Public site index
A human-readable index of the public GRC Oversight website. Product app routes, API routes, private share tokens, and individual scan result URLs are excluded.
Governance, risk, and compliance automation from one workspace.
Ask questions about your compliance program with tenant-scoped context.
Try a free public ChatGRC and questionnaire-drafter demo grounded in general framework and glossary content — no account needed.
Try the risk heat map, control toggles, and ChatGRC on a mock sample organization — no login, no real data.
Per-tool reference, token setup, and copy-paste MCP client config for Claude and Cursor.
Connect AI clients to tenant-scoped controls, evidence, risks, and questionnaires.
Evidence graph, cross-mapping, monitoring, and audit-ready workflows.
A guided look at the GRC Oversight product surfaces.
How GRC Oversight approaches evidence, pricing, scanners, and AI access.
Run documented user access reviews with owners and evidence history.
Map controls to evidence and reuse work across frameworks.
Compliance automation, risk, trust center, questionnaires, vendor risk, and access reviews.
Draft security questionnaire answers from approved evidence and policies.
Track risks, owners, mitigations, and compliance alignment.
Publish a public security profile and manage sensitive trust documents.
Assess vendors, collect documents, and track third-party risk.
Prepare CMMC and defense supplier evidence without inventing claims.
Coordinate controls, evidence, risk, and trust workflows across larger teams.
Scale compliance coverage as frameworks and integrations expand.
GRC workflows for startups, growing teams, enterprise, and defense contractors.
Get audit-ready without adding per-seat compliance costs.
Guided gap assessment and hands-on evidence prep for your first audit.
Find an independent audit firm and share scoped, revocable evidence access.
We draft and research every answer; you review and approve before it's sent.
Find a pentest firm and turn the report into tracked, mapped remediation.
Audit readiness, auditor matching, managed questionnaires, and pentest referrals.
Cybersecurity Maturity Model Certification for the U.S. defense base
See which controls and tests are genuinely shared across frameworks in the live evidence graph.
EU regulation on digital operational resilience for finance
EU regulation establishing risk-based rules for AI systems
U.S. program for cloud services used by federal agencies
Security, privacy, AI, resilience, and audit frameworks supported by the evidence model.
EU regulation governing personal data protection
U.S. rules for protecting health information
International standard for information security management
Privacy information management extension to ISO 27001
International standard for AI management systems
EU directive on cybersecurity for essential and important entities
NIST framework for managing AI risk
Security standard for handling payment card data
Trust Services Criteria for service organizations
U.S. law requiring internal control over financial reporting
Collect IP address reputation, blacklist, and block check evidence from AbuseIPDB API v2.
Collect AlienVault USM Anywhere alarms and events, as well as OTX threat intelligence pulse evidence through read-only API endpoints.
Audit Asana workspace members and projects as read-only work-management access-review and inventory evidence.
Audit Ashby ATS/recruiting accounts and job posting inventory as read-only access-review and hiring-pipeline evidence.
Audit MFA factors, breached-password & brute-force protection, and tenant settings.
Audit S3 public-access/encryption and IAM user MFA.
Collect Azure DevOps project, repository, and pipeline evidence through organization-scoped APIs.
Collect BambooHR employee roster, status, and onboarding/offboarding date evidence through company-scoped API endpoints.
Collect workspace and repository evidence from Bitbucket Cloud APIs.
Audit BreezyHR recruiting-team user accounts and open position inventory as read-only ATS access-review and hiring-pipeline evidence.
Collect CircleCI account, context, and project environment-variable evidence through API v2.
Collect Meraki organization, network, and device inventory plus admin 2FA status through the read-only Meraki Dashboard API.
Collect Cisco Umbrella DNS security policy, destination-list/blocklist, and roaming-client deployment evidence through the read-only Umbrella API.
Audit ClickUp workspace members and spaces as read-only project-management access-review and inventory evidence.
Audit Apache CouchDB cluster membership, admin configuration, anonymous-access settings, and per-database security docs through read-only REST calls.
Audit CrateDB user inventory, privilege grants, and cluster node health through read-only SQL system queries.
Audit sensor coverage, reduced-functionality and stale hosts, and detections.
Upload a CSV export (users, devices, access grants). Each row becomes evidence; an optional column drives the pass/fail verdict.
Audit monitor coverage, log retention, audit-trail readability, and users.
Audit Deel global payroll/EOR worker roster as read-only HR access-review and offboarding evidence.
Collect DocuSign envelope, template, user, and account evidence through read-only REST API endpoints.
Audit a DuckDB instance exposed via an HTTP query endpoint (e.g. a MotherDuck-compatible or self-hosted SQL-over-HTTP proxy) — not a local file. Checks attached-database read-only posture, external access / unsigned extension settings, and loaded extension inventory through read-only SQL introspection.
Collect F5 BIG-IP system readiness, licensing, provision status, and LTM virtual server configurations via the iControl REST API.
Collect firewall configuration, policies, system status, and system logs from Fortinet FortiGate devices via the FortiOS REST API.
