PRODUCT

Risk Management

Identify, score, and track internal risks in one place, linked to your controls — built for startups that need a risk register without the enterprise GRC overhead.

Book a Demo

Built for startups, not enterprises

Risk management that works before the audit starts

A live risk register, linked to your controls, that keeps your auditor happy and your team informed — especially for teams running compliance for the first time without a dedicated security hire.

Know your risks

A risk register that actually stays up to date

Most startups track risks in a spreadsheet that gets updated once a year, right before the audit. ComplyJet replaces that with a live risk register — linked to your controls, scored on likelihood and impact, and always visible to your whole team.

  • Risks scored on likelihood and impact with a built-in framework
  • Each risk linked to the controls that mitigate it
  • Treatment plans tracked to closure — not just documented

Linked to your program

Risks aren't isolated — they're tied to controls and evidence

A risk isn't fully managed until you have a control in place and evidence that it's working. ComplyJet links every risk to the controls that address it, so you always know what's mitigated, what's accepted, and what's still open.

  • Every risk mapped to relevant controls
  • Control gaps surface as risks automatically
  • Auditors see a complete picture: risk, treatment, and evidence in one view

Audit-ready

Your risk register is an audit artefact, not an afterthought

Risk management is a formal requirement for SOC 2, ISO 27001, and most other frameworks. Your auditor will ask for it. ComplyJet keeps your register current and exports it in the format your auditor expects — no last-minute cleanup required.

  • Risk register formatted for auditor review
  • Annual risk assessment reminders built in
  • Accepted risks documented with rationale — as required by your framework

Key capabilities

Everything you need to manage risk properly

Built for the way compliance actually works at an early-stage startup.

  • Risk register: a live, structured log of every identified risk — categorised, scored, and linked to treatment plans and controls.
  • Likelihood and impact scoring: score each risk on a standard matrix and track how scores change over time as controls are put in place.
  • Treatment plan tracking: for each risk, accept, mitigate, transfer, or avoid. Plans are assigned to owners and tracked to completion.
  • Controls mapping: every risk linked to the controls that mitigate it — close the loop between risk and your compliance program.
  • Automatic gap surfacing: control gaps surfaced as risks automatically — so nothing identified during monitoring falls outside the risk register.
  • Risk owner assignment: assign each risk to the right person, with reminders for periodic reviews and treatment updates.
  • Annual risk assessment workflow: guided annual review process to reassess, update scores, and document changes — a formal audit requirement.
  • Audit-ready risk report: export your full risk register in the format your auditor expects — no reformatting or manual compilation.

Framework requirements

Why your auditor requires it

Control requirements that make risk management non-negotiable.

SOC 2 (Trust Services Criteria)
  • CC3.1: Specifies objectives with sufficient clarity to enable identification and assessment of risks.
  • CC3.2: Identifies and analyzes risks to the achievement of objectives.
  • CC3.4: Identifies and assesses changes that could significantly impact the system of internal control.

ISO 27001 (Information Security Management)
  • Clause 6.1: Consider risks and opportunities to ensure the management system achieves its intended outcomes.
  • A.8.8: Information about technical vulnerabilities shall be obtained and evaluated in a timely fashion.

HIPAA (Security Rule)
  • §164.308(a)(1)(ii)(A) Risk analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to ePHI.
  • §164.308(a)(1)(ii)(B) Risk management: Implement security measures sufficient to reduce risks to a reasonable and appropriate level.

Priced for startups, not enterprises

Included in your plan — not a bolt-on

Flat price per company. No per-seat fees.

  • Single framework: $5,000/year. SOC 2, ISO 27001, HIPAA, or any single framework. Flat price, no per-seat charges.
  • Two frameworks: $8,000/year. Run SOC 2 + ISO 27001 or any two frameworks simultaneously. Same flat price as you grow from 5 to 50 employees.

Price stays the same as you grow from 5 to 50 employees.

Stop managing risk in a spreadsheet
See how ComplyJet keeps your risk register live, linked to your controls, and ready for your auditor — built for teams doing this for the first time. 30 minutes, no commitment.

Book a Demo

Full platform

Risk management connects to every part of your compliance program.

Every feature below is included in your ComplyJet plan — no bolt-ons, no extra modules to configure.

  • Compliance Automation: connect your stack, automate evidence, and monitor controls 24/7 — your entire compliance program on autopilot.
  • Vendor Risk Management: onboard vendors, score their risk, and track compliance across your entire supply chain.
  • Access Reviews: schedule, run, and document access reviews across your identity systems — automatically.
  • Vulnerability Management: sync vulnerabilities from Snyk, AWS Inspector, and Wiz directly into your compliance program.
  • Audit Management: give auditors a pre-populated workspace. Fewer requests, faster close, no last-minute scramble.
  • Policy Management: AI-drafted policies distributed and acknowledged by your team, all tied to active controls.

FAQ

Common questions

What is a risk register?

A risk register is a documented list of all identified risks to your organisation — their likelihood, potential impact, who owns them, and how they're being treated. It's a formal requirement for SOC 2, ISO 27001, and most other compliance frameworks. Your auditor will ask for it. Most ComplyJet customers are startup founders or engineering leads doing this for the first time — ComplyJet comes with pre-built common risk scenarios so you're not starting from a blank page.

How do I score risks?

ComplyJet uses a standard likelihood-times-impact matrix. You score each risk on both dimensions, and the platform calculates an overall risk level. You can customise the scoring criteria to match your organisation's risk appetite.

What are treatment options?

Mitigate: put a control in place to reduce the risk. Accept: document that you're aware of the risk and have decided to live with it. Transfer: shift the risk to a third party, e.g. through insurance. Avoid: stop the activity that creates the risk. All four options are tracked in the platform.

Is risk management the same as vulnerability management?

No. Risk management is broader — it covers any identified threat to your business, including operational, legal, and third-party risks. Vulnerability management is specifically about technical security weaknesses in your systems. ComplyJet supports both, and the two are linked.

How often do I need to do a risk assessment?

Most frameworks require a formal risk assessment at least annually. ComplyJet sends reminders and guides you through the process so it doesn't get missed. For a startup doing this for the first time, the initial assessment typically takes a few hours — not weeks.

How is ComplyJet different from Vanta or Drata?

Vanta and Drata both include risk management, but the tooling is designed for enterprise workflows — custom scoring models, complex mitigation tracking, board-level reporting. ComplyJet's risk module is scoped for startups: pre-built common risk scenarios, straightforward likelihood and impact scoring, and evidence already tied to your existing controls. You get the same audit-ready output without needing a dedicated risk manager to configure the tool. Same flat price as the rest of the platform.