Risk register
See inherent and residual risk side by side, link the controls that treat each one, and watch the score move as you act.
For GRC, InfoSec and privacy teams at multi-site organisations — one system for frameworks, risks, controls, audits, vendors and assets.
NIS2 · GDPR · ISO 27001 · DORA — answered from one set of controls.
Risks link to controls, findings become actions, and maturity updates as evidence builds. No duplicate spreadsheets per framework.
Every audit finding gets an owner, deadline and linked remediation — tracked in the same register your team already uses.
Attach evidence to a control once and satisfy NIS2, GDPR, ISO 27001 and your internal policies from the same set.
Executive summaries and PDF exports pull live data — no last-minute scramble before a committee meeting.
No more spreadsheets per framework and screenshots in folders. The registers link to each other, so a finding becomes an action, a risk shows its controls, and an audit updates your maturity — automatically.
Map one set of controls to every framework you answer to, and track maturity as evidence builds.
Plan audits, score controls, and turn every finding into tracked remediation with an owner and a deadline.
Tier vendors by data access and criticality, and keep their assessments on a schedule that won't slip.
Keep a live NIS2 inventory of the equipment in every site, reconciled straight from field audits.
Run DPIAs and your DP, InfoSec, legal and tiering assessments from one privacy workspace.
GRChub maps to how compliance actually runs, so the tool follows your process instead of fighting it.
Add your sites, stores or business units — the things you actually have to cover.
Attach controls once and satisfy NIS2, GDPR, ISO 27001 and more from the same set.
Audits, findings, actions, vendor and asset reviews flow through one connected system.
Board-ready summaries and linked evidence that are always current — no scramble before a meeting.
GRChub is built on the same controls it helps you manage. Your data stays governed, in your region, behind your identity provider.
Sign in through Microsoft Entra or your own identity provider, with access scoped per person.
People see only what their role needs. Every change is attributable and logged.
Hosted on Microsoft Azure, with your data kept in the region you choose.
Point to the source of record in SharePoint or your DMS — no shadow copies to keep in sync.
GRChub scales with the entities and frameworks you cover — not per seat, so your whole team can take part. Tell us your size and we'll put a number to it.
A single entity getting compliance off spreadsheets.
Multi-site teams answering to several regulators.
Group-wide programmes with SSO and residency needs.
See GRChub on your own frameworks. A 30-minute walkthrough, no slides.
GRChub is a governance, risk and compliance platform for multi-site organisations in regulated sectors. We help GRC, InfoSec and privacy teams run one connected programme across entities, frameworks and third parties — hosted on Microsoft Azure with Entra ID sign-in.
We process account and usage data to deliver the GRChub service. Customer GRC data is stored in your chosen Azure region and is not used for advertising. Contact hello@grchub.io for a full privacy notice or DPA.
GRChub is provided to customers under a subscription agreement covering service levels, support and acceptable use. Evaluation access is offered on request. Full terms are shared during onboarding and contracting.
GRChub runs on Microsoft Azure (hosting, Cosmos DB, Entra ID authentication). We maintain a sub-processor list for customers — request the current register at hello@grchub.io.