EU GRC platform

Cyber governance, made operational.

Cerynix brings NIS2, ISO 27001 and GDPR readiness — controls, risk, evidence, incidents and your security tools — into one multi-tenant workspace, with the audit-ready proof to back it.

Invite-only during onboarding. Readiness support — not legal advice or a guarantee of compliance.

NIS2 readiness
ISO/IEC 27001:2022 (93 Annex A controls)
GDPR Art. 32-centric

Illustrative sample — not a real tenant.

Pick what you need

One workspace, the frameworks that apply to you

Enable one or more frameworks at onboarding. Controls map across them, so evidence you gather once counts everywhere it applies.

NIS2 readiness

Scope your entity, work the security-measure and incident-reporting obligations, and keep a defensible record of where you stand.

ISO/IEC 27001:2022

All 93 Annex A controls, per-organization enablement, assessments and a generated Statement of Applicability (PDF/CSV).

GDPR

A GDPR control library centred on Article 32 (security of processing), mapped to your NIS2 and ISO work to avoid duplicate effort.

The platform

Everything a small security team needs to run the programme

Controls & assessments

A cross-framework control library with assessment workflow and gap tracking.

Statement of Applicability

Generate the ISO 27001 SoA on demand as PDF or CSV from your assessments.

ISMS policy register

Author policies with an approval workflow and automatic review reminders.

Risk register

Track risks with treatment plans, linked to the controls that mitigate them.

Assets & findings

An inventory with findings and an explainable exposure score you can defend.

Evidence management

Attach and organise evidence so every claim traces back to a document.

Incident management

Record incidents and support the NIS2 notification timeline.

Supplier register

Keep a third-party/supplier register for supply-chain obligations.

Integrations

Pull assets and findings from Microsoft Entra ID, Intune and Defender, Tenable, Jira, Zabbix, Splunk, Trend Vision One, VMware, Action1, the Fortinet family (FortiGate / FortiAnalyzer / FortiClient EMS) and any HTTP/JSON source. Credentials are encrypted at rest.

Security is the product

Built to keep tenants isolated and secrets safe

A GRC tool holds your most sensitive posture data. Cerynix is engineered so that isolation and least privilege are enforced, not assumed.

  • Multi-tenant isolation with PostgreSQL Row-Level Security, forced on tenant tables.
  • RBAC on every route and audit events for sensitive actions.
  • Encrypted connector secrets — write-only, never returned by the API.
  • Hardened edge: security headers, rate limiting, internal endpoints closed off.
  • Self-hostable with Docker Compose — your data stays in your environment.
  • EU data-residency option for evidence storage.

How it works

From onboarding to audit-ready in four steps

Onboard

Create your organisation and pick the frameworks that apply.

Connect

Link your identity, endpoint and security tools to import assets and findings.

Assess

Work through controls, log evidence and close gaps with tasks.

Prove

Generate the SoA and reports whenever an auditor or regulator asks.

Get early access to Cerynix

We're onboarding pilot organisations now. Tell us about your NIS2, ISO 27001 or GDPR programme and we'll be in touch.