What we shipped.

Continuous control testing for AWS IAM access reviews and S3 encryption posture. Failed tests open Jira/Linear tickets directly to the owning team with control + asset context.

Wiz integration GA. Cloud-posture findings flow into the unified vuln queue with EPSS + KEV-weighted prioritization.

Custom framework authoring. Bring your own internal control catalog, map it to standard frameworks, run it the same way.

Vendor questionnaire export to PDF was clipping multi-page tables. Fixed.

Audit evidence search now hits a dedicated index. Previous P95 was 1.4s on tenants with >100k evidence records; now 130ms.

Pen test engagement workspace. Scoping, findings library, retest workflow, branded report generation. HackerOne and Bugcrowd live; Cobalt in beta.

Findings from pen test engagements automatically reference affected controls in the GRC graph and surface as exceptions during the next audit.

Tightened tenant isolation on file uploads. No customer data was affected; this was a defense-in-depth improvement caught in our own quarterly threat-model review.

CSV import for vendor list was failing on tenants with custom field schemas. Now respects schema overrides.

Contract lifecycle module GA. Authoring, redlines (track changes from Word), DocuSign + Adobe Sign signing, executed contract storage.

Obligation extraction. Notice periods, audit rights, data residency, breach notification windows extracted from executed contracts and surfaced into the risk register.

Salesforce + HubSpot two-way sync. Close-won opportunities trigger contract creation; signed contracts close back to the CRM.

Trust page was caching control state for 24h on free tier. Now updates within 15 minutes for all tiers.

Cross-framework mapping engine. Map a control once, satisfy the equivalent control in SOC 2, ISO 27001, HIPAA, HITRUST, NIST CSF, and 21 CFR Part 11.

Gap analysis when adding a new framework. Automatic, not manual.

Risk register heat map was double-counting risks tagged to multiple control families. Fixed.

Trust page render cut from 2.1s to 380ms on the worst-offending tenant.

Vendor risk module GA. Onboarding workflow, security questionnaires (CAIQ + SIG + custom), DPA tracking, continuous public-signal monitoring.

Concentration risk views. Vendors ranked by transaction-flow exposure, fourth-party dependencies surfaced as nodes in the graph.

Okta SCIM integration for vendor employee terminations.