Design any operation.
Capture evidence.
Measure compliance.

Novantra is a governance operating layer. Where most GRC tools stop at a dashboard and a folder of uploaded PDFs, Novantra turns each clause of a framework into a tracked obligation, binds it to a control, an evidence rule, an owner, and a workflow, then measures the result from your real source systems. The output is not a report you assemble at audit time. It is proof the platform already holds.

A framework or internal policy enters Novantra and gets broken down into obligations: who must do what, by when. Each obligation is bound to a control, an evidence rule, an owner, and a lifecycle workflow. Day-to-day operations and approvals run through those workflows, and connected source systems generate the evidence. The chain stays intact from the policy clause to the audit-ready proof, with citations.

Novantra is framework-agnostic. ISO 27001, SOC 2 Type I and Type II, NIS2, DORA, GDPR, HIPAA, PCI DSS, and your own internal policies all model the same way: a register of obligations with bindings to controls and evidence. New frameworks ship as control packs you can adopt without code, and you can author, version, and share your own.

A signed, versioned snapshot of your governance posture. It carries which frameworks you operate under, which controls are proven, which evidence is fresh, and which gaps you are tracking. Share it as a single link with a buyer, an auditor, a partner, or an insurer instead of re-attaching the same PDFs to every email thread.

A periodic audit asks what you submitted on the form last quarter. Continuous assurance asks what your live source data says right now. Novantra reads from your approved systems read-only, measures controls against their evidence rules, scores how fresh that evidence is, and surfaces drift, missing reviews, and breach candidates before they ever reach an audit cycle.

Bring your own. Novantra ships with provider adapters and a per-organisation registry of approved models. You can run on a major cloud provider, a sovereign model, your own infrastructure, or a private endpoint. Every call records which model and version handled it, and the platform refuses to silently fall back to a different provider.

No. Your data is your data. Novantra does not feed your content into any model's training corpus, ours or anyone else's. Models are invoked through your provider connection under your retention and zero-data-retention terms, and embeddings and retrieval indexes stay scoped to your tenant or your own infrastructure.

You choose. Managed Cloud runs in the region you select. Running on your own infrastructure is supported on the same code base with feature entitlement controls, and releases ship with reproducible SBOMs so your security team can audit exactly what was deployed. Sensitive PII is column-encrypted with bring-your-own-key support via AWS KMS or Azure Key Vault.

An AI Bill of Materials lists which models, providers, datasets, and policies were used by an AI system, across versions and over time. Regulators and procurement teams ask for it for the same reason they ask for a software bill of materials: when something goes wrong, you need to know exactly what was running. Novantra produces the AI BOM as a side effect of every governed AI call.

No. Novantra is designed to coexist, and integration is first-class. The product surface includes a versioned public REST API at /api/v1/..., OpenAPI documentation, scoped service-account tokens, idempotent writes, and outbound webhooks so your existing GRC, ticketing, ITSM, or BI stack can push obligations, pull connected evidence, and subscribe to drift signals and breach candidates directly. Many teams keep their legacy GRC tool for past-state reporting and run Novantra alongside it for policy-to-action, continuous assurance, the Compliance Passport, and AI governance, migrating at whatever pace their team chooses.

A first usable workspace ships in days, not quarters. Onboarding a single framework with its controls, evidence rules, and one connected source system is typically one to two weeks. Compliance Passport publication is enabled once the first connector is approved by your team. Larger programs (multiple frameworks, multi-entity rollups, AI governance) scale linearly from there.

Both. The product runs the same code from a single-tenant workspace to a multi-entity central rollup. Small teams use it to ship a Compliance Passport for vendor reviews and procurement readiness. Enterprises use the same surface plus the authority-node and connected-evidence layers for cross-entity assurance.

The single workspace license covers one tenant and unlimited internal users. You can buy as many workspaces as you need. The enterprise license does not have any tenant restrictions.

Yes, as long as it fits the license you purchase. The enterprise license is the standard fit for advisory and managed-service work across multiple client tenants.