east-1:123456789:layer:solymus:1

Browser Extension

Coming soon: A browser extension to automatically log web-based compliance actions (e.g., policy acknowledgements, access approvals).

Integrations

Beta Status: Integration features are currently in beta and undergoing testing with early customers.

M365 (Microsoft 365)

Collect evidence from Microsoft Entra ID (Azure AD), SharePoint, and Exchange logs automatically. Requires M365 admin credentials.

AWS

Ingest CloudTrail logs and VPC Flow Logs into the evidence ledger. Supports both commercial and GovCloud regions.

Custom Webhooks

Send compliance events from any third-party system via HTTP POST to a Solymus webhook endpoint.

CPCSC / ITSP.10.171

ProlixoTech serves as the evidence engine for CPCSC readiness. Mapped to ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3) — 97 controls across 17 families.

How ProlixoTech Supports CPCSC

ITSP.10.171 Control Families (17 total, 97 controls)

Family Name Controls Evidence Types
ACAccess Control22Account creation, role changes, access reviews
ATAwareness and Training3Training completion, role-based training
AUAudit and Accountability9Log events, audit reviews, log protection
CASecurity Assessment and Monitoring4Assessment results, POA&M items
CMConfiguration Management9Baseline configs, change requests
IAIdentification and Authentication11MFA events, password changes
IRIncident Response8Incident reports, response actions
MAMaintenance6Maintenance logs, remote access
MPMedia Protection4Media handling, sanitization
PEPhysical Protection6Physical access logs, visitor records
PSPersonnel Security5Screening, terminations, transfers
PLPlanning2Security plans, rules of behaviour
RARisk Assessment3Vulnerability scans, risk assessments
SASystem and Services Acquisition5Supply chain assessments, developer security
SCSystem and Communications Protection16Boundary protection, encryption status
SISystem and Information Integrity7Malware scans, patch status, alerts
SRSupply Chain Risk Management3Supplier assessments, provenance tracking

ProlixoTech can capture evidence for all 17 control families:

CPCSC Evidence Factory API

The CPCSC Evidence Factory provides a streamlined three-step flow for uploading compliance evidence (policies, access logs, assessment reports, etc.):

Step 1: Request Presigned Upload URL

curl -X POST https://api.prolixotech.com/cmmc/artifacts/upload \
  -H "X-Api-Key: ak_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "defence-supplier-123",
    "filename": "AC-Policy-2026.pdf",
    "content_type": "application/pdf",
    "evidence_type": "policy_document"
  }'

Step 2: Upload to S3 (Using Presigned URL)

The API returns a presigned POST URL. Use it to upload your file directly to S3 without needing AWS credentials:

curl -X POST https://s3.amazonaws.com/prolixo-artifacts-bucket \
  -F "key=uploads/artifact-uuid" \
  -F "policy=..." \
  -F "file=@AC-Policy-2026.pdf"

Step 3: Finalize (Compute Hash & Map Controls)

Once uploaded, call finalize to compute the SHA-256 hash and auto-map the artifact to ITSP.10.171 controls:

curl -X POST https://api.prolixotech.com/cmmc/artifacts/uuid/finalize \
  -H "X-Api-Key: ak_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{}'

CPCSC Evidence Recording Example

Here's a complete example recording a CPCSC evidence event with control mapping:

from solymus import Solymus

client = Solymus(
    endpoint="https://api.prolixotech.com",
    tenant_id="defence-supplier-123",
    api_key="ak_live_your_key"
)

# Record a CPCSC access control event
receipt = client.record_sync(
    "access_control_event",
    {
        "user_id": "alice@defence-supplier.ca",
        "action": "access_granted",
        "resource": "PROTECTED-B-procurement-docs",
        "classification": "PROTECTED B",
        "timestamp": "2026-03-14T10:15:00Z"
    }
)

# Auto-mapped to ITSP.10.171 controls: AC-2, AC-3, AC-4
print(f"Event recorded: {receipt.event_id}")
print(f"Controls mapped: AC-2, AC-3, AC-4")
print(f"Signature valid: {receipt.signing_alg == 'ECDSA_SHA_256'}")

Export Compliance Packages

Generate a complete CPCSC readiness package for assessors:

curl -X POST https://api.prolixotech.com/cmmc/exports \
  -H "X-Api-Key: ak_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_id": "defence-supplier-123",
    "export_type": "evidence_index",
    "include_ssp": true,
    "include_poam": true
  }'

GovCloud Note: If using AWS GovCloud, please upload only non-classified artifacts. Classified data must be handled through separate channels. Contact support for GovCloud guidance.

Plan-Based Access

Solymus offers three tiers of service, each designed for a different stage of CPCSC readiness. CPCSC Level 1 is free for a limited time. Credit card required to activate. Early bird pricing for Level 2 and Level 3 is available until December 31, 2026.

Feature Level 1 (FREE) Level 2 (C$5,000/mo early bird) Level 3 (C$5,000/mo early bird)
Evidence Ingestion
Verification
Events (365 days) ✅ (2026 promo)
Exports Evidence Index only Full suite (SSP + POA&M) Full suite + Board reports
Certificates
CloudTrail Receipts
Integrations Beta Full (GovCloud — Roadmap)
SSO/SAML
Roadmap Frameworks ISO 42001 · CGP · Law 25 · ISO 27001 · SOC 2 · ISO 27701 All Level 2 roadmap + GDPR · CRA/SBOM · NATO STANAG
Plan Price Monthly Events Retention Seats Workspaces API Keys
CPCSC Level 1 FREE 1,000 365 days (2026 promo) 3 1 1
CPCSC Level 2 C$5,000/mo (early bird, standard C$10,000/mo) 100,000 365 days 10 3 10
CPCSC Level 3 C$5,000/mo (early bird, standard C$30,000/mo) 1,000,000 Unlimited Unlimited Unlimited 100 (cap)

Pricing Note: All prices are in Canadian dollars (CAD). Early bird pricing (C$5,000/mo for Level 2 or Level 3) is available until December 31, 2026. After that, standard pricing applies (C$10,000/mo for Level 2, C$30,000/mo for Level 3). Contact sales for volume discounts and custom arrangements.

Next Steps

Support & Resources

Disclaimer: ProlixoTech is a documentation and evidence recording platform. It is not legal advice, nor does it guarantee compliance with CPCSC requirements. Always consult with a qualified security professional or accredited certification body (ACB) for official compliance assessments. ProlixoTech evidence supports audit readiness and assessor reviews, but compliance decisions rest with your organization and regulatory bodies.