Product

Checkpoint — the compliance console that lives in your tenant

Most GRC platforms ask you to copy your riskiest data — your risk register, your audit findings, your control gaps — into someone else's SaaS. Checkpoint doesn't. Every record is a SharePoint list in your own Microsoft 365 tenant; posture checks read your live Entra, Intune and Defender signals via Microsoft Graph and never leave your browser.

Explore the live demo — no sign-up Book a walkthrough

The demo runs entirely in your browser with sample data — nothing to install, nothing sent anywhere.

Your data never moves. That's the whole point.

Checkpoint has no backend and no database. It's a static web app that signs you in with your own Microsoft account, reads your tenant's security posture read-only, and stores every register as SharePoint lists you already own, govern and back up.

🏠 In-tenant by design

Risks, actions, controls, evidence, audit trails — all SharePoint lists in your tenant, inheriting your permissions, retention and versioning. Off-boarding us costs you nothing: the data was always yours.

🔍 Read-only posture scanning

Sign-in requests read-only Microsoft Graph access. MFA coverage, Conditional Access, PIM usage, guest accounts, device compliance, risky OAuth grants and Secure Score — measured live, never guessed from a spreadsheet.

📄 Evidence that collects itself

Every scan exports the raw Graph data behind each check as timestamped, SHA-256-hashed JSON into your document library, auto-linked to the controls it satisfies. When the auditor asks "prove it", it's already filed.

Everything a certification actually requires

Seven frameworks, cross-mapped so shared evidence is never duplicated: ISO 27001, SOC 2, Essential Eight, ISO 42001, ISO 27701, DISP/IRAP and NIST CSF.

Posture scan & drift alerts

22 automated checks against your live tenant, with configurable thresholds and an optional in-tenant scheduled monitor that flags regressions daily — no one needs to remember to re-scan.

Living Statement of Applicability

Per-framework control sets with applicability, status, ownership, verification dates and evidence links — the document your auditor opens first, always current.

Linked risk & actions registers

Scan findings propose risks; approving one creates the treatment actions; completing actions recalculates residual risk. The audit trail builds itself.

Vendor risk with data classification

Record exactly what data each vendor touches — health information, customer PII, credentials, production access — get a suggested criticality, send questionnaires, and feed review dates into the compliance calendar.

AI governance (ISO 42001)

An AI systems register with EU AI Act risk tiers and impact assessments — plus automated discovery that spots Copilot, OpenAI and other AI apps already consented to in your tenant.

Governance rhythm, built in

Internal audit programme, management review records, a compliance calendar and an append-only audit log — ISO 27001 clauses 9.2 and 9.3 satisfied continuously, not assembled the week before audit.

One-click reporting

SoA export, audit readiness report, executive summary, management review pack — plus a shareable Trust Center page and a time-boxed Auditor Pack your certifier can open without a licence.

Board view

A live, presentation-ready summary — pull it up in the board meeting instead of screenshotting dashboards into slides the night before.

Built like the security tool it is

Least-privilege consent

Sign-in requests read-only scopes. Write access to your SharePoint is requested separately, the first time it's needed — and an admin consents to each step explicitly.

No third-party code at runtime

Strict Content-Security-Policy, no CDN dependencies, content-hashed assets with subresource integrity, and a tamper-evident append-only audit log.

Auditable end to end

Every register change is versioned by your own SharePoint, every material action is written to the audit log, and every scan's raw evidence is hashed and filed.

See it with your own data

Explore the demo in two clicks, or book a 30-minute walkthrough and we'll run a read-only posture scan against your real tenant — you'll leave with your actual gaps, not a sales deck.

Explore the demo Book a walkthrough
📞 Microsoft Teams