VaultFuzion BY KAPARDYN
Compliance · 07 May 2026 · 6 min read

Why every VaultFuzion tenant now sees an A-F POPIA grade on their dashboard

Compliance scores have a problem: a number on its own does not tell you whether you are above or below the line. A letter does.

— VaultFuzion Engineering

For two years our compliance dashboard surfaced a 0–100 score across the thirteen platform checks that VaultFuzion runs continuously against every tenant — retention policy, encryption posture, audit-trail coverage, data residency, consent basis, deletion proof, breach-notification readiness, and the rest.

A score on its own has a problem. 73 sounds good in a context where 65 is the median and bad in a context where the audit threshold is 80. The number does not tell you which side of the line you are on. It also does not tell the Information Officer whether the conversation should be "we are fine" or "we have work to do."

What changed

Every tenant dashboard now carries an A-F band derived from the same 0-100 score. Each letter is defined by the floor of its band: A is 90 and above, B starts at 80, C at 70, D at 60, E at 50, and F is anything below 50. The colour ramp moves with it, from green through amber to red.

The Partner Portal now surfaces the distribution. An MSP with thirty tenants no longer scrolls a list of scores; they see how many of their tenants are A, how many are F, and which ones to call first. The internal Platform Health view rolls up the same distribution across every tenant on the platform so VaultFuzion staff can flag at-risk MSPs for proactive outreach before the tenant is the one to raise it.

What the grade is, and what it is not

The grade reflects VaultFuzion's internal 13-check operational scoring. It is not a regulatory POPIA verdict — that decision sits with each tenant's Information Officer and the Information Regulator if it ever comes to that. The grade is the conversation-starter, not the conclusion.

Why this is unusual

Most M365 backup vendors talk about compliance in marketing copy. Some publish a maturity model. We could not find a single competitor that puts a live, per-tenant compliance band on the customer's primary dashboard, refreshed nightly, derived from the same evidence the audit chain carries.

The reason most vendors do not do this is that surfacing a low grade on a customer dashboard is uncomfortable. The Information Officer asks why their score is a D, and the support call lands on the vendor. The reason we do it is that the support call is the point. A D-grade tenant is a conversation we want to be having early, not the day before a Section 19 breach notification is due.

How the grade is computed

The thirteen checks live in the platform code, not a separate spreadsheet that drifts out of sync with the product. Each check evaluates a specific aspect of the tenant's operational state — does the retention policy match the documented purpose; is encryption material rotated; is the audit chain continuous; is data residency confirmed against the contract; and so on. Each check resolves to PASS, WARNING, or FAIL.

The composite score weights the checks evenly today; we may surface a configurable weighting in a future release if a customer's industry-specific risk model demands it. The grade letter mapping is fixed and public so the band has a stable meaning across releases.
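The scoring described above, worked through as an added example that is not VaultFuzion's own code: thirteen PASS/WARNING/FAIL outcomes become an evenly weighted score, the score maps to its published band, and a portfolio of tenants is rolled up into a distribution and a lowest-first call order. The half credit given to WARNING, the tenant names and the function names are assumptions; the page states only the even weighting and the letter floors.

```python
from collections import Counter

# Band floors as published on the page: A 90+, B 80, C 70, D 60, E 50, F below 50.
BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (50, "E")]

# ASSUMPTION: the page does not say what each outcome is worth.
# Full credit for PASS, half for WARNING, none for FAIL is chosen for illustration.
CREDIT = {"PASS": 1.0, "WARNING": 0.5, "FAIL": 0.0}
CHECK_COUNT = 13


def composite_score(results):
    """Evenly weighted 0-100 score over exactly thirteen check outcomes."""
    if len(results) != CHECK_COUNT:
        raise ValueError(f"expected {CHECK_COUNT} check results, got {len(results)}")
    unknown = set(results) - set(CREDIT)
    if unknown:
        # Fail closed: an unrecognised outcome must not be scored silently.
        raise ValueError(f"unrecognised outcomes: {sorted(unknown)}")
    return 100.0 * sum(CREDIT[r] for r in results) / CHECK_COUNT


def grade(score):
    """Map a 0-100 score to its letter; a floor value belongs to the higher band."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    for floor, letter in BANDS:
        if score >= floor:
            return letter
    return "F"


def portfolio(tenants):
    """Return (distribution, call_order) for a mapping of tenant -> check outcomes."""
    scores = {name: composite_score(res) for name, res in tenants.items()}
    distribution = Counter(grade(s) for s in scores.values())
    call_order = sorted(scores, key=lambda n: (scores[n], n))  # lowest score first
    return distribution, call_order


# Constructed sample tenants (hypothetical names, not real data).
SAMPLE = {
    "tenant-alpha": ["PASS"] * 13,
    "tenant-bravo": ["PASS"] * 10 + ["WARNING"] * 2 + ["FAIL"],
    "tenant-charlie": ["PASS"] * 5 + ["WARNING"] * 2 + ["FAIL"] * 6,
}

if __name__ == "__main__":
    print(portfolio(SAMPLE))
```

With thirteen evenly weighted checks, one FAIL costs about 7.7 points, so under this assumed credit scheme a tenant with two failed checks cannot score above 84.6 and cannot reach an A.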

What ships next

The thirteen-check matrix is built around POPIA-aligned controls. The same operational evidence maps reasonably onto ISO 27001's Annex A, NIST CSF v2, and SOC 2 Type II, but we have not built the adapters yet. In Q3 2026 we plan to ship pluggable framework adapters so a tenant can pick which framework the grade is computed against (default POPIA, optional ISO 27001 / SOC 2 / NIST). The thirteen checks stay the same; the weighting and thresholds shift per framework.

If your industry needs a specific framework adapter sooner than Q3, we want to hear about it. The order we ship adapters in will be driven by which industries are loudest about needing them.
