Knowledge Base

Frequently Asked Questions

Everything you need to know about brightGRC — from getting started with global frameworks to managing regional compliance requirements.


Getting Started

What the platform is and how to begin

brightGRC is a unified compliance platform purpose-built for the MENA region. It helps organisations manage global standards (like ISO 27001, SOC 2) alongside regional regulations (like NCA-ECC, SAMA-CSF, Qatar NIA). It covers risk management, audit tracking, evidence automation, and policy governance in one intuitive layer.

You can create an account in under 2 minutes. After signing up, our framework selection wizard helps you activate the compliance modules relevant to your industry and region. Most teams have their core frameworks mapped and initial evidence requests sent within 48 hours.

Yes. Every plan starts with a 14-day free trial — no credit card required. You get full access to all features on your chosen plan so you can evaluate the platform thoroughly before committing.

After 14 days, if you have not subscribed, your account enters read-only mode. Your data is preserved — you can still view everything, but you cannot create new records or run workflows until you activate a subscription. We send reminder emails at day 7 and day 13 of your trial so you are never caught off guard.

No. The platform is built for compliance officers, legal counsel, and business owners — not developers. Most workflows like risk assessments, evidence collection, and policy management are handled via a clean, intuitive interface. For technical teams, we provide an API and webhooks for deeper integrations with your existing security stack.

Absolutely. Many of our customers use brightGRC precisely because they don't have a massive internal team. The platform automates the heavy lifting of evidence gathering and control monitoring. The role-based access system lets you assign specific tasks to IT leads, HR, or Finance, ensuring compliance is a shared, manageable responsibility.

Plans & Pricing

Tiers, billing, upgrades, and limits

We offer four specialized tiers:

  • Privacy Core — Focuses on data privacy (GDPR, PDPL) with cookie consent, script blocking, and basic privacy rights handling.
  • Standard GRC — Adds comprehensive GRC modules like Risk Register, Asset Inventory, and Vendor Management. Ideal for growing teams.
  • Assurance Plus — Designed for formal certification readiness (ISO 27001, SOC 2, NCA-ECC) with automated evidence collection and the Auditor Portal.
  • Enterprise GRC — Custom multi-entity management, cross-framework mapping, dedicated CSM, and unlimited scalability.


A seat is a user account within your organisation's workspace. Every team member who needs to contribute to compliance — from IT managers providing evidence to C-level executives reviewing risks — requires a seat. Seats can be assigned specific roles (Admin, Compliance Lead, Auditor, Contributor) to control visibility and edit permissions.

Domain limits apply to the cookie scanner and consent banner module: 1 domain on Cookie, 3 domains on Starter, 15 domains on Advanced, and unlimited on Enterprise. Other compliance modules (DSARs, breach register, RoPA, etc.) are not domain-limited — they apply across your whole organisation.

Yes. You can upgrade at any time from the Billing section of your dashboard — your new plan takes effect immediately. Downgrading is available at the end of your current billing period. If you are on an annual plan, downgrades apply at renewal. Please note that downgrading to a plan with fewer seats or domains may restrict access to certain records until you are within the new limits.

Yes. Annual billing gives you roughly 2 months free: Starter saves €48/year, Advanced saves €238/year. The Cookie plan is annual-only at €72/year. Enterprise pricing is custom and negotiated annually.

We consider discounts for registered non-profit organisations and charities on a case-by-case basis. Please contact us with your organisation's registration details and we will work out an appropriate arrangement.

Features

Modules, workflows, and capabilities

Data Subject Access Requests (DSARs) are a core requirement of GDPR, Bahrain PDPL, and UAE PDPL. The platform provides a branded intake portal, automated acknowledgement workflows, SLA tracking, and a secure response vault. This ensures you meet regulatory deadlines across different jurisdictions without manual tracking.

The Record of Processing Activities (RoPA) is a requirement under many data protection laws. brightGRC's inventory module helps you map your data flows, identify the legal basis for processing, and link activities to specific vendors or risks. It provides a real-time visualization of your organisation's data landscape.

For frameworks like ISO 27001, SOC 2, or NCA-ECC, brightGRC provides pre-mapped control libraries. The platform automates evidence collection by sending recurring tasks to owners, maintains a Statement of Applicability (SoA), and provides an Auditor Portal where external auditors can review your evidence in a controlled environment.

The Incident Register (formerly the Breach Register) helps you log security events, assess notification requirements under different laws, and maintain a timeline of remediation actions. It ensures that if a data breach occurs, you are ready to notify regulators within the mandated windows (e.g., 72 hours for GDPR).

The platform includes modules for Data Protection Impact Assessments (DPIA) and general Information Security Risk Assessments. These modules guide you through identifying threats, assessing likelihood and impact, and documenting treatment plans to bring risks within your organisation's appetite.

Yes. You can export your RoPA, DSAR logs, breach register, audit evidence, and policy documents in PDF, CSV, and JSON formats. The Advanced plan also includes a read-only Auditor Portal where you can grant secure, time-limited access to external auditors without giving them a full user seat.

The core platform is built around GDPR (EU Regulation 2016/679) and UK GDPR. The audit and risk modules can be adapted for ISO 27001 / ISO 27701, SOC 2, and Bahrain PDPL frameworks. Enterprise plans include bespoke framework support and custom control mappings. We are continuously adding new frameworks — submit a request if you need a specific one.

Yes. The Advanced and Enterprise plans include a REST API and webhook connectors. The API allows you to push DSARs from your website, query consent records, and integrate with your existing CRM, ITSM, or HR systems. Webhooks let you receive real-time event notifications (e.g., a new DSAR submitted, a breach reported) in any system that accepts HTTP POST callbacks.

The risk register (Advanced plan and above) lets you document, score, and track privacy and security risks across your organisation. Each risk has an inherent score (likelihood × impact), a set of controls, and a residual score after controls. Risks can be linked to specific processing activities in your RoPA and assigned to owners for treatment. The register forms part of your Article 32 accountability documentation.

Security & Data

Where data lives and how it is protected

brightGRC is a MENA-native platform. We offer flexible data residency options including Bahrain, UAE, and KSA to ensure you comply with regional data sovereignty requirements. For global customers, we also maintain infrastructure in the EEA. You can select your preferred region during onboarding.

Yes. The platform is built on a Common Control Framework (CCF). This means you only have to implement a control once (e.g., Access Management), and it is automatically mapped to ISO 27001, SOC 2, and NCA-ECC. This "collect once, comply many" approach drastically reduces audit preparation time.

All web traffic uses TLS 1.2 or higher enforced by our reverse proxy — unencrypted HTTP is redirected automatically. Sensitive credentials (such as SMTP passwords) are encrypted at the application level using AES-128-CBC with HMAC-SHA256 and per-company derived keys. All data at rest additionally benefits from disk-level encryption provided by our managed database host. Passwords are never stored in plaintext — we use SHA-256 hashing with a server-side pepper.
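The credential-encryption scheme described above, written out as an added example in Go (this is not brightGRC's own code): AES-128-CBC with a random IV, an HMAC-SHA256 tag over IV and ciphertext (encrypt-then-MAC), and separate encryption and MAC keys derived per company from one master secret. The label-based key derivation and the iv||ciphertext||tag layout are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// kdf derives a labelled sub-key via HMAC-SHA256; the "enc:<company>" / "mac:<company>" labels are an assumption.
func kdf(master []byte, label string) []byte {
	h := hmac.New(sha256.New, master)
	h.Write([]byte(label))
	return h.Sum(nil)
}

// seal: AES-128-CBC (random IV, PKCS#7 padding), then HMAC-SHA256 over iv||ciphertext.
// Output layout is iv || ciphertext || tag (encrypt-then-MAC).
func seal(master []byte, companyID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(kdf(master, "enc:"+companyID)[:16])
	if err != nil { return nil, err }
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, kdf(master, "mac:"+companyID))
	mac.Write(out)
	return mac.Sum(out), nil
}

// open verifies the tag in constant time before decrypting, so a tampered blob
// or another company's keys are rejected without ever running the cipher.
func open(master []byte, companyID string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size { return nil, errors.New("blob too short") }
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, kdf(master, "mac:"+companyID))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { return nil, errors.New("authentication failed") }
	block, _ := aes.NewCipher(kdf(master, "enc:"+companyID)[:16])
	padded := append([]byte(nil), body[aes.BlockSize:]...) // decrypt a copy, not the caller's buffer
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(padded, padded)
	pad := int(padded[len(padded)-1])
	if pad == 0 || pad > aes.BlockSize { return nil, errors.New("bad padding") }
	return padded[:len(padded)-pad], nil
}
```

Because the MAC key is derived per company, a blob sealed for one workspace cannot be opened with another workspace's keys even though both derive from the same master secret.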

Yes. Under GDPR Article 28, we must have a DPA in place with every customer because we process personal data on your behalf as a Data Processor. Our DPA is available at dpa.html and can be accepted electronically (click-wrap). Acceptance is timestamped and stored in our system. We use Standard Contractual Clauses (EU Commission Decision 2021/914) to cover the transfer of data to Bahrain where our technical staff may access systems.

We use a small number of sub-processors, all contractually bound to process data only on our instructions:

  • Managed PostgreSQL (EU) — primary database
  • SMTP email provider — transactional emails (configurable)
  • Encrypted backup provider (EU) — off-site backups

A full, up-to-date list is in our GDPR Compliance Statement. We notify customers at least 30 days before adding any new sub-processor.

Your data is logically isolated per company. Only the seats you create within your account can access your data. Our platform staff may access data for support purposes only when you explicitly grant access, and such access is logged. We never use customer compliance data for our own analytics or marketing. All access is controlled by role-based permissions and full audit logging.

Account & Billing

Managing your subscription and team

Go to Settings → Seats & Roles in your dashboard. Click "Invite seat", enter the person's name, email, and job title, and assign a role. They will receive an invitation email and can set their password on first login. The number of seats you can add depends on your plan. Administrators can also assign custom permission sets to individual roles.

Yes. Monthly subscriptions can be cancelled at any time; access continues until the end of the paid period. Annual subscriptions can be cancelled at renewal — mid-year cancellation is subject to our refund policy. You can cancel from Dashboard → Settings → Billing → Cancel subscription, or by contacting support.

We offer a 14-day money-back guarantee on new subscriptions. If you are not satisfied within the first 14 days of your first paid term, contact us for a full refund. After 14 days, refunds are pro-rated for annual plans in exceptional circumstances. Full details are in our Refund Policy.

Each company requires its own account and subscription. Multi-entity management — where a single super-admin can oversee multiple company workspaces — is an Enterprise plan feature. This is designed for holding groups, legal firms managing multiple clients, or DPO-as-a-service providers.

Support is available via the in-app Help & Support panel (click the help icon in your dashboard) or via the Support button in the Admin Menu. Enterprise customers have a dedicated Customer Success Manager. We also have a documentation centre with step-by-step guides for every module.

Still have a question?

Our team usually responds within one business day. Or explore the documentation for step-by-step guides.
