A structured model of your program, the requirements, an evidence repository, and a "what do I do next." Chat delivers all four — with none of the dashboard tax.
Your scope, inventories, controls, and risks — stored, versioned, queryable.
Every policy and control mapped to CC1–CC9, tailored to your system.
Encrypted, hashed, immutable. Built for an auditor to trust.
Claude always knows your phase, your gaps, and your next best action.
Every step happens in the same conversation — Claude moves you from an empty program to an auditor-ready package.
Buy a membership, connect GRC MCP to Claude.
→ connectorClaude interviews you and writes your System Description.
grc_update_scopeEmployees, vendors, systems — captured in conversation.
grc_upsert_vendorTailored authoring prompts — your AI drafts the policy, not us. We version & track acks.
Upload a screenshot; we file it against the right control. Manual only — no integrations.
Guided risk assessment + a gap report with a remediation backlog.
grc_run_readiness_assessmentBurn down gaps until 100% covered.
grc_check_audit_readinessGenerate and share your auditor package — in the web app.
→ web appRemote MCP over Streamable HTTP with OAuth 2.1. Connect once; your program follows you across clients.
The web app does only what chat can't: secure upload, durable storage, billing, and your auditor handoff. No dashboard to learn.
Every artifact is hashed, encrypted with a per-tenant key, and written to an append-only, hash-chained log. Auditor access is read-only, time-boxed, watermarked, and fully logged.
Get started with GRC MCP and then transition to a GRC platform when you're ready. When you need Type 2 or multiple frameworks, export your whole program into a standard GRC platform with your own account — GRC MCP stays your system of record.
For companies with fewer than ten employees. Everything you need to go from zero to audit-ready, run entirely through chat.
GRC MCP isn't a GRC platform. It's a format and methodology — a better way to interact with the GRC platforms you already have, and to run your whole SOC 2 Type 1 program straight from chat.
No — manual upload by design. You drop a screenshot; an AI validates each artifact and files it against the right control. No integrations to configure or break.
Any client that speaks remote MCP — Claude and ChatGPT today, over Streamable HTTP with OAuth 2.1. Connect once; your program follows you.
An independent CPA firm — we're auditor-agnostic. We generate the package they need and a read-only portal to review it.
Yes. Export your whole program into a standard GRC platform with your own account whenever you're ready for Type 2 or multiple frameworks.
Typically under three weeks, depending on how quickly you upload the evidence Claude asks for.