### What is Gapps?
Gapps is an Information Security Governance and Compliance tool that supports 10+ frameworks and has multi-tenancy! Currently there are two main modules in Gapps, Compliance Projects and the Risk Register. Here are some of the key capabilities:
| Capability | Description |
| -------- | ------- |
| Multi tenant | Completely separate all data and users at the tenant level |
| Self host | Take Gapps and self host on your own infrastructure in seconds for maximum data security |
| 10+ frameworks | Gapps supports multiple security frameworks that you can use out of the box |
| OIDC Auth | Log in with Google, Microsoft, and/or email |
| Data storage | Store all data (such as evidence) in Google or AWS buckets |
| Auditor Collab | Add auditors to projects and allow them to audit your projects |
| Reporting | Built in dashboards and progress tracking |
| Policy Editor | Edit your policies in a rich text editor |
| Risk Register | Track all risks in a register and create action plans |
### Compliance Projects
Everything in Gapps starts from a compliance project. When you create a project, you specify which framework (e.g. SOC2) to start with. Gapps will automatically add the controls and policies that are required. Enter into the compliance project and get started!
### Risk Register
Whether your InfoSec team or the auditor identifies a risk, they can place it in the risk register. Once a risk is identified, you can assign owners, agree on due dates, and record its risk rating, impact, severity, and so on. One clean risk register that is linked to your compliance projects.
**Gapps** is an open-source security compliance platform designed to simplify and automate the management of various compliance frameworks. It helps organizations implement, track, and demonstrate controls for standards like SOC 2, ISO 27001, HIPAA, and more.
This page outlines the core concepts behind Gapps.
---
## 🏢 Multi-Tenancy
Gapps supports **multi-tenancy**, allowing organizations to manage multiple clients, environments, or business units in a single deployment. This is useful for MSPs, consultancies, or large enterprises managing multiple internal orgs.
---
## 🔐 Evidence Management
Attach evidence directly to specific controls across frameworks. Whether you're uploading policies, screenshots, or automated logs, Gapps keeps everything organized and mapped to the relevant compliance requirement. Data can be stored locally or in S3 or GCS buckets.
---
## 🤝 Auditor Collaboration
Gapps is designed with auditors in mind. You can:
- Share evidence and responses securely
- Provide controlled access
- Track audit progress collaboratively
This helps reduce back-and-forth and increases audit efficiency.
---
## 📋 Vendor Questionnaires
Gapps includes functionality to manage **third-party security questionnaires**. Send, receive, and respond to vendor assessments to streamline your vendor risk management program.
---
## ⚙️ Control Automation (Coming Soon)
Where possible, Gapps aims to **automate control validation** by integrating with external systems and pulling data for control verification. This reduces the need for manual evidence gathering.
---
## 🧩 Framework Support
Gapps supports many industry frameworks, including:
- SOC 2
- ISO 27001
- HIPAA
- PCI DSS
- NIST CSF
- NIST 800-53
- CIS Controls
- CMMC
- OWASP ASVS
- SSF
This allows you to manage multiple frameworks in one place and map controls across them.
---
## 🚧 Roadmap Highlights
Planned improvements include:
- Deeper integration with tools for evidence automation
- Expanded reporting capabilities
- More granular role-based access controls
- Enhanced UI for faster navigation
---
For the most up-to-date information, visit the [Gapps GitHub repository](https://github.com/bmarsh9/gapps).
## Quick Start with Docker
### 1. Clone the Repository
```
$ git clone https://github.com/bmarsh9/gapps.git; cd gapps
$ docker-compose up -d
```
### 2. Login
The server should be running on `http://localhost:8000`.
The default email/password is `admin@example.com:admin1234567`.
### 3. Create tenant and project
Next, create a Tenant and a Project with your desired framework (e.g. SOC2). Based on the selected criteria, controls and policies will be automatically added to your project. Start exploring your project!
### 4. Access your project
Navigate to your project to view all of the controls and policies.
### 5. Important configurations
The instructions above will get you started very quickly. However, Gapps has many configuration options. Here are a few that you may be interested in:
- Authentication -> If you want to allow users to sign in with Google or Microsoft
- Storage -> If you want to store evidence (e.g. files) on S3 or GCS
- Email -> If you want to enable Gapps to send emails (e.g. for user invites and notifications)
- Hostname -> Very important for externally shared links
| Key | Default Value | Acceptable Values | Description |
|----------------------------------|-------------------------------------|-------------------------------------------|--------------------------------------------------------------|
| APP_NAME | Gapps | string | The application name displayed in the UI. |
| APP_SUBTITLE | | string | An optional subtitle shown in the UI. |
| CR_YEAR | 2024 | string | Copyright year for footer or metadata. |
| VERSION | 1.0.0 | string | The version of the application. |
| HOST_NAME | localhost | string | Hostname for the application. Use https://localhost:8080 to configure the scheme and port |
| PORT | 5000 | string | Set the port for the app to listen on |
| LOG_TYPE | stream | stream, file | Logging output type. |
| LOG_LEVEL | INFO | DEBUG, INFO, WARNING, ERROR, CRITICAL | Logging verbosity level. |
| ENABLE_GCP_LOGGING | false | true, false | Enable Google Cloud logging. |
| SECRET_KEY | change_secret_key | string | Flask secret key for session security. |
| MAIL_SERVER | smtp.googlemail.com | string | Mail server for sending email. |
| MAIL_PORT | 587 | integer | Port for mail server. |
| MAIL_USE_TLS | true | true, false | Use TLS for mail transport. |
| MAIL_DEBUG | false | true, false | Enable debug output for mail. |
| MAIL_USERNAME | | string | SMTP username. |
| MAIL_DEFAULT_SENDER | | string | Default sender address for outgoing email. |
| MAIL_PASSWORD | | string | SMTP password. |
| ENABLE_SELF_REGISTRATION | false | true, false | Enable self-registration (requires email config). |
| DOC_LINK | https://github.com/bmarsh9/gapps | URL | Documentation link shown in UI. |
| DEFAULT_EMAIL | admin@example.com | email | Default admin email address. |
| DEFAULT_PASSWORD | admin1234567 | string | Default admin password. |
| HELP_EMAIL | admin@example.com | email | Support contact email. |
| ENABLE_GOOGLE_AUTH | false | true, false | Enable Google authentication. |
| ENABLE_MICROSOFT_AUTH | false | true, false | Enable Microsoft authentication. |
| GOOGLE_CLIENT_ID | | string | OAuth client ID for Google login. |
| GOOGLE_CLIENT_SECRET | | string | OAuth client secret for Google login. |
| MICROSOFT_CLIENT_ID | | string | OAuth client ID for Microsoft login. |
| MICROSOFT_CLIENT_SECRET | | string | OAuth client secret for Microsoft login. |
| UPLOAD_FOLDER | app/files/reports | path | Directory to save uploaded reports. |
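Several rows in this table ship with values that are fine for the quick start but not for a shared deployment: `SECRET_KEY` signs Flask sessions, `DEFAULT_PASSWORD` is the first admin's credential, and `HOST_NAME` is what externally shared links are built from. The script below is an added example, not part of Gapps; it assumes the settings are written as `KEY=VALUE` lines (a `.env` file or a docker-compose environment block) using the keys from this table, and it compares against the defaults the table lists. The minimum secret-key length and the sample files are assumptions of the script.

```python
"""Check a Gapps environment file for settings that must not reach production.

Added example, not part of Gapps. It assumes settings are written as
KEY=VALUE lines (a .env file or the environment block of docker-compose)
using the keys from the configuration table; the defaults it compares
against are the ones that table lists.
"""
from __future__ import annotations

# Shipped defaults from the configuration table that a deployment must override.
INSECURE_DEFAULTS = {
    "SECRET_KEY": "change_secret_key",
    "DEFAULT_PASSWORD": "admin1234567",
}

# Minimum SECRET_KEY length this check demands (an assumption of this script,
# not a Gapps requirement).
MIN_SECRET_KEY_LEN = 32


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines, skipping blanks and '#' comments and stripping quotes."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_true(settings: dict[str, str], key: str, default: str = "false") -> bool:
    return settings.get(key, default).strip().lower() == "true"


def check_settings(settings: dict[str, str]) -> list[str]:
    """Return one finding per problem; an empty list means the file passed."""
    findings: list[str] = []

    # An absent key falls back to the shipped default, so absent counts as default.
    for key, default in INSECURE_DEFAULTS.items():
        if settings.get(key, default) == default:
            findings.append(f"{key} is still the shipped default")

    secret = settings.get("SECRET_KEY", "")
    if secret and secret != INSECURE_DEFAULTS["SECRET_KEY"] and len(secret) < MIN_SECRET_KEY_LEN:
        findings.append(f"SECRET_KEY is shorter than {MIN_SECRET_KEY_LEN} characters")

    # Externally shared links are built from HOST_NAME (scheme, host and port).
    host = settings.get("HOST_NAME", "localhost")
    if "localhost" in host or "127.0.0.1" in host:
        findings.append("HOST_NAME still points at localhost; shared links will not resolve")
    elif host.startswith("http://"):
        findings.append("HOST_NAME uses plain http; sessions and shared links travel unencrypted")

    # Self-registration requires working email, per the table.
    if is_true(settings, "ENABLE_SELF_REGISTRATION"):
        if not settings.get("MAIL_USERNAME") or not settings.get("MAIL_PASSWORD"):
            findings.append("ENABLE_SELF_REGISTRATION is on but SMTP credentials are empty")

    # Each enabled OIDC provider needs both halves of its client credentials.
    for provider in ("GOOGLE", "MICROSOFT"):
        if is_true(settings, f"ENABLE_{provider}_AUTH"):
            for part in ("CLIENT_ID", "CLIENT_SECRET"):
                if not settings.get(f"{provider}_{part}"):
                    findings.append(f"ENABLE_{provider}_AUTH is on but {provider}_{part} is empty")

    if not is_true(settings, "MAIL_USE_TLS", default="true"):
        findings.append("MAIL_USE_TLS is off; SMTP credentials would be sent in the clear")

    return findings


# Constructed sample: what a deployment looks like if you only run the quick start.
SAMPLE_DEFAULT_ENV = """
# constructed sample, mirrors the documented defaults
SECRET_KEY=change_secret_key
HOST_NAME=localhost
PORT=5000
DEFAULT_EMAIL=admin@example.com
DEFAULT_PASSWORD=admin1234567
ENABLE_SELF_REGISTRATION=false
"""

# Constructed sample of a hardened file; every value here is a placeholder.
SAMPLE_HARDENED_ENV = """
SECRET_KEY=c0nstructed-example-key-replace-with-random-64-hex
HOST_NAME=https://grc.example.com
DEFAULT_PASSWORD='Placeholder-Rotate-Before-First-Login'
ENABLE_GOOGLE_AUTH=true
GOOGLE_CLIENT_ID=example-client-id
GOOGLE_CLIENT_SECRET=example-client-secret
MAIL_USE_TLS=true
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT_ENV
    problems = check_settings(parse_env(text))
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python check_env.py .env` in a CI step before `docker-compose up -d`; a non-zero exit blocks the deploy. Against the quick-start defaults it reports the unchanged secret key, the unchanged admin password and the localhost hostname; against the hardened sample it reports nothing.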
The **Tenants** feature in Gapps enables multi-organization support within a single instance. Each tenant operates as a separate logical workspace with its own users, evidence, frameworks, and configurations.
---
## What is a Tenant?
A **tenant** represents an isolated group within Gapps — for example:
- A client if you're a security consultant
- A business unit in a large enterprise
- A separate environment (e.g. staging vs production)
Each tenant has:
- Its own control mappings and frameworks
- Its own users and roles
- Its own evidence repository
- Its own configurations
---
## Key Benefits
- **Isolation:** Tenants do not share data with each other
- **Scalability:** Manage multiple orgs or clients from one dashboard
- **Delegation:** Assign users to specific tenants with fine-grained roles
---
## Creating a Tenant
To create a new tenant:
1. Navigate to the **Tenants** tab in the sidebar
2. Click **"Add Tenant"**
3. Provide the name and optional description
4. Save to create and switch into the tenant context
---
## Switching Between Tenants
You can switch tenants at any time from the tenant dropdown in the header. All data shown (controls, frameworks, evidence) will update to reflect the selected tenant.
---
## Managing Tenant Users
Each tenant can have its own user list and role assignments:
- Go to **Tenants > Users**
- Invite users by email
- Assign appropriate roles (Admin, Auditor, Contributor, etc.)
---
## Use Cases
| Use Case | Example |
|----------------------------------|------------------------------------------|
| Security consultancy firm | One tenant per client |
| SaaS company with environments | One tenant each for dev, staging, and prod |
| Enterprise with business units | Separate tenants for HR, Engineering, etc. |
---
## Notes
- Global administrators can manage all tenants
- Standard users are scoped only to the tenants they are assigned to
- Deleting a tenant will remove all associated data
---
For API access or tenant provisioning via script, refer to the [API Docs](./api.md).
The **Projects** feature in Gapps allows you to group controls, tasks, and evidence under specific initiatives. This is useful for organizing compliance workstreams, audits, or framework implementations.
---
## What is a Project?
A **project** is a container for related compliance activities. Projects help you:
- Track progress toward specific goals (e.g. SOC 2 readiness)
- Organize controls and evidence logically
- Assign responsibility and due dates
Examples:
- "SOC 2 Type I Audit – Q3 2025"
- "ISO 27001 Implementation"
- "Vendor Risk Review – Annual Cycle"
---
## Key Features
- Group controls and evidence under a named project
- Track status and completion progress
- Assign owners and collaborators
- Set due dates for audits or deliverables
- Filter controls/evidence by project context
---
## Creating a Project
1. Navigate to the **Projects** tab
2. Click **"New Project"**
---
## Managing Projects
- **Edit Project**: Click the project name to update metadata
- **Add Controls**: Use the control picker to associate controls
- **Link Evidence**: Upload or link existing evidence to the project context
- **Track Progress**: View how many controls are complete vs in progress
The **Risk Register** in Gapps helps you document, assess, and track organizational risks in a centralized, structured way. It supports proactive risk management aligned with common compliance frameworks like SOC 2, ISO 27001, and NIST.
---
## What is the Risk Register?
The risk register is a living document that captures:
- Identified risks to your organization
- Their likelihood and impact
- Associated mitigations or controls
- Risk owners and review dates
Use it to ensure risks are being continuously evaluated, tracked, and reduced.
---
## Risk Entry Fields
Each risk entry includes:
- **Title**: A short, descriptive name
- **Description**: What the risk is and why it matters
- **Likelihood**: Rated (e.g. Low, Medium, High)
- **Impact**: Rated (e.g. Low, Medium, High)
- **Risk Score**: Calculated based on likelihood × impact
- **Status**: Open, Accepted, Mitigated, or Transferred
- **Owner**: Who is responsible for managing this risk
- **Controls**: Linked controls that help mitigate the risk
- **Review Date**: When the risk should be reassessed
---
## Creating a New Risk
1. Navigate to the **Risk Register** tab
2. Click **"Add Risk"**
3. Fill out the risk details
4. Optionally link controls or mitigation strategies
5. Click **Save**
---
## Updating and Reviewing Risks
- Click on any risk to edit its details
- Update likelihood, impact, and mitigation as circumstances change
- Set review dates to prompt future reassessments
- Use filters to view risks by owner, status, or score
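The entry fields, the likelihood × impact score and the review workflow above can be made concrete with a small model. The code below is an added example, not Gapps' own implementation: the page gives the Low/Medium/High scale, the status values and the filters, while the numeric mapping (Low=1, Medium=2, High=3), the threshold of 6 for a "high" score, and the sample entries and placeholder control IDs are assumptions made here.

```python
"""A minimal risk register: scoring, filtering and review-date tracking.

Added example, not Gapps' own code. The page states that the risk score is
likelihood x impact on a Low/Medium/High scale; the numeric mapping
(Low=1, Medium=2, High=3), the "high" threshold of 6 and the sample entries
are assumptions made here for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

RATING = {"Low": 1, "Medium": 2, "High": 3}                  # assumed ordinal mapping
STATUSES = {"Open", "Accepted", "Mitigated", "Transferred"}  # statuses listed on the page
HIGH_SCORE = 6                                               # assumed threshold for "high"


@dataclass
class Risk:
    title: str
    description: str
    likelihood: str
    impact: str
    owner: str
    review_date: date
    status: str = "Open"
    controls: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject values outside the documented scales at entry time rather than at report time.
        if self.likelihood not in RATING or self.impact not in RATING:
            raise ValueError(f"{self.title}: likelihood and impact must be one of {sorted(RATING)}")
        if self.status not in STATUSES:
            raise ValueError(f"{self.title}: status must be one of {sorted(STATUSES)}")

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact (1..9 under the assumed mapping)."""
        return RATING[self.likelihood] * RATING[self.impact]


class RiskRegister:
    def __init__(self) -> None:
        self._risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        self._risks.append(risk)

    def filter(self, *, owner: str | None = None, status: str | None = None,
               min_score: int = 0) -> list[Risk]:
        """The page's filters (owner, status, score), highest score first."""
        hits = [r for r in self._risks
                if (owner is None or r.owner == owner)
                and (status is None or r.status == status)
                and r.score >= min_score]
        return sorted(hits, key=lambda r: r.score, reverse=True)

    def overdue_reviews(self, today: date) -> list[Risk]:
        """Risks still live (Open or Accepted) whose review date has passed."""
        return [r for r in self._risks
                if r.review_date < today and r.status in {"Open", "Accepted"}]

    def uncontrolled_high(self) -> list[Risk]:
        """Open high-scoring risks with no linked control: the gaps an auditor asks about first."""
        return [r for r in self._risks
                if r.status == "Open" and r.score >= HIGH_SCORE and not r.controls]


def sample_register() -> RiskRegister:
    """Constructed sample entries; control IDs are placeholders, not real mappings."""
    reg = RiskRegister()
    reg.add(Risk("Stale access after offboarding", "Leaver accounts stay active in SaaS apps",
                 "High", "High", "alice", date(2025, 1, 15), controls=["CTRL-PLACEHOLDER-1"]))
    reg.add(Risk("No MFA on admin console", "Console admins authenticate with a password only",
                 "Medium", "High", "bob", date(2025, 6, 1)))
    reg.add(Risk("Lost unencrypted laptop", "Laptop without disk encryption lost in transit",
                 "Low", "Medium", "alice", date(2024, 12, 1),
                 status="Mitigated", controls=["CTRL-PLACEHOLDER-2"]))
    return reg


def review_summary(reg: RiskRegister, today: date) -> dict[str, list[str]]:
    """The three lists a periodic review starts from."""
    return {
        "open_by_score": [r.title for r in reg.filter(status="Open")],
        "overdue": [r.title for r in reg.overdue_reviews(today)],
        "uncontrolled_high": [r.title for r in reg.uncontrolled_high()],
    }


if __name__ == "__main__":
    for section, titles in review_summary(sample_register(), date(2025, 3, 1)).items():
        print(f"{section}: {titles}")
```

Validating likelihood, impact and status on entry keeps the register comparable across owners, which is what makes the score-ordered filter meaningful; the overdue and uncontrolled-high lists are the two views a reviewer would pull before an audit, since a mitigated or transferred risk no longer needs a review reminder while an open high-scoring risk with no linked control is the first thing an auditor asks about.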