EXCEPTAO EU · v0
About

One practitioner who runs real audits — and built the systems that produced the evidence.

Exceptao is built by one person who has stood on both sides of the audit table — presenting evidence to auditors, and engineering the systems that produced that evidence. The platform treats compliance as architecture: tenant isolation enforced in the database, tamper-evident audit chains, and a single, minimal ingress path. The aim is straightforward — to make it easier to demonstrate what you actually do, day to day.

What we believe

Three principles the platform is built on.

01

Security is not a pricing tier

MFA, a tamper-evident audit log, Postgres row-level tenant isolation, encrypted backups, at least one OIDC IdP — every plan, day one. Security is the cost of entry, not a premium upsell.

02

Workflow over checklist

An exception is a time-boxed decision with named approvers, an expiry, and an audit trail. Renewals fire themselves. Auditors get a deterministic chain, not a spreadsheet someone forgot to update.

03

Boring, durable, pen-test-grade

Postgres RLS, Cloudflare Tunnel, hardware-backed admin auth, a hash-chained append-only audit log. The platform is the kind of thing the buyer's own pen-testers can poke at — that's the bar.

Founder

Who builds Exceptao.

A solo founder, pairing hands-on compliance engineering — finance, industrial automation, maritime, healthcare — with two decades of operational cybersecurity experience. Translated into product, not consulting hours.

Founder and solution architect for Exceptao. Designs the platform's security backbone — tenant isolation enforced in Postgres at the row-policy level (not in application code), an append-only hash-chained audit log, envelope-encrypted secrets, and a single ingress path through Cloudflare Tunnel with no public inbound on the VPS.

Compliance background: ISO/IEC 27001 and ISO/IEC 42001 Lead Auditor. Hands-on with environments where compliance has teeth — financial services under DORA, industrial automation and logistics under NIS2, and a global maritime fleet where vulnerability management, endpoint protection and security monitoring had to work across a thoroughly distributed estate.

Earlier, ran IT in a hospital — strategy, business continuity, and security ownership for an environment where downtime has a different cost than it does in a SaaS. Graduate of the Jagiellonian University in Kraków (applied psychology, HR management, negotiation), which is more relevant to running an audit conversation than people expect.

ISO 27001 / 42001 LA | NIS2 · DORA | Postgres RLS | Tamper-evident audit | Healthcare · Maritime · Finance

Talk

The fastest way to evaluate Exceptao is to hand the demo to your auditors.

If you want a walkthrough that goes deeper than the home page — architecture, the audit-verify endpoint, how an exception goes from filed to expired — write in. The reply is from the person who built it, not a BDR.