Question 1

How does RiskWatch pricing work?

Accepted Answer

RiskWatch is sold as an annual subscription tied to two inputs: the number of named users running assessments and the number of frameworks you activate from our library. There are no per-question, per-control, or per-evidence-upload fees. Volume discounts apply at 25, 100, and 250 users, and multi-framework bundles reduce the marginal cost of adding regulators after the first one.

Question 2

Can I pay monthly instead of annually?

Accepted Answer

Annual billing is the default and is built into the subscription model because customers run audit cycles on annual cadences. Quarterly invoicing is available for enterprise contracts on request, but month-to-month billing is not supported because most regulators (SOC 2, ISO 27001, HIPAA) operate on year-long observation windows that map cleanly to annual licensing.

Question 3

Do you offer volume or multi-framework discounts?

Accepted Answer

Yes. Volume discounts kick in at 25, 100, and 250 active users, and multi-framework bundles reduce the marginal cost of each additional framework by roughly 30 percent after the first. Customers running five or more frameworks typically reach an effective unit price 40 to 55 percent below adding the same regulators on competing GRC tools sold per-control.

Question 4

What is the difference between self-serve and white-glove onboarding?

Accepted Answer

Self-serve customers configure their own framework library, users, and assets through the in-product onboarding wizard and reach first assessment in under a week. White-glove customers get a dedicated implementation manager who runs framework selection workshops, builds custom cross-mapping, migrates legacy evidence, and trains assessors. White-glove is included free for customers committing to three or more frameworks.

Question 5

Is there a free tier or trial?

Accepted Answer

We offer a 30-day free trial of the full platform, every framework, every integration, every report, every user. No credit card is required to start, and trial data is preserved if you convert to a paid plan within 60 days of trial expiry. There is no permanent free tier because the platform is sized for organizations running real audit obligations.

Question 6

What are the renewal terms?

Accepted Answer

Renewals are annual with a 60-day notification window before the renewal date. You will receive a renewal quote 90 days out so procurement has time to review pricing and adjust user or framework counts. Auto-renewal is the default, but you can opt out at any time by emailing your customer success manager or sales@riskwatch.com.

Question 7

Are there extra charges for evidence storage or audit reports?

Accepted Answer

No. Every plan includes unlimited evidence uploads, unlimited audit reports, unlimited surveys, and unlimited document versions. We do not meter API calls, cross-framework mappings, dashboard exports, or user activity. The only metered inputs are seat count and framework count, both negotiated at the start of the term so there are no surprise overage fees mid-cycle.

Question 8

Can I add frameworks mid-contract?

Accepted Answer

Yes. Frameworks can be added at any point during the term and are co-termed to your renewal date so all subscriptions expire together. New framework activation is typically completed within 24 hours of the order, with the full library, control mappings, and survey templates available immediately so your team can begin assessments the same day.

Question 9

What is the typical implementation timeline?

Accepted Answer

Most customers are running their first live assessment within 30 days of contract signature. Week one covers framework activation and SSO configuration. Week two configures users, business units, and assets. Week three runs a pilot assessment and tunes scoring. Week four trains assessors and launches the production cycle. Multi-framework or migration projects typically extend to 60 to 90 days.

Question 10

Can I migrate from a legacy GRC platform?

Accepted Answer

Yes. We migrate from Archer, ServiceNow GRC, MetricStream, LogicGate, OneTrust, AuditBoard, Hyperproof, Drata, Vanta, and home-grown SharePoint/Excel systems. Migration includes evidence library, control catalog, asset register, and historical audit findings. Standard migrations take two to four weeks and are run by our implementation team at no additional cost for white-glove customers.

Question 11

Can I add my own custom framework?

Accepted Answer

Yes. Custom frameworks can be loaded through the framework editor or imported from a CSV/Excel control list. The mapping engine then automatically suggests overlaps with the 40+ standard frameworks already in your library, so you do not have to manually re-answer questions that were already evidenced for ISO 27001, SOC 2, or any other framework you run.

Question 12

What is the customer success model?

Accepted Answer

Every paid customer is assigned a named customer success manager who runs quarterly business reviews, monitors framework coverage, advises on assessment cadence, and escalates support issues. Enterprise customers also get a dedicated technical account manager for integration and API work. CSM engagement is included in every subscription tier, there is no separate professional services SKU to purchase.

