Question 1

How do I create an account on GRCEye?

Accepted Answer

Click 'Get started free' and fill in your name, email, organization name, and a unique slug. You'll get instant access to the full platform for 14 days — no credit card required.

Question 2

Can I import my existing data?

Accepted Answer

Yes. GRCEye supports CSV import for risks, vendors, and assets. Each import provides a detailed error report so you can fix mismatches before re-uploading.

Question 3

What roles are available for my team?

Accepted Answer

GRCEye has 9 built-in roles: Tenant Admin, CISO, Risk Manager, Compliance Manager, Policy Manager, Vendor Manager, Control Owner, Auditor, and Viewer. Each role has tailored access to the relevant modules.

Question 4

How does the multi-tenant setup work?

Accepted Answer

Each organization gets its own isolated tenant. Your data, users, frameworks, and configurations are completely separate from other tenants on the platform.

Question 5

What does the Risk Register include?

Accepted Answer

The risk register supports full CRUD operations with likelihood × impact scoring on a configurable 5×5 matrix. Each risk has a severity classification, owner, next-review date, treatment plan, and full activity history.

Question 6

What is Risk Quantification?

Accepted Answer

GRCEye includes a Monte Carlo simulation engine (10,000 iterations) that produces ALE (Annual Loss Expectancy), SLE (Single Loss Expectancy), P90, and P95 values — turning qualitative risk scores into financial figures for executive reporting.

Question 7

Can I build custom risk matrices?

Accepted Answer

Yes. You can create custom probability/impact scales (3×3, 5×5, or any custom size) with your own labels, colors, and score mappings. Custom matrices apply to your risk register and heatmap.

Question 8

What are Risk Scenarios?

Accepted Answer

Risk Scenarios let you model Threat → Vulnerability → Asset → Control chains. Each scenario tracks current and target probability/impact, linking directly to your asset inventory and applied controls.

Question 9

How many frameworks does GRCEye support?

Accepted Answer

GRCEye includes 76 built-in frameworks: ISO 27001:2022, SOC 2, GDPR, NIS2, DORA, AI Act, NIST CSF 2.0, NIST 800-53 Rev5, PCI DSS 4.0, HIPAA, CIS Controls v8, MITRE ATT&CK, and many more.

Question 10

Can I customize a built-in framework?

Accepted Answer

Yes. Use the 'Customize' button on any built-in framework to fork it into a fully editable tenant copy. You can rename the framework, add, edit, or delete controls, and manage parent/child control relationships. Built-in frameworks remain read-only.

Question 11

Can I build a completely custom framework?

Accepted Answer

Yes. The Custom Framework Builder lets you create a framework from scratch by combining controls from any existing frameworks and adding your own. The AI can suggest relevant controls based on your industry and region.

Question 12

How does evidence upload work?

Accepted Answer

Each control in an assessment has a dedicated evidence section. You can upload files, add justification text, and mark visibility for auditors. Evidence is versioned and linked to specific controls across assessments.

Question 13

What is the Cross-Framework Coverage view?

Accepted Answer

The coverage view shows how your compliance effort maps across multiple frameworks simultaneously — identifying which controls satisfy requirements in more than one framework, so you avoid duplicating work.

Question 14

What does the Audit module cover?

Accepted Answer

Audit Management covers the full audit lifecycle: planning, control assignment, checklist execution, finding creation, remediation tracking, and final report generation. Supports internal and external audit types.

Question 15

How do auditor accounts work?

Accepted Answer

Auditors have a dedicated portal scoped to their assigned assessments only. They can view evidence, upload documents, and record findings — without access to the rest of the platform. Tenant admins create and manage auditor accounts.

Question 16

Can I assign auditors to specific assessments?

Accepted Answer

Yes. From the Company Admin panel, you can assign any auditor account to one or more compliance assessments. Auditors only see the assessments they are assigned to.

Question 17

What is the Audit Checklist?

Accepted Answer

Each assigned audit has a control checklist where the auditor can mark controls as compliant, non-compliant, or not applicable, attach evidence, and create findings with severity ratings (critical, high, medium, low, informational).

Question 18

How does the AI Document Generator work?

Accepted Answer

The Document Generator uses your local AI to produce complete, ready-to-adopt GRC documents (29 types across 4 categories) tailored to your organization's name, industry, size, country, and selected compliance frameworks. Generated documents auto-save as drafts.

Question 19

What document types are available?

Accepted Answer

29 document types across 4 categories: Foundation (Information Security Policy, ISMS Scope, SoA, etc.), Security Policies (Access Control, BYOD, Cryptography, etc.), Procedures (Incident Response, Change Management, etc.), and Plans (BCP, DRP, IRP, etc.).

Question 20

Does GRCEye support policy versioning?

Accepted Answer

Yes. Every policy has a full version history. You can create new versions, mark them as current, and track who authored and approved each version. Employees can be sent attestation requests to formally acknowledge policies.

Question 21

What are Policy Attestations?

Accepted Answer

Attestations allow you to send formal acknowledgement requests to employees for any policy. Recipients can acknowledge or reject. The platform tracks response status and sends reminders for overdue attestations.

Question 22

What does the TPRM module include?

Accepted Answer

Vendor Risk Management covers vendor onboarding with risk tiers (critical/high/medium/low), contract upload and AI review, a 6-dimension risk cartography heatmap, AI-powered prescreening questionnaires, and contract versioning with CISO approval workflows.

