Cross-domain correlation across controls, vendors, risks, and policies.
Internal posture and vendor posture share one graph. When a vendor has an incident, you see immediately which controls depend on them, which risks update, which policies cite them, and which evidence needs refreshing — without writing a query.
One graph. End-to-end traversal. No copy-paste between systems.
One unified data model
Controls, policies, vendors, risks, evidence, and assessments all reference each other on a single MongoDB data model. Add a control once and every record that depends on it knows.
- Controls ↔ policies ↔ evidence ↔ vendors ↔ risks
- Updated in one place, reflected everywhere
- No syncing, no duplicate records
Visualize the relationships
A Cytoscape-powered graph view shows how a single record connects to the rest of your program. Filter by relationship type, expand neighbors, and export to your audit package.
- Interactive relationship graph
- Filter by type and depth
- Export to PDF for examiner walkthrough
Effy uses it to explain answers
When Effy drafts a questionnaire response or scores a risk, it traverses the graph to find supporting evidence and shows you the reasoning trail. You don't have to trust the AI — you can verify the path.
- Explainable AI grounded in real relationships
- Citation trail follows graph edges
- Reviewer verifies, not just trusts
Three steps from setup to value.
Connect via one data model
Import controls, policies, vendors, risks, and evidence — they reference each other through the platform's shared data model. Cross-framework mappings populate automatically.
The graph builds itself
Every relationship between records becomes an edge in the graph. No manual linking, no maintenance — the graph is the data, not a separate view.
Query, visualize, or let Effy traverse
Use the visual graph for examiner walkthroughs. Query directly via the API. Or just ask Effy a question and it'll traverse the graph to answer with citations.
"When AWS had a regional outage, we knew within minutes which 23 vendors were affected, which 11 of our controls depended on those vendors, and which 4 risks needed status updates. We answered our regulator's inquiry the same day instead of taking a week."