Release Notes

What's been done?

Revision 33

Technical debt

It’s all about technical debt this time around: internal fixes and UX optimization.

Revision 32

Cloud Sovereignty & Digital Independence

Help European organizations assess sovereignty risks and plan cloud migrations away from US hyperscalers. Eight new features deliver AI-powered assessment, actionable migration planning, and compliance mapping for European sovereignty frameworks.

What’s new:

  • Sovereignty Assessment Agent - A new specialized AI agent evaluates your cloud workloads for sovereignty risks. Scores each workload against EUCS, BSI C5, and SecNumCloud frameworks and classifies them as Sovereign-Ready, Partially Sovereign, At-Risk, or Non-Sovereign. Includes data residency analysis, vendor dependency mapping, and CLOUD Act exposure assessment
  • Sovereignty Readiness Questionnaire - Structured intake capturing your sovereignty drivers (regulatory, political, strategic), data classifications, acceptable sovereignty levels, and migration constraints. Covers three sovereignty dimensions: data sovereignty, operational sovereignty, and software sovereignty
  • Cloud Exit Strategy Planner - Generates comprehensive exit strategies with workload portability scoring (Portable/Adaptable/Locked-in), lock-in point identification, migration complexity matrices, cost comparison against European providers, dependency graphs, and phased migration timelines
  • European Provider Knowledge Base - Curated reference database mapping Azure and AWS services to European equivalents including OVHcloud, Hetzner, IONOS, Scaleway, Exoscale, Open Telekom Cloud, STACKIT, and more. Includes certification status, pricing tiers, SLA data, and region coverage
  • Sovereignty Compliance Dashboard - Visual sovereignty posture with overall score (0-100), data residency breakdown (EU/EEA vs non-EU percentages), service portability analysis, vendor diversity scoring, jurisdiction risk indicators, and trend tracking over time
  • Migration Playbook Generator - Step-by-step migration playbooks for VMs, Kubernetes, databases, storage, identity (Entra ID to Keycloak), and monitoring (Azure Monitor to Prometheus/Grafana). Each playbook includes prerequisites, commands, risk assessment, rollback procedures, and estimated downtime. Target any European provider
  • Data Flow & Jurisdiction Mapping - Automated discovery of cross-border data transfers from Azure Resource Graph data. Maps storage replication, CDN endpoints, backup regions, and log analytics locations. Classifies jurisdictions by risk level (EU/EEA adequate, Schrems II risk, restricted). Flags transfers lacking adequate legal basis
  • European Compliance Framework Controls - Adds EUCS (Basic/Substantial/High), BSI C5 (Basic/High), SecNumCloud, Gaia-X Trust Framework, TISAX, and ENS framework controls to the policy-to-framework mapping database. Enables compliance gap analysis: “What do I need to achieve BSI C5 High?”

Where to find it:

  • Sovereignty Dashboard available from the main navigation (Enterprise tier)
  • Tabbed layout: Overview, Data Flows, Workloads, Exit Strategy, Playbooks
  • European alternatives and provider information available to all subscription tiers
  • Sovereignty assessment can be triggered from the dashboard or via AI chat
  • Migration playbooks generated on-demand with provider-specific customization

Revision 31

Advanced Azure Governance & Scanning

Eight new scanning capabilities complete the full Azure governance suite on the Advanced Scans tab, covering management group visualization, identity auditing, network security, governance change tracking, policy analysis, Landing Zone validation, and drift detection.

What’s new:

  • Management Group Hierarchy - Visualize your entire Azure Management Group tree with governance overlays. See policy assignments, RBAC roles, and subscription counts at every level of your hierarchy. Navigate complex governance structures at a glance
  • Diagnostic Settings Audit - Find resources that aren’t sending logs or metrics to any destination. See coverage percentages by resource type, identify operational blind spots, and prioritize logging gaps across your subscriptions
  • Identity & RBAC Audit - 18 security checks for your identity posture. Detects over-privileged identities, orphaned role assignments, service principal credential expiry, guest user risks, PIM eligibility gaps, and owner-equivalent custom roles
  • Network Security & Topology - Analyze NSG rules for open management and database ports, monitor subnet IP capacity and exhaustion risk, and identify resources missing private endpoint connectivity
  • Azure Governance Change Tracking - See who changed which policies and RBAC assignments, with identity resolution and configurable audit windows (default 7 days). Required for NIS2 compliance
  • Policy Governance Deep Dive - Find orphaned policies and PolicySets, detect deprecated policies, track DeployIfNotExists effect policies, and monitor exemptions approaching expiry
  • Azure Landing Zone Validation - Compare your deployed policies against 25 expected ALZ archetype policies. Detect version drift and missing assignments to ensure your landing zone governance stays complete
  • Configuration Drift Detection - Compare deployed resource configurations against IaC source definitions (Bicep, Terraform, ARM, Pulumi). See expected vs actual values with severity classification for each deviation

Extended Azure Health Check Scans

Five additional scanning capabilities for ARM limits, storage security, resource locks, naming conventions, and service health.

