Capabilities

Everything a GRC programme needs, none of the spreadsheet glue.

Atitic ships as one product – every module talks to every other module. No exports, no reconciliation. Pick a framework and start.

Frameworks out of the box

Pre-loaded catalogues. Adopt in a single click; requirements become trackable rows you can own and link.

GDPR

RoPA, DPIA, breach notifications, DSAR register, controller/processor model, retention schedules.

NIS2

Cybersecurity risk management, incident reporting timelines, supply-chain due diligence, governance attestations.

DORA

ICT third-party register (Art. 28), operational resilience, threat-led testing, ICT incident classification.

ISO 27001

Annex A controls mapped to evidence and policies. Use alongside GDPR/NIS2 to avoid double work.

EU AI Act

Risk classification (unacceptable / high-risk / limited / minimal), high-risk system obligations, GPAI documentation, transparency notices, post-market monitoring.

SOC 2

Trust services criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) mapped to your controls, evidence, and continuous monitoring cadence.

Custom frameworks

Import your sector-specific framework as a YAML catalogue and treat it the same as ours.

Cross-framework reuse

One policy or piece of evidence can satisfy GDPR, NIS2 and ISO 27001 at once. You write it once.

Core modules

The day-to-day of a compliance programme – built in, not bolted on.

Policy lifecycle

Draft, review, publish, version. Acknowledgement tracking per employee with reminders. Each policy can be attached to any number of framework requirements.

Evidence library

Object-storage backed. Upload once, link to any requirement, risk or task. Versioned with audit chain so an auditor can answer 'what did this evidence look like in March?'.

Risk register

Inherent / residual scoring, treatment plans, owners, review cadence. Risks link to the requirements they affect and the controls that mitigate them.

RoPA + DPIA

Records of processing and impact assessments are first-class objects, not Word docs. Reusable processor catalogue, transfer mechanisms, DSR-impact tracking.

Breach + DSAR registers

Clock-aware: a breach record starts a 72-hour timer; a DSAR starts a 30-day timer. Visible at a glance with audit log behind every state change.

ICT third-party register

DORA Art. 28 register with criticality classification, exit strategy, sub-contractor chain, contractual safeguards.

AI + automation

Used where it's safe and useful – never where a human signature is needed.

AI-suggested evidence

Point at a document source you already use. The ingestor reads the documents, proposes which framework requirements they satisfy, and a human approves before anything is linked.

Cloud posture ingest

AWS / Azure / GCP control checks pulled in as evidence rows, refreshed on a schedule, attached to the right requirements automatically.

Status suggestions

When a requirement has published policy + evidence, the system suggests marking it Implemented. The suggestion is never auto-applied – you decide.

Connects to what you already run

Point Atitic at your existing tools. Native adapters, no custom middleware.

Document sources for AI evidence ingest

  • Amazon S3
  • Azure Blob Storage
  • Google Cloud Storage
  • Microsoft SharePoint
  • Atlassian Confluence Cloud
  • Azure DevOps Wiki

Cloud posture

  • Amazon Web Services
  • Microsoft Azure
  • Google Cloud Platform

Tickets and workflow

  • Atlassian Jira (bidirectional)
  • ServiceNow (bidirectional)

Identity

  • OIDC – Microsoft Entra ID
  • OIDC – Google Workspace
  • SAML 2.0

Don't see your source? Custom adapters typically ship within a sprint – tell us what you use.

Reporting + audit trail

The output side of compliance: defensible reports + a tamper-evident chain.

Programme roll-up

A live dashboard showing what's Implemented, what's In progress, what has no linked artifacts, and what's overdue. Filter by framework, owner, deadline.

Scheduled compliance reports

Recurring board / regulator reports rendered as PDF and emailed automatically. Configurable cadence, recipient list, framework scope.

Audit-evidence chain

Every change – to a requirement status, a policy version, a risk score, an evidence file – is recorded with actor, timestamp, before/after. Survives staff turnover.

Training + acknowledgements

Assign training, track signoff per employee. Generates evidence rows that link to the awareness/training requirements automatically.

Want to see it on your own data?

Spin up a trial workspace in two minutes.

Start a free trial