GDPR
RoPA, DPIA, breach notifications, DSAR register, controller/processor model, retention schedules.
Capabilities
Atitic ships as one product – every module talks to every other module. No exports, no reconciliation. Pick a framework and start.
Pre-loaded catalogues. Adopt in a single click; requirements become trackable rows you can own and link.
RoPA, DPIA, breach notifications, DSAR register, controller/processor model, retention schedules.
Cybersecurity risk management, incident reporting timelines, supply-chain due diligence, governance attestations.
ICT third-party register (Art. 28), operational resilience, threat-led testing, ICT incident classification.
Annex A controls mapped to evidence and policies. Use alongside GDPR/NIS2 to avoid double work.
Risk classification (unacceptable / high-risk / limited / minimal), high-risk system obligations, GPAI documentation, transparency notices, post-market monitoring.
Trust services criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) mapped to your controls, evidence, and continuous monitoring cadence.
Import your sector-specific framework as a YAML catalogue and treat it the same as ours.
One policy or piece of evidence can satisfy GDPR, NIS2 and ISO 27001 at once. You write it once.
The day-to-day of a compliance programme – built in, not bolted on.
Draft, review, publish, version. Acknowledgement tracking per employee with reminders. Each policy can be attached to any number of framework requirements.
Object-storage backed. Upload once, link to any requirement, risk or task. Versioned with audit chain so an auditor can answer 'what did this evidence look like in March?'.
Inherent / residual scoring, treatment plans, owners, review cadence. Risks link to the requirements they affect and the controls that mitigate them.
Records of processing and impact assessments are first-class objects, not Word docs. Reusable processor catalogue, transfer mechanisms, DSR-impact tracking.
Clock-aware: a breach record starts a 72-hour timer; a DSAR starts a 30-day timer. Visible at a glance with audit log behind every state change.
DORA Art. 28 register with criticality classification, exit strategy, sub-contractor chain, contractual safeguards.
Used where it's safe and useful – never where a human signature is needed.
Point at a document source you already use. The ingestor reads the documents, proposes which framework requirements they satisfy, and a human approves before anything is linked.
AWS / Azure / GCP control checks pulled in as evidence rows, refreshed on a schedule, attached to the right requirements automatically.
When a requirement has published policy + evidence, the system suggests marking it Implemented. The suggestion is never auto-applied – you decide.
Point Atitic at your existing tools. Native adapters, no custom middleware.
Don't see your source? Custom adapters typically ship within a sprint – tell us what you use.
The output side of compliance: defensible reports + a tamper-evident chain.
A live dashboard showing what's Implemented, what's In progress, what has no linked artifacts, and what's overdue. Filter by framework, owner, deadline.
Recurring board / regulator reports rendered as PDF and emailed automatically. Configurable cadence, recipient list, framework scope.
Every change – to a requirement status, a policy version, a risk score, an evidence file – is recorded with actor, timestamp, before/after. Survives staff turnover.
Assign training, track signoff per employee. Generates evidence rows that link to the awareness/training requirements automatically.
Spin up a trial workspace in two minutes.
Start a free trial