BrickGRC is modular by design. Pick the frameworks you actually need to comply with, plug into the storage and identity tooling you already run, and bring your own AI keys so prompts and data stay on your account. Below is the complete list of bricks shipped today.
Each framework is a self-contained brick: controls, evidence templates, audit-ready reports. €100/mo per brick on the Modular plan. Free during the 30-day trial, the Design Partner cohort, and on Enterprise.
All 93 Annex A controls (2022 revision), ISMS clauses 4–10, Statement of Applicability auto-generation, audit-ready exports for stage 1 and stage 2.
Type I and Type II support across the five trust services criteria. Continuous-monitoring evidence, auditor-friendly exports, framework crosswalk to ISO 27001.
Records of processing, lawful-basis tracking, data-subject-request workflow, sub-processor inventory, breach-notification timelines, DPA library.
Risk management, incident reporting, supply-chain due diligence, and the cybersecurity policy obligations under the NIS2 directive.
Risk-tier classification, conformity assessment, transparency obligations, post-market monitoring for AI systems under the EU AI Act.
The AI management system standard. Policy, risk, lifecycle controls, and evidence templates aligned to ISO/IEC 42001:2023.
The NIST AI Risk Management Framework: Govern, Map, Measure, Manage. Crosswalk to the EU AI Act and ISO 42001, with evidence templates for each function.
BrickGRC layers over the document infrastructure you already run. Evidence, policies and audit artifacts can stay in your environment; there is no forced migration into a proprietary silo. Always free, included on every plan.
Native SharePoint Online storage backend. Documents, evidence and policies live in your existing SharePoint sites with the access controls you've already configured.
Azure Blob Storage as the document backend. Region selection and lifecycle policies remain under your control.
S3-compatible storage backend. Bring your own AWS account, KMS keys, and lifecycle rules.
Google Workspace Drive integration for teams already standardised on Google.
Dropbox Business backend, with shared-folder permissions inherited.
Self-hosted Nextcloud as a backend, for organisations that want EU-resident, customer-owned storage.
Provision users from your existing directory or HR system. Sign in through SAML, OIDC, or social login. No separate user management just for compliance. Always free, included on every plan.
Generic SAML 2.0 support that works with any compliant identity provider (Okta, Auth0, OneLogin, Ping, Keycloak, JumpCloud, ADFS …). Org-wide enforcement and JIT provisioning.
Generic OpenID Connect support for modern identity providers. Bring any issuer URL plus client credentials.
One-click Google OAuth login for individual users. Useful for fast onboarding before the org-wide SSO rollout.
One-click Microsoft OAuth login for individual users, work or personal Microsoft accounts.
User and group sync via Microsoft Graph API. Conditional access and your existing role policies pass through.
Directory sync and SSO. Provision and de-provision compliance users alongside the rest of your stack.
Workspace directory sync with group-based role mapping.
Generic SCIM 2.0 endpoint: provision and de-provision users from any IdP that speaks SCIM. Bearer-token auth, configurable sync interval.
JumpCloud directory sync with org-ID scoping for multi-tenant API keys.
Sync employees, departments, and job titles from BambooHR, so the HR system becomes the source of truth for who gets compliance access.
Workday HCM directory sync via REST API. OAuth 2.0 with tenant-scoped client credentials.
Rippling employee directory sync keeps the compliance tenant aligned with your live employee roster.
Compliance deadlines, workflow updates, and engagement alerts land in the inbox or channel your team already watches; there is no separate compliance app to babysit. Always free, included on every plan.
Bring your own SMTP server: Gmail, Office 365, SendGrid, Postmark, or any compliant server. STARTTLS or SSL/TLS, your sender address, your deliverability story.
Push compliance alerts and workflow notifications into any Slack channel via Incoming Webhooks.
Native Microsoft Teams Incoming Webhook integration; compliance updates surface in the same channels your engineering and security teams already use.
Compliance work isn't a side-quest. Push remediation tickets into your issue tracker, sync audit milestones to the team calendar, fan out events to anything you can hit with a webhook. Always free, included on every plan.
Create remediation tickets and link evidence directly from BrickGRC controls. Atlassian Cloud or Server, scoped to your default project.
Push work items to Azure Boards from compliance findings. Personal Access Token auth, configurable default project.
Sync audit milestones, review cycles, and renewal deadlines to a Google Calendar your team already watches.
Microsoft 365 Calendar integration; compliance dates land alongside everything else on your team's schedule.
Fan out any BrickGRC event to any HTTP endpoint. Sign payloads with a shared secret, choose your HTTP method, route into your own automation.
BrickGRC's AI Coach runs against the LLM key you provide. Prompts and evidence go through your provider relationship, your data-isolation rules, and your billing; they are never shared between tenants and never marked up. Always free, included on every plan.
GPT-4 / GPT-4o family. Custom baseURL supported, so OpenAI-compatible gateways and Azure OpenAI deployments work too.
Claude Sonnet, Opus, Haiku families. Bring your Anthropic API key.
Gemini 2.5 Flash / Pro. Bring your Google AI Studio or Vertex AI key.
Command and Embed model families.
Mistral Large, Medium, Small. Open-weight models supported via Mistral's API.
Every change (who, what, when, before/after) is captured at field level for every entity. An immutable trail for the auditor and the regulator.
Integration credentials (storage backends, AI keys, identity providers) are encrypted before persistence. Operators cannot read them in cleartext.
Your AI prompts, evidence, and policies are scoped to your tenant. No cross-customer model training. No shared embedding indexes.
A 15-minute demo is the fastest way to see how the bricks combine for your stack: your frameworks, your storage, your identity provider, your AI keys.