We started GetCover because proving compliance was broken — scattered evidence, manual exports, and frameworks trapped in spreadsheets. We built the infrastructure to fix it.
“Make compliance provable, not performative.”
Regulatory frameworks exist to protect people. But the process of proving compliance has become a bureaucratic maze of screenshots, shared drives, and last-minute scrambles before audits. We believe there's a better way — where evidence flows naturally, frameworks are interchangeable datasets, and audit readiness is a continuous state, not a quarterly panic.
NIS2, ISO 27001, SOC 2 — they're all requirements mapped to evidence. Our engine treats them as interchangeable datasets, not hardcoded logic. Add a new regulation without writing a single line of code.
Row-level security in Postgres, hashed tokens for magic links, signed URLs for every download, workspace isolation at the database level. Security isn't a feature we added — it's how the system was built from day one.
Compliance evidence comes from everywhere — internal teams, external vendors, third-party auditors. Magic upload links, file drops, and text entries all converge into one mapped, reviewable evidence library.
Your compliance posture is a living thing. Audit packages freeze it in time — immutable snapshots with PDF reports and ZIP bundles that auditors actually want to receive.
Every workspace is cryptographically separated. MSP operators manage multiple clients without cross-contamination. RLS is the backstop, not the application code.
Three steps: activate a framework, collect evidence, export a package. Every feature we build must serve this core workflow or it doesn't ship.
Compliance tools that aren't secure are compliance theater. Here's how we actually protect your data.
Every database query is filtered through Postgres RLS policies. Even if the API is compromised, workspace data stays isolated.
All evidence artifacts are stored in encrypted buckets with optional client-side envelope encryption for defense in depth.
Magic upload tokens are SHA-256 hashed with a server salt. Single-use, auto-expiring, and never stored in plaintext.
No direct bucket access. Every file download goes through short-lived signed URLs generated after authorization checks.
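The magic upload token handling described above, as an added example written for this page rather than GetCover's own code: a token is issued as a random value, persisted only as a salted SHA-256 digest, and rejected once used or past an assumed 15-minute lifetime. The salt value, the TTL and the in-memory store are placeholders standing in for the real configuration and database table.

```python
import hashlib
import secrets
import time

# Assumption (constructed for this example): one server-wide salt loaded from
# configuration and kept out of the database, so leaked digests alone are useless.
SERVER_SALT = b"example-server-salt-replace-in-production"
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an upload link


def hash_token(raw_token: str, salt: bytes = SERVER_SALT) -> str:
    """SHA-256 over salt || token; this digest is all that is ever persisted."""
    return hashlib.sha256(salt + raw_token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """In-memory stand-in for the table of issued upload tokens."""

    def __init__(self, now=time.time):
        self._rows = {}  # token_hash -> {"workspace_id", "expires_at", "used"}
        self._now = now  # injectable clock so expiry can be exercised in tests

    def issue(self, workspace_id: str) -> str:
        """Create a link token; the raw value is handed out once and never stored."""
        raw_token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._rows[hash_token(raw_token)] = {
            "workspace_id": workspace_id,
            "expires_at": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return raw_token

    def redeem(self, raw_token: str):
        """Return the workspace the token unlocks, or None if unknown, used or expired.

        A successful redeem burns the token, which is what makes the link single-use.
        """
        row = self._rows.get(hash_token(raw_token))
        if row is None or row["used"] or self._now() > row["expires_at"]:
            return None
        row["used"] = True
        return row["workspace_id"]
```

A production version would perform the lookup-and-burn as one database update so that two concurrent requests cannot both redeem the same token.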
GetCover is built on open standards and open-source foundations — Postgres, FastAPI, SvelteKit, and Supabase. We believe the best security comes from systems that can be inspected, not from obscurity.
We've sat through the audits, built the spreadsheets, and chased the evidence. GetCover is the tool we wish we had.