Skip to content

Sovereign GRC

Security-first governance, risk, and compliance platform.

Sovereign GRC helps organizations manage compliance assessments, track risks, respond to incidents, and maintain continuous compliance across multiple frameworks.


Supported Frameworks

Control counts below come from the live /api/v1/frameworks endpoint.

Framework Controls Standard
SOC 2 Type II 61 Trust Services Criteria
ISO/IEC 27001:2022 93 Information Security Management
CMMC Level 2 110 Cybersecurity Maturity Model
NIST Cybersecurity Framework 2.0 83 CSF subcategories
HIPAA Security Rule 25 Healthcare PHI safeguards (§ 164.308–316)
PCI DSS v4.0.1 63 Payment-card industry data security
GDPR 30 EU data-protection obligations

NIST 800-53 Rev 5

The baseline ships as a content pack (src/backend/content/builtin/nist-800-53-r5.yaml) and is usable for evidence mapping, but it is not yet exposed through the /api/v1/frameworks endpoint or the Frameworks UI. Targeted for v2.1.

Key Capabilities

  • Compliance Assessments


    Run automated and manual assessments against SOC 2, ISO 27001, and CMMC. AI-powered control evaluation with evidence collection. (AI evaluation needs an LLM key; evidence needs object storage.)

    Assessments

  • Risk Management


    FAIR methodology risk quantification, Key Risk Indicators with threshold monitoring, and bow-tie analysis for control mapping.

    Risk Monitoring

  • Incident Response


    NIST 800-61 compliant incident management with SLA tracking, automated playbooks, and regulatory breach notification.

    Incidents

  • Policy Management


    Track administrative policies with review cycles, approval workflows, and OPA Rego policy linking for automated enforcement. (Automated OPA evaluation needs the policy-engine sidecar.)

    Policies

  • Vendor Risk


    Third-party risk management with Agent-to-Agent attestation protocol for automated compliance data exchange.

    Vendors

  • Analytics & Reporting


    Compliance trend analytics, cross-framework mapping, and exportable reports in PDF, Excel, and HTML formats.

    Reports

Quick Start

  1. Deploy — One command pulls pre-built images, generates secrets, starts the stack, and runs migrations:

    curl -sSL https://get.defendflow.xyz | bash
    
  2. Activate — Paste your license key in the setup wizard at http://localhost:3000. Request a 30-day trial key at defendflow.xyz.

  3. Configure — Create your administrator, organization, and first compliance framework directly in the wizard.
  4. Wire up integrations — A stock install starts core-only. Flagship features need buyer-supplied dependencies: an LLM key for AI Audit (NVIDIA_API_KEY or another provider), S3-compatible object storage for Evidence (R2/S3 or the MinIO sidecar), and a provider for Ticket Sync. Optional sidecars enable Data Sources (Steampipe) and the Policy Engine (OPA). The Setup readiness checklist on the Dashboard shows exactly what is ready and what still needs a key, so check there first.
  5. Connect — Plug in cloud providers in Data Sources, then run your first Assessment.
  6. Monitor — Set up Risk Monitoring KRIs and Calendar schedules for continuous compliance.

The demo is pre-wired; a fresh install is not

The public demo shows every feature all-green because its LLM key, object storage, and ticket provider are already configured. A stock Community Edition install ships without those buyer-supplied dependencies, so AI generation falls back to templates/empty output and Evidence/Ticket Sync return HTTP 503 until you configure them. Each feature's guide page has a "Prerequisites" callout, and the in-app readiness checklist tracks them.

Architecture

A fresh install runs a four-service Docker Compose stack:

  • Frontend — Nginx serving the React 18 + TypeScript SPA
  • Backend — Python FastAPI + SQLAlchemy 2.0 (async) with LangGraph agent orchestration
  • Database — PostgreSQL 16 + pgvector for semantic search
  • Cache — Redis 7 for sessions, rate limiting, and background jobs

Full-feature deployments add:

  • Policy Engine — Open Policy Agent (Rego) for deterministic control evaluation and RBAC
  • Cloud Queries — Turbot Steampipe for evidence collection across AWS, Azure, GCP
  • Ingress — Cloudflare Tunnel + Cloudflare Access for zero-trust authentication (outbound-only)
  • Evidence Store — Cloudflare R2 with WORM object lock for audit-defensible immutability

Deployment Options

Mode Use case
Managed SaaS We host it for you — fastest onboarding.
Self-hosted Docker / Kubernetes in your VPC behind Cloudflare Tunnel. Your keys, your database.
Air-gapped Ships as an OCI bundle. Zero outbound egress. vLLM on-prem. FedRAMP / IL5 / SCIF eligible.

Bring Your Own Model

The AI assessment engine supports the following provider modes (LLM_PROVIDER):

  • NVIDIA NIM (nvidia) — hosted models via integrate.api.nvidia.com (default)
  • Cloudflare Workers AI (workers_ai) — serverless inference at the edge
  • Any OpenAI-compatible endpoint (vllm) — point VLLM_BASE_URL at vLLM, Ollama, or any other OpenAI-compatible server; bring your own fine-tuned weights on-prem
  • Hybrid (hybrid) — Workers AI with automatic vLLM fallback
  • LLM_PROVIDER=none — run 100% Rego-deterministic for controls that don't need judgment

Version

v2.0.5 — ships all 7 frameworks above, agentic assessment via LangGraph, A2A vendor attestation, WORM evidence storage, and a fully-automated setup wizard.

Upgrades since v2.0.0:

  • v2.0.5curl | bash install path actually starts clean now: the installer generates a persistent A2A_SIGNING_KEY (the missing key made the production backend exit on boot), the compose template forwards it to the container, and admin bootstrap creates the org + admin via /api/v1/setup/initialize instead of the create_local_admin script that failed on a fresh database. The /system/logs endpoints now require system-admin auth.
  • v2.0.4 — Browser setup wizard creates local admin + org in one step (fixes Failed to create admin user). The curl | bash installer admin path was fixed separately in v2.0.5.
  • v2.0.3 — Installer bundles the license-mint public key so Activate License works out of the box.
  • v2.0.2 — Install-path fixes (DATABASE_URL/REDIS_URL in compose, release image preserves migration .py, optional workers default-off) plus CVE-driven bumps of cryptography, langgraph, langgraph-checkpoint, langchain-text-splitters. (The A2A signing key generation listed in early drafts did not ship until v2.0.5; the installer creates schema on backend startup via SQLAlchemy, not a separate Alembic step.)
  • v2.0.1 — Security hardening: CSRF, refresh-token JTI blacklist, expanded weak-password dictionary, Trivy in CI.

See the full changelog for details.