The compliance operating system

Your whole client book. One seat.

Your tools collect evidence. Sovy makes it mean something. ISO 27001, SOC 2, GDPR, NIS2, EU AI Act, CMMC — managed from one platform, for every client you serve.

0+
Platform modules
0
ISO controls → every framework
0
Intel connectors
0+
Frameworks, one library
app.sovy.io / portfolio
Client book
One seat
Client A
1 overdue
Client B
On track
Client C
Review due
Client D
On track
Needs you today
7items

Across 4 clients, prioritised

Evidence current
100%

Mapped & timestamped

Trusted by compliance practitioners across Ireland and the UK

ISO 27001SOC 2GDPRNIS2EU AI ActCMMCCyber Essentials+
The problem

Every compliance tool is built for the company. None are built for you.

You manage three, five, eight clients. Each one needs ISO 27001, SOC 2, GDPR — sometimes all three. Today that's separate spreadsheets, separate tools, separate evidence packs. Per client. Per framework.

Same control, four documents

Encryption at rest maps to ISO A.8.24, GDPR Art. 32, SOC 2 CC6.1, and NIS2 Art. 21. Documented four separate ways, per client.

No portfolio view

You can't see across your clients. Which one has an overdue DPA? Which risk register hasn't been reviewed? You're flying blind.

Checkbox compliance

“Do you have MFA?” Every tool accepts a tick. Nobody queries the tenant to verify. That's “trust me”, not “prove it”.

Data dumps, not results

Your tools collect evidence. They don't produce the management review, the board report, or the compliance statement the auditor reads.

They ask. We verify.

What every other tool does. What Sovy does differently.

Every other platform accepts an answer. Sovy queries the source — the tenant, the register, the vault — and proves it.

Every other tool
Sovy Hub
“Do you have MFA?” → Checkbox
OAuth queries Entra ID → 2 accounts without MFA found
“Are vendors compliant?” → Self-attestation
DPA tracker → 3 of 14 vendors missing agreements
“Is data encrypted?” → Policy document
Evidence Vault → encryption policy v3, signed and timestamped
“Do you monitor threats?” → Toggle switch
Intelligence Hub → 12 signals captured, 8 reviewed, SLA met
Single tenant. One client per login.
Multi-tenant. Your whole client book from one seat.
Evidence collected. Output: data dump.
AI drafts the board report. You review, approve, send.

Your tools collect evidence. Sovy makes it mean something.

The ISMS Planner

One view across every client. This is your day.

The Planner is where you start every morning. Overdue items, upcoming reviews, open CARs, expiring DPAs — across every client, prioritised by what matters today. Not a dashboard of numbers. A working surface.

app.sovy.io / planner
Overdue
2

Risk register review — 4 days overdue

Client AISO 27001

MFA enforcement follow-up

Client CSOC 2
Due this week
3

Vendor DPA expiry — Microsoft

Client BGDPR

CAR-023 root cause analysis

Client AISO 27001

Q2 training assignments

Client DNIS2
Completed today
2

Evidence Vault upload — 3 docs

Client BGDPR

Intel signal reviewed (HIGH)

Client AISO 27001
Platform

Everything a compliance practitioner needs. Nothing they don't.

Every module generates evidence mapped to the controls it satisfies. Human oversight on every output — no fully automated decisions.

Live

TPRM & Vendor Management

DPA tracking, risk scoring, sub-processor mapping, external attack-surface monitoring. DPA status computed by database triggers — not manual entry.

ISO A.5.19–5.22 · GDPR Art. 28 · SOC 2 CC9.2

Live

Intelligence Hub

37 connectors monitoring ICO, EDPB, DPC, CISA, NVD and more. Every signal matched to client profile by jurisdiction and sector tags.

ISO A.5.7 · NIS2 Art. 21

Live

CVE Watch

Continuous vulnerability intelligence. Weekly NVD scan, daily CISA KEV alerts, daily CMS plugin advisories. Findings mapped to your asset inventory with a triage workflow.

ISO A.8.8 · SOC 2 CC7.1

Live

Evidence Vault

Every document mapped to controls. Every approval timestamped with who approved and when. The auditor walks the SoA and finds the evidence here.