Question 23

How does AI contract review work?

Accepted Answer

Upload a vendor contract and the AI performs a structured 6-section analysis: identifying risky clauses, suggesting fixes, flagging data processing terms, liability gaps, and SLA issues — all streamed in real time.

Question 24

What is the Vendor Prescreen Questionnaire?

Accepted Answer

Before onboarding a vendor, you can run a 15-question AI prescreening. The AI analyzes the responses and produces a risk summary with a recommendation to proceed, review, or reject the vendor.

Question 25

What is the Risk Cartography view?

Accepted Answer

The Risk Cartography view plots each vendor on a 6-dimension heatmap covering data access, financial exposure, operational dependency, regulatory risk, geographic risk, and reputational risk — giving you a visual picture of your supply chain risk.

Question 26

Is the AI processing local or cloud-based?

Accepted Answer

All AI processing runs on your self-hosted LLM inside your own infrastructure using Ollama. No contract text, personal data, policy content, or sensitive information is ever transmitted to external AI providers — zero data egress, full privacy.

Question 27

What does the GRC AI Assistant do?

Accepted Answer

The AI Assistant is a context-aware compliance chat interface trained for GRC work. It answers questions on ISO 27001, SOC 2, GDPR, NIS2, DORA, and more — helping you draft controls, interpret requirements, prepare for audits, and get instant expert guidance without leaving the platform.

Question 28

How does AI-powered document generation work?

Accepted Answer

The Document Generator uses your private LLM to produce 29 types of GRC documents — Information Security Policy, ISMS Scope, BCP, DRP, Incident Response Plan, Access Control Policy, and more. You provide your organization name, industry, size, country, and target frameworks, and the AI writes a complete, audit-ready document tailored to your context. Documents stream in real time and auto-save as drafts.

Question 29

What is AI Contract Review and why does it matter?

Accepted Answer

When you upload a vendor contract, the AI performs a structured 6-section analysis: it identifies risky clauses, flags data processing terms, spots SLA gaps, detects liability imbalances, and suggests specific fixes — all streamed live. This replaces hours of manual legal review and surfaces issues that are easy to miss when processing many contracts.

Question 30

How does AI Vendor Prescreening work?

Accepted Answer

Before onboarding a new vendor, you can trigger a 15-question AI prescreening questionnaire. The AI analyzes the vendor's responses holistically and produces a risk recommendation: proceed, review further, or reject — saving your team from evaluating low-quality vendors manually.

Question 31

Can AI help with compliance gap analysis?

Accepted Answer

Yes. The Compliance module uses AI to analyze each framework control against your stated implementation status. It estimates an AI confidence score, identifies gaps, and generates specific remediation steps — turning a manual review that takes days into an automated analysis that runs in minutes.

Question 32

Can AI suggest controls for a custom framework?

Accepted Answer

Yes. The Custom Framework Builder includes an AI control suggestion engine. You describe your industry, region, and compliance objectives, and the AI recommends relevant controls drawn from any of the 76 built-in frameworks — saving you from building frameworks from scratch.

Question 33

Is GRCEye aligned with the EU AI Act?

Accepted Answer

GRCEye's AI features are designed with the EU AI Act in mind: AI is used only as an advisory layer (humans make all final decisions), all AI processing is on-premise (no third-party AI providers), and the AI module is fully auditable within the platform's activity log.

Question 34

Does using the AI expose our sensitive data to third parties?

Accepted Answer

No. GRCEye runs AI entirely on your own infrastructure via Ollama. Your policy content, contract clauses, vendor data, and compliance details never leave your servers. This is a core architectural decision — not a checkbox — and it makes GRCEye suitable for highly regulated industries where data sovereignty is non-negotiable.

Question 35

Is GRCEye GDPR compliant?

Accepted Answer

Yes. GRCEye supports GDPR breach notification workflows, DPA templates, and data subject request tracking. The platform itself is designed with privacy-by-design principles — including local AI processing that ensures no personal data is sent to external AI providers.

Question 36

What security features does GRCEye include?

Accepted Answer

GRCEye includes role-based access control (9 roles), JWT authentication with refresh tokens, API token management, multi-tenant data isolation, activity logging for all user actions, and configurable webhooks for outbound security events.

Question 37

What types of reports does GRCEye generate?

Accepted Answer

GRCEye generates 5 automated PDF report types: Executive Summary, Risk Report, Compliance Report, Vendor Risk Report, and Audit Report. Reports are generated weekly or on-demand.

Question 38

What is the Trust Center?

Accepted Answer

The Trust Center is a public-facing compliance page you can configure and share with customers or auditors. It shows your compliance posture, active certifications, and security overview — without requiring them to log in.

Question 39

Does GRCEye support webhooks?

Accepted Answer

Yes. GRCEye supports 20+ outbound webhook event types (risk created, compliance gap found, contract expiring, etc.). You can configure webhook endpoints, test them with a ping, and view delivery logs.

Question 40

Can I export data from GRCEye?

Accepted Answer

Yes. You can export risks, vendors, assets, audits, policies, and compliance data as CSV files at any time. All exports are tenant-scoped and include all available fields.

Frequently Asked Questions

Getting Started

Risk Management

Compliance & Frameworks

Audit Management

Policy & Document Management

Vendor Risk (TPRM)

AI Capabilities

Security & Platform

Reporting & Integrations

Still have questions?