Collect signature agreement, template, user, and transaction log evidence from standard e-signature REST endpoints.
Audit repository branch protection, visibility, and member 2FA.
Audit group 2FA enforcement, protected branches, MR approvals, and CI/CD secrets.
Audit project IAM, service-account keys, Cloud Storage, and log sinks.
Audit users, 2-step verification, super admins, and OAuth app grants.
Audit Greenhouse recruiter/hiring-manager accounts and live job postings as read-only HR/ATS access-review and hiring-pipeline evidence.
Collect Gusto HR roster and termination evidence through documented read-only API endpoints.
Audit HiBob HR roster (active/terminated workers, hire and termination dates) as read-only access-review and offboarding evidence.
Point at any evidence-producing JSON API: base URL + auth header + read-only endpoints with JSON-path assertions. Each endpoint becomes evidence.
Push normalized compliance evidence to us from approved n8n, Zapier, Make, or CI workflows. We mint a secret URL; POST normalized JSON and it lands as evidence.
Connect cloud, identity, code, HR, observability, and security systems for evidence.
Collect Jamf device inventory and compliance evidence through read-only Jamf Pro API endpoints.
Collect Jenkins job, node, controller, and plugin evidence through read-only JSON API endpoints.
Collect Jira project and change-ticket evidence through read-only Jira REST endpoints.
Collect user, group, and managed-system evidence from JumpCloud read APIs.
Audit Justworks PEO/HR employee roster as read-only access-review and offboarding evidence: active worker hire dates and terminated worker termination dates.
Collect Kandji device and blueprint evidence through read-only Kandji API endpoints.
Collect security awareness training and phishing simulation evidence from KnowBe4 read APIs.
Audit Lever recruiting/hiring team accounts and published job postings as read-only access-review and offboarding evidence.
Collect Linear team and issue evidence through the Linear GraphQL API.
Collect Azure subscription and posture evidence through read-only Azure Resource Manager endpoints.
Collect Microsoft Defender alert, incident, secure score, and device evidence through Microsoft Graph security endpoints.
Collect directory, role, and policy evidence through Microsoft Graph read-only endpoints.
Collect managed-device, enrollment-summary, and compliance-policy evidence through Microsoft Graph Intune endpoints.
Connect an evidence-producing OAuth2 SaaS via authorization-code flow; read a userinfo/resource endpoint as evidence. Env-gated per provider.
Audit active users for MFA enrollment and offboarding gaps.
Audit OmniHR (APAC HRIS) employee roster as read-only HR access-review and offboarding evidence.
Collect user, role, and application-assignment evidence from OneLogin APIs.
Collect indicator, report, malware, and attack pattern evidence from OpenCTI via read-only GraphQL API queries.
Audit Oracle Database account status, audit/login parameters, and DBA role grants through ORDS read-only SQL metadata queries.
Audit escalation policies, on-call coverage, and incident-response readiness.
Audit Personio HR roster (active/inactive employees, hire and termination dates) as read-only access-review and offboarding evidence.
Audit Postgres security settings, role inventory, and database inventory through read-only SQL metadata queries.
Collect Qualys asset, detection, and vulnerability scan evidence through read-only Qualys API endpoints.
Audit QuestDB table durability (WAL), partitioning hygiene, and server configuration through read-only HTTP query endpoints.
Collect Rapid7 InsightVM asset and vulnerability evidence through read-only API endpoints.
Collect threat intelligence alerts, IP, domain, and hash risk lists from Recorded Future API.
Audit Redis authentication, TLS, persistence, and ACL posture through read-only RESP commands.
Audit HR roster, employment status, and offboarding dates.
Collect SentinelOne agent and threat evidence through management-console API endpoints.
Collect change-request and incident evidence through ServiceNow Table API endpoints.
Audit Shortcut member accounts and projects as read-only project/issue-tracking access-review and workspace inventory evidence.
Collect SignNow document, template, user, and folder evidence through read-only REST API endpoints.
Collect Slack workspace, user, and channel evidence through read-only Slack Web API endpoints.
Collect Snowflake access, role, and configuration evidence through the documented Snowflake SQL API.
Audit open vulnerabilities by severity, license issues, and scan recency.
Collect Splunk index, data-input, and saved-search evidence through management API endpoints.
Audit SurrealDB namespace/database configuration and table permissions through read-only SurrealQL introspection queries.
Audit TimescaleDB security settings, hypertable compression, and retention policies through read-only SQL metadata queries.
Audit Trello workspace membership and board inventory as read-only Kanban/task-management access-review and change-management evidence.
Collect Workday worker, organization, role, and termination-feed evidence through customer-configured read-only API endpoints.
Audit JetBrains YouTrack user accounts and project inventory as read-only issue-tracker access-review and workspace evidence.
Audit Zoho Desk agent roster and department inventory as read-only helpdesk access-review evidence.
How to run a documented access review that stands up as evidence.
Evidence and approvals to prepare before an audit kickoff.
Scanner benchmarks and how to interpret public trust signals.
SPF, DKIM, DMARC, CAA, and related domain hygiene guidance.