Also includes:

  • ARM Limits & Capacity Planning - Get proactive alerts before you hit Azure subscription limits. Monitors role assignment counts (limit 4,000), resource group counts (limit 980), and tag usage per subscription. Configurable warning threshold (default 80%) with severity classification (Warning/Critical)
  • Storage Security Analysis - Go beyond encryption checks to audit storage account security configurations. Detects anonymous blob access, shared key access enabled, public network exposure, outdated TLS versions, missing infrastructure encryption, and OAuth not set as default
  • Resource Locks Coverage - Find critical resources that aren’t protected by deletion locks. Checks 11 high-value resource types (SQL servers, Key Vaults, storage accounts, VMs, and more) and reports lock coverage percentage with inherited lock resolution
  • CAF Naming Convention Validation - Validate your resource names against Cloud Adoption Framework naming conventions. Checks 12 resource type prefixes (rg-, st, kv-, vnet-, nsg-, vm-, app-, sql-, cr, pip-, lbi-/lbe-, id-) with suggested corrected names for non-compliant resources
  • Azure Service Health Integration - See active Azure platform incidents, planned maintenance windows, health advisories, and security advisories affecting your subscriptions. Impact level classification helps you prioritize response

Where to find it:

  • Compliance Dashboard > Advanced Scans tab
  • All 13 scans are available to AI agents during assessments
  • Each scan supports optional subscription ID filtering
  • Available on all plans with Compliance Reporting enabled (Enterprise tier)

Revision 30

Microsoft 365 Assessments

PAA now assesses your Microsoft 365 environment alongside your Azure infrastructure. A new M365 Architect agent evaluates your identity, security, collaboration, and compliance configurations against Microsoft best practices.

What’s new:

  • M365 Architect Agent - A specialized AI agent that assesses your Microsoft 365 tenant across four areas: security configuration, compliance posture, identity management, and collaboration governance. Available on Team plans and above
  • M365 Security Baseline Questionnaire - 26 structured questions covering Identity & Access Management, Email Security (DKIM/DMARC/SPF, Defender for Office 365), Collaboration Security (Teams, SharePoint, OneDrive), Endpoint Management (Intune), Information Protection (sensitivity labels, DLP), and Security Monitoring (Defender 365, audit logging)
  • M365 Governance Questionnaire - 15 questions evaluating Groups/Teams lifecycle management, SharePoint governance, Exchange governance, Compliance & Data Governance, Operational Governance, and Training & Adoption maturity
  • 4-Agent Assessment Pipeline - M365 assessments run a dedicated pipeline: M365 Architect → Security & Compliance → Identity Governance → Remediation, generating findings with severity classification and compliance framework mapping
  • No Azure Subscription Required - M365 assessments work independently of Azure subscriptions, so you can assess your productivity platform even without connected Azure environments

Where to find it:

  • Start a new assessment and select “M365” as the review type
  • Skip the Azure subscription selection step for M365-only assessments
  • View findings mapped to M365 security baselines and compliance frameworks

Revision 29

Export, Integrations, Collaboration & Multi-Language

The biggest feature release yet. PAA now delivers professional reports, integrates with your ITSM tools, enables team collaboration, and supports multiple languages — everything you need to turn findings into action.

Export & Deliverables:

  • PDF Export - Generate professionally formatted PDF assessment reports with cover pages, executive summaries, WAF pillar scores, findings by severity, compliance mapping, and remediation guidance. Includes your tenant branding
  • PowerPoint Export - Create presentation-ready slide decks for leadership and board meetings with executive summary slides, WAF radar charts, top findings, and actionable recommendations
  • AI Executive Summaries - One-click AI-generated executive summaries tailored for C-level stakeholders. Covers architecture health, key risk areas, critical findings with business impact, priority actions, and compliance implications

Workflow Integrations:

  • Jira Integration - Create Jira issues directly from findings with automatic severity-to-priority mapping. Configure your Jira project, issue types, and custom fields. Test your connection from Settings
  • ServiceNow Integration - Generate ServiceNow incidents and change requests from findings with custom table and field mapping. Supports bidirectional status synchronization
  • Webhook Events - Receive HTTP notifications when assessments complete, findings are created or resolved, or documents are generated. Includes delivery logging, automatic retry with exponential backoff, and event type filtering

Collaboration:

  • Assessment Sharing - Share assessment results with external stakeholders via secure, time-limited links. Set expiration (up to 30 days), view active shares, and revoke access at any time. Shared views are read-only with no PII exposed
  • Comments & Annotations - Discuss findings with your team directly in PAA. Add threaded comments on findings and assessments, @mention team members for notifications, and track discussions alongside remediation
  • Assignment & Ownership - Assign findings to team members with due dates. Bulk-assign from the findings list. Filter by “My Assignments” to see your personal queue

Multi-Language:

  • Multi-Language Documents - Generate documents and executive summaries in English, German, French, or Dutch. Set a default language per tenant or choose per document. AI-powered generation ensures professional-quality output in each language

Where to find it:

  • Export buttons on the Assessment Results page
  • Integration settings under Settings > Integrations (Business+ plans)
  • Webhook configuration under Settings > Webhooks (Team+ plans)
  • Language preference under Settings > Organization
  • Comment threads on Finding Detail and Assessment Results pages
  • Share button on Assessment Results page

Revision 28

Azure Policy-to-Compliance Framework Mapping Database

Your compliance reports just got a major upgrade. PAA now maps Azure Policy definitions to real compliance framework controls, replacing AI-inferred mappings with deterministic, auditor-friendly relationships.

