Case Study
ComplianceMachine.ai
GRC SaaS Platform

A production-ready, 7-module Governance, Risk, and Compliance (GRC) SaaS platform delivered in 90 days - with ISO 27001 support, risk heat maps, automated status workflows, and a full audit trail from day one.
The challenge
Enterprise compliance teams were managing ISO 27001 and other regulatory requirements across spreadsheets, email chains, and disconnected tools. Risk registers were maintained manually, audit evidence lived in shared drives, and policy acknowledgements were tracked in email. There was no unified view of compliance posture, no automated escalation when controls slipped, and no way to generate audit-ready reports on demand.
The client needed a production SaaS platform that could systematize every layer of the GRC process - from risk identification to control mapping, policy lifecycle management to audit execution - and deliver it within a 90-day window with a fixed budget.
What we built
A complete multi-tenant GRC platform with 7 integrated modules, role-based access control, 15+ automated email workflows, and charts and dashboards for every module. Deployed to production on AWS with Docker, Gunicorn, and Nginx.
Compliance Management
Track requirements against authority documents (ISO 27001, custom frameworks). Status tracking: Fully Met, Partially Met, Not Met, No Controls Mapped. Requirement-to-control mapping with compliance scoring.
Risk Management
Full risk register with probability x impact matrix (1-5 scale), inherent vs residual risk ratings, heat map visualization, and risk response tracking (Accept, Mitigate, Avoid, Transfer). Mapped to assets, controls, policies, audits, and issues.
Control Management
Three control types: Management, Operational, Technical. Readiness tracking (Ready, In Progress, Not Ready). Controls linked to compliance requirements, risks, assets, policies, audits, and evidence. ISO 27001 default controls seeded from the official authority document.
Asset Management
Physical and virtual asset inventory with CIA+Privacy ratings (Confidentiality, Integrity, Availability, Privacy) on a 1-5 scale. Asset risk scoring, category-based classification, owner and control owner assignment.
Audit Management
4-stage audit workflow: Created, Planned, In Progress, Completed. Audit teams, scope, and employee assignment. Mapped to controls, assets, policies, risks, and compliance requirements. Evidence attachment, audit completion report, and non-compliance flagging.
Event Management
6-stage event lifecycle: Created, Planned, In Progress, Completed, Incomplete, Verified and Closed. Priority scoring, response plans, root cause analysis, and planned completion tracking. Automated escalation when completion dates elapse.
Policy Management
Versioned policy lifecycle with approval workflow (draft, sent for approval, approved, rejected). Policy acknowledgement tracking with reminders. Policies linked to controls, assets, risks, and audits. PDF export and evidence mapping.
Technical architecture
Built for enterprise reliability - multi-tenant, role-scoped, audit-logged, and zero-downtime deployable from day one.
Multi-tenant Django with custom permission engine
Company-scoped data isolation across all 7 modules. Custom Django permission set per module (e.g. "custom_risk_heat_map", "custom_compliance_score") with group-based role assignment. Single-session enforcement middleware to prevent concurrent logins.
Automated email workflows via AWS SES
15+ templated email notifications covering every workflow transition - control owner assigned, policy sent for approval, policy acknowledged, risk accepted by CEO, audit plan created, event completion overdue, and more. All templates managed via SES and version-controlled in code.
Automated cron-based status engine
A Django Cron job runs every minute to auto-transition events and audits from Planned to In Progress when their start dates arrive. Controls and compliance requirement statuses cascade automatically when linked items change state - no manual updates required.
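Added example (not the project's code) of the two behaviours described here: a cron-style pass that moves Planned audits to In Progress once their start date arrives, and the cascade that derives a requirement's status (Fully Met, Partially Met, Not Met, No Controls Mapped) from the readiness of its linked controls. The exact cascade rule and the percentage-based compliance score are assumptions; the data classes and sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

READY = "Ready"  # other readiness values: "In Progress", "Not Ready"

@dataclass
class Control:
    name: str
    readiness: str

@dataclass
class Requirement:
    ref: str
    controls: list = field(default_factory=list)  # linked controls (M2M in the app)

@dataclass
class Audit:
    name: str
    start_date: date
    status: str = "Planned"

def requirement_status(req: Requirement) -> str:
    """Assumed cascade rule: status follows the readiness of the linked controls."""
    if not req.controls:
        return "No Controls Mapped"
    ready = sum(c.readiness == READY for c in req.controls)
    if ready == len(req.controls):
        return "Fully Met"
    if ready == 0:
        return "Not Met"
    return "Partially Met"

def compliance_score(reqs: list) -> float:
    """Assumed scoring: percentage of requirements that are Fully Met."""
    if not reqs:
        return 0.0
    met = sum(requirement_status(r) == "Fully Met" for r in reqs)
    return round(100.0 * met / len(reqs), 1)

def tick(audits: list, today: date) -> list:
    """One cron pass: Planned -> In Progress when the start date has arrived."""
    changed = []
    for a in audits:
        if a.status == "Planned" and a.start_date <= today:
            a.status = "In Progress"
            changed.append(a.name)
    return changed

# Constructed sample: three requirements in different states, two audits.
REQS = [
    Requirement("A.5.1", [Control("Policy set", READY), Control("Review", READY)]),
    Requirement("A.8.1", [Control("Asset inventory", READY), Control("Labelling", "Not Ready")]),
    Requirement("A.9.1"),
]
AUDITS = [Audit("Q1 internal", date(2024, 3, 1)), Audit("Cert audit", date(2024, 6, 1))]
```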
Full entity linking graph
Every entity (risk, control, asset, audit, policy, issue, compliance requirement) is linkable to every other entity via through-table many-to-many relationships. A single risk can surface in the audit, show up in the compliance score, and trigger an event - all tracked and reportable.
Charts, exports, and audit trail
Dedicated chart modules per domain: risk heat maps, compliance score trends, control readiness breakdowns, audit team reports, event priority distributions, and policy acknowledgement rates. PDF and Excel exports per module. Soft-delete preserves full history with deletion timestamps.
Production deployment on AWS
Dockerized with Gunicorn + Nginx on EC2, PostgreSQL on RDS (db.t4g.micro), static assets on S3, SSL via Let's Encrypt. Zero-downtime deploy script: collectstatic, S3 upload, migrate, reload. Separate staging and production environments from week one.
Results

- 90 days from idea to production
- 7 GRC modules shipped
- 15+ automated email workflows
- 27001 controls seeded on launch
- Audit trail from day one
- Spreadsheets needed post-launch
Want results like this?
Book a free 30-minute strategy call. We will scope your product, define success metrics, and give you a clear 90-day plan. No obligation.