Getting Started
Quick Start (5 minutes)
1. Create Your Account
Sign up at nebulaproof.com and choose your plan. The Starter tier is free and includes 100 evidence items.
2. Install the Browser Extension
Install the NebulaProof extension from the Chrome Web Store. It works on Chrome and Edge.
Dashboard → Settings → Browser Extension → Install
3. Capture Your First Evidence
Navigate to any compliance-relevant page (e.g., your cloud console, HR system, or security dashboard), then click the NebulaProof extension icon and select "Capture Evidence."
4. Map to Controls
In your dashboard, map captured evidence to compliance framework controls (e.g., SOC 2 CC6.1, HIPAA 164.312). NebulaProof auto-suggests mappings based on the evidence content.
API Access
Get your API key from the Dashboard Settings page. All API requests use Bearer token authentication.
Capture Evidence
Browser Extension
The NebulaProof browser extension is the primary evidence capture tool. It captures screenshots with cryptographic signatures, URL metadata, and timestamps — all in one click.
What Gets Captured
Each evidence capture creates a court-ready proof bundle containing:
- Screenshot — Full-page or visible area capture
- URL & Domain — Verified source location
- Timestamp — ISO 8601 capture time with timezone
- Ed25519 Signature — Tamper-evident digital signature
- Content Hash — SHA-256 fingerprint of the evidence
- Chain Entry — Hash-linked to previous evidence (Merkle tree)
Evidence Collection Methods
Manual Capture
Click the extension icon on any page. Best for ad-hoc evidence and one-time compliance checks.
Scheduled Collection
Set up recurring captures (daily, weekly, monthly) for controls that require continuous monitoring. Configure in Dashboard → Collections → Schedules.
API-Based Collection
Use the REST API to programmatically submit evidence from CI/CD pipelines, monitoring tools, or custom integrations.
URL Auto-Recognition
The extension recognizes compliance-relevant URLs (AWS Console, Azure Portal, Google Workspace Admin) and suggests captures automatically.
Prove Compliance
How Proof Chains Work
Every piece of evidence is cryptographically linked into an immutable proof chain. Unlike traditional compliance tools that ask you to "trust us," NebulaProof provides mathematical proof that your evidence is authentic and untampered.
7-Stage Chain of Custody
NebulaProof tracks evidence through seven verified stages, each producing its own attestation:
Proof Types
Capture Attestation
Proves when, where, and how evidence was captured. Includes Ed25519 signature, URL, timestamp, and content hash.
Integrity Proof (Merkle)
Merkle tree root hash proving the complete evidence set has not been tampered with. Auditors can independently verify any leaf.
Compliance Mapping Proof
Cryptographic binding between evidence items and framework controls. Proves which evidence satisfies which requirements.
Deletion Certificate
Cryptographic proof that evidence was permanently destroyed (GDPR Article 17). Recovery is mathematically impossible after deletion.
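The leaf check described under Integrity Proof (Merkle) above, as an added example that is not NebulaProof's own code: it builds a SHA-256 Merkle tree over constructed evidence records, produces an inclusion proof for one item, and verifies it against the root. The RFC 6962-style hash prefixes, the odd-node promotion rule, the proof encoding and the sample records are assumptions, since the page does not specify the bundle format.

```python
import hashlib
import hmac

# Assumption: RFC 6962-style domain separation (0x00 for leaves, 0x01 for interior
# nodes). The page does not document NebulaProof's actual tree construction.
def leaf_hash(content: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + content).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(items):
    """Return every tree level, leaves first; an unpaired node is promoted as-is."""
    levels = [[leaf_hash(i) for i in items]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, tagged with the side the sibling sits on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(content: bytes, proof, root: bytes) -> bool:
    """Auditor side: recompute the root from one item and its proof path."""
    h = leaf_hash(content)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, root)

# Constructed sample evidence records (not real NebulaProof bundles).
EVIDENCE = [f"evidence-{n}|https://console.example/{n}|2024-01-0{n}T00:00:00Z".encode()
            for n in range(1, 6)]

def demo():
    levels = build_levels(EVIDENCE)
    root = levels[-1][0]
    proof = inclusion_proof(levels, 2)
    ok = verify_inclusion(EVIDENCE[2], proof, root)
    tampered = verify_inclusion(EVIDENCE[2] + b"!", proof, root)
    return ok, tampered

if __name__ == "__main__":
    print(demo())
```

The proof shows membership under a root the verifier already trusts; the root itself still has to be authenticated separately, for example by the signature the bundle carries.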
Pass Audits
Auditor Portal
Share evidence with external auditors through a secure, read-only verification portal. Auditors can independently verify proof chains without accessing your internal systems.
1. Create a Sharing Package: Select evidence items and controls, then generate a shareable link or export bundle.
2. Invite Your Auditor: Send the secure link to your auditor. They can view evidence without creating an account.
3. Auditor Verifies Independently: Auditors verify cryptographic signatures, check timestamps, and validate proof chains using open-source tools.
4. Track Audit Progress: See which evidence items your auditor has reviewed, with real-time status in your dashboard.
Framework Mapping
Map evidence to specific framework controls. NebulaProof auto-suggests mappings and tracks coverage gaps.
AI-powered suggestions based on evidence content, URL patterns, and historical mappings from your organization.
Real-time view of which controls have evidence, which are stale, and which have gaps — across all frameworks.
Evidence Sharing Options
Manage Teams
Organization Setup
Create your organization, invite team members, and assign roles. Each organization gets its own isolated workspace with separate evidence, controls, and audit history.
Roles & Permissions
| Role | Capabilities |
|---|---|
| Owner | Full access, billing, team management, delete org |
| Admin | Manage members, configure frameworks, approve evidence |
| Compliance Lead | Map evidence to controls, manage audit packages, share with auditors |
| Contributor | Capture evidence, view controls, comment on items |
| Viewer | Read-only access to evidence and compliance dashboards |
API Reference
Interactive API Documentation
Full Swagger/OpenAPI docs available at api.nebulaguard.net/docs
Authentication
All API requests require a Bearer token or API key in the Authorization header:
Evidence Endpoints
Proof Endpoints
Controls & Frameworks
Webhooks
Subscribe to events for real-time notifications when evidence is captured, controls are updated, or audits complete.
Rate Limits
Guides
Getting Started with NebulaProof
Account setup, first evidence capture, and dashboard walkthrough
Browser Extension Installation
Install, configure, and start capturing evidence in Chrome or Edge
Mapping Evidence to Controls
Link captured evidence to specific framework controls for audit readiness
Setting Up Framework Compliance
Configure SOC 2, HIPAA, GDPR, ISO 27001, and other frameworks
Sharing Evidence with Auditors
Generate audit packages, secure links, and manage auditor access
Evidence Chain of Custody
Understand the 7-stage proof chain and how to verify evidence integrity
Automating Evidence Collection
Set up scheduled captures, API integrations, and webhook triggers
Custom Frameworks
Create custom compliance frameworks with your own controls and evidence requirements
Framework Coverage
SOC 2 Type II
61 controls
Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy
- Continuous monitoring
- Control evidence mapping
- Auditor-ready packages
HIPAA
75 controls
Health Insurance Portability and Accountability Act safeguards
- PHI access tracking
- BAA support
- Secure disposal proofs
GDPR
99 controls
General Data Protection Regulation requirements
- Article 17 deletion proofs
- Data residency attestation
- Consent evidence
ISO 27001
114 controls
Information Security Management System standard
- Annex A control mapping
- Risk assessment evidence
- ISMS documentation
PCI DSS
78 controls
Payment Card Industry Data Security Standard
- Network security evidence
- Access control proofs
- Encryption validation
NIST CSF
108 controls
National Institute of Standards and Technology Cybersecurity Framework
- Identify/Protect/Detect/Respond/Recover
- Maturity scoring
- Gap analysis
SOX
44 controls
Sarbanes-Oxley Act financial controls
- IT general controls
- Financial reporting evidence
- Change management
CCPA
34 controls
California Consumer Privacy Act compliance
- Consumer request tracking
- Data inventory proofs
- Opt-out evidence
SDKs & Tools
Browser Extension
Available
One-click evidence capture with cryptographic signing. Works on Chrome and Edge.
- Screenshot capture with Ed25519 signatures
- URL auto-recognition for compliance pages
- Offline queue with automatic sync
REST API
Available
Full-featured REST API for programmatic evidence submission, proof verification, and compliance management.
- OpenAPI/Swagger documentation
- Bearer token & API key auth
- 272+ endpoints
Webhooks
Available
Real-time event notifications for evidence captures, control updates, and audit milestones.
- HMAC-signed payloads
- Retry with exponential backoff
- Event filtering
CLI
Coming Soon
Command-line interface for bulk evidence operations, CI/CD integration, and automated compliance checks.
- Bulk evidence upload
- CI/CD pipeline integration
- Proof verification offline
Frequently Asked Questions
How does NebulaProof differ from traditional GRC tools?
Traditional GRC tools rely on manual uploads and self-reported compliance. NebulaProof captures evidence with cryptographic signatures at the moment of observation, creating proof chains that auditors can independently verify. Evidence is mathematically tamper-evident, not just 'trusted.'
Can auditors verify proofs without our help?
Yes. Download the proof bundle from the dashboard and share with auditors. They can independently verify Ed25519 signatures, validate Merkle tree roots, and check hash chains using open-source cryptographic tools. No NebulaProof account needed.
What makes captured evidence court-ready?
Each evidence item includes a cryptographic signature (Ed25519), content hash (SHA-256), verified timestamp, URL and domain metadata, and a position in an immutable hash chain. This creates a verifiable chain of custody from capture to presentation.
How do I map evidence to multiple frameworks?
A single evidence item can be mapped to controls in multiple frameworks simultaneously. For example, one screenshot proving encryption-at-rest can satisfy SOC 2 CC6.1, HIPAA 164.312(a)(2)(iv), and ISO 27001 A.10.1.1.
What happens if evidence becomes stale?
NebulaProof tracks evidence freshness. When evidence ages past its framework-specific threshold (e.g., 90 days for SOC 2 continuous controls), it's flagged as stale in the coverage dashboard with a prompt to recapture.
How do I rotate my API key?
Go to Dashboard > Settings > API Keys > Generate New Key. Update your applications with the new key, then revoke the old one. We recommend rotating every 90 days.
Does the browser extension work offline?
Yes. Evidence captures are queued locally and synced automatically when the connection is restored. Signatures are applied at capture time, so the timestamp reflects when the evidence was actually observed.
Can I use NebulaProof with custom or internal frameworks?
Yes. Create custom frameworks with your own controls, evidence requirements, and mapping rules. Custom frameworks support the same proof chain and auditor sharing features as built-in frameworks.