What’s new:

  • Real compliance control catalog - ISO 27001:2022, NIS2, GDPR, and SOC 2 controls are stored in the database with official control IDs, names, descriptions, and sections. No more placeholder text or generic descriptions
  • Azure Policy-to-control mappings - Hundreds of Azure built-in policies are linked to the framework controls they satisfy, with confidence levels (Verified, Inferred, Partial) so you know exactly how trustworthy each mapping is
  • Per-control policy lookup - See which Azure policies map to any specific compliance control (e.g., “which policies satisfy ISO 27001 A.8.24?”)
  • Cross-framework policy view - See all framework controls that a single Azure policy satisfies across ISO 27001, NIS2, GDPR, and SOC 2 simultaneously
  • Mapping statistics - Dashboard-ready statistics showing total controls and policy mappings per framework
  • Admin verification - Admins can review and promote mapping confidence from Inferred to Verified for audit-ready reports

Why this matters:

Compliance reports now show real control names like “A.8.24 - Use of cryptography” instead of generic IDs. Framework coverage comes from your actual Azure Policy enforcement, not AI guesswork. This is the foundation for SOC 2, ISO 27001, and regional compliance assessment templates coming next.

Available via new endpoints in the Compliance API for all plans with Compliance Reporting enabled.

Also includes:

  • Automatic seeding of framework controls and policy mappings on first startup
  • Distributed caching for fast control lookups (1-hour TTL)
  • 37 new backend tests covering parsers, matchers, service logic, and API endpoints

Bug fixes:

  • Fixed “Start Scan” returning silent 400 error - The assessment start button could fail with no visible feedback when Azure configuration validation failed (e.g., due to stale cache across Container Apps replicas). Added a prominent error banner on the Assessments page and diagnostic logging to identify which validation field fails
  • Fixed assessment crash on missing compliance containers - Assessments would fail entirely if the framework-controls or policy-framework-mappings Cosmos DB containers hadn’t been created yet. Both repositories now return empty results gracefully instead of crashing the assessment pipeline
  • Fixed policy-framework-mappings not seeding in deployed environments - The Azure Policy CSV file used by the compliance seeder was not included in the Docker image, so policy mappings were never populated. Added the CSV to the API Dockerfile build
  • Fixed usage tracking flooding logs with 404 errors - The UsageTrackingMiddleware threw unhandled exceptions when the usage Cosmos DB container didn’t exist, producing noisy error logs on every API request. Now logs a single clean warning

Revision 27

Azure Health Checks & Governance Scanning

Go deeper into your Azure environment with four new health check and governance audit scans.

What’s new:

  • Resource Health Monitoring - Real-time availability status for every Azure resource. Instantly see which resources are Unavailable, Degraded, or Unknown, with aggregation by subscription and resource group
  • Orphaned Resource Detection - Find unattached disks, unused public IPs, idle network interfaces, and empty network security groups that are costing you money. Includes estimated monthly cost waste per resource
  • Tag Compliance Auditing - Audit all resources against your required tags (environment, owner, costCenter, etc.). Configure required tags per tenant and see compliance percentages with breakdowns by resource type and group
  • Encryption & HTTPS Enforcement - Verify that storage accounts enforce HTTPS, managed disks are encrypted, App Services use current TLS versions, and SQL databases have Transparent Data Encryption enabled

Available on the new Advanced Scans tab in the Compliance Dashboard for all plans with Compliance Reporting enabled.

Also includes:

  • Tag compliance configuration endpoint for admins to set required tags per tenant
  • Optional subscription ID filtering on all scan endpoints
  • Full AI agent tool integration — agents can invoke all four scans during assessments

Revision 26

WAF Pillar Health Scoring

See at a glance how your architecture measures up across all five Well-Architected Framework pillars.

What’s new:

  • Per-pillar health scores - Each WAF pillar (Reliability, Security, Cost Optimization, Operational Excellence, Performance Efficiency) now has a 0-100 health score derived from your open findings
  • Overall architecture health - A single weighted score that summarizes your entire cloud posture
  • Health ratings - Scores are classified as Excellent, Good, Fair, Poor, or Critical for quick interpretation
  • Trend tracking - See whether each pillar is improving or declining compared to previous assessments
  • Findings drill-down - Click any pillar to see its contributing findings, filterable by severity with full pagination
  • Smart scoring - A logarithmic diminishing returns model ensures that large environments with many findings still produce meaningful, actionable scores rather than collapsing to zero

Available on the WAF Health tab in the Compliance Dashboard for all plans with Compliance Reporting enabled.