Question 13

Is there a self-serve onboarding option?

Accepted Answer

Yes. The in-product onboarding wizard walks new admins through framework selection, user invitation, asset import, and survey configuration in roughly two hours. Self-serve customers get the same access to documentation, video training, the knowledge base, and email support, they simply skip the dedicated implementation manager and the white-glove migration workshops.

Question 14

Who from my team needs to be involved in implementation?

Accepted Answer

A program owner (typically a CISO, GRC lead, or compliance manager), an IT contact for SSO/SCIM setup, and one or two subject-matter experts per active framework. Most go-lives complete with five to seven hours of program-owner time spread across four weeks. We do not require a full-time project manager or a dedicated business analyst.

Question 15

Can I run a phased rollout across business units?

Accepted Answer

Yes, and most enterprise deployments do exactly that. The platform supports unlimited business units, regions, and entities under one parent organization, each with its own scoring, dashboards, and access permissions. Common phasing patterns: framework-by-framework, region-by-region, or pilot business-unit first. Your CSM will help design the rollout sequence during kickoff.

Question 16

How many frameworks does RiskWatch support?

Accepted Answer

The standard library includes 40+ frameworks: SOC 2, ISO 27001, ISO 27701, ISO 22301, NIST CSF, NIST 800-53, NIST 800-171, CMMC, HIPAA, HITRUST, PCI DSS, GDPR, CCPA, FedRAMP, FISMA, OSHA, EPA, FERPA, GLBA, NY DFS 23 NYCRR 500, NYDOH, SOX, COBIT, COSO, plus industry-specific frameworks for healthcare, finance, energy, and manufacturing.

Question 17

Can I add a custom framework that is not in the library?

Accepted Answer

Yes. Custom frameworks can be loaded via the framework editor, imported from CSV/Excel, or built from scratch using our control library. The mapping engine then automatically detects overlaps with existing frameworks so questions you have already answered for SOC 2 or ISO 27001 do not need to be re-answered for the custom framework, evidence inherits across the mapped controls.

Question 18

How does the cross-mapping engine work?

Accepted Answer

The cross-mapping engine maintains pre-built relationships between every control in every framework, for example, SOC 2 CC6.1 maps to ISO 27001 A.5.15, NIST CSF PR.AC-1, and HIPAA §164.312(a). When you answer one survey question, the platform automatically applies the same response, score, and evidence to every mapped control across every active framework, eliminating duplicate work.

Question 19

How quickly do you update frameworks when versions change?

Accepted Answer

Framework version updates are released within 30 days of the publishing body's effective date, included in your subscription. NIST CSF 2.0, ISO 27001:2022, PCI DSS 4.0, and HIPAA Security Rule revisions were all available in RiskWatch within their first month. Migration tooling preserves your existing evidence and re-maps it to the new control numbering automatically.

Question 20

Do you support international frameworks beyond US regulations?

Accepted Answer

Yes. The library includes ISO 27001, ISO 27701, ISO 22301, GDPR, UK GDPR, NIS2, DORA, EU AI Act, Australian Privacy Principles, PIPEDA (Canada), LGPD (Brazil), APPI (Japan), India DPDP Act, Singapore PDPA, and Saudi NCA ECC. Additional regional frameworks are added quarterly based on customer demand and regulator publication cadence.

Question 21

Does RiskWatch help with multi-framework audits?

Accepted Answer

Yes, multi-framework audits are the core use case. The unified evidence library means a single document, screenshot, or attestation satisfies controls across every mapped framework. Auditors get framework-specific export packages from one source of truth, and your team avoids the duplicate-evidence problem that drives 60 to 70 percent of audit prep effort on conventional GRC tools.

Question 22

Can I scope assessments differently for each framework?

Accepted Answer

Yes. Each framework can be scoped independently to specific business units, regions, products, or systems, and a single asset can sit inside multiple framework scopes simultaneously. The scoring engine maintains separate posture scores per framework while still inheriting shared evidence, so a SOC 2 audit boundary does not contaminate your ISO 27001 boundary or vice versa.

Question 23

What integrations does RiskWatch offer?

