
Sovereign GRC

Security-first governance, risk, and compliance platform.

Sovereign GRC helps organizations manage compliance assessments, track risks, respond to incidents, and maintain continuous compliance across multiple frameworks.


Supported Frameworks

Framework            Controls  Standard
SOC 2 Type II        33        Trust Services Criteria
ISO/IEC 27001:2022   54        Information Security Management
CMMC Level 2         110       Cybersecurity Maturity Model

Key Capabilities

  • Compliance Assessments

    Run automated and manual assessments against SOC 2, ISO 27001, and CMMC, with AI-powered control evaluation and evidence collection.

    Assessments

  • Risk Management

    FAIR methodology risk quantification, Key Risk Indicators (KRIs) with threshold monitoring, and bow-tie analysis for control mapping.

    Risk Monitoring

  • Incident Response

    Incident management aligned with NIST SP 800-61, with SLA tracking, automated playbooks, and regulatory breach notification.

    Incidents

  • Policy Management

    Track administrative policies with review cycles and approval workflows, and link them to OPA Rego policies for automated enforcement.

    Policies

  • Vendor Risk

    Third-party risk management with an Agent-to-Agent attestation protocol for automated compliance data exchange.

    Vendors

  • Analytics & Reporting

    Compliance trend analytics, cross-framework control mapping, and exportable reports in PDF, Excel, and HTML formats.

    Reports
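The FAIR quantification and KRI threshold monitoring named above, as an added example that is not Sovereign GRC's own code: a minimal Monte Carlo estimate of annualized loss exposure (ALE) from PERT-distributed loss event frequency and loss magnitude, a loss-exceedance probability, and a KRI that classifies the result against warning and critical thresholds. The `Pert`, `Kri`, `simulate_ale` names, the shape parameter, and the sample risk values are assumptions for illustration only.

```python
"""FAIR-style ALE via Monte Carlo plus KRI thresholds (added example, not project code)."""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point estimate (min, most likely, max) sampled as a scaled Beta (PERT)."""
    low: float
    likely: float
    high: float
    shape: float = 4.0  # standard PERT shape parameter (assumption)

    def sample(self, rng: random.Random) -> float:
        width = self.high - self.low
        if width <= 0:
            return self.low
        alpha = 1.0 + self.shape * (self.likely - self.low) / width
        beta = 1.0 + self.shape * (self.high - self.likely) / width
        return self.low + rng.betavariate(alpha, beta) * width  # always within [low, high]


def poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one year given an annual rate (Knuth's method)."""
    if rate <= 0:
        return 0
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_ale(lef: Pert, lm: Pert, years: int = 10_000, seed: int = 1) -> list[float]:
    """Simulate `years` independent years; each year's loss is the sum of its event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(lef.sample(rng), rng)
        losses.append(sum(lm.sample(rng) for _ in range(events)))
    return losses


def percentile(values: list[float], q: float) -> float:
    """Linear-interpolated percentile, q in [0, 1]."""
    data = sorted(values)
    if not data:
        raise ValueError("no samples")
    pos = (len(data) - 1) * q
    lo, hi = math.floor(pos), math.ceil(pos)
    if lo == hi:
        return float(data[lo])
    return data[lo] + (data[hi] - data[lo]) * (pos - lo)


def loss_exceedance(losses: list[float], threshold: float) -> float:
    """Probability that a single year's loss exceeds `threshold` (one point on the LEC)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarize(losses: list[float]) -> dict[str, float]:
    return {
        "mean": statistics.fmean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
    }


@dataclass(frozen=True)
class Kri:
    """Key Risk Indicator with warning/critical thresholds; direction is configurable."""
    name: str
    warning: float
    critical: float
    higher_is_worse: bool = True

    def evaluate(self, value: float) -> str:
        if self.higher_is_worse:
            breached_critical, breached_warning = value >= self.critical, value >= self.warning
        else:
            breached_critical, breached_warning = value <= self.critical, value <= self.warning
        if breached_critical:
            return "critical"
        if breached_warning:
            return "warning"
        return "ok"


if __name__ == "__main__":
    # Constructed sample scenario: credential-stuffing against a customer portal.
    lef = Pert(low=0.5, likely=1.0, high=2.0)            # loss events per year
    lm = Pert(low=10_000, likely=50_000, high=200_000)  # USD per event
    losses = simulate_ale(lef, lm, years=10_000, seed=42)
    stats = summarize(losses)
    kri = Kri("ale_p90_usd", warning=150_000, critical=300_000)
    print(stats, "P(loss > 100k) =", loss_exceedance(losses, 100_000), "KRI:", kri.evaluate(stats["p90"]))
```

The p90 of the simulated annual loss is the value most teams compare against risk appetite; feeding it into `Kri.evaluate` is the threshold check the Risk Monitoring view performs, and `loss_exceedance` at a chosen threshold gives one point of the loss-exceedance curve FAIR reports are built from.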

Quick Start

  1. Deploy — Follow the Deployment Guide to spin up the Docker stack.
  2. Configure — Connect cloud providers in Data Sources and set up your organization in Settings.
  3. Assess — Create your first Assessment against a compliance framework.
  4. Monitor — Set up Risk Monitoring KRIs and Calendar schedules for continuous compliance.

Architecture

Sovereign GRC runs as a Docker Compose stack with six services:

  • Frontend — React 18 + TypeScript + Vite
  • Backend — Python FastAPI + SQLAlchemy 2.0 (async)
  • Database — PostgreSQL 16 + pgvector
  • Cache — Redis 7
  • Policy Engine — Open Policy Agent (OPA)
  • Cloud Queries — Turbot Steampipe

All traffic flows through Cloudflare Tunnel, with Cloudflare Access providing zero-trust authentication at the edge. Because Access authenticates before the request reaches the stack, the backend should also validate the `Cf-Access-Jwt-Assertion` header it receives, so that a request arriving by any path other than the tunnel is never treated as authenticated.

Architecture Details

Version

v2.0.0 — SOC 2 Type II, ISO/IEC 27001:2022, CMMC Level 2