Vendor Trust Operations

Vendor risk, compliance, and training—finally in one place.

PhoenixGRC gives security teams (and the MSPs that support them) a single platform for managing vendors, running compliance programs, and training people right where the work happens. Less tool-juggling. Less guesswork. A lot less spreadsheet.

  • 11: Modules, one platform
  • 12+: In-app training moments
  • SOC 2: Audit-defensible by design
  • MSP: Multi-tenant from day one

Why we built this

Compliance got chopped into too many tools.

A GRC platform here. Awareness training there. A separate public trust microsite. A questionnaire-response point tool. A vendor risk spreadsheet someone keeps locked. By the time you've stitched them together, you're running compliance with sticky notes — and your security team is doing it on top of their day jobs.

The patchwork most teams run

  • [ × ] A standalone GRC platform
  • [ × ] A separate questionnaire-response tool
  • [ × ] A public trust microsite from yet another vendor
  • [ × ] A vendor risk spreadsheet of record
  • [ × ] An AI governance wiki page no one reads
  • [ × ] An awareness LMS that doesn't reach the workflow
Multiple budget lines, multiple logins, multiple audit trails

What you get with PhoenixGRC

  • [ ✓ ] Vendor onboarding, scoring, and ongoing review
  • [ ✓ ] Contextual training the moment people need it
  • [ ✓ ] Questionnaire response with AI-suggested answers
  • [ ✓ ] A public Trust Center with gated artifacts and magic links
  • [ ✓ ] Risk register, policy lifecycle, and access governance
  • [ ✓ ] AI model governance, aligned to the major frameworks
One platform. One login. One audit trail you can hand to an auditor.

The platform

One platform. Eleven modules. Zero spreadsheets in the middle.

Every module lives in the same workspace, shares the same user identity, and writes to the same audit log. Turn on what you need; the rest stays out of the way.

Vendor Trust

Score every vendor on what actually matters: their compliance posture, their uptime, their access hygiene, and whether they've shown up in a breach feed. One screen, one number, one answer.

Bundled

Vendor Onboarding

A guided intake that tiers vendors by risk, then sends them a one-click link to upload evidence. No new accounts. No email back-and-forth.

Bundled

Compliance Tracking

Track SOC 2, ISO 27001, HIPAA, and PCI DSS attestations per vendor. Catch expirations before your auditor does. Export the whole picture in one click.

Bundled

Policy Management

Author, review, publish, and retire policies in one place. Start from a template, get AI help on the draft, then send the team a link to read it and acknowledge.

Bundled

Risk Register

A real enterprise risk register that connects to the vendors, policies, and findings driving each risk. Every assessment is preserved — nothing gets quietly edited.

Add-on module

Access Governance

See every privileged user, run quarterly access reviews, and catch the joiner-mover-leaver gaps that quietly fail audits. All synced from your directory of record.

Bundled

AI Model Governance

Inventory the AI models your team is using, classify them by risk, and keep an evaluation history. Aligned to the EU AI Act and NIST AI RMF, so the audit conversation is easy.

Add-on module

Public Trust Center

Your security posture on a public page that prospects can actually find. Gated artifacts (SOC 2, pen test, BCP) get released by magic link after a quick approval. Closes deals faster.

Bundled

Inbound Questionnaires

Paste in a prospect's security questionnaire and PhoenixGRC drafts answers from what you've said before. Your team reviews and approves. A four-hour task becomes a twenty-minute one.

Add-on module

Activity Log

Every action by every user, logged once and kept forever. Filter by person, time, or action. Export with one click. The exact thing every auditor asks for.

Bundled

PhoenixLearn

Short, contextual training that lives inside the workflow — a small icon next to the parts of the app where people pause. Click it, learn the concept, get back to work.

Bundled

Training that meets people where they work

Most training tells people what they should know. Ours shows them — right when they need it.

An awareness LMS is great for the annual phishing drill. But when a reviewer is staring at a Critical-tier vendor wondering, "wait, what's the difference between a SOC 2 Type I and a Type II?" — they need an answer in ninety seconds, not a course.

PhoenixLearn puts a small icon next to the parts of the app where people typically pause. Click it, watch a 60-to-90-second module on the concept, take a quick check, get back to work. Every view is logged. Every completion is preserved.

  • Twelve modules, ready on day one. One click installs a starter library covering vendor tiers, compliance frameworks, access governance, evidence, and audit fundamentals.
  • AI helps you author more. Pick a topic, get a structured draft back, edit it, publish. The AI never publishes on its own — you're always in control.
  • Completions are kept forever. Even if you republish a module, the record of who completed which version stays intact for the auditor.
  • A real answer to "how are your reviewers trained?" Competency-based, in context, with timestamps and scores you can hand over.
This is the icon. Same icon, everywhere. Users learn it once.