Accepted Answer

Native integrations include Okta, Azure AD/Entra ID, Google Workspace, AWS, Azure, Google Cloud, Jira, ServiceNow, Slack, Microsoft Teams, Splunk, CrowdStrike, Qualys, Tenable, Rapid7, Sentinel One, Microsoft Defender, Wiz, KnowBe4, Proofpoint, Mimecast, ZeroFox, BitSight, SecurityScorecard, plus a public REST API and webhook framework for any system not on the native list.

Question 24

Do you support SSO?

Accepted Answer

Yes. SAML 2.0 and OpenID Connect (OIDC) are supported with every enterprise plan at no additional cost. Pre-configured connectors exist for Okta, Azure AD/Entra ID, Google Workspace, Ping Identity, OneLogin, JumpCloud, Duo, and any generic SAML 2.0 identity provider. Custom claim mappings, just-in-time provisioning, and SP-initiated and IdP-initiated flows are all supported.

Question 25

Do you support SCIM provisioning?

Accepted Answer

Yes. SCIM 2.0 is supported for automated user lifecycle management, provisioning, de-provisioning, group sync, and role assignment based on identity-provider attributes. Pre-built SCIM connectors are available for Okta, Azure AD/Entra ID, Google Workspace, OneLogin, and JumpCloud. Custom attribute mappings let you sync business unit, location, or job title for use in scoping and reporting.

Question 26

Do you have a public API?

Accepted Answer

Yes. The RiskWatch REST API exposes every object, assessments, surveys, controls, evidence, findings, users, business units, frameworks, and reports, for read and write operations. API tokens are scoped per-integration with granular permissions. Webhook subscriptions push real-time events for assessment status changes, finding lifecycle, and evidence updates. Full OpenAPI spec is available in the developer portal.

Question 27

Can RiskWatch pull evidence from cloud accounts automatically?

Accepted Answer

Yes. Cloud connectors for AWS, Azure, and Google Cloud automatically pull configuration evidence, IAM policies, encryption settings, logging configuration, network ACLs, security group rules, and attach it to the relevant control on every assessment cycle. Wiz, Prisma Cloud, and Lacework integrations also feed CNAPP findings directly into the platform's risk register.

Question 28

Do you integrate with CMDB or asset management systems?

Accepted Answer

Yes. ServiceNow CMDB is the most common integration and pulls the authoritative asset list directly into RiskWatch's asset register, including ownership, criticality, and lifecycle state. We also integrate with Atlassian Jira Service Management, Device42, and BMC Helix CMDB. Custom CMDB integrations are supported via the REST API and a CSV-import workflow for systems without a public API.

Question 29

Can RiskWatch import from spreadsheets?

Accepted Answer

Yes. Bulk import is supported for assets, users, controls, frameworks, evidence, and findings via CSV or Excel templates available in-product. Import jobs validate data, surface errors row-by-row, and let you preview the result before commit. This is the most common migration path for customers moving off legacy GRC tools or SharePoint-based compliance programs.

Question 30

Is RiskWatch SOC 2 Type II certified?

Accepted Answer

Yes. RiskWatch maintains an annual SOC 2 Type II report covering security, availability, and confidentiality trust service criteria. The current report is available under NDA from your sales contact or by emailing security@riskwatch.com. We also publish an annual SOC 3 report for customers who need a publicly shareable attestation without the proprietary controls detail in the Type II.

Question 31

Are you ISO 27001 certified?

Accepted Answer

Yes. RiskWatch is ISO 27001:2022 certified by an accredited registrar, with the certificate and Statement of Applicability available under NDA. The information security management system covers the entire platform, supporting infrastructure, and the engineering, customer success, and security teams. Surveillance audits are conducted annually with full re-certification on the standard three-year cycle.

Question 32

Where is customer data stored?

Accepted Answer

Customer data is stored in AWS US-East (Virginia) by default. EU customers can be provisioned in AWS Frankfurt for GDPR data residency requirements, and UK, Canadian, and Australian residency options are available on enterprise contracts. Data residency is committed in writing in your Master Services Agreement and enforced at the infrastructure layer, your data does not leave the chosen region.

Question 33

How is data encrypted?

