Skip to content

Sovereign GRC

Security-first governance, risk, and compliance platform.

Sovereign GRC helps organizations manage compliance assessments, track risks, respond to incidents, and maintain continuous compliance across multiple frameworks.

Supported Frameworks

Control counts below come from the live /api/v1/frameworks endpoint.

Framework Controls Standard
SOC 2 Type II 61 Trust Services Criteria
ISO/IEC 27001:2022 93 Information Security Management
CMMC Level 2 110 Cybersecurity Maturity Model
NIST Cybersecurity Framework 2.0 83 CSF subcategories
HIPAA Security Rule 25 Healthcare PHI safeguards (§ 164.308–316)
PCI DSS v4.0.1 63 Payment-card industry data security
GDPR 30 EU data-protection obligations

NIST 800-53 Rev 5

The baseline ships as a content pack (src/backend/content/builtin/nist-800-53-r5.yaml) and is usable for evidence mapping, but it is not yet exposed through the /api/v1/frameworks endpoint or the Frameworks UI. Targeted for v2.1.

Key Capabilities

  • Compliance Assessments

    Run automated and manual assessments against SOC 2, ISO 27001, and CMMC. AI-powered control evaluation with evidence collection.

    Assessments

  • Risk Management

    FAIR methodology risk quantification, Key Risk Indicators with threshold monitoring, and bow-tie analysis for control mapping.

    Risk Monitoring

  • Incident Response

    NIST 800-61 compliant incident management with SLA tracking, automated playbooks, and regulatory breach notification.

    Incidents

  • Policy Management

    Track administrative policies with review cycles, approval workflows, and OPA Rego policy linking for automated enforcement.

    Policies

  • Vendor Risk

    Third-party risk management with Agent-to-Agent attestation protocol for automated compliance data exchange.

    Vendors

  • Analytics & Reporting

    Compliance trend analytics, cross-framework mapping, and exportable reports in PDF, Excel, and HTML formats.

    Reports

Quick Start

  1. Deploy — One command pulls pre-built images, generates secrets, starts the stack, and runs migrations:

    curl -sSL https://get.defendflow.xyz | bash

  2. Activate — Paste your license key in the setup wizard at http://localhost:3000. Request a 30-day trial key at defendflow.xyz.

  3. Configure — Create your administrator, organization, and first compliance framework directly in the wizard.
  4. Connect — Plug in cloud providers in Data Sources, then run your first Assessment.
  5. Monitor — Set up Risk Monitoring KRIs and Calendar schedules for continuous compliance.

Architecture

A fresh install runs a four-service Docker Compose stack:

  • Frontend — Nginx serving the React 18 + TypeScript SPA
  • Backend — Python FastAPI + SQLAlchemy 2.0 (async) with LangGraph agent orchestration
  • Database — PostgreSQL 16 + pgvector for semantic search
  • Cache — Redis 7 for sessions, rate limiting, and background jobs

Full-feature deployments add:

  • Policy Engine — Open Policy Agent (Rego) for deterministic control evaluation and RBAC
  • Cloud Queries — Turbot Steampipe for evidence collection across AWS, Azure, GCP
  • Ingress — Cloudflare Tunnel + Cloudflare Access for zero-trust authentication (outbound-only)
  • Evidence Store — Cloudflare R2 with WORM object lock for audit-defensible immutability

Deployment Options

Mode Use case
Managed SaaS We host it for you — fastest onboarding.
Self-hosted Docker / Kubernetes in your VPC behind Cloudflare Tunnel. Your keys, your database.
Air-gapped Ships as an OCI bundle. Zero outbound egress. vLLM on-prem. FedRAMP / IL5 / SCIF eligible.

Bring Your Own Model

The AI assessment engine accepts any OpenAI-compatible endpoint:

  • NVIDIA NIM (Llama, Mixtral, DeepSeek)
  • vLLM on-prem (your fine-tuned weights)
  • Cloudflare Workers AI
  • OpenAI, Azure OpenAI, Anthropic, AWS Bedrock, GCP Vertex
  • LLM_PROVIDER=none — run 100% Rego-deterministic for controls that don't need judgment

Version

v2.0.4 — ships all 8 frameworks above, agentic assessment via LangGraph, A2A vendor attestation, WORM evidence storage, and a fully-automated setup wizard.

Upgrades since v2.0.0:

  • v2.0.4 — Setup wizard creates local admin + org in one step (fixes Failed to create admin user).
  • v2.0.3 — Installer bundles the license-mint public key so Activate License works out of the box.
  • v2.0.2 — Five install-path fixes (A2A signing key, DATABASE_URL/REDIS_URL in compose, Alembic migrations on boot, release image preserves migration .py, optional workers default-off) plus CVE-driven bumps of cryptography, langgraph, langgraph-checkpoint, langchain-text-splitters.
  • v2.0.1 — Security hardening: CSRF, refresh-token JTI blacklist, expanded weak-password dictionary, Trivy in CI.

See the full changelog for details.