ISO Clause 7.5 · SOC 2 evidence requirements

Building

AI-Assisted Reports

Claude reads every module — risks, vendors, gaps, signals, evidence — and drafts a board report. You review, edit, approve. Draft → Review → Approved.

ISO Clause 9.3 · Board reporting obligations

Live

AI Governance

AI system registry, risk classification, Fundamental Rights Impact Assessments, bias audit module. Mapped to ISO 42001, NIST AI RMF and the EU AI Act.

EU AI Act Art. 9–15 · ISO 42001

Security monitoring

Don't just document monitoring. Do it.

Most GRC tools write a policy that says you monitor. Sovy runs the sensors. Endpoint, network and identity telemetry flows through managed detection rules and produces audit evidence the moment something fires — no fully automated decisions, a human signs off every consequential step.

Detect

Endpoint · network · identity telemetry, live

Correlate

ATT&CK-mapped rules, AI triage, human sign-off

Evidence

Generated automatically when a rule fires

Endpoint & Log Monitor

Real-time hardening against CIS benchmarks. Every failed check is a finding mapped to a control, with a remediation path.

DC-01CIS pass
WEB-033 failed
LAP-117CIS pass

Network Intrusion Sensor

Packet-level threat detection with automatic C2 pattern recognition, top-talkers correlated to your asset inventory.

ET MALWARE C292%
ET SCAN61%
ET POLICY38%

Identity Posture

MFA enforcement visibility across the tenant — the gap between available and enforced, stale accounts, sign-in anomalies.

MFA available
96%
MFA enforced
71%
4 privileged users without MFA

Network Discovery

Automatic asset inventory from live scanning. Device classification, rogue detection, topology — without a spreadsheet.

1 rogue device
Managed detection packs

Detection rules, not just policies about them

Versioned collections of Suricata IDS and Wazuh SIEM rules, each mapped to MITRE ATT&CK. We author, review and deploy them for you — threat intelligence becomes a live control, then becomes evidence.

Versioned packsATT&CK mappedFully managed
0

detection rules / pack

0

ATT&CK techniques

The output

The compliance statement any auditor can verify.

Not a PDF export. A real-time, framework-specific compliance statement generated from live data — every control linked to evidence, every gap visible, every metric current. This is what the auditor reads.

Registers

Risks, CARs, objectives, vendors — all live, all with SLA clocks.

AI drafts

Claude reads every module and generates the narrative.

Human reviews

You review, edit and approve. The chain is auditable.

Auditor reads

Timestamped, signed and linked to the Evidence Vault.

Every output carries the audit chain — who drafted it, who approved it, when, and the evidence behind each claim. No fully automated decisions.

Frameworks

New framework = new data, not new code.

The universal control library maps one control to every framework it satisfies. Add CMMC and the controls already in your SoA light up — no rebuild required.

One control, mapped once

Encryption at rest

Documented once in the Evidence Vault. Satisfies every framework that asks for it.

ISO 27001A.8.24
GDPRArt. 32
SOC 2CC6.1
NIS2Art. 21

0

Annex A controls in the SoA

0+

Frameworks, one library

Coverage

Live today in solid. The rest are data away — switch them on per client without a rebuild.

ISO 27001:2022SOC 2GDPRNIS2EU AI ActCMMC L2Cyber Essentials+DORAISO 42001ISO 27701PCI DSSHIPAA
Sovy Academy

Training your clients' staff will actually complete.

Cinematic security-awareness modules. Professional AI narration. Branded per client — their logo, their industry, their threats. And every completion is audit evidence.

Phishing recognition

Module 04 · 6 min · AI narrated

0

modules live

0%

completion rate

Cinematic production

Not slideshows with voiceovers. Professional AI narration, real scenarios, content people actually watch.

Client-branded portal

Each tenant gets their logo, colour scheme and industry-specific scenarios. Their programme, your platform.

Completion as evidence

Assignment tracking, completion records, overdue alerts — direct audit evidence for ISO A.6.3 and GDPR Art. 39.

13 modules live

Security awareness, phishing recognition, data protection, incident reporting, social engineering and more.

Ready to close your compliance gaps?

Book a 30-minute demo and see how Sovy Hub turns your security monitoring into audit-ready evidence.