The problem
A large automotive group with multiple brands and dozens of legal entities was tracking compliance through a fleet of spreadsheets and an annual auditor visit. With GDPR, DORA, DSA, the Cyber Resilience Act and several ISO frameworks all coming into scope, the existing process was no longer survivable, and the auditors were starting to say so.
The structural complication: regulations apply differently depending on where in the L0–L4 hierarchy you sit. Group-level policies inherit down. Entity-level assessments roll up. No off-the-shelf GRC tool we found modelled this correctly.
Our approach
We built a platform organised around three primitives: hierarchies (the group's actual org chart), regulations (machine-readable scope, applicability, scoring), and assessments (versioned, evidenced, signable). Compliance posture rolls up the hierarchy automatically; policy changes ripple down.
Built offline-first, because parts of the audit happen in factories with bad connectivity. Interactive world-map visualisation so the group risk officer can see at a glance which entity in which country is short on which control.
The hard part: not the platform. The data model. Regulations don't map cleanly to org charts. Most of our six weeks of discovery went into getting that right before writing the first line of UI code.
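An added illustration of the two rules the data model has to get right, scope inheriting down the hierarchy and posture rolling up from assessed entities; this is sketch code written for this page, not the platform's own, and the OrgNode class, the 0..100 score scale and the sample brands are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class OrgNode:
    """One node in the L0-L4 hierarchy (hypothetical model, not the platform's)."""
    name: str
    scope: Dict[str, bool] = field(default_factory=dict)   # regulation -> applies? (explicit only)
    scores: Dict[str, int] = field(default_factory=dict)   # regulation -> assessed score 0..100 (leaves)
    children: List["OrgNode"] = field(default_factory=list)
    parent: Optional["OrgNode"] = None

    def add(self, child: "OrgNode") -> "OrgNode":
        child.parent = self
        self.children.append(child)
        return child

def in_scope(node: OrgNode, regulation: str) -> bool:
    """Applicability inherits down: the nearest explicit setting on the path to L0 wins."""
    while node is not None:
        if regulation in node.scope:
            return node.scope[regulation]
        node = node.parent
    return False

def _leaves(node: OrgNode):
    if not node.children:
        yield node
    for child in node.children:
        yield from _leaves(child)

def posture(node: OrgNode, regulation: str) -> Optional[float]:
    """Roll-up: mean score over in-scope, assessed entities under node; None if nothing counts."""
    scores = [leaf.scores[regulation] for leaf in _leaves(node)
              if in_scope(leaf, regulation) and regulation in leaf.scores]
    return sum(scores) / len(scores) if scores else None

def gaps(node: OrgNode, regulation: str) -> List[str]:
    """Entities a regulation applies to but that have no assessment yet (what the map should flag)."""
    return [leaf.name for leaf in _leaves(node)
            if in_scope(leaf, regulation) and regulation not in leaf.scores]

def build_sample_group() -> OrgNode:
    """Constructed sample hierarchy; names and scores are made up for the illustration."""
    group = OrgNode("Group", scope={"GDPR": True, "DORA": False})
    brand_a = group.add(OrgNode("Brand A", scope={"DORA": True}))       # overrides the group default
    brand_a.add(OrgNode("A Bank", scores={"GDPR": 90, "DORA": 60}))
    brand_a.add(OrgNode("A Leasing", scores={"GDPR": 70}))              # DORA applies, not yet assessed
    brand_b = group.add(OrgNode("Brand B"))
    brand_b.add(OrgNode("B Plant", scores={"GDPR": 80, "DORA": 95}))   # DORA out of scope here, ignored
    return group
```

Group-level GDPR posture averages all three entities (80.0), while DORA posture counts only A Bank (60.0) and reports A Leasing as a gap, which is the roll-up behaviour a flat spreadsheet cannot express.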
What we shipped
- Hierarchical organisation management (L0 → L4) with inheritance rules
- Assessment workflow with evidence attachments and audit trail
- Compliance dashboards at group, entity and regulation level
- Interactive D3.js world map visualisation
- JWT auth and offline-first behaviour for field assessments
- Live demo deployed for pilot users
Stack
Why it works
It models the real organisation, not an idealised one. It gives the group risk officer something a spreadsheet structurally cannot: a real-time roll-up of where the compliance posture stands, and where it's degrading.