Features

Multi-framework lifecycle: activate any of 13 frameworks, manage controls, track obligations, run assessments, collect evidence, generate attestations.

• →13 frameworks (EU AI Act, ISO 42001, ISO 27001, ISO 27701, GDPR, HIPAA, SOC 2, SOC 1, PCI DSS, NIST AI RMF, NIST CSF, DORA, CCPA)
• →Per-tenant framework instances with control catalogs
• →Control state machine: not_started → in_progress → implemented → effective
• →Auto-generated assessments with risk scoring

Cross-framework crosswalks: see how a single control satisfies multiple frameworks. Map evidence once, reuse everywhere.

• →Typed relations: satisfies, contributes_to, conflicts_with, requires
• →Blast-radius analysis: change one control, see what else is affected
• →Onboarding savings calculator: how much time you save by reusing evidence
• →Conflict detection between frameworks

Upload any artifact — policy, log, screenshot, attestation, training record. AI matches it to controls across every active framework.

• →12 evidence types (policy, procedure, log, screenshot, report, attestation, configuration, training_record, incident_record, fria, dpia, contract)
• →AI-driven matching with confidence scores
• →Stale-evidence detection with auto-refresh prompts
• →Object-storage-backed with WORM retention by SKU

Fundamental-rights and data-protection impact assessments — auto-filled from system metadata, escalated for sign-off.

• →EU AI Act Article 27 FRIA template (auto-detect when required)
• →GDPR Article 35 DPIA bridge for personal-data + high-risk AI
• →Approval chains with multi-party sign-off
• →Versioned with audit-trail

Run customer-side compliance audits — internal, Type I, Type II, or regulator-driven.

• →Audit lifecycle: scheduled → in_progress → findings → remediation → sign-off
• →Configurable scopes (per-framework, per-system, per-tenant)
• →Remediation tracker with due dates
• →Audit-ready PDF/JSON exports for notified bodies

Public posture page for vendor-due-diligence. Reduces the questionnaire round-trip from weeks to hours.

• →Live posture: certifications, sub-processors, security incidents, SLA
• →Pre-filled answers for SIG, CAIQ, ISO 27001 SoA, custom questionnaires
• →NDA-vault integration for confidential responses
• →Status page with real-time uptime

Append-only log of every customer action — streams through an async pipeline into the analytics warehouse.

• →Cryptographically immutable (hash-chain)
• →Retention by SKU: 90d Sandbox · 1y Starter · 3y Growth · 7y Enterprise
• →Sub-second query at any scale via the OLAP store
• →Forensic replay for incident response

AI agents with zero hallucination — input + dictionary + rules in, output + evidence trail out.

• →Classifier (Annex III + GPAI scoping)
• →Framework-mapper (cross-walk navigator)
• →Evidence-compiler (matches artifacts to controls)
• →FRIA assistant · Incident reporter · Training curator · Conformity guide · GPAI docs

Independent consultants, auditors, and CISOs onboarding their own clients. Multi-tenant by design.

• →Firm registration + consultant invitations
• →Per-client engagements with isolated workspaces
• →Revenue-share billing (30% standard)
• →White-label trust pages