Answer a few questions to get a recommended starting framework, an honest readiness estimate, and a real step-by-step roadmap.
Generate a starter security policy draft in seconds — Information Security, Access Control, Acceptable Use, Incident Response, Data Retention, or Vendor Management.
Prepare approved sources for faster security questionnaire answers.
Practical guides for audit readiness, security reviews, access reviews, and scanner fixes.
How to fix common findings from the free website trust scan.
Estimate a rough engineering-hours range and see the real readiness journey for SOC 2 or ISO 27001.
What to extract from vendor security documents and how to rate risk.
A neutral buyer guide for comparing GRC platforms and their capabilities.
How to evaluate compliance platforms before choosing one.
Public-source comparison of GRC Oversight and Anecdotes.
Public-source comparison of GRC Oversight and AuditBoard.
Public-source comparison of GRC Oversight and Bastion.
Public-source comparison of GRC Oversight and Comp AI.
Public-source comparison of GRC Oversight and Conveyor.
Public-source comparison of GRC Oversight and Cypago.
Public-source comparison of GRC Oversight and Drata.
Public-source comparison of GRC Oversight and Hyperproof.
Public-source comparison of GRC Oversight and OneTrust.
Public-source comparison of GRC Oversight and SafeBase.
Public-source comparison of GRC Oversight and Scytale.
Public-source comparison of GRC Oversight and Secureframe.
Public-source comparison of GRC Oversight and Sprinto.
Public-source comparison of GRC Oversight and Strike Graph.
Public-source comparison of GRC Oversight and Thoropass.
Public-source comparison of GRC Oversight and TrustCloud.
Public-source comparison of GRC Oversight and UpGuard.
Public-source comparison of GRC Oversight and Vanta.
Public-source comparison of GRC Oversight and VComply.
Public-source comparison of GRC Oversight and Whistic.
A periodic, documented check that every user's access to a system is still appropriate for their current role — also called a user access review (UAR).
Business Associate Agreement — a contract required under HIPAA between a covered entity and any vendor that handles protected health information on its behalf.
Consensus Assessments Initiative Questionnaire — a standardized cloud security questionnaire published by the Cloud Security Alliance, paired with the CSA STAR registry.
Running tests on a schedule so configuration drift surfaces between audits, not at audit time.
An objective within a framework (e.g. SOC 2 CC6.1) that you must satisfy and prove.
The named individual accountable for a control's operation and evidence — who an auditor or reviewer would ask if something looks wrong.
Reusing one passing test across the multiple frameworks whose requirements it satisfies.
Data Processing Agreement — a contract required under GDPR (and similar laws) between a data controller and a processor, governing how personal data is handled.
The artifact backing a test result, carrying a timestamp, source system, and content hash.
A U.S. government program standardizing security assessment, authorization, and monitoring for cloud services used by federal agencies.
Definitions for compliance, risk, trust, and security review terms.
A certifiable framework (the HITRUST CSF) widely used in healthcare that harmonizes controls from HIPAA, ISO 27001, NIST, and other sources.
Information Security Management System — the overall management structure (policies, risk process, roles, continual improvement) that ISO 27001 certifies.
An international standard specifying requirements for an Information Security Management System (ISMS), with certification issued by accredited bodies.
Model Context Protocol — the open standard that lets AI clients like Claude and Cursor call your tenant's tools.
Plan of Action and Milestones — a formal, tracked remediation plan for a known control gap or weakness, with owners and target dates.
The finest-grain obligation inside a control — the level at which mapping happens so one test can serve many frameworks.
The risk that remains after controls and mitigations have been applied — as opposed to inherent risk, which is the risk before any mitigation.
A form a prospective or existing customer sends asking about your security and compliance practices, often as a gate before signing or renewing a contract.
Standardized Information Gathering questionnaire — a widely used, standardized third-party risk assessment questionnaire published by Shared Assessments.
An AICPA audit report on a service organization's controls over security, availability, processing integrity, confidentiality, and privacy.
System Security Plan — a document describing a system's boundaries, the controls it implements, and how each control is satisfied.
An automated or manual check that produces a pass/fail result against a requirement.
A public page sharing your security posture and NDA-gated documents to shorten customer reviews.
Trust Services Criteria — the AICPA criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) that a SOC 2 report is evaluated against.
The process of evaluating a third-party vendor's security posture (often via their SOC 2 report or a questionnaire) before and during the relationship.
Product and site updates for GRC Oversight.
Contact GRC Oversight.
Customer-facing information without invented logos or claims.
Request a GRC Oversight demo.
Run a passive security, privacy, and accessibility scan for any public website.
Current status for the web app, API, scanner, trust center, assistant, and connector surfaces.
Build your own plan by frameworks activated and integrations connected, with unlimited seats.
Current and planned product direction.
A human-readable index of public GRC Oversight pages.
Public trust and security profile for GRC Oversight.
Privacy policy for GRC Oversight.
Methodology, scope, and limits for the public website trust scanner.
How GRC Oversight handles security and trust.
Terms of service for GRC Oversight.