GRCEye
AI that runs inside your infrastructure — not outside it

How GRCEye works — powered by AI

From vendor negotiations to board reports, AI is embedded in every step of your GRC programme. Here is exactly what it does, how it works, and what you get at each stage.

Six AI capabilities — all running on your own servers

Vendor AI Chat

Communicate with vendors and exchange contract drafts inside the platform — no email, no attachments.

Contract Review

Upload any contract and the AI returns a structured 6-section analysis with risk flags in minutes.

Document Generator

Generate any of 29 GRC document types — policies, procedures, plans — fully tailored to your org.

Gap Analysis

The AI reads your existing policies and maps every clause to the relevant framework controls automatically.

Vendor Prescreen

Before onboarding any vendor, the AI runs a 15-question risk questionnaire and scores the response.

GRC Assistant

Ask anything about your compliance programme in plain language and get instant, contextual answers.

Feature 01

Chat with your vendors — inside GRCEye

Vendor negotiations, contract exchanges, and approval workflows happen entirely inside the platform. No email threads. No lost attachments. Every message and version is logged automatically.

01

Invite vendor to a collaboration session

Vendor portal

From any vendor record, click Share and GRCEye generates a secure, expiring link. The vendor gets access to a scoped portal — no platform account needed.

02

Negotiate contracts inside the platform

Live collaboration

Both sides can annotate clauses, leave comments, and upload revised versions. Every exchange is timestamped and logged. No email threads, no version confusion.

03

AI flags risky clauses in real time

AI risk detection

As the contract evolves, the AI continuously flags liability gaps, missing SLA definitions, ambiguous data-handling clauses, and GDPR conflicts — before you sign.

04

CISO approves. Status updates automatically.

Approval workflow

When the final version is agreed, the vendor submission triggers the CISO approval workflow. One click to approve. The contract status updates everywhere in GRCEye.
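The "secure, expiring link" in step 01 is a bearer credential: whoever holds it can open the scoped portal until it expires, so it needs to be unforgeable, bound to one vendor and one contract, time-limited, and revocable. The following is an added example written for this page, not GRCEye's own implementation; it assumes a server-side secret key, HMAC-SHA256 over a URL-safe base64 body, and the claim names (vendor, contract, exp, nonce) chosen here. All identifiers are made up.

```python
"""Scoped, expiring vendor share link: issue and verify.

Added example for this page; it is not GRCEye's implementation. Assumptions:
a server-side secret key, HMAC-SHA256 over a URL-safe base64 body, and the
claims (vendor, contract, exp, nonce) chosen here. Identifiers are made up.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_share_token(secret: bytes, vendor_id: str, contract_id: str,
                      ttl_seconds: int, now: float | None = None) -> str:
    """Bind the link to one vendor, one contract and an expiry, then sign it."""
    now = time.time() if now is None else now
    claims = {
        "vendor": vendor_id,
        "contract": contract_id,
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(8),  # lets the server revoke one link without rotating the key
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def peek_claims(token: str) -> dict:
    """Decode the claims WITHOUT verifying them; use only after verify_share_token said ok."""
    return json.loads(_unb64(token.split(".", 1)[0]))


def verify_share_token(secret: bytes, token: str, vendor_id: str, contract_id: str,
                       now: float | None = None,
                       revoked: frozenset[str] = frozenset()) -> tuple[bool, str]:
    """Check signature first, then revocation, expiry and scope. Returns (ok, reason)."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return False, "malformed"
    try:
        given = _unb64(sig)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "malformed"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):  # constant-time; nothing is trusted before this
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if claims["nonce"] in revoked:
        return False, "revoked"
    if now >= claims["exp"]:
        return False, "expired"
    if claims["vendor"] != vendor_id or claims["contract"] != contract_id:
        return False, "wrong scope"  # a link for one vendor record must not open another
    return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: loaded from a secret store, not generated per run
    token = issue_share_token(key, "vendor-acme", "contract-0042", ttl_seconds=7 * 24 * 3600)
    print(f"https://grc.example.internal/portal?t={token}")
    print(verify_share_token(key, token, "vendor-acme", "contract-0042"))
    print(verify_share_token(key, token, "vendor-other", "contract-0042"))
```

Two design points matter in practice: the signature is checked before any other field is read, so an attacker cannot influence parsing with an unsigned body; and the nonce gives the server a handle to revoke a single leaked link by keeping a small deny-list, which a purely stateless signed token cannot do.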

Vendor Collaboration Portal

Acme Cloud Services · Contract v3 · Active

Y: Section 4.2 — data retention clause needs updating to 90 days per our GDPR DPA.
V: Updated. Also revised the liability cap in 8.1 — please review.
AI flag detected · Section 8.1: Liability cap of €50K is below threshold for a Critical-tier vendor. Suggest €250K minimum.
Y: Agreed — updating to €500K. Uploading v4 now.

Feature 02

AI contract review — from upload to approval in minutes

Upload any vendor contract and the AI produces a structured, 6-section risk analysis — flagging every problematic clause with its risk level and a plain-English explanation. No legal team required for initial screening.

Upload

Drag any PDF or DOCX contract into GRCEye. The AI parses the full document instantly — no character limits, no manual copy-paste.

AI analyses

The AI reads every clause and produces a structured report across 6 categories: Liability, Data Protection, SLA, Termination, IP & Confidentiality, and Regulatory Compliance.

Review flags

Each flagged clause is explained in plain English with the risk level (Critical / High / Medium) and a recommended action — not just a highlight.

CISO approves

The structured review is sent to the CISO for a single approve/reject decision. No back-and-forth. No interpreting raw legal text.

Sent to vendor

Once approved, the contract is shared back to the vendor directly through their collaboration portal. Full chain of custody — no email attachments.

Acme_Cloud_MSA_v4.pdf

AI review complete · 47 pages analysed · 3 flags

Data Protection · Critical
Section 4.2: No DPA reference. GDPR Art. 28 requires a Data Processing Agreement for all processors handling EU personal data.
→ Request DPA addendum before signing.

Liability · High
Section 8.1: Liability cap of €50K is disproportionate to contract value (€420K/year). Recommended minimum: €420K (1× annual value).
→ Negotiate cap to at least 1× annual contract value.

SLA & Uptime · OK
Section 6: 99.9% uptime SLA with 4-hour RTO and defined credit mechanism. Meets your DORA ICT continuity requirements.
→ No action required.

Feature 03

Generate any GRC document in seconds

Stop writing policies from scratch. The AI generates complete, audit-ready documents tailored to your organisation's industry, size, country, and active compliance frameworks — not a generic template.

1

Choose your document type

29 types across four categories: Foundation (security policies, risk policy), Security (incident response, access control, patch management), Procedures (GDPR, vendor risk), and Plans (BCP, DR, DORA ICT).

2

Set your organisation context

Four inputs: industry, company size, country, and active frameworks. That is all. The AI reads this context and writes a document specific to your regulatory environment — not a US startup template if you are a European FinTech.

3

AI streams output in real time

Watch the document write itself — character by character — so you can stop generation early if you want to redirect. A full 3,000-word policy typically takes under 30 seconds.

4

Save as Draft or Approve & Publish

One click to save as a versioned Policy record. The approval workflow routes it to the right reviewer. Once approved, send attestation requests to every employee — and track who has acknowledged it.

AI Document Generator

29 types available

Information Security Policy · Generating…
Risk Management Policy
Incident Response Plan
Business Continuity Plan
Data Protection Policy (GDPR)
Vendor Risk Management Policy
Access Control Policy
Patch Management Procedure
Acceptable Use Policy
Disaster Recovery Plan
AI Governance Policy (EU AI Act)
SOC 2 Readiness Checklist
ISO 27001 Statement of Applicability
DORA ICT Risk Policy
NIS2 Security Baseline

Live output preview

1. Purpose and Scope
This Information Security Policy establishes the security requirements for all information assets owned or managed by [Company]. It applies to all employees, contractors, and third-party vendors with access to company systems…

Feature 04

AI gap analysis — 6 weeks of manual review in a few hours

Upload your existing policies and procedures. The AI reads every document, maps each clause to the relevant framework controls, and produces a prioritised gap report — with plain-language explanations and draft remediation steps.

Upload once, cover all frameworks

Evidence uploaded against one control is automatically applied to every mapped control across all active frameworks. Upload your Access Control Policy once and GRCEye marks it against ISO 27001, SOC 2, and GDPR simultaneously.

AI reads and classifies

Each document is processed by the AI against the full control set. It reads clause-by-clause, identifies relevant controls, and assigns a confidence score to each mapping — so you know which mappings to review first.

Gaps prioritised by severity

Missing controls are rated Critical, High, or Medium with AI-generated remediation steps. The report is ready in hours — not the 6–8 weeks a manual assessment would take.

ISO 27001:2022 — Gap Analysis Report

4 Critical · 12 High · 23 Medium · 57 OK

A.8.8

Critical

Management of technical vulnerabilities

No formal vulnerability management programme documented. CVE tracking is informal.

→ AI suggestion: Document a vulnerability management policy and track identified vulnerabilities (by CVE) in the platform.

A.5.23

High

Information security for use of cloud services

Cloud provider SLAs are not reviewed against security requirements annually.

→ AI suggestion: Add annual cloud provider review to vendor management programme.

A.6.3

Medium

Information security awareness, education and training

Training records exist but are not formally tracked against the full employee population.

→ AI suggestion: Use the Policy Attestation module to record and track annual training completion.

Feature 05

AI vendor prescreening — before you sign anything

Before onboarding any third-party vendor, the AI runs a 15-question security questionnaire, analyses the responses, calculates a risk score and tier, and flags specific concerns — so your security team reviews risk-ranked vendors, not raw questionnaire answers.

15 targeted questions

Covering data handling, access controls, incident response capability, certifications held (ISO/SOC 2), sub-processor disclosure, and GDPR/DORA alignment.

AI-scored response

Each answer is assessed for completeness, consistency, and red flags. The AI assigns a 0–100 risk score and maps the vendor to a tier: Critical, High, Medium, or Low.

Specific risk flags surfaced

Rather than a single score, the AI identifies which specific areas are concerning — e.g., 'No documented incident response plan' — so reviewers know exactly where to dig.

Feature 06

Ask the GRC AI assistant anything

The built-in GRC assistant answers questions about your compliance programme, frameworks, and risk posture in plain language — instantly. No Googling regulation text, no waiting for a consultant.

Q

What's the difference between ISO 27001 and NIS2 for my FinTech?

ISO 27001 is a voluntary certification you pursue to demonstrate ISMS maturity to customers and partners. NIS2 is an EU legal obligation enforced by national authorities; for essential entities, non-compliance carries fines of up to €10M or 2% of global annual turnover, whichever is higher (financial entities in scope of DORA follow DORA's rules instead of NIS2's). For a FinTech, you likely need both: ISO 27001 to win enterprise deals, NIS2 or DORA to operate legally within the EU.

Q

How many ISO 27001 controls do we currently have evidence for?

Based on your active assessment, you have evidence uploaded for 67 of 93 Annex A controls (72%). 8 controls are marked Critical-gap with no evidence. Would you like me to list the open critical controls?

Q

What does DORA require for third-party ICT risk?

Under DORA Articles 28–30, you must: (1) maintain a register of information on all ICT third-party arrangements, (2) classify them by whether they support critical or important functions, (3) include mandatory contractual clauses on audit and access rights and exit strategies, and (4) conduct at minimum annual risk assessments of critical providers. GRCEye's vendor module covers all four requirements.

GRC AI Assistant

Hello! I can answer questions about your compliance programme, frameworks, risks, vendor status, and any GRC topics. What would you like to know?
What's our current compliance score across all frameworks?
Across your 3 active frameworks:
ISO 27001: 72% · SOC 2: 84% · GDPR: 61%
Your lowest area is GDPR — 8 critical gaps remain open. The most pressing is Article 30 (Records of Processing Activities). Assign it?

Common question types

Framework differences · Control status · Gap counts · Vendor risk tiers · Regulation deadlines · Policy review dates · Audit findings · Risk scores

AI embedded across every part of GRCEye

This is not a chatbot bolted on as an afterthought. AI is the execution layer of the entire platform.

Risk Management

A 10,000-iteration Monte Carlo simulation runs in seconds and quantifies risk in euros (SLE, ALE, P90, P95), so the board sees financial exposure, not just a red square on a heatmap.
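To make the four figures above concrete, here is an added example of the kind of simulation that produces them. It is written for this page and is not GRCEye's own code; it assumes a common model (event frequency per year drawn from a Poisson distribution, loss per event from a lognormal fitted to an analyst's median and 90th-percentile estimates) and a constructed ransomware scenario for its inputs. SLE is the mean single-event loss, ALE the mean annual loss, and P90/P95 are percentiles of the simulated annual loss.

```python
"""Monte Carlo loss quantification: SLE, ALE, P90 and P95 in euros.

Added example for this page, not GRCEye's own code. Inputs are assumed to be
two expert estimates per scenario (the median single-event loss and its 90th
percentile) plus an expected event frequency per year.
"""
from __future__ import annotations

import math
import random
import statistics

Z90 = 1.2815515655446004  # standard-normal 90th percentile


def fit_lognormal(median: float, p90: float) -> tuple[float, float]:
    """Convert (median, 90th percentile) of a loss estimate into lognormal mu, sigma."""
    if median <= 0 or p90 <= median:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90  # p90 = exp(mu + Z90 * sigma)
    return mu, sigma


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the low event rates typical of risk scenarios."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list[float], q: float) -> float:
    """Nearest-rank percentile of an already sorted list."""
    idx = max(0, min(len(sorted_values) - 1, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def analytic_expectations(events_per_year: float, loss_median: float, loss_p90: float) -> dict:
    """Closed-form SLE and ALE for the same model, used to sanity-check the simulation."""
    mu, sigma = fit_lognormal(loss_median, loss_p90)
    sle = math.exp(mu + sigma ** 2 / 2)  # mean of a lognormal
    return {"sle": sle, "ale": events_per_year * sle}


def quantify_risk(events_per_year: float, loss_median: float, loss_p90: float,
                  iterations: int = 10_000, seed: int = 2024) -> dict:
    """Simulate `iterations` years; frequency ~ Poisson, loss per event ~ lognormal."""
    rng = random.Random(seed)
    mu, sigma = fit_lognormal(loss_median, loss_p90)
    annual, per_event = [], []
    for _ in range(iterations):
        losses = [rng.lognormvariate(mu, sigma) for _ in range(poisson(events_per_year, rng))]
        per_event.extend(losses)
        annual.append(sum(losses))
    annual.sort()
    return {
        "sle": statistics.fmean(per_event) if per_event else 0.0,  # single loss expectancy
        "ale": statistics.fmean(annual),                           # annualised loss expectancy
        "p90": percentile(annual, 0.90),                           # 1-in-10 bad year
        "p95": percentile(annual, 0.95),                           # 1-in-20 bad year
        "p_zero_loss": sum(1 for x in annual if x == 0.0) / iterations,
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware on a file server, ~2 incidents/year,
    # median loss EUR 50K, 1-in-10 chance an incident exceeds EUR 150K.
    result = quantify_risk(2.0, 50_000, 150_000)
    for key, value in result.items():
        if key == "p_zero_loss":
            print(f"{key:>12}: {value:.1%}")
        else:
            print(f"{key:>12}: EUR {value:,.0f}")
```

The reason to show P90 and P95 next to ALE is that ALE alone hides the tail: a scenario with a modest expected loss can still have a P95 several times higher, and it is the tail, not the mean, that a board needs to decide on insurance limits or capital reserves. The closed-form `analytic_expectations` is there so the simulated ALE can be checked against the model rather than trusted blindly.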

Compliance Assessments

Batch AI assessment maps all your uploaded documents to every control in a framework simultaneously. A full ISO 27001 gap analysis that used to take 6–8 weeks now takes hours.

Vendor Prescreening

Before any vendor is onboarded, the AI asks 15 targeted security questions, scores the answers, calculates a risk tier, and flags specific concerns for the security team to review.

Regulatory Monitoring

When a new regulation or framework update is published, the AI analyses its requirements, maps them to your existing controls, and surfaces the delta so your team knows exactly what changed.

Policy Generation

29 document types generated from a 4-field context form — industry, company size, country, active frameworks. The AI tailors every sentence. Output is audit-ready, not a generic template.

Your Infrastructure

Every AI feature — chat, document gen, contract review, gap analysis — runs on Ollama inside your own servers. Zero data egress. Suitable for air-gapped and EU-only environments.

On-premise AI

Your data never leaves your infrastructure

Every AI feature in GRCEye runs on Ollama, an open-source local LLM runtime, deployed inside your own servers or private cloud. No API calls to OpenAI, Anthropic, or any third party. Your contracts, policies, vendor responses, and compliance data stay where they belong: with you. Because the Ollama API listens on a local port (11434 by default), you can enforce and verify this with your own egress firewall rules rather than take it on trust.

Zero data egress
On-premise LLM
EU AI Act aligned
Air-gap capable
GDPR compliant by design
No vendor lock-in

0 bytes

Sent to external AI providers

100%

Runs on your infrastructure

EU AI Act

Articles 9–12 aligned governance

"The AI contract review caught a missing DPA clause that our legal team had missed in three rounds of manual review. That one flag alone justified the platform cost for the year."

Thomas R.

CISO, Series C FinTech — Frankfurt

"We generated all 29 GRC documents in an afternoon. Tailored to our industry, our frameworks, our country. That would have been weeks of consulting fees with our previous approach."

Amira K.

Head of Compliance, SaaS Scaleup — Paris

See the AI in action — in your browser, in 2 minutes

Start a free 14-day trial. No credit card. No setup. Full AI access from day one — document generation, contract review, gap analysis, and vendor chat all included.