What Is Kliper?
Kliper is a compliance assessment platform purpose-built for QSA firms and internal security teams conducting PCI DSS 4.0.1 assessments. It replaces spreadsheets, shared drives, and disconnected tooling with a single, auditable workspace that covers every phase of the ROC lifecycle — from engagement scoping through evidence collection to final report generation. Every action taken inside Kliper is logged, every uploaded file is integrity-hashed and malware-scanned, and every requirement answer is traceable to the assessor who authored it.
Core Data Hierarchy
Kliper organizes work in a strict four-level hierarchy. Understanding this hierarchy is essential for navigating the platform.
Organization
An Organization represents your QSA firm or compliance team. It is the top-level tenant boundary.
- All users, clients, assessments, files, and billing are scoped to an organization.
- Each organization has its own storage quota (default 1 GB, configurable per subscription plan).
- Role-Based Access Control (RBAC) governs what each member can do: Admin, Manager, Contributor, or Viewer.
- Organization administrators manage team invitations, integrations, and subscription billing.
Client
A Client represents the merchant or entity being assessed. Client profiles capture the PCI-relevant context that carries through every engagement:
- Company details — legal name, DBA, address, website.
- PCI context — merchant level (1–4), estimated annual transaction volume, payment brands, last compliance date.
- Primary contact — name, phone, email for the client’s point of contact.
Letter of Engagement (LOE)
An LOE defines the contractual and logistical scope of an engagement. It is the project container that sits between a client and one or more assessments.
| Field Group | What It Captures |
|---|---|
| Scope | Inclusions, exclusions, assessment locations, assessment type |
| Financial | Contract value, payment schedule, billing milestones |
| Timeline | Kickoff date, onsite dates, draft report date, remediation window, final report date |
| QSA Signer | Lead assessor name, credentials, certificate number |
| Legal | Liability cap, confidentiality terms, data handling provisions |
| Status | Draft, Active, Completed, Archived |
Assessment
An Assessment is the core working unit of Kliper. It represents a single PCI DSS 4.0.1 evaluation conducted against the ROC framework. When an assessment is created, the platform automatically loads the full set of PCI DSS testing procedures (200+ requirements across 12 principal sections). Assessors then work through each requirement using the Assessment Workbench — a structured interface for recording findings, uploading evidence, and collaborating with the team. Each assessment tracks:
- Answers — one structured response per testing procedure, with status progression: Pending → Reviewed → Approved.
- Evidence files — uploaded documents, screenshots, configuration exports, and logs. Each file is SHA-256 hashed and malware-scanned on upload.
- Collaborators — team members assigned with specific roles (Editor, Reviewer, Viewer).
- Comments — threaded, requirement-scoped discussions with @mentions and resolution tracking.
- Tasks — actionable work items (To Do, In Progress, Done) with assignees and due dates.
- Audit trail — every change recorded with timestamp, user identity, IP address, and old/new value snapshots.
- Status — Scheduled, In Progress, Review, Completed.
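The three mechanisms the list above describes (intake hashing of evidence, the forward-only answer status progression, and audit entries with old/new snapshots) fit together as shown in this added example. It is not Kliper's code; the class and function names, the scanner verdict flag, and the sample file bytes are assumptions constructed for the illustration.

```python
"""Added example, not Kliper's code: SHA-256 hashing of an evidence upload at
intake, an answer status constrained to Pending -> Reviewed -> Approved, and
an audit trail entry (timestamp, user, IP, old/new value) for every change.
Names and sample data are assumptions constructed for this illustration."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Forward-only progression named on the page; any other move is rejected.
STATUS_TRANSITIONS = {
    "Pending": {"Reviewed"},
    "Reviewed": {"Approved"},
    "Approved": set(),
}


@dataclass
class AuditEntry:
    timestamp: str
    user: str
    ip: str
    field_name: str
    old_value: object
    new_value: object


@dataclass
class Answer:
    requirement_id: str
    status: str = "Pending"
    evidence: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)


def _audit(answer: Answer, user: str, ip: str, field_name: str, old, new) -> None:
    """Append one snapshot of a change to the answer's trail."""
    stamp = datetime.now(timezone.utc).isoformat()
    answer.audit_trail.append(AuditEntry(stamp, user, ip, field_name, old, new))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attach_evidence(answer: Answer, filename: str, data: bytes,
                    user: str, ip: str, scan_clean: bool) -> dict:
    """Hash the upload before it is stored, refuse anything the malware scan
    flagged (scan_clean stands in for the scanner verdict), and log the
    attachment as an audit event."""
    if not scan_clean:
        raise ValueError(f"{filename}: rejected by malware scan")
    record = {"filename": filename, "sha256": sha256_hex(data), "size": len(data)}
    answer.evidence.append(record)
    _audit(answer, user, ip, "evidence", None, record)
    return record


def verify_evidence(record: dict, data: bytes) -> bool:
    """Re-hash the bytes at rest and compare with the intake hash, so later
    modification of a stored file is detectable."""
    return hmac.compare_digest(record["sha256"], sha256_hex(data))


def transition(answer: Answer, new_status: str, user: str, ip: str) -> str:
    """Move an answer forward one step; skips and backward moves are rejected."""
    if new_status not in STATUS_TRANSITIONS[answer.status]:
        raise ValueError(
            f"{answer.requirement_id}: {answer.status} -> {new_status} is not allowed")
    old = answer.status
    answer.status = new_status
    _audit(answer, user, ip, "status", old, new_status)
    return new_status


if __name__ == "__main__":
    # Constructed sample: one requirement, one upload, two status moves.
    ans = Answer("1.2.5")
    rec = attach_evidence(ans, "fw-ruleset.txt", b"deny ip any any\n",
                          "alice@example.test", "10.0.0.5", scan_clean=True)
    transition(ans, "Reviewed", "bob@example.test", "10.0.0.6")
    transition(ans, "Approved", "carol@example.test", "10.0.0.7")
    for entry in ans.audit_trail:
        print(entry.timestamp, entry.user, entry.field_name,
              entry.old_value, "->", entry.new_value)
    print("evidence intact:", verify_evidence(rec, b"deny ip any any\n"))
```

The hash is taken from the bytes as received, before any storage step, so the audit entry records what the assessor actually uploaded; `verify_evidence` is what a later integrity check (or an export step) would call against the stored copy.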
Platform Capabilities at a Glance
| Capability | Description |
|---|---|
| Assessment Workbench | Section-tree navigation, structured answer forms, inline evidence, collapsible side panels for AI, comments, and attachments. |
| Cortex AI | In-context AI assistant that interprets PCI DSS requirements, validates uploaded evidence against requirement-specific criteria, and auto-generates ROC findings text. |
| Scoping Engine | Rules engine that conditionally hides or shows requirements based on the merchant’s environment (e.g., no wireless technology → wireless requirements hidden). |
| Evidence Management | File uploads with SHA-256 integrity hashing, dual-engine malware scanning (ClamAV + VirusTotal), AI-powered document validation, and automatic metadata extraction. |
| DOCX ROC Export | One-click generation of a formatted Report on Compliance document from a Word template, with all assessment data populated into the correct sections. |
| Real-time Collaboration | Threaded comments with @mentions, live presence indicators, push notifications, and per-requirement audit logging. |
| Engagement Phases | Ordered workflow stages (kickoff, onsite, remediation, QA review) with task dependencies, hour estimates, and calendar integration. |
| Gap & Risk Analysis | Automated gap assessment to identify incomplete evidence, per-requirement risk scoring, and AI-generated remediation recommendations. |
| Calendar | Scheduling for meetings, milestones, and interviews with recurrence support and task linking. |
| Admin Dashboard | Activity logs, analytics, server health monitoring, audit trail, and 2FA management. |
| Billing | Stripe-integrated subscription management with Basic, Professional, and Enterprise plans. Usage tracking for assessments, AI summaries, DOCX exports, and storage. |
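The Scoping Engine row above describes requirements being hidden conditionally on the merchant's environment. This added example shows the shape such a rules engine can take and the two edge cases worth getting right: an unanswered environment question must not hide anything, and a non-boolean answer must be rejected rather than coerced. It is not Kliper's code; the flag names, the rule set, and the requirement numbers are constructed for illustration and are not Kliper's rules or an authoritative PCI DSS applicability map.

```python
"""Added example, not Kliper's code: a small conditional-scoping rules engine
in which answers about the merchant's environment hide requirements that
cannot apply. Flag names, rules and requirement numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopingRule:
    flag: str               # environment question the rule reads
    when_value: bool        # rule fires when env[flag] == when_value
    hides: frozenset        # requirement IDs hidden when it fires
    rationale: str          # shown to the assessor as the reason


# Constructed rule set; the requirement numbers are illustrative only.
RULES = (
    ScopingRule("uses_wireless", False,
                frozenset({"1.3.3", "2.3.1", "2.3.2", "4.2.1.2", "11.2.1", "11.2.2"}),
                "no wireless technology in, or connected to, the CDE"),
    ScopingRule("has_public_web_apps", False,
                frozenset({"6.4.1", "6.4.2", "6.4.3", "11.6.1"}),
                "no public-facing web applications or payment pages"),
)


def apply_scoping(env: dict, requirement_ids, rules=RULES):
    """Return (visible_ids, hidden) where hidden maps a requirement ID to the
    rationale of the rule that hid it.

    Two deliberate choices:
    * a flag the profile has not answered never fires a rule, so an incomplete
      environment profile leaves every requirement in scope;
    * a flag that is not a bool is rejected rather than coerced, so a string
      such as "false" cannot silently hide requirements.
    """
    id_set = set(requirement_ids)
    hidden = {}
    for rule in rules:
        if rule.flag not in env:
            continue
        value = env[rule.flag]
        if not isinstance(value, bool):
            raise TypeError(f"{rule.flag}: expected bool, got {value!r}")
        if value == rule.when_value:
            for rid in rule.hides & id_set:
                hidden.setdefault(rid, rule.rationale)
    visible = [rid for rid in requirement_ids if rid not in hidden]
    return visible, hidden


def scoping_summary(env: dict, requirement_ids, rules=RULES) -> str:
    """Human-readable summary of what was hidden and why."""
    visible, hidden = apply_scoping(env, requirement_ids, rules)
    lines = [f"{len(visible)} of {len(requirement_ids)} requirements in scope"]
    for rid in sorted(hidden):
        lines.append(f"  hidden {rid}: {hidden[rid]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed subset of the loaded requirement list.
    reqs = ["1.2.5", "1.3.3", "2.3.1", "6.4.3", "11.2.1", "11.6.1", "12.8.1"]
    print(scoping_summary({"uses_wireless": False, "has_public_web_apps": True}, reqs))
```

Keeping the rationale alongside each hidden ID matters for the ROC: an assessor (or a later QA reviewer) can see why a requirement was excluded from the workbench rather than having to reconstruct the scoping decision.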
Authentication and Access
Kliper uses cookie-based session authentication with support for:
- Email/password sign-up and sign-in.
- OAuth providers — Google, GitHub, and Microsoft.
- Two-factor authentication (2FA) — TOTP-based, with trusted device exemption.
- Passkeys — WebAuthn-based passwordless authentication.
x-organization header. Switching between organizations (for users who belong to multiple) is handled transparently in the UI.
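Because the organization is the tenant boundary and the x-organization header is supplied by the client, the server has to treat that header as a selection among the organizations the session user already belongs to, never as proof of membership. This added example shows that check, followed by the RBAC role test and an organization-filtered query. It is not Kliper's code; the membership table, the assumed role ordering (Viewer < Contributor < Manager < Admin), and the function names are constructed for the illustration.

```python
"""Added example, not Kliper's code: resolving the active organization for a
request from the session user and the x-organization header, verifying
membership before any role is consulted, and scoping a query to that
organization. Membership data, role ordering and names are assumptions."""
from dataclasses import dataclass

# Roles named on the page; the least-to-most-privileged order is assumed.
ROLE_RANK = {"Viewer": 0, "Contributor": 1, "Manager": 2, "Admin": 3}

# Constructed membership table: user -> {org_id: role}.
MEMBERSHIPS = {
    "alice@example.test": {"org-acme-qsa": "Admin", "org-beta-sec": "Viewer"},
    "bob@example.test": {"org-acme-qsa": "Contributor"},
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class RequestContext:
    user: str
    org_id: str
    role: str


def resolve_context(session_user, headers, memberships=MEMBERSHIPS) -> RequestContext:
    """Bind the request to exactly one organization the user is a member of.

    A missing session, a missing header, and a header naming an organization
    the user does not belong to all fail with the same exception type, so the
    response does not reveal which organization IDs exist.
    """
    if not session_user:
        raise AccessDenied("no authenticated session")
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    org_id = lowered.get("x-organization", "").strip()
    if not org_id:
        raise AccessDenied("x-organization header missing")
    role = memberships.get(session_user, {}).get(org_id)
    if role is None:
        raise AccessDenied("not a member of the requested organization")
    return RequestContext(session_user, org_id, role)


def require_role(ctx: RequestContext, minimum: str) -> bool:
    """True if ctx.role is at least `minimum` in the assumed rank order."""
    if ROLE_RANK[ctx.role] < ROLE_RANK[minimum]:
        raise AccessDenied(f"{ctx.role} cannot perform an action requiring {minimum}")
    return True


def list_client_ids(ctx: RequestContext, clients) -> list:
    """Filter by the resolved organization, never by a value the client sent
    directly; `clients` stands in for a table of client rows."""
    return [c["id"] for c in clients if c["org_id"] == ctx.org_id]


if __name__ == "__main__":
    # Constructed rows and requests.
    clients = [
        {"id": "cli-1", "org_id": "org-acme-qsa"},
        {"id": "cli-2", "org_id": "org-beta-sec"},
    ]
    ctx = resolve_context("alice@example.test", {"X-Organization": "org-beta-sec"})
    print(ctx, list_client_ids(ctx, clients))
    try:
        resolve_context("bob@example.test", {"x-organization": "org-beta-sec"})
    except AccessDenied as exc:
        print("denied:", exc)
```

The role carried in the returned context is the user's role in the organization actually selected, so a user who is Admin in one organization and Viewer in another gets Viewer permissions when the header names the second one.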
Next Steps
Security & AI Trust
Learn how Kliper protects evidence integrity and how Cortex AI handles your data.
Scoping & Workbench
Understand the PCI DSS scoping engine and the assessment workbench interface.
Cortex AI
See how Cortex validates evidence and auto-generates ROC findings.
ROC Report Export
Generate your final DOCX Report on Compliance.