Governance · Risk · Compliance

Compliance automation and integrated risk management.

ezGRC is one platform for teams that have outgrown SOC-2-only tools but don't want a six-figure IRM suite. Internal audit, vendor & fourth-party risk, ESG, and business continuity — bundled with the compliance automation.

  • 41 frameworks pre-loaded
  • 6 ESG frameworks
  • 150+ policy, control & BCP templates
  • 40+ native integrations

The wedge

One platform where teams used to buy two.

The compliance-automation segment ships the cert. The enterprise-IRM segment ships the audit and risk modules. ezGRC ships both — under one contract, one user model, one set of evidence.

Compliance automation
What every SOC 2 tool sells
  • SOC 2
  • ISO 27001
  • Evidence collection
  • Control monitoring
+ Integrated risk management
The modules SOC-2-only tools don't ship
  • Internal audit
  • Audit planning
  • ESG reporting
  • Business continuity
  • 4th-party risk graph
  • Vendor risk

Why ezGRC

Five things the SOC-2-only vendors can't match.

Same packaging, more platform. Each of these ships in ezGRC and is absent — or a paid add-on — across the compliance-automation segment.

Internal audit + audit planning

Findings, workpapers, sampling plans, audit universe and calendar. Statistical sampling with confidence levels. The IRM module Vanta, Drata, and Secureframe do not sell.

ESG reporting across 6 frameworks

GRI, SASB, TCFD, CDP, UN SDGs, and EU CSRD with double-materiality support. Stakeholder mapping, ESG data points, and assurance provider workflows — out of the SOC 2 tool conversation entirely.

Fourth-party supply-chain graph

Vendor dependency mapping with external risk signals — ratings, sanctions, news, threat intel. Capability only the IRM suites carry.

Self-hosted private LLM option

Run the AI features on infrastructure you control. Evidence and prompts never leave your tenant. AI proxy setting at the org level — switch providers without touching code.

AI cost controls & usage tracking

Per-organization monthly token budgets with warning thresholds and hard stops. Estimated USD spend, model-level breakdown, and per-job token accounting — built for procurement teams that will soon require it.

Capabilities

Everything inside ezGRC.

Each module is in production — not on a roadmap slide.

Compliance automation

Multi-framework controls, continuous monitoring, and evidence on a schedule.

Continuous control monitoring
Anomaly detection on control state, evidence freshness/decay engine with SLA tracking, auto-link evidence to controls via mapping rules.
Automated evidence collection
Scheduled pulls from cloud, identity, DevOps, MDM, and HR systems with change detection and alerts. Manual upload + S3-backed storage with presigned URLs.
Policy & control library
78 policy templates, 64 control templates (with paired test procedures), and 10 BCP / DR / BIA plan templates — all mapped to SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and more.
Inbound questionnaire AI auto-answer
Upload customer security questionnaires. AI proposes answers from your maintained Answer Library plus RAG over controls, policies, and evidence with confidence scores. Bulk accept ≥85% confidence; rejected drafts never enter the library.

Integrated risk management

The IRM depth that compliance-automation vendors don't ship.

Internal audit & audit planning
Finding workflow (draft → assigned → in_remediation → verified → closed), management responses, sampling plans, test procedures, workpapers, and a full audit universe / calendar.
Vendor & 4th-party risk
Security questionnaire builder, external vendor portal, document expiry tracking, SOC 2 report parser, contract & SLA management, and a fourth-party dependency graph.
ESG reporting & disclosure
Materiality matrix (double materiality for CSRD), stakeholder mapping, ESG data points, assurance providers, and report generation for GRI, SASB, TCFD, CDP, UN SDGs, EU CSRD.
Business continuity & incident
BIA, recovery objectives, plan documents, DR testing, plus an incident management module with linking back into controls and risk.

AI & intelligence layer

Pluggable provider (OpenAI, Anthropic, OpenRouter) — or your own private LLM.

Control & evidence intelligence
Multi-factor control effectiveness scoring, evidence quality assessment (completeness, relevance, clarity, coverage), gap detection, and audit-readiness predictions.
Self-hosted private LLM
Org-level AI proxy setting. Point at an internal endpoint and evidence, prompts, and embeddings stay inside the tenant. pgvector-backed RAG over your own data.
AI cost controls
Org-level monthly token budgets with warning thresholds and hard stops. Estimated USD spend, model-level breakdown, and per-job token accounting across AI insights, policy suggestions, and legislative impact analyses.
Visual workflow builder
Drag-and-drop with 20+ node types across triggers, actions, conditions, and integration calls. Versioning, encrypted secrets, variable resolution, and a worker-backed execution engine.