PhoenixLearn · 90 sec read

SOC 2 Type I vs Type II

A Type I report says the vendor's controls were designed correctly on a given date. A Type II says they actually worked over a 6-to-12-month window. That's why Type II is the one auditors really want.

When you review a SOC 2, check three things first: how long the audit window was, whether the opinion is "unqualified," and what's in the exceptions section.

Q1. A SOC 2 Type II tells you:

  • The controls were designed correctly
  • The controls actually worked over time
  • There were no incidents during the audit

Two ways to bring it to your clients (or yourself)

Whether you're an MSP or a security team, the same product fits.

We didn't add multi-tenancy later. It's how PhoenixGRC was built from the first line of code. So the same platform works whether you're managing fifty client tenants or just your own.

If you're an MSP

Sell one platform. Manage every client from one screen.

Bring PhoenixGRC into your service offering. Each client gets their own private workspace; you get a portfolio view across all of them. Less context-switching for your team, less revenue leaking to managed-service competitors.

  • Portfolio view — see every client tenant from one screen.
  • Bulk module controls — turn features on across multiple clients in a few clicks.
  • Predictable per-tenant pricing — you know the unit economics on day one.
  • Strict client isolation — their data stays theirs, enforced at the database level.
  • Starter content included — spin up a new client tenant with twelve training modules in one click.
Request a partner briefing

If you're a security team

One tool. One audit trail. One less budget line item.

Replace your GRC platform and the spreadsheets that grew up around it. Keep your awareness LMS if you like it — PhoenixLearn handles the in-the-moment training your LMS isn't built for.

  • Vendor risk and training, in one place — no more swivel-chairing between tools.
  • An audit trail built into the platform — not something you have to assemble.
  • AI help where it saves real time — policy drafts, questionnaire responses, vendor extraction.
  • A public Trust Center, included — no separate microsite to subscribe to.
  • Training that lives inside the work — not a separate platform your team avoids.
Book a demo

Pricing, in plain English

Annual subscription. Per-tenant uplift. Add-ons when you need them.

Here's the shape of the deal — not the exact number. Real pricing depends on volume, the modules you turn on, and whether you're an MSP or buying for yourself. A thirty-minute call gets you a quote that actually fits.

Base platform

Annual subscription

Vendor Trust, Compliance, Policy, Access Governance, Trust Center, Activity Log, and PhoenixLearn — all included. Single sign-on, secure tenancy, and the full audit log come standard.

Per active tenant

Flat uplift

A predictable per-tenant fee. No per-seat meter, no surprise overage at renewal.

Add-on modules

Per tenant, per year

Risk Register, AI Model Governance, and Inbound Questionnaires are priced separately so you can add them as your clients grow into them — or as your own team does.

Partner terms

MSP tiers

Volume discounts for MSPs. Structured pilots for direct buyers. We'll give you the number on the call.

We don't publish a price page because every deal is shaped a little differently — and we'd rather not have you anchoring on a number that won't fit your situation. Book a call; we'll quote for your actual scope.

Built to pass an audit

The platform is the audit evidence.

Most GRC tools document compliance. PhoenixGRC is built so the audit trail isn't something you have to assemble — it's how the product works.

The record is immutable

Nothing important gets quietly edited

Audit logs, risk assessments, training completions, and AI evaluations are write-once. No one (not even an admin) can rewrite history.

Each tenant is sealed off

Clients can't see each other

Tenant isolation is enforced at the database layer, not by application code that could have a bug. One client's data never leaks into another's screen.

Edits can't collide

Two people can't silently overwrite each other

If two reviewers open the same vendor, the second save shows a conflict instead of clobbering the first. The audit log keeps the trail.

AI stays on a leash

The AI never publishes on its own

AI helps draft policies, suggest questionnaire answers, and write training modules — but a human always reviews and approves before anything goes live.

A few common questions

Things people ask early.

How long does it take to get up and running?

A new tenant is ready in minutes. Realistically, you'll have your first vendor onboarded, evidence collected, and a decision logged within an afternoon. The starter training library installs in one click.

Can your clients author their own training modules?

Today, admins on your team (or your MSP, if you're working with one) create and publish modules — with help from AI. Letting end clients author their own training inside their tenant is on the roadmap.

Where does it run? Is your data isolated?

Cloud-hosted on Microsoft Azure. Each tenant has a private, isolated workspace at the database level — no shared rows, no leaks between clients. Self-hosted / bring-your-own-cloud is a longer conversation if you need it.

What does it connect to?

Microsoft Entra ID for identity and joiner-mover-leaver detection, Have-I-Been-Pwned-style breach feeds, Azure storage for evidence files, and modern AI models for drafting and extraction. A connector framework is available if you need something custom.

Is there a free trial?

Not currently — instead, we run guided pilots for MSPs and structured proofs-of-value for direct buyers. We agree on what "working" looks like before we start, so the pilot tells you something real.

See your security story on one screen.

Tell us a little about you and we'll set up a thirty-minute walkthrough. We typically reply within one business day.
