Sovereign GRC
Security-first governance, risk, and compliance platform.
Sovereign GRC helps organizations manage compliance assessments, track risks, respond to incidents, and maintain continuous compliance across multiple frameworks.
Supported Frameworks
Control counts below come from the live /api/v1/frameworks endpoint.
| Framework | Controls | Standard |
|---|---|---|
| SOC 2 Type II | 61 | Trust Services Criteria |
| ISO/IEC 27001:2022 | 93 | Information Security Management |
| CMMC Level 2 | 110 | Cybersecurity Maturity Model |
| NIST Cybersecurity Framework 2.0 | 83 | CSF subcategories |
| HIPAA Security Rule | 25 | Healthcare PHI safeguards (§ 164.308–316) |
| PCI DSS v4.0.1 | 63 | Payment-card industry data security |
| GDPR | 30 | EU data-protection obligations |
NIST 800-53 Rev 5
The baseline ships as a content pack (src/backend/content/builtin/nist-800-53-r5.yaml)
and is usable for evidence mapping, but it is not yet exposed through the
/api/v1/frameworks endpoint or the Frameworks UI. Targeted for v2.1.
Key Capabilities
- Compliance Assessments: Run automated and manual assessments against SOC 2, ISO 27001, and CMMC. AI-powered control evaluation with evidence collection. (AI evaluation needs an LLM key; evidence needs object storage.)
- Risk Management: FAIR methodology risk quantification, Key Risk Indicators with threshold monitoring, and bow-tie analysis for control mapping.
- Incident Response: NIST 800-61 compliant incident management with SLA tracking, automated playbooks, and regulatory breach notification.
- Policy Management: Track administrative policies with review cycles, approval workflows, and OPA Rego policy linking for automated enforcement. (Automated OPA evaluation needs the policy-engine sidecar.)
- Vendor Risk: Third-party risk management with Agent-to-Agent attestation protocol for automated compliance data exchange.
- Analytics & Reporting: Compliance trend analytics, cross-framework mapping, and exportable reports in PDF, Excel, and HTML formats.
Quick Start
- Deploy — One command pulls pre-built images, generates secrets, starts the stack, and runs migrations:
- Activate — Paste your license key in the setup wizard at http://localhost:3000. Request a 30-day trial key at defendflow.xyz.
- Configure — Create your administrator, organization, and first compliance framework directly in the wizard.
- Wire up integrations — A stock install starts core-only. Flagship features need buyer-supplied dependencies: an LLM key for AI Audit (NVIDIA_API_KEY or another provider), S3-compatible object storage for Evidence (R2/S3 or the MinIO sidecar), and a provider for Ticket Sync. Optional sidecars enable Data Sources (Steampipe) and the Policy Engine (OPA). The Setup readiness checklist on the Dashboard shows exactly what is ready and what still needs a key, so check there first.
- Connect — Plug in cloud providers in Data Sources, then run your first Assessment.
- Monitor — Set up Risk Monitoring KRIs and Calendar schedules for continuous compliance.
The demo is pre-wired; a fresh install is not
The public demo shows every feature all-green because its LLM key, object storage, and ticket provider are already configured. A stock Community Edition install ships without those buyer-supplied dependencies, so AI generation falls back to templates/empty output and Evidence/Ticket Sync return HTTP 503 until you configure them. Each feature's guide page has a "Prerequisites" callout, and the in-app readiness checklist tracks them.
Architecture
A fresh install runs a four-service Docker Compose stack:
- Frontend — Nginx serving the React 18 + TypeScript SPA
- Backend — Python FastAPI + SQLAlchemy 2.0 (async) with LangGraph agent orchestration
- Database — PostgreSQL 16 + pgvector for semantic search
- Cache — Redis 7 for sessions, rate limiting, and background jobs
Full-feature deployments add:
- Policy Engine — Open Policy Agent (Rego) for deterministic control evaluation and RBAC
- Cloud Queries — Turbot Steampipe for evidence collection across AWS, Azure, GCP
- Ingress — Cloudflare Tunnel + Cloudflare Access for zero-trust authentication (outbound-only)
- Evidence Store — Cloudflare R2 with WORM object lock for audit-defensible immutability
Deployment Options
| Mode | Use case |
|---|---|
| Managed SaaS | We host it for you — fastest onboarding. |
| Self-hosted | Docker / Kubernetes in your VPC behind Cloudflare Tunnel. Your keys, your database. |
| Air-gapped | Ships as an OCI bundle. Zero outbound egress. vLLM on-prem. FedRAMP / IL5 / SCIF eligible. |
Bring Your Own Model
The AI assessment engine supports the following provider modes (LLM_PROVIDER):
- NVIDIA NIM (nvidia) — hosted models via integrate.api.nvidia.com (default)
- Cloudflare Workers AI (workers_ai) — serverless inference at the edge
- Any OpenAI-compatible endpoint (vllm) — point VLLM_BASE_URL at vLLM, Ollama, or any other OpenAI-compatible server; bring your own fine-tuned weights on-prem
- Hybrid (hybrid) — Workers AI with automatic vLLM fallback
- LLM_PROVIDER=none — run 100% Rego-deterministic for controls that don't need judgment
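A preflight check over a deployment's environment file, as an added example that is not part of the Sovereign GRC code base. The variable names and mode values come from this page; which variables each mode requires, and the sample file, are assumptions made for illustration.

```python
# Added example: preflight check for a Sovereign GRC .env file.
# Variable names come from the page; per-mode requirements are assumptions.
PROVIDER_MODES = {"nvidia", "workers_ai", "vllm", "hybrid", "none"}
# Assumed to be needed at boot (see the v2.0.2 and v2.0.5 release notes).
CORE_VARS = ("DATABASE_URL", "REDIS_URL", "A2A_SIGNING_KEY")


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and comments."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def preflight(env):
    """Return a list of (severity, message) findings for a parsed env."""
    findings = []
    for var in CORE_VARS:
        if not env.get(var):
            findings.append(("error", f"{var} is unset"))
    mode = env.get("LLM_PROVIDER") or "nvidia"  # page: nvidia is the default
    if mode not in PROVIDER_MODES:
        findings.append(("error", f"LLM_PROVIDER={mode} is not a documented mode"))
    elif mode == "nvidia" and not env.get("NVIDIA_API_KEY"):
        findings.append(("warn", "NVIDIA_API_KEY unset: AI falls back to templates"))
    elif mode in ("vllm", "hybrid") and not env.get("VLLM_BASE_URL"):
        findings.append(("warn", f"VLLM_BASE_URL unset for mode {mode}"))
    elif mode == "none":
        findings.append(("info", "LLM disabled: Rego-only evaluation"))
    return findings


# Constructed sample input, not a real deployment file.
SAMPLE = """
# stock install
DATABASE_URL=postgresql+asyncpg://grc:example@db/grc
REDIS_URL=redis://cache:6379/0
LLM_PROVIDER=hybrid
"""

if __name__ == "__main__":
    for severity, message in preflight(parse_env(SAMPLE)):
        print(f"{severity}: {message}")
```

The Workers AI credentials are not checked because this page does not name their variables; the in-app readiness checklist remains the authoritative source.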
Version
v2.0.5 — ships all 7 frameworks above, agentic assessment via LangGraph, A2A vendor attestation, WORM evidence storage, and a fully-automated setup wizard.
Upgrades since v2.0.0:
- v2.0.5 — curl | bash install path actually starts clean now: the installer generates a persistent A2A_SIGNING_KEY (the missing key made the production backend exit on boot), the compose template forwards it to the container, and admin bootstrap creates the org + admin via /api/v1/setup/initialize instead of the create_local_admin script that failed on a fresh database. The /system/logs endpoints now require system-admin auth.
- v2.0.4 — Browser setup wizard creates local admin + org in one step (fixes "Failed to create admin user"). The curl | bash installer admin path was fixed separately in v2.0.5.
- v2.0.3 — Installer bundles the license-mint public key so Activate License works out of the box.
- v2.0.2 — Install-path fixes (DATABASE_URL/REDIS_URL in compose, release image preserves migration.py, optional workers default-off) plus CVE-driven bumps of cryptography, langgraph, langgraph-checkpoint, langchain-text-splitters. (The A2A signing key generation listed in early drafts did not ship until v2.0.5; the installer creates schema on backend startup via SQLAlchemy, not a separate Alembic step.)
- v2.0.1 — Security hardening: CSRF, refresh-token JTI blacklist, expanded weak-password dictionary, Trivy in CI.
See the full changelog for details.