Audit & trust experience

Built for the people who actually consume your compliance program.

External auditor portal
Token-based access (no full-system login), curated evidence rooms, scoped requests and findings, time-limited tokens, and full IP/user-agent activity logging.
Public trust center
Branded, shareable page at /trust showing active frameworks, control posture, subprocessors, and documents. NDA self-serve gating issues time-limited download grants — every access logged.
Device / endpoint compliance
Endpoint inventory and posture (disk encryption, screen lock, OS patch, AV, firewall). Native Kandji sync; Jamf and Intune accepted as device sources for ingest. Matched to the HR roster by email; surfaces non-compliant devices per employee.
Access reviews
Periodic certification campaigns. Pull users from Okta, Google Workspace, Azure AD, and GitHub. Bulk approve/revoke with certification reports and access removal logging.

Frameworks

41 frameworks. Pre-loaded. Cross-mapped.

Requirements, controls, and cross-framework mappings ship with the platform — including a six-framework ESG library most GRC vendors don't carry.

Security & compliance

35 frameworks
  • SOC 2
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 27701
  • HIPAA
  • PCI DSS
  • GDPR
  • CCPA
  • SOX ITGC
  • NIST CSF
  • NIST 800-53
  • NIST 800-171
  • CIS Controls v8
  • CMMC
  • CSA STAR CCM
  • FedRAMP
  • StateRAMP
  • CJIS
  • IRS 1075
  • HITRUST CSF
  • FFIEC
  • GLBA
  • NERC CIP
  • TISAX
  • SWIFT CSP
  • NY DFS 500
  • UK Cyber Essentials
  • IRAP
  • MTCS (SS 584)
  • BSI C5
  • ENS
  • K-ISMS-P
  • PIPL
  • LGPD

ESG & sustainability

6 frameworks
  • TCFD
  • GRI Standards
  • SASB
  • CDP
  • UN SDGs
  • EU CSRD / ESRS

Custom framework authoring with CSV / JSON bulk import is bundled. Bring an internal control set or a regulator-specific framework that isn't on this list — author it once, map it across your existing controls.

Integrations

Pulls evidence from the systems you already run.

OAuth or API key, cron-driven sync, freshness-tracked output. No second agent if you already have MDM.

Cloud
  • AWS
  • Azure
  • Google Cloud
  • Kubernetes
Identity
  • Okta
  • Azure AD / Entra
  • Google Workspace
Source & DevOps
  • GitHub
  • Bitbucket
  • Azure DevOps
  • Jira
  • GitHub Actions
  • Jenkins
  • CircleCI
  • ArgoCD
Endpoint / MDM
  • Kandji (native sync)
  • Jamf (ingest)
  • Intune (ingest)
EDR
  • CrowdStrike
  • SentinelOne
  • Carbon Black
SIEM
  • Splunk
  • Elastic
  • Sumo Logic
CSPM
  • Wiz
  • Orca
  • Prisma Cloud
Vulnerability
  • Qualys
  • Tenable
  • Rapid7
  • Snyk
ITSM / On-call
  • ServiceNow
  • PagerDuty
  • Opsgenie
  • Zendesk
  • Freshservice
HR
  • Workday
  • BambooHR
  • ADP
  • Greenhouse
  • SAP SuccessFactors
Collaboration
  • Confluence
  • SharePoint
  • Box
  • Dropbox
  • Google Drive
Network
  • Palo Alto Networks
  • Zscaler

Deployment

Buy through AWS. Run your own LLM. Or both.

AWS Marketplace
Subscribe from the AWS console, draw down committed spend (EDP or Private Pricing), skip procurement review. Tenant auto-provisioned, admin invited by email.
Self-hosted private LLM
Org-level AI proxy setting. Point at an internal endpoint and evidence, prompts, and embeddings never leave your tenant. Use any provider — or run an open-weights model yourself.

Built on

A boring stack on purpose.

Rust on the hot path, Postgres for the system of record, and Meilisearch in front of evidence. Nothing exotic in the deployment that an operator hasn't shipped before.

API
Rust · Axum
Worker
Rust · background jobs
UI
Next.js · App Router
Database
PostgreSQL · pgvector
Cache / Queue
Redis
Search
Meilisearch
Storage
S3-compatible · presigned
Identity
TitaniumVault SSO

Get in touch

Ready to see your first framework live?

Most tenants get one framework live the same day they provision. Tell us your forcing function and we'll reverse-engineer the timeline.