For two years our compliance dashboard surfaced a 0–100 score across the thirteen platform checks that VaultFuzion runs continuously against every tenant — retention policy, encryption posture, audit-trail coverage, data residency, consent basis, deletion proof, breach-notification readiness, and the rest.
A score on its own has a problem. A 73 sounds good in a context where 65 is the median and bad in a context where the audit threshold is 80. The number does not tell you which side of the line you are on. It also does not tell the Information Officer whether the conversation should be "we are fine" or "we have work to do."
What changed
Every tenant dashboard now carries an A–F band derived from the same 0–100 score. Each letter is a lower bound: A is 90 and above, B is 80, C is 70, D is 60, E is 50, and F is below 50. The colour ramp moves with it — green to amber to red.
The Partner Portal now surfaces the distribution. An MSP with thirty tenants no longer scrolls a list of scores; they see how many of their tenants are A, how many are F, and which ones to call first. The internal Platform Health view rolls up the same distribution across every tenant on the platform so VaultFuzion staff can flag at-risk MSPs for proactive outreach before the tenant is the one to raise it.
The grade reflects VaultFuzion's internal 13-check operational scoring. It is not a regulatory POPIA verdict — that decision sits with each tenant's Information Officer and the Information Regulator if it ever comes to that. The grade is the conversation-starter, not the conclusion.
Why this is unusual
Most M365 backup vendors talk about compliance in marketing copy. Some publish a maturity model. We could not find a single competitor that puts a live, per-tenant compliance band on the customer's primary dashboard, refreshed nightly, derived from the same evidence the audit chain carries.
The reason most vendors do not do this is that surfacing a low grade on a customer dashboard is uncomfortable. The Information Officer asks why their score is a D, and the support call lands on the vendor. The reason we do it is that the support call is the point. A D-grade tenant is a conversation we want to be having early, not the day before a Section 19 breach notification is due.
How the grade is computed
The thirteen checks live in the platform code, not a separate spreadsheet that drifts out of sync with the product. Each check evaluates a specific aspect of the tenant's operational state — does the retention policy match the documented purpose; is encryption material rotated; is the audit chain continuous; is data residency confirmed against the contract; and so on. Each check resolves to PASS, WARNING, or FAIL.
The composite score weights the checks evenly today; we may surface a configurable weighting in a future release if a customer's industry-specific risk model demands it. The grade letter mapping is fixed and public so the band has a stable meaning across releases.
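An added example (not VaultFuzion's code) of the scoring described above and the Partner Portal roll-up: even weighting across thirteen PASS/WARNING/FAIL checks, the fixed band mapping, and a per-band distribution with a worst-first call list. The points given to each outcome, the check names and the tenant data are assumptions, since the page does not publish them.

```python
from collections import Counter

# Lower bounds for each band as stated on the page; anything under 50 is F.
BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (50, "E")]

# ASSUMPTION: the page does not say what each outcome is worth. Full credit
# for PASS, half for WARNING and none for FAIL is illustrative only.
POINTS = {"PASS": 1.0, "WARNING": 0.5, "FAIL": 0.0}
CHECK_COUNT = 13


def composite_score(results):
    """Evenly weighted 0-100 score from a {check_name: outcome} mapping."""
    if len(results) != CHECK_COUNT:
        raise ValueError(f"expected {CHECK_COUNT} checks, got {len(results)}")
    unknown = set(results.values()) - set(POINTS)
    if unknown:
        # A check that never evaluated must not silently count as a pass.
        raise ValueError(f"unrecognised outcomes: {sorted(unknown)}")
    return 100.0 * sum(POINTS[o] for o in results.values()) / CHECK_COUNT


def grade(score):
    """Map a 0-100 score to its A-F band."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next((letter for floor, letter in BANDS if score >= floor), "F")


def portfolio_view(tenants):
    """Return (band distribution, tenant names ordered worst score first)."""
    scores = {name: composite_score(r) for name, r in tenants.items()}
    distribution = Counter(grade(s) for s in scores.values())
    call_first = sorted(scores, key=lambda n: (scores[n], n))
    return distribution, call_first


def _sample(passes, warnings):
    """Constructed sample using hypothetical names check_01..check_13."""
    outcomes = ["PASS"] * passes + ["WARNING"] * warnings
    outcomes += ["FAIL"] * (CHECK_COUNT - len(outcomes))
    return {f"check_{i:02d}": o for i, o in enumerate(outcomes, 1)}


# Constructed tenants, not real data.
TENANTS = {
    "tenant-a": _sample(13, 0),
    "tenant-b": _sample(9, 2),
    "tenant-c": _sample(4, 3),
}
```

Rejecting an incomplete or unrecognised result set, rather than scoring it, keeps a check that failed to run from inflating the band.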
What ships next
The thirteen-check matrix is built around POPIA-aligned controls. The same operational evidence maps reasonably onto ISO 27001's Annex A, NIST CSF v2, and SOC 2 Type II — but we have not built the adapters yet. In Q3 2026 we plan to ship pluggable framework adapters so a tenant can pick which framework the grade is computed against (default POPIA, optional ISO 27001 / SOC 2 / NIST). The thirteen checks stay the same; the weighting and thresholds shift per framework.
If your industry needs a specific framework adapter sooner than Q3, we want to hear about it. The order we ship adapters in will be driven by which industries are loudest about needing them.