RunCompliance

Local-first GRC intelligence

Compliance answers you can cite, on infrastructure you control.

RunCompliance maps regulations to controls, finds your gaps, and grounds every answer in verbatim legal text — across ISO, NIST, DORA, NIS2, GDPR and 130+ frameworks. Your client data never leaves your environment.

No client data in the cloud. Ever.

130+
Frameworks indexed verbatim
31k+
Regulatory text chunks
100%
Answers cited to source
0
Client documents in the cloud

Platform

A GRC engine, not just another chatbot

Built for the work consultants actually do: reading the law precisely, connecting frameworks, and producing evidence that holds up.

Grounded RAG over 130+ regulations

Ask in plain language and get answers cited to the exact article and paragraph — ISO 27001, ISO 27701, NIST 800-53, DORA, NIS2, GDPR, HIPAA, CSA CCM and more. Every claim traces back to verbatim legal text, not a paraphrase.

Cross-framework control mapping

See how a requirement in one framework maps to controls in another. A knowledge graph links articles, requirements and controls — with NIST SP 800-53 as the canonical control spine — so you can reason across standards instead of one PDF at a time.

Compliance Control Mesh

One normalized control model — the Compliance Control Mesh — that every standard maps into, so a single control can satisfy ISO 27001, NIST 800-53, DORA and CSA CCM at once. Implement a control once, prove it everywhere, and never answer the same question twice across frameworks.

Gap analysis against your posture

Point the engine at a framework and surface where coverage is thin. Analysis is scoped to your baseline (NIST SP 800-53 LOW, MODERATE or HIGH, plus the Privacy baseline) and your cloud service model (IaaS, PaaS or SaaS), so the gaps it reports are the ones that actually apply to your scope, not the whole catalogue.

Audit & assurance engine

Verification runs against the same Compliance Control Mesh — controls, implementation guidance and applicability share one normalized model. Add a new standard with data, not a schema rewrite.
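The mesh, the 800-53 spine and the baseline-aware gap analysis described above, reduced to a small working model. This is an added illustration, not RunCompliance's own code or data: the requirement-to-control links and the baseline memberships are constructed for the example (the identifiers are shaped like real ISO, DORA, CSA CCM and NIST ones, but check the published catalogues before reusing any mapping), and the function names are assumptions.

```python
from collections import defaultdict

# Control spine: NIST SP 800-53 control id -> baselines it belongs to.
# Baseline membership here is an assumption for the example (see SP 800-53B).
SPINE = {
    "AC-2":    {"LOW", "MODERATE", "HIGH"},
    "AC-2(1)": {"MODERATE", "HIGH"},
    "IA-2":    {"LOW", "MODERATE", "HIGH"},
    "IA-2(1)": {"LOW", "MODERATE", "HIGH"},
    "AU-2":    {"LOW", "MODERATE", "HIGH"},
    "IR-4":    {"LOW", "MODERATE", "HIGH"},
    "PT-2":    {"PRIVACY"},
    "SI-4(2)": {"MODERATE", "HIGH"},
}

# Mesh: (framework, requirement) -> spine controls it maps into.
# Constructed illustrative mapping, not the product's knowledge graph.
MESH = {
    ("ISO 27001:2022", "A.5.16"): {"AC-2"},
    ("ISO 27001:2022", "A.5.17"): {"IA-2"},
    ("ISO 27001:2022", "A.8.15"): {"AU-2"},
    ("DORA", "Art. 9(4)(d)"):      {"IA-2", "IA-2(1)"},
    ("DORA", "Art. 17"):           {"IR-4"},
    ("CSA CCM v4.1", "IAM-14"):    {"IA-2", "IA-2(1)"},
    ("CSA CCM v4.1", "LOG-05"):    {"AU-2", "SI-4(2)"},
    ("GDPR", "Art. 30"):           {"PT-2"},
}


def satisfied_by(control, mesh=MESH):
    """Every framework requirement one implemented spine control satisfies
    ("implement once, prove everywhere")."""
    return sorted(req for req, ctrls in mesh.items() if control in ctrls)


def equivalents(framework, requirement, mesh=MESH):
    """Requirements in *other* frameworks that share at least one spine
    control with the given requirement (cross-framework mapping)."""
    ctrls = mesh[(framework, requirement)]
    return sorted(req for req, c in mesh.items()
                  if req[0] != framework and c & ctrls)


def gap_analysis(framework, baseline, implemented, mesh=MESH, spine=SPINE):
    """Spine controls the framework maps into, in scope for the chosen
    baseline, and not yet implemented.  Returns {control: [requirements]}.
    Controls outside the baseline are not reported as gaps."""
    gaps = defaultdict(list)
    for (fw, req), ctrls in mesh.items():
        if fw != framework:
            continue
        for c in ctrls:
            if baseline in spine.get(c, set()) and c not in implemented:
                gaps[c].append(req)
    return {c: sorted(r) for c, r in sorted(gaps.items())}


def add_standard(mesh, framework, mapping):
    """Adding a standard is a data load: map its requirements into the
    existing spine; nothing about SPINE or the functions above changes."""
    return {**mesh, **{(framework, req): set(ctrls) for req, ctrls in mapping.items()}}


if __name__ == "__main__":
    print(satisfied_by("IA-2"))
    print(equivalents("ISO 27001:2022", "A.5.17"))
    print(gap_analysis("DORA", "MODERATE", implemented={"IA-2"}))
    print(gap_analysis("GDPR", "LOW", implemented=set()))   # PT-2 is privacy-only: no LOW gap
```

The point of the last call: a DORA gap report run at the MODERATE baseline lists IA-2(1) and IR-4, while the same GDPR requirement shows up as a gap only when the Privacy baseline is in scope, which is what "baseline-aware" has to mean in practice.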

How it works

From question to defensible evidence

01

Connect your scope

Choose the frameworks and a client profile. Profiles keep every workspace isolated — no cross-contamination between clients.

02

Ask or analyse

Chat with grounded RAG, run a cross-framework mapping, or kick off a gap analysis. Answers come back with verbatim citations and source links.

03

Export the evidence

Turn findings into gap reports and Statements of Applicability. Defensible output your auditors and clients can trust.

Coverage

The frameworks you're held to

Indexed verbatim, mapped to controls, and growing. Adding a standard is a data load — not a rebuild.

ISO 27001 ISO 27701 ISO 27002 NIST SP 800-53 NIST CSF 2.0 CIS Controls v8.1 DORA NIS2 GDPR HIPAA CSA CCM v4.1 EU AI Act EU CRA EU CER EU Data Act SOC 2 PCI DSS v4 HITRUST CSF r2 EU GMP Annex 11

Who it's for

Built for people who answer to regulators

GRC & compliance consultants

Run multiple clients from one platform with hard data isolation. Cut the hours spent cross-referencing standards by hand.

Privacy & security teams

Answer regulator and customer questions with citations, not guesses. Map your controls to every framework that applies to you.

Regulated SMBs

Get enterprise-grade GRC reasoning without an enterprise budget — or shipping your sensitive documents to a third party.

Security & data residency

Your clients' data stays yours

RunCompliance is local-first by design. The public regulatory corpus lives in the cloud; everything that touches a client document runs in an isolated workspace on infrastructure you control.

  • Client documents never sent to third-party LLMs or the cloud
  • Per-client workspace isolation — no cross-contamination
  • Verbatim grounding: answers cite source text, reducing hallucination risk
  • Self-hostable engine alongside your existing stack
# data boundary
cloud → public regulations, frameworks
local → client documents, gap reports
# every answer
query → retrieve → ground in verbatim text
      → cite article + paragraph
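The data boundary and the "query → retrieve → ground → cite" loop above, as a small runnable model. This is an added example, not RunCompliance code: the corpus passages are constructed stand-ins (not the regulations' wording; a real index holds the verbatim text), the term-overlap scorer stands in for a vector index, and all names are assumptions. The two pieces a practitioner should take from it are verify_citations, which rejects any answer whose quote is not a verbatim substring of the cited chunk, and Workspace, which refuses reads from any client other than its owner.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    framework: str   # e.g. "GDPR"
    article: str     # e.g. "Art. 32(1)"
    text: str        # verbatim text of that paragraph (constructed here)


# Constructed stand-in passages for the example; NOT the real legal text.
CORPUS = [
    Chunk("GDPR", "Art. 32(1)", "The controller and the processor shall implement "
          "appropriate technical and organisational measures to ensure a level of "
          "security appropriate to the risk."),
    Chunk("DORA", "Art. 9(4)(d)", "Financial entities shall implement policies and "
          "protocols for strong authentication mechanisms."),
    Chunk("NIS2", "Art. 21(2)(j)", "Essential entities shall use multi-factor "
          "authentication or continuous authentication solutions where appropriate."),
    Chunk("ISO 27001:2022", "A.5.17", "Allocation and management of authentication "
          "information shall be controlled by a management process."),
]

STOP = {"the", "a", "an", "of", "for", "and", "or", "to", "is", "what",
        "does", "do", "say", "about", "shall", "in", "on"}


def terms(s):
    return {t for t in re.findall(r"[a-z0-9]+", s.lower()) if t not in STOP}


def retrieve(query, corpus=CORPUS, k=3):
    """Rank chunks by query-term overlap (toy scorer standing in for a
    vector index); chunks with no overlap are never returned."""
    q = terms(query)
    scored = [(len(q & terms(c.text)), c) for c in corpus]
    scored = [(s, c) for s, c in scored if s > 0]
    scored.sort(key=lambda sc: (-sc[0], sc[1].framework, sc[1].article))
    return [c for _, c in scored[:k]]


def answer(query, corpus=CORPUS, k=3):
    """Extractive answer: every claim is a verbatim quote carrying its
    framework + article citation.  With no relevant chunk it refuses
    instead of guessing."""
    hits = retrieve(query, corpus, k)
    if not hits:
        return {"status": "unsupported", "citations": []}
    return {"status": "grounded",
            "citations": [{"framework": c.framework, "article": c.article,
                           "quote": c.text} for c in hits]}


def verify_citations(ans, corpus=CORPUS):
    """Grounding check to run on any model output before trusting it:
    each quote must be a verbatim substring of the chunk it cites.
    A paraphrase, or a citation to a chunk that does not exist, fails."""
    index = {(c.framework, c.article): c.text for c in corpus}
    if ans["status"] != "grounded" or not ans["citations"]:
        return False
    return all(cit["quote"] in index.get((cit["framework"], cit["article"]), "")
               for cit in ans["citations"])


class Workspace:
    """Per-client document store held locally.  Only the owning client's
    id can read from it; any other caller gets PermissionError."""

    def __init__(self, client_id):
        self.client_id = client_id
        self._docs = {}

    def add(self, name, content):
        self._docs[name] = content

    def get(self, client_id, name):
        if client_id != self.client_id:
            raise PermissionError(f"workspace {self.client_id!r} refused {client_id!r}")
        return self._docs[name]


def can_read(ws, client_id, name):
    try:
        ws.get(client_id, name)
        return True
    except PermissionError:
        return False


def route(item):
    """Data boundary: public regulatory chunks may live in the cloud;
    anything else (client documents, gap reports) stays local."""
    return "cloud" if isinstance(item, Chunk) else "local"


if __name__ == "__main__":
    a = answer("Which frameworks require strong or multi-factor authentication?")
    print(a["status"], [c["article"] for c in a["citations"]], verify_citations(a))
    print(answer("What does the rule say about encryption of backups?")["status"])
```

Note what verify_citations does not do: it cannot tell you the cited article is the right one for the question, only that the quoted words really are in it. Relevance still has to be checked by a human reading the source link, which is why the citation has to be at article-and-paragraph granularity rather than to a whole document.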

FAQ

Questions, answered

Where does my client data live?

Anything that touches a client document runs in an isolated workspace on infrastructure you control. The public regulatory corpus is the only part hosted in the cloud — your sensitive data never leaves your environment.

How is this different from asking a general AI chatbot?

Every answer is grounded in the verbatim text of the regulation and cited to the exact article and paragraph. The model does not get to restate the law from memory: each claim is tied to a retrieved passage, and you can click through to the source text to check it.

Which frameworks are supported?

130+ and growing — ISO 27001, NIST 800-53, NIST CSF 2.0, CIS v8.1, DORA, NIS2, GDPR, HIPAA, CSA CCM, PCI DSS v4 and more. Adding a standard is a data load, not a rebuild.

Can I map controls across frameworks?

Yes. A knowledge graph links requirements to controls across standards, so you can see how a DORA obligation maps to NIST controls, or where ISO 27001 overlaps with CSA CCM.

What is the Compliance Control Mesh?

It's a single normalized set of controls that every supported standard maps into. Instead of maintaining ISO, NIST, DORA and CSA controls as separate silos, you work against one mesh — implement a control once and see every framework requirement it satisfies. Adding a standard means mapping it into the mesh, not rebuilding your control library.

Why NIST SP 800-53 as the control spine?

NIST SP 800-53 is one of the most granular and most widely mapped control catalogues, with published baselines (LOW / MODERATE / HIGH) and a Privacy baseline defined in SP 800-53B. Using it as the canonical spine lets every other framework (ISO 27001, DORA, NIS2, CSA CCM) map onto a common, baseline-aware reference, so cross-framework analysis stays consistent rather than ad hoc.

Is it self-hostable?

The engine runs alongside your existing stack. The app is built to be deployed on infrastructure you control, keeping the data boundary intact.

Request early access

We're onboarding a small group of GRC consultants and compliance teams. Leave your email and we'll be in touch.

We'll only use your email to contact you about access. No spam.