Accepted Answer

Data is encrypted at rest using AES-256 with AWS KMS-managed keys and encrypted in transit using TLS 1.3. Customer-managed keys (BYOK) are available on enterprise contracts for organizations with regulatory requirements for key custody. Database backups are encrypted with the same standards, and all internal service-to-service traffic uses mutual TLS authentication and certificate-based authorization.

Question 34

What subprocessors do you use?

Accepted Answer

Our subprocessor list, AWS for hosting, Datadog for observability, Sentry for error tracking, Salesforce for CRM, Stripe for billing, plus a small number of communication tools, is published at riskwatch.com/subprocessors and updated 30 days before any addition takes effect. Customers may object to new subprocessors during the notice period under their Data Processing Agreement.

Question 35

Do you have a responsible disclosure program?

Accepted Answer

Yes. Security researchers can submit findings to security@riskwatch.com or through our HackerOne program. We acknowledge submissions within 24 hours, triage within 72 hours, and pay bounties scaled to severity per the published policy. We do not pursue legal action against good-faith researchers operating within the program scope and have a public hall of fame recognizing past contributions.

Question 36

How do you handle data deletion and retention?

Accepted Answer

Customer data is retained for the active term of the subscription plus a 30-day grace period for export. After grace period expiry, data is purged from primary storage within 30 days and from encrypted backups within 90 days, in line with our published retention schedule. Deletion attestations are provided on request for customers with regulatory obligations under GDPR, HIPAA, or state privacy laws.

Question 37

What are the support tiers?

Accepted Answer

All paid customers get email support with a four-business-hour response target. Enterprise customers add 24×5 phone support and a one-hour response target for severity-1 issues. Premium support, with 24×7 phone coverage and a 30-minute severity-1 response, is available as an add-on for customers running mission-critical compliance programs with strict regulator-imposed deadlines.

Question 38

What are your support SLAs?

Accepted Answer

Severity-1 issues (platform unavailable) are responded to within one hour for enterprise tier, with continuous engagement until resolved. Severity-2 (major function impaired) targets four hours. Severity-3 (minor function impaired) targets one business day. Severity-4 (request for information) targets two business days. SLAs are contractually committed in your subscription agreement and reported on monthly through your customer success manager.

Question 39

Is there a customer success program?

Accepted Answer

Yes. Every paid customer is assigned a named customer success manager who runs quarterly business reviews, monitors framework coverage, advises on assessment cadence, and helps connect you with peer customers solving similar regulatory challenges. CSM engagement is included in every subscription tier, there is no separate professional-services contract or hourly billing for routine guidance.

Question 40

Is there a knowledge base?

Accepted Answer

Yes. Our knowledge base at help.riskwatch.com covers product walkthroughs, framework-specific guides, integration setup, API reference, and the public changelog. Articles are versioned alongside product releases so you always see documentation matching your current platform version. Search is full-text and uses a semantic ranker so natural-language questions return the right article most of the time.

Question 41

Do you offer training for end users?

Accepted Answer

Yes. Every customer gets unlimited access to our on-demand training library covering the assessor role, administrator role, executive dashboard role, and integration developer role. Live monthly office hours are open to all customers, and white-glove customers get role-specific live training sessions during onboarding. Custom training programs are available for enterprise customers running large multi-region rollouts.

Question 42

Is there a customer community?

Accepted Answer

Yes. The RiskWatch Customer Community is a private Slack workspace plus a quarterly virtual user-group meetup. Customers share assessment templates, framework interpretations, audit lessons learned, and integration recipes. Our product team monitors the community and uses signal from it to prioritize roadmap items, and many of the cross-mapping improvements shipped in the last year originated from community requests.

Question 43

How do I escalate a support issue?

Accepted Answer

Severity-1 issues should be opened by phone for enterprise customers and via the in-product chat or support@riskwatch.com for everyone else, with the word URGENT in the subject line. If response targets are missed, escalate to your customer success manager or to escalations@riskwatch.com, which routes to a director-level on-call rotation that operates 24×7 for severity-1 incidents.

Common questions about the RiskWatch platform

Pricing and plans

Implementation and onboarding

Frameworks and compliance coverage

Integrations and data

Security and privacy

Customer support

Didn't find what you were looking for?