MADE BY GRADS FROM TUM & HEC PARIS

Continuous Compliance Intelligence.

Automate regulatory certainty across your organization. From policy ingestion to real-world control mapping in minutes.

Step 1

Policy & Regulation

Upload your internal policies and connect regulatory feeds. Ratio supports GDPR, ISO 27001, SOC2, and custom internal controls—ensuring nothing is overlooked.

Regulatory Frameworks (Active Sync): EU, ISO, SOC, HIP
Policy Analysis: CONTROL-MAPPED
Data_Retention_Policy_v4.pdf: 100%
ISO COMPLIANT
ENCRYPTED
ISO 27001 Statement of Applicability (Framework)
GDPR Data Processing Agreement (Legal)
SOC2 Type II Report 2023 (Audit)
Internal InfoSec Policy (Policy)
Employee Training Logs - Q4 (Evidence)
Network Penetration Test Result (Technical)
Incident Response Plan v2.1 (Policy)
Data Privacy Impact Assessment (Risk)
Vendor Security Assessment (Third-Party)
Access Control Review - Oct 23 (Evidence)
Disaster Recovery Test Log (Evidence)
Business Continuity Plan (Policy)
HIPAA Compliance Mapping (Framework)
Encryption Key Management Policy (Policy)
AWS Security Group Audit (Technical)
CCPA Compliance Manual (Legal)
Step 2

Control Mapping

4.2k CONTROLS MAPPED, 85 REGULATIONS LINKED

Node Properties

Entity Details
GDPR Article 5(1)(e)
Regulation: EU GDPR
Control Requirement: Storage Limitation
Compliance Status: Policy Breach
Linked Evidence: RETENTION_LOG_Q3, DATA_ARCHIVE_S3

* Ratio automatically maps regulations to internal policies and real-world evidence.

Step 3

Continuous Interview

Ratio interviews your team to verify control implementations and actual workflows that documents might miss.

Awaiting Team Input
MFA Exception: [Admin_User_X] → [Legacy_Service_Y]
Data Access: [Team_A] → [Personal_Data_Store_B]
Offboarding: [Leaver_Z] → [System_Access_Check]
R: I've detected a gap in your Access Control evidence:
Admin_Portal, mfa_status: disabled

However, your InfoSec Policy requires MFA for all admin accounts. Does this portal use an alternative compensating control?
U: Yes. This is a legacy system behind a VPN. We use IP-whitelisting as a compensating control.
R: Understood. Documenting IP-whitelisting as a compensating control for the legacy admin portal:
Admin_Portal, compensating_control: IP-Whitelisting

I am now re-evaluating the SOC2 Access Control requirement.

Step 4

Regulatory Gap Analysis

Ratio runs 100+ compliance tests across policies, evidence logs, and team interviews to find regulatory gaps before they become liabilities.

142 Compliance Tests
6.4s Scan Time
Privacy: 45 Tests, 1 Failure
Security: 52 Tests, 2 Warnings
Operations: 30 Tests, Clean
Third-Party: 15 Tests, 1 Warning
Automated Compliance Suite
Data Retention Enforcement
MFA Implementation Check
Encryption Key Rotation
DPA Signature Tracking
Access Review Frequency
Sub-processor Risk Scan
Breach Notification Timer
SAR Response Workflow
Privacy Policy Alignment
Data Minimization Audit
Consent String Integrity
Cross-border Transfer Scan
Training Completion Log
Firewall Rule Audit
Vulnerability Patching
BCP/DR Test Verification
Physical Access Log
Asset Inventory Match
Clean Desk Compliance
Password Complexity
Session Timeout Audit
API Authentication Scan
Database Encryption
Audit Log Integrity
Third-Party Assessment
Whistleblower Policy
Anti-Bribery Controls
Sanctions List Screening
Environmental Policy
Accessibility Standard
Custom Requirement Creator
"Identify all sub-processors who have access to PII but haven't signed the 2024 DPA"
Compiled Cypher Query
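// The agreement node in the WHERE pattern is anonymous: Neo4j rejects pattern predicates that introduce new variables.
MATCH (s:SubProcessor)-[:HAS_ACCESS_TO]->(d:Data {type: "PII"})
WHERE NOT (s)-[:SIGNED]->(:Agreement {version: "2024_DPA"})
RETURN s.name, s.risk_level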
+ 112 additional regulatory tests in full report
Audit Output

Audit-Ready Dossier

Compliance Score
92/100

High level of compliance. 1 critical gap in data retention.

Control Status
Gaps (1) | Warnings (3) | Effective (138)

Requirement | Impact | Analysis
Data Retention Policy Enforcement (Privacy) | Critical | Customer data kept beyond 2-year limit
MFA Coverage Analysis (Security) | High | 3 administrator accounts lack MFA
Encryption-at-Rest Validation (Security) | High | Control Effective
Vendor DPA Alignment (Legal) | Medium | 2 sub-processors missing signed DPAs
Access Review Recency (Audit) | Medium | Control Effective