Products · GRC

Run internal compliance on one data model.

Multi-framework support, continuous control monitoring, immutable evidence vault, and an AI-assisted policy lifecycle — all on the same platform that runs your vendor program.

What you get

Everything an internal GRC program needs.

Multi-framework, pre-seeded

Ten frameworks ship out of the box — SOC 2, ISO 27001:2022, HIPAA, NIST 800-53 Rev 5, NYDFS Part 500, and more. Add custom frameworks for sector-specific requirements.

  • 10 frameworks pre-seeded
  • Cross-framework control mapping
  • Custom framework support

Continuous control monitoring

The GRC Monitor Agent runs nightly health checks across control implementation, assessment SLAs, risk SLAs, policy currency, and evidence freshness — flagging drift before it shows up on a board report.

  • 5-dimension nightly health score
  • Anomaly detection on internal posture
  • Delta notifications on degradation

AI-assisted policy lifecycle

Effy drafts policies aligned to your controls, flags coverage gaps, and routes through approval. PolicyVersion records become immutable on publish — your auditor sees what was published, when, and by whom.

  • AI policy drafting + gap detection
  • Approval workflow built in
  • Immutable PolicyVersion on publish

How it works

Three steps from setup to value.

1. Pick your frameworks

Activate any of the 10 pre-seeded frameworks (SOC 2, ISO, HIPAA, NIST, NYDFS, etc.) or upload your own controls. Mappings auto-populate where overlaps exist.

2. Connect your evidence

Drop in your existing evidence — pen tests, certifications, screenshots. The vault indexes everything for AI retrieval and links artifacts to controls automatically.

3. Let Effy draft + monitor

Effy drafts policies to close coverage gaps, runs nightly health checks, and surfaces anomalies. Your team reviews and approves; the AI never approves on its own.

"We replaced two separate compliance tools and a spreadsheet. The fact that everything runs on one data model meant our SOC 2 audit prep took half the time."
Director of Compliance · Healthcare SaaS · 600 employees

Integrity stack

Enforced top-to-bottom in the data layer

  • 01 · AUDITOR role
    Read-only enforced in the database — not a UI permission toggle
  • 02 · Immutable PolicyVersion
    Locked at publish — drafts and approved-but-unpublished stay separate
  • 03 · Tenant isolation
    getGrcOrgFilter enforced server-side — query-level, not config
  • 04 · AuditLog + soft-delete
    Every mutation logged; audit-significant records never hard-deleted

Defensible to your examiner — not just your auditor

Defensible edge · Auditor-grade by architecture

Integrity is a property of the data layer, not a config setting.

Most platforms enforce auditor-grade behavior through RBAC configuration that admins can change. We enforce it architecturally — at the database query layer, in the schema, in the code path. An admin cannot accidentally weaken the guarantees, and an examiner can verify them in the codebase.

Most competitors implement this via RBAC settings that admins can mutate. Ours is structural — verified in the codebase, enforced server-side, immutable at the data layer.
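The four integrity-stack properties above (read-only AUDITOR role, immutable PolicyVersion on publish, query-level tenant filter, AuditLog with soft-delete) can be checked in code rather than in a settings screen. The following in-memory model is an added example written for this page, not the platform's own code: the names GrcStore, PolicyVersion, AuditEntry and getGrcOrgFilter are assumed shapes that only echo identifiers on the page, and the store stands in for the database layer that would enforce the same rules with roles, row filters and constraints.

```typescript
// Added illustration (not the platform's own code) of the four integrity-stack
// properties, modelled as an in-memory store. getGrcOrgFilter, PolicyVersion and
// AuditLog echo identifiers on the page; their shapes here are assumptions.

type Role = "ADMIN" | "EDITOR" | "AUDITOR";
type Status = "draft" | "approved" | "published";

interface Actor { id: string; orgId: string; role: Role }

interface PolicyVersion {
  id: string; orgId: string; policyId: string; version: number;
  body: string; status: Status; deletedAt?: string;
}

interface AuditEntry { actor: string; orgId: string; action: string; target: string; at: string }

class GrcStore {
  private versions: PolicyVersion[] = [];
  readonly auditLog: AuditEntry[] = [];

  // 03 Tenant isolation: every read goes through this org filter. It is derived
  // from the authenticated actor, so no caller can widen it from a config value.
  private getGrcOrgFilter(actor: Actor): (v: PolicyVersion) => boolean {
    return (v) => v.orgId === actor.orgId;
  }

  // 01 AUDITOR role: refused on every mutation path before any business logic,
  // the in-memory analogue of a database role that holds no write grant.
  private assertWriter(actor: Actor, action: string): void {
    if (actor.role === "AUDITOR") throw new Error(`AUDITOR is read-only: ${action} denied`);
  }

  // 04 AuditLog: every successful mutation appends an entry; nothing is ever removed.
  private log(actor: Actor, action: string, target: string): void {
    this.auditLog.push({ actor: actor.id, orgId: actor.orgId, action, target, at: new Date().toISOString() });
  }

  private get(actor: Actor, id: string): PolicyVersion {
    const v = this.versions.filter(this.getGrcOrgFilter(actor)).find((x) => x.id === id);
    if (!v) throw new Error(`PolicyVersion ${id} not found in org ${actor.orgId}`);
    return v;
  }

  list(actor: Actor, includeDeleted = false): PolicyVersion[] {
    return this.versions
      .filter(this.getGrcOrgFilter(actor))
      .filter((v) => includeDeleted || v.deletedAt === undefined);
  }

  createDraft(actor: Actor, policyId: string, body: string): PolicyVersion {
    this.assertWriter(actor, "createDraft");
    const version = this.list(actor, true).filter((v) => v.policyId === policyId).length + 1;
    const v: PolicyVersion = { id: `${policyId}-v${version}`, orgId: actor.orgId, policyId, version, body, status: "draft" };
    this.versions.push(v);
    this.log(actor, "createDraft", v.id);
    return v;
  }

  // 02 Immutable PolicyVersion: the body may change only while unpublished.
  // Changing a published policy means a new draft version, never an in-place edit.
  editBody(actor: Actor, id: string, body: string): void {
    this.assertWriter(actor, "editBody");
    const v = this.get(actor, id);
    if (v.status === "published") throw new Error(`PolicyVersion ${id} is published and immutable`);
    v.body = body;
    this.log(actor, "editBody", id);
  }

  approve(actor: Actor, id: string): void {
    this.assertWriter(actor, "approve");
    const v = this.get(actor, id);
    if (v.status !== "draft") throw new Error(`PolicyVersion ${id} is not a draft`);
    v.status = "approved";
    this.log(actor, "approve", id);
  }

  // Approved-but-unpublished stays distinct from published: only approved versions publish.
  publish(actor: Actor, id: string): void {
    this.assertWriter(actor, "publish");
    const v = this.get(actor, id);
    if (v.status !== "approved") throw new Error(`PolicyVersion ${id} must be approved before publish`);
    v.status = "published";
    this.log(actor, "publish", id);
  }

  // 04 Soft-delete: the record stays for the examiner; only the deletedAt marker is set.
  softDelete(actor: Actor, id: string): void {
    this.assertWriter(actor, "softDelete");
    const v = this.get(actor, id);
    v.deletedAt = new Date().toISOString();
    this.log(actor, "softDelete", id);
  }
}

// Returns true when the data layer refused the operation by throwing.
function denied(op: () => unknown): boolean {
  try { op(); return false; } catch { return true; }
}
```

The point of the model is that every guarantee lives in the store's methods, which are the only path to the data: an auditor cannot write, a published version cannot be edited, an actor from another org cannot see or touch a record, and a delete leaves the row and an audit entry behind. A reviewer verifies this by reading the code path, which is the examiner-facing property the page describes.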

Frameworks

Every framework your auditor asks for, pre-seeded.

Ten frameworks shipped out of the box, plus your own. Cross-framework control mapping reduces evidence collection across overlapping audits.

  • SOC 2 · Trust Services Criteria
  • ISO 27001 · Information Security 2022
  • NIST CSF · Cybersecurity Framework 2.0
  • NIST 800-53 · Rev 5 · 298 controls
  • CIS v8.1 · Critical Security Controls
  • PCI DSS · v4.0.1 · Card data protection
  • HIPAA · Security Rule · PHI
  • GDPR · EU personal data protection
  • NYDFS 500 · 23 NYCRR · NY financial
  • NYSDOH 405.46 · 10 NYCRR · NY hospital
  • Custom frameworks · Bring your own controls and evidence requirements.

See it run on your data.

30-minute walkthrough. No credit card.