Create your workspace
Sign up at app.axiomcodex.io. You’ll need an admin email on your company domain.
Pick your starting framework
On the welcome screen, select one or more:
- SOC 2 Type I or II — see the SOC 2 guide
- ISO 27001:2022 — see the ISO 27001 guide
- HIPAA — Security Rule, Privacy Rule, or both
Connect evidence sources
Open Integrations and connect:
- Identity — Google Workspace, Microsoft 365, Okta (auto-fills access reviews, MFA enforcement, deactivation logs)
- MDM — Jamf, Kandji, Intune (auto-fills disk encryption, OS patching, screen lock)
- Code host — GitHub, GitLab (auto-fills code review, branch protection, vulnerability scanning)
- Ticketing — Jira, Linear (auto-fills change management, incident response)
- Cloud — AWS, GCP, Azure (auto-fills logging, backup, network segmentation)
Review the auto-evidence
Open Controls and filter by framework. Each control shows:
- Status: Met, partial, missing, or N/A
- Evidence: live snapshots from connected sources, with source + timestamp
- Last verified: when Codex last re-pulled evidence
Assign controls that need a human
Some controls (training records, vendor due diligence, BCP testing) can’t be auto-evidenced. Assign owners and set due dates from the Controls page. Codex sends reminders at 7d / 3d / 1d / overdue.
What Codex doesn’t do
Codex is evidence collection and gap-finding, not policy authoring. We don’t ship boilerplate policies — too many of them are wrong for your business, and auditors are wise to copy-paste templates anyway. We integrate with Notion, Confluence, and Google Docs so you write policies where you already write everything else.
What auditors say
Auditors who’ve reviewed Codex evidence packages flag two things consistently:
- Timestamps are real — every evidence snapshot includes the API call time, not “we generated this last Tuesday”
- Source pointers — every claim has a “see exact API response here” link, which is what they actually need to validate