All notable changes to this project will be documented in this file.
- Add reusable agent guardrails for prompt injection and data leaks
- Add ability to disconnect Slack channel from compliance page
- Fix goreleaser snapshot
- Add document approval workflow
- Add task priority
- Fix duplicate organization name returning internal error
- Distinguish expired magic links from invalid tokens
- Mark failed evidence descriptions instead of retrying
- Fix file MIME type lookup for evidence description generation
- Add AI-powered evidence description generation
- Fix batch signature dialog wording
- Fix empty search_engine_indexing on trust centers
- Add GraphQL dataloaders for batched record lookups
- Check CAA records before ACME certificate issuance
- Fix Microsoft OIDC token exchange auth style
- Fix SCIM bridge updating all users on every sync
- Fix ACME challenge retry to create fresh orders
- Add SEO controls and sitemap for compliance pages
- Allow editing non-SCIM fields on SCIM-managed profiles
- Add OIDC login support for Google and Microsoft providers
- Add per-email sender name for compliance page emails
- Add audit log feature for recording all actions
- Use actual MIME type for trust center file exports
- Fix trust center SPA asset loading on custom domains
- Add MCP audit report metadata and getAuditReportUrl tool
- Add Homebrew tap publishing for prb CLI
- Fix measure category filter not applying on initial page load
- Add /llms.txt endpoint to trust center compliance page
- Add context page with organization context and meetings tabs
- Allow skipping confirmation email when adding mailing list subscribers
- Support developer-specific env vars in sandbox provisioning
- Rename Vendor to Subprocessor in trust API surface
- Improve pagination performance for findings, obligations, and measures
- Fix unvalidated URL redirection in HTTP redirects
- Fix measure breadcrumb category filter
- Fix SAML ACS endpoint CORS rejection
- Add document archiving
- Add fulltext search to measures page
- Add document types filtering
- Rename ISMS to GOVERNANCE
- Fix owner deletion by qualifying ambiguous tenant_id column
- Fix organization profile using owner's full name instead of org name
- Fix measure count queries missing category column
- Clamp pagination size
- Add unified findings system with GraphQL, MCP, and CLI support
- Add PDF dropzone to audit list for streamlined report upload
- Add dynamic favicon for trust center
- Add SSR for compliance page with dynamic title and meta tags
- Add cross-origin protection for CSRF defense
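The cross-origin protection entry above describes the origin-based (tokenless) CSRF defence: state-changing requests are accepted only when the browser's Fetch metadata or `Origin` header proves they came from the app itself or from a trusted front-end. The Go block below is an added illustration, not Probo's own code. It checks `Sec-Fetch-Site` first, falls back to `Origin`, treats a request with neither header as a non-browser client (which carries explicit credentials rather than cookies), and wraps an `http.Handler` so rejected requests get a 403. The trusted origin `https://trust.example` and the request URL are assumptions for the example; Go 1.25's standard library adds an `http.CrossOriginProtection` type with the same decision logic.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrCrossOrigin is returned for a state-changing request that a browser sent
// from an origin we do not trust.
var ErrCrossOrigin = errors.New("cross-origin request rejected")

// CSRFGuard rejects unsafe cross-origin browser requests using Fetch metadata
// (Sec-Fetch-Site) with Origin as the fallback, so no per-form token is needed.
type CSRFGuard struct {
	trusted map[string]bool // extra origins allowed to call the API, lower-cased "scheme://host[:port]"
}

// NewCSRFGuard builds a guard; the origins are hypothetical trusted front-ends.
func NewCSRFGuard(origins ...string) *CSRFGuard {
	g := &CSRFGuard{trusted: map[string]bool{}}
	for _, o := range origins {
		g.trusted[strings.ToLower(o)] = true
	}
	return g
}

// Check returns nil when the request may proceed and ErrCrossOrigin otherwise.
func (g *CSRFGuard) Check(r *http.Request) error {
	// Safe methods are never CSRF targets (they must not change state).
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	// 1. Fetch metadata: current browsers send it and a page cannot forge it.
	switch r.Header.Get("Sec-Fetch-Site") {
	case "same-origin", "none": // "none" = typed URL or bookmark
		return nil
	}
	// 2. Sec-Fetch-Site is "same-site", "cross-site" or absent: decide on Origin.
	origin := r.Header.Get("Origin")
	if origin == "" {
		if r.Header.Get("Sec-Fetch-Site") == "" {
			// Neither header: not a browser (curl, server-to-server, n8n). Such
			// clients authenticate with explicit credentials, not ambient cookies.
			return nil
		}
		return ErrCrossOrigin // a browser that admits being cross-site but hides Origin
	}
	if g.trusted[strings.ToLower(origin)] {
		return nil
	}
	u, err := url.Parse(origin) // "null" parses with an empty Host and is rejected
	if err != nil || u.Host == "" {
		return ErrCrossOrigin
	}
	if strings.EqualFold(u.Host, r.Host) {
		return nil // Origin host matches the Host the request was sent to
	}
	return ErrCrossOrigin
}

// Handler wraps h and answers 403 to rejected requests.
func (g *CSRFGuard) Handler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := g.Check(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

func main() {
	g := NewCSRFGuard("https://trust.example") // hypothetical compliance-page origin
	req, _ := http.NewRequest(http.MethodPost, "https://app.example/graphql", nil)
	req.Header.Set("Sec-Fetch-Site", "cross-site")
	req.Header.Set("Origin", "https://evil.example")
	fmt.Println(g.Check(req)) // cross-origin request rejected
}
```

Note that `same-site` is deliberately not treated as safe: a compromised sibling subdomain is exactly the attacker this check should stop, so it falls through to the exact-origin comparison.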
- Add file visibility (PRIVATE/PUBLIC) and public files API
- Rename NONCONFORMITY to MINOR_NONCONFORMITY and add MAJOR_NONCONFORMITY
- Fix race condition in magic link token verification
- Fix sandbox provisioning issues
- Fix CLI URL scheme handling with http:// addresses
- Fix NDA file display on page reload
- Fix audit report buttons visibility when no file attached
- Fix drag-and-drop issues in audit list dropzone
- Add implemented state and justification to controls
- Add release guide documentation
- Add Lima sandbox environment for parallel feature testing
- Add CLI
- Add validation to mailman service
- SCIM provisioning failure when enrolling existing manual users due to stale external_id conflicts
- SCIM reset not clearing external_id and user_name on profiles
- Compliance page member provisioning for already signed in identities
- Compliance page request all callback redirection
- Fix documents UI
- Fix refetch after publication
- Add nda warning to new compliance update modal
- Autosubmit mailing list confirmation
- Support for mermaid in markdown
- Account activation redirection flow improved
- Compliance updates improvements: display, public
- Add compliance page mailing list
- Support for MS SCIM and Google bridge update
- Account activation flow from document signing request email link
- CI improvements
- Removal of unused table and columns
- Removed adhoc token authentication for document signing and related pages
- Add social links on compliance page
- Fix person update
- Update vendor compliance report UI
- Profiles filter now defaults to users with console/employee membership in the console/employee APIs
- CP framework badges name display
- Improve mailer performance
- Display empty state for soa control assessment
- Fix compliance report
- Fix trust center access SQL queries SELECT clauses
- Compliance page full name unified handling through identities and profiles
- Compliance page request all callback page refresh
- Compliance page frameworks ordering and display toggling
- Compliance page connect redirection fix for existing identities
- Continue URLs for compliance page for better access request flow
- Enforce NDA signature with explicit API error caught in error boundary
- Framework display name on compliance page org sidebar
- fix: add trust-center config section to entrypoint.sh
- Add delete vendor tool on mcp
- Use default filter with no snapshot for mcp
- Fix CVEs by updating go and open telemetry
- Fix n8n get many organizations
- Display audit name in compliance page
- Add obligation webhooks
- Add user webhooks
- Add mcp control links
- Add vendor risk assessment to mcp
- Add risk and measure mcp tools
- Fix long pdf exports
- Fix mcp list tools returns badly encoded jsonschema
- Fix compliance page showing unpublished document title
- Fix compliance page showing unpublished document
- Fix infinite redirect when NDA not configured
- Add SOA MCP tools
- Electronic signature for compliance page NDA
- Add vendor contacts to n8n
- Add SOA risk assessment via document
- Allow more permissive bracket validations
- Fix n8n get many organization 4xx errors
- Fix auditor access to people
- Fix no link button when list is empty
- Fix obligation type not updated
- Add mcp bearer header
- Fix MCP authentication error
- CreateUser sets profile EmailAddress field
- Invitation GraphQL type fix: remove organization & user fields
- Add processing activities to mcp
- Console org dropdown query
- Add access to SOA for auditor
- Do not display inactive profiles on iam home page
- Fix profile update additional email addresses coalesce missing
- n8n operations for users (profiles)
- MCP operations for users (profiles)
- SCIM user title synchronization
- Dropped minio in favor of seaweedFS
- Profile data model linked to org and identity instead of membership
- Moved state and source on profiles instead of memberships
- Refactored invitations into account activations
- Add audit n8n nodes
- Add delete measure to mcp
- Remove deprecated SOA
- Change single document owner to multiple approvers
- Add delete tasks to mcp
- Fix deployment
- Add delete risks to mcp
- Add meetings to mcp
- Fix missing risk validations
- Display control description
- Change download button text while loading in compliance page
- Fix control order in SOA
- Fix saml subject not populated
- Add webhooks
- Fix missing name id format for idp initiated SAML request
- Fix SAML subject must not be updated
- Fix SAML subject not set on first login
- Fix missing NameID format information in SAML metadata
- Upgrade Postgres to 18.1
- IAM: Migrate people into profiles
- Redirect to previous location on authentication or assumption needed
- Fix Google Workspace SCIM bridge does not set active state at creation
- Fix compliance page access request was not active by default
- Fix compliance page request access add non request file to the requested one
- Update javascript dependencies
- Add user exclusion management to the Google Workspace bridge
- Improve compliance page access management UX
- Remove noisy error log from slack queue message
- Support all vendor fields on MCP
- Fix duplicate assessments
- Upgrade go to 1.25.7
- Add member n8n actions
- Fix controls for CFR framework
- Fix missing `trace_id` on resolver logs
- Noisy TLS errors are filtered from logs
- Use s3 presigned URLs for email assets
- Safer docker ubuntu image version with digest
- Safer github actions versions with digest
- Redirect already authenticated user on compliance page home when trying to log in
- Fix column reference "full_name" is ambiguous
- Add HDS framework
- Add 21 CFR Part 11 framework
- Serve email static assets from object store
- Rework the UI of vendor row on compliance page
- Update auth layout on console and compliance page to remove right panel
- Fix create organization node
- Fix npm vulnerabilities
- Fix n8n node cannot fetch many organizations.
- Fix SCIM disable all non SCIM members.
- Missing logo
- Static handler cache headers handling
- Use svg for slack logo
- Missing google logo
- Missing relay generated files
- Google Workspace to SCIM bridge
- Compliance page logo branding
- Memberships page conditional display of search input
- Upgrade go dependencies
- Console slack connection placeholder display fix
- Slack compliance page access display name empty case
- Compliance page API file access check fix + granular error handling
- Upgrade go to 1.25.6
- Misplaced dependabot.yaml file is making CI fail
- Do not display trust center subprocessors tab when there are none
- Remove query params from compliance page sidebar website displayed URLs
- Refactor trust center pages to make them more maintainable
- Rename Trust Center to Compliance Page on displayed wording
- Compliance page vite dev server proxies graphQL API calls to go server port
- Add noreferrer noopener to compliance page open link from console
- CI Test analytics with junit results format
- CI performance improvements with caching
- Extend dependabot to all dependencies
- AWS path style s3 option for Docker image entrypoint
- Console signatures counts
- Console signatures requests notifications
- New up to date linting rules for TS codebase
- Refactor SOA
- Dropped prettier
- Updated eslint related dependencies
- Ignore new TLS errors in logs
- otel utf8 errors
- Document signing authentication is still done with token
- SOA permissions handling + tenant scoping
- Revert revert console graphql endpoint
- n8n app calls by reverting console graphql endpoint
- n8n http request options URL
- Console invitationResolver.Organization authorize check
- Clean child sessions in IAM memberships migration
- IAM memberships migration for entity ID
- Membership Profile authz done from membership in membershipResolver (it's a 1:1 association)
- Match keycloak URL ports with default base URL one for local dev
- Drop the authentication dialog in favor of a dedicated auth page for compliance page
- Order memberships by organization name on console / and memberships dropdown
- Update kit
- Missing console react-pdf dependency in package.json
- On sign out, clear cookie along with the existing session expiration
- Remove conditional rendering of org search input on console
- Fix organizations page layout vertical alignment
- 5xx on profile loading.
- API keys generated with previous versions are no longer compatible.
- Add SCIM provisioning support.
- Add magic link authentication.
- Add membership disable state.
- Add ABAC policy.
- Filter junk HTTP TLS server errors.
- Change API token format.
- Add session support to compliance page.
- Fix overly strict obligation validation.
- Add processing activity exports
- Add proxy protocol v2 support.
- Add right requests
- Fix people in mcp
- Fix task display
- Fix code blocks in documents
- Fix cancel signature permissions
- Fix people deletion
- Change minutes max length
- Add new GDPR registries
- Create Slack notification when updating trust center access if no existing message found
- Fix trust center nil pointer dereference
- Console: framework logo import
- Add ISO 27701 (2025) framework.
- Add ISO 42001 (2023) framework.
- Add GDPR framework.
- Add CCPA framework.
- Add NIS2 framework.
- Add DORA framework.
- Fix azure blob storage
- Frameworks logo SVG colors
- Framework name displayed in trust center org sidebar
- Add vendor risk assessments to n8n
- Add organization filtering
- Use in-house logos when importing framework
- Unblock ACME provision queue on error
- GQLGen version handling with go tool
- Fix GraphQL types
- Blacklist emails from trust requests
- ACME cert renewing
- Fix infinite loop when renewing ACME TLS certificate.
- Add service to vendor on n8n
- Add auditor role
- Fix the “no change” error display in documents bulk update
- Update the front end after a document is published
- Update trust center access slack message on console actions
- Add risk management to N8N
- Reject/Revoke trust center document accesses via slack app or console
- New MIME types for trust center files
- Fix missing validation on relation existence
- Fix permissions for trust center access
- Enable svg support for company logos
- Allow non conformities without audit
- Fix audit and framework deletion
- Make employee role assignable
- Add employee page
- Add people management to N8N
- Fix invitations never deleted when organization is deleted.
- Fix otel network error locally.
- Update kit.
- Missing organization_id on Report
- ESLint issues
- Add n8n vendor operations.
- Fix n8n node always returns success.
- Upgrade golang to 1.25.5
- @probo/node-n8n-probo Meeting operations
- Console permissions initialisation
- Probod dev config values
- Fix missing n8n placeholder.
- Add n8n-node package.
- New UI EditableTable component + implementation on assets page.
- Fix missing compliance page permission again.
- Fix missing compliance page permission.
- Add updatePeople MCP tool.
- Add `SMTP_USER` and `SMTP_PASSWORD` to entrypoint.sh.
- MCP permission tools.
- Add document MCP tools.
- Add document version MCP tools.
- Add document version signature MCP tools.
- Add MCP tools annotation hints.
- Add snapshot MCP tools.
- Add task MCP tools.
- Add control MCP tools.
- Add control mapping MCP tools.
- Fix 5xx on vendor snapshot.
- Add audit MCP tools.
- Fix 5xx when create vendor snapshot.
- Fix compliance page http to https redirect.
- Fix cannot create continual improvement via MCP.
- Fix missing permission to delete custom domain.
- MCP tools for many new objects.
- HTTP to HTTPS redirect for trust center.
- Fix MCP clients always losing their session.
- New MCP tools.
- Fix SAML entrypoint config.
- Fix missing permission to verify SAML domain.
- Update go dependencies
- Fix snapshot creation
- Fix asset permissions
- Fix invitation permissions
- Fix ca-cert-bundle entrypoint.sh
- Fix document permissions
- Fix missing healthcheck for postgres docker compose prod.
- Fix missing `AUTH_COOKIE_SECURE` support in entrypoint.sh.
- Fix support PostgreSQL CA bundle in Helm charts with file path option
- Add role management.
- Enable IdP-initiated SAML
- API keys now have access to the organization they just created.
- Add beta MCP server.
- Add official Kubernetes Helm chart.
- Add SAML IDP initiated flow support.
- Add meeting object.
- SAML role is not mandatory anymore.
- Test a fix of the deletion freeze
- Fix document validations
- Fix vendor url validations
- Fix vendor validations
- Add field validation system
- Make secure cookie configurable
- Update documentation
- Fix download button in pdf preview
- Add clearer error messages
- Fix organization creation
- Fix organization display order
- Add SAML support
- Add vendors to processing activities
- Add custom order ranking to trust center references
- Fix create report access query
- Fix report list in trust center update access modal
- Change trust center console UX/UI
- Add trust center files
- Fix HTML entities displaying incorrectly in PDF exports (e.g., "&" rendered as its escaped entity)
- Add slack integration for trust center access management
- Markdown links now open in new tab with security attributes
- Add invitation filtering by multiple states (PENDING/ACCEPTED/EXPIRED)
- Settings page now shows only pending and expired invitations (accepted invitations are hidden)
- Fix document classification not being passed when creating documents
- Fix document classification changes not syncing to draft versions
- Fix organization invitations filter not being applied at database level
- Add customizable document classification
- Invitation status not updated on the UI
- Inconsistent updates of nullable values
- Add signature filtering by state (REQUESTED/SIGNED) on document signatures tab
- Add HTTP to HTTPS redirect for custom domain 404 pages
- Optimize document PDF export signature loading with single query instead of N+1 queries
- Fix compliance website wording
- Fix ordered list display in documents
- Fix 5xx on risk measures resolver
- Fix broken document scroll when document list is unfolded
- React pdf race condition
- Increase signature link period from 7 days to 30 days
- Fix not all signatures being visible
- Use hosted png for logo in emails
- Fix audit update in trust center settings
- New signatures page design
- New emails design
- Fix organization logo update
- Add invitation management
- Bootstrap role management
- Refactor of authentication and authorization
- Add retry tracking for certificate provisioning and renewal.
- Add automatic cleanup of stale provisioning attempts (4+ hours old)
- Add max retry limit (3 attempts) before marking domains as failed
- Add distinction between fatal and transient ACME errors
- Silently reject TLS connections without SNI (health checks, scanners)
- Fix stale certificate provisioning attempts blocking the queue
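The five entries above describe one provisioning-queue policy: count attempts per domain, give up after 3, release attempts older than 4 hours so a dead worker cannot block the queue, and fail immediately on ACME errors that retrying cannot fix. The Go block below is an added model of that policy, not Probo's implementation; the `Domain` row, the state names and the `FatalACMEError` type are assumptions for the example, and only the numbers come from the entries above.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Parameters quoted from the changelog entries above.
const (
	maxAttempts = 3             // attempts before a domain is marked FAILED
	staleAfter  = 4 * time.Hour // an attempt older than this is assumed dead and released
)

type DomainState string

const (
	StatePending      DomainState = "PENDING"      // waiting for a worker
	StateProvisioning DomainState = "PROVISIONING" // a worker has claimed it
	StateActive       DomainState = "ACTIVE"       // certificate issued
	StateFailed       DomainState = "FAILED"       // gave up; needs operator action
)

// FatalACMEError wraps errors that no retry can fix: a CAA record that forbids
// the CA, a domain whose DNS does not point at us, an invalid identifier.
type FatalACMEError struct{ Reason string }

func (e *FatalACMEError) Error() string { return "fatal acme error: " + e.Reason }

// Domain is the per-custom-domain row the queue works on (hypothetical schema).
type Domain struct {
	Name      string
	State     DomainState
	Attempts  int
	StartedAt time.Time // when the current PROVISIONING attempt began
	LastError string
}

// ReleaseStale returns domains whose worker apparently died mid-attempt to
// PENDING so they stop blocking the queue. Returns how many were released.
func ReleaseStale(domains []*Domain, now time.Time) int {
	released := 0
	for _, d := range domains {
		if d.State == StateProvisioning && now.Sub(d.StartedAt) >= staleAfter {
			d.State = StatePending
			released++
		}
	}
	return released
}

// Claim moves a PENDING domain to PROVISIONING and counts the attempt.
func Claim(d *Domain, now time.Time) bool {
	if d.State != StatePending {
		return false
	}
	d.State = StateProvisioning
	d.Attempts++
	d.StartedAt = now
	return true
}

// RecordResult applies the outcome of one issuance/renewal attempt.
// Fatal errors fail immediately; transient ones retry until maxAttempts.
func RecordResult(d *Domain, err error) {
	var fatal *FatalACMEError
	switch {
	case err == nil:
		d.State, d.LastError = StateActive, ""
	case errors.As(err, &fatal):
		d.State, d.LastError = StateFailed, err.Error()
	case d.Attempts >= maxAttempts:
		d.State = StateFailed
		d.LastError = fmt.Sprintf("gave up after %d attempts: %v", d.Attempts, err)
	default:
		d.State, d.LastError = StatePending, err.Error()
	}
}

// RunQueue drives one domain through a scripted sequence of attempt outcomes
// (nil = success) and returns its final state.
func RunQueue(d *Domain, outcomes []error, start time.Time) DomainState {
	now := start
	for _, out := range outcomes {
		if !Claim(d, now) {
			break // ACTIVE or FAILED: nothing more to do
		}
		RecordResult(d, out)
		now = now.Add(time.Minute)
	}
	return d.State
}

func main() {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	flaky := &Domain{Name: "trust.example", State: StatePending}
	fmt.Println(RunQueue(flaky, []error{errors.New("dns timeout"), errors.New("acme 503"), errors.New("dns timeout")}, t0), flaky.Attempts) // FAILED 3
	caa := &Domain{Name: "nocaa.example", State: StatePending}
	fmt.Println(RunQueue(caa, []error{&FatalACMEError{Reason: "CAA forbids issuer"}, nil}, t0), caa.Attempts) // FAILED 1
	stuck := &Domain{Name: "stuck.example", State: StateProvisioning, StartedAt: t0.Add(-5 * time.Hour), Attempts: 1}
	fmt.Println(ReleaseStale([]*Domain{stuck}, t0), stuck.State) // 1 PENDING
}
```

The fatal/transient split matters operationally: a CAA denial retried three times still burns ACME rate-limit budget and delays the operator notice by hours, while a DNS timeout retried once usually just succeeds.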
- Fix SQL measure queries
- Remove trust center slug config UI
- Add EU as a possible country code for vendors
- Add horizontal logo to documents
- Fix file download Content-Disposition header format
- Add document version on document list
- Add procedure document type
- Allow to filter measures by state
- Support ID-based trust center URLs with slug fallback
- Show custom domain URL on trust center page when configured
- Update framework icons
- Remove verifiedAt field from CustomDomain
- Remove criticity on assets
- Fix trust center design on custom domain
- Send trust center invitation with custom domain when available
- Fix evidence deletion
- Fix dead ACME challenge
- Socket binding for trust center
- Fix filename content type regression
- Add missing permission to binary in docker image
- Add custom domain to trust centers
- Fix vendor compliance reports files migration
- Fix evidence files migration
- Store all file data in one table
- Display more measures and tasks
- Fix access to public documents for unauthenticated users
- Store id of accepted nda
- Add public documents on trust centers
- Allow missing NDA
- Fix trust center v2 design
- Restrict deletion of users who have assets
- Add access by document on trust center
- Add ordering measures by name in the API
- Fix resetting state during measure editing
- Handle document mapping conflict error
- Remove document description and footer in template
- Add trust center v2
- Add optional watermark and signatures in pdf export
- Remove description from pdf export
- Fix request document signature
- Allow `.csv` files as evidences.
- Remove section id from obligations
- Change obligations status enum
- Add link between obligations and risks
- Add reference companies for trust center trusted by section
- Fix watermark display in trust center
- Display countries on trust centers
- Decouple users from people
- Add more details to organization
- Add bulk export documents
- Add bulk delete documents
- Display risk description
- Uniformize date display
- Add risk order by owner full name
- Build trust center in the make file
- Add nda to trust centers
- Add confidential watermark to trust center documents
- Add countries to vendors
- Add category back to vendors
- Fix framework export email
- Fix release workflow
- Send framework export by email
- Order organization by name
- Rename registries
- Soft delete documents
- Store sidebar state
- Fix framework export for evidence link
- Add framework exports
- Add risks snapshots
- Fix tabs counter
- Fix password page redirection
- Add vendor snapshots
- Fix document deletion and update errors
- Remove signature block from trust center documents
- Fix non mandatory fields on vendor
- Add compliance registry snapshots
- Add continual improvement snapshots
- Add processing activity registry snapshots
- Add assets snapshots
- Add processing activity registries
- Add continual improvement registries
- Add nonconformity registry snapshots
- Allow crawling bots to index the Probo instance.
- Add data snapshot
- Fix query loops in public trust center
- Fix button display when disconnected in public trust center
- Add trust center access requests
- Fix authentication token error
- Add compliance registries
- Add vendor services
- Replace mailhog
- Add nonconformity registries
- Fix trust center dark mode
- Fix display of download buttons in the public trust center
- Add BAA to vendors
- Add DPA to vendors
- Add contacts to vendors
- Add name to audits
- Add audits to controls
- Add document draft deletion
- People now have contract start and end dates in the UI and API.
- Lists can filter out people whose contracts have ended.
- Fix closing of document deletion pop up
- Fix creation of empty draft without save
- Fix various SQL queries failures due to trust center
- Fix internal information leaking to API
- 5xx on risk show page
- Add organization deletion
- Add Probo by default
- Fix data page display
- Add trust center
- Add edition of document fields
- Fix PDF tables
- Fix display issue on control and framework
- Fix control creation
- Fix document draft creation
- Add control exclusion
- Fix small issues on SOA
- Fix missing document download button
- Fix document version selector
- Fix duplicate people
- Revision of multiple UI elements
- Add document version selector on details page
- Add document bulk publication
- Add document bulk signature request
- Add cancel signature request
- Add cancel request mutation
- Add bulk publish document version mutation
- Add bulk request signature mutation
- Add policy PDF export
- Update go dependencies
- Update node dependencies
- Fix 5xx on document type order
- Allow changing document order in the UI
- Change default document sorting order
- Fix missing risk score on detail risk page
- Fix matrix risk score color on risk matrix
- Fix SOA with risk
- Fix missing framework controls
- Generate excel in memory instead of using fs
- Add updated at and created at order for vendor
- Fix SOA filename
- Add SOA generator
- Show last assessment date
- Add URI evidence type
- Add link dialog for measure evidences
- Add default security header to API
- Add support for extra header
- Fix tasks deadline
- Fix order people by kind
- Fix missing people role order
- Remove all data after logout
- Enforce maximum password limit
- Mitigate timing attack on signin
- Use httplogger on GraphQL error
- Returns internal error when error is known
- Add forgot password pages
- Pagination for people, vendors, documents, data and assets
- Fix 404 on email confirmation page
- Fix 404 on invitation confirmation page
- Fix login redirection
- Fix form not reset after submit
- Fix filedrop upload too small file size
- Fix framework view too many queries
- Fix image upload failed
- Fix measure count
- Fix 5xx on document count for risk
- Fix leaking pg connections
- Fix API path contain undefined
- Fix localhost being enforced at build time
- Add backend fulltext search on controls, documents, risks and measures
- Add `totalCount` field in `Connection` object
- New console design
- Use new enum for data classification
- Prevent publishing of document versions with no changes
- Update AI prompt used for changelog generation
- Add deadline on tasks
- Add controls manual create, update, and delete
- Add assets inventory
- Add data inventory
- Add title and owner id to document versions
- Add automatic changelog
- Added sort key `updated_at` for vendors
- Fix 5xx on signature request
- Fix sort key 5xx
- Change policies to documents
- Add type to documents
- Fix HIPAA import
- HIPAA related risks
- Add framework import from json
- New add vendor UI
- Add URL input type for vendor assessment
- Add automatic vendor assessment
- Add vendor category fields
- Add vendor business associate agreement url and subprocessors list url
- Fix 5xx when creating a new vendor
- Fix 5xx when updating a vendor
- Fix missing `position` field migration
- Rename severity into risk score
- Add contract dates fields
- Add people position field
- Fix conflict http header fields
- Add docker image security scan
- Show latest risk updated date
- Log error when GraphQL resolver failed
- Update Golang dependencies
- Update to latest Ubuntu LTS
- Update to latest Golang version
- Allow data and text file for evidences
- Fix missing people when inviting user already in other organization
- Fix cannot upload organization logo
- Task page list
- Task is now linked to organization
- Fix cannot see vendor assessment note
- Add filetype validation for end-user upload
- Fix http cache etag
- Fix cannot delete measure
- Add ISO 27001 document header
- Add policy download
- Enable HTML support in Markdown renderer
- Show owner of the policy in list
- Show number of signatures in the policy list
- Link evidences to measure
- Add markdown table support
- Explicit risk score calculation
- New vendors in the built-in lists
- Add end-user confirmation before sending policy sign notification
- Add assessed at in the vendor list
- Fix not aligned button on policy list view
- Remove start and end service date of vendor
- Fix 5xx when invite user in an organization
- Evidence URL not set
- New vendors in the built-in lists
- Update javascript dependencies
- Fix open redirect when the redirect URL uses `//`
- Fix typo mesure instead of measure
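The open-redirect entry above (and the later "Fix unvalidated URL redirection in HTTP redirects" entry) concern the same bug class: a `redirect`/`continue` parameter that is passed to the `Location` header without checking that it stays on the site. `//evil.example` is the classic bypass because it is a valid relative URL to a naive "starts with /" check yet a protocol-relative absolute URL to the browser; `/\evil.example` and `///evil.example` are the next two. The Go function below is an added example of the validation, not Probo's fix; the sample targets are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirectTarget returns a same-origin relative path that is safe to put
// in a Location header, or ok=false when the candidate could leave the site.
//
// Rejected shapes, each a real open-redirect bypass in browsers:
//
//	http://evil.example, https://evil.example   absolute URLs
//	//evil.example                              protocol-relative URL
//	/\evil.example                              browsers treat "\" as "/"
//	///evil.example                             browsers collapse leading slashes
//	javascript:alert(1), data:,...              scheme without authority
//	dashboard (no leading "/")                  resolves relative to the current path
func SafeRedirectTarget(raw string) (string, bool) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return "", false
	}
	// Reject ASCII controls and backslashes before parsing: browsers normalise
	// "\" to "/" and strip tabs/newlines, which net/url does not emulate.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return "", false
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	// Anything with a scheme, authority or opaque part is not a local path.
	if u.Scheme != "" || u.Opaque != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	// Only absolute paths, never "//..." (read as an authority by browsers),
	// and no backslash surviving percent-decoding either.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") || strings.ContainsRune(u.Path, '\\') {
		return "", false
	}
	return u.String(), true // re-serialised: path, query and fragment only
}

// RedirectOrHome is the shape of the call site: the validated target or a fixed fallback.
func RedirectOrHome(raw string) string {
	if target, ok := SafeRedirectTarget(raw); ok {
		return target
	}
	return "/"
}

func main() {
	// Constructed sample targets, not values taken from any real request.
	for _, in := range []string{"/dashboard?tab=risks", "//evil.example", "/\\evil.example", "///evil.example", "https://evil.example/", "javascript:alert(1)"} {
		fmt.Printf("%-24q -> %q\n", in, RedirectOrHome(in))
	}
}
```

Returning `u.String()` rather than the raw input is deliberate: the redirect is rebuilt from the parsed parts, so nothing that `url.Parse` silently tolerated can reach the header. The `/%2F%2Fevil.example` case is rejected too, which is conservative (browsers do not decode `%2F` in paths) but costs nothing for a local path.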
- Static files are served using GZip
- Static files are served with ETag and Cache header fields
- Entrypoint JS/CSS has no chunk hash
- Add policy unlogged sign
- Policy history
- Policy signature
- New vendors in the built-in lists
- Fix cannot delete measure with linked risk
- Fix SQL syntax error
- Add delete measure in the UI and GraphQL API
- Remove `importance` field from measure as it's not used anymore
- Fix delete evidence from task list does not work
- Fix cannot load attached measure risks
- Risk can have note
- Cache static assets
- Fix psql `generated_gid` returns padded base64
- Fix `user_id` not set when creating a new organization
- Fix `additional_email_addresses` not set when inviting in an organization
- New "Risk assessments" tab for vendors that allows you to:
  - View all risk assessments for a vendor in one place
  - Create new risk assessments with data sensitivity and business impact ratings
  - Track assessment expiration dates
- Automatic people record creation when accepting invitations
- New vendors in the built-in lists
- Introduced a connector framework enabling integration with external services:
  - Add OAuth2 connector implementation
- Completely redesigned vendor list page
- Completely redesigned vendor detail page
- Improved compliance reports table with better file size formatting and date display
- People may be linked to user
- New vendors in the built-in lists
- Update risk library with new risks
- Upgrade Golang dependencies
- Upgrade Node dependencies
- New vendors in the built-in vendors list
- New vendors in the built-in vendors list
- More explicit scale, legend and score for risk matrix
- Fix grammar for "people" in the navigation bar
- Fix editor change cursor position at each keystroke
- Fix editor does not display list icon
- Improve UI of the risk matrix
- Rename "Mitigation" to "Measure"
- Added business owner and security owner fields to vendors
- Improved vendor detail page with organized sections
- Split information into logical sections (Basic Information, Ownership, Risk & Service, Documentation)
- Better visual organization of vendor information
- New risk treatment strategy options: Mitigate, Accept, Avoid, Transfer
- Risk ownership functionality
- Enhanced risk management with inherent and residual risk assessment capabilities
- Added new fields to track both inherent and residual likelihood/impact values
- Introduced risk severity calculation as the product of likelihood and impact
- Added visual risk matrix to view risk distribution by severity
- New risk-policy mapping functionality allowing risks to be linked to policies
- New risk-control mapping functionality enabling risks to be linked to controls
- Added edit functionality for risks with a new edit page
- New popover components for mitigation information on the mitigations list view
- Pre-populated risk templates from a JSON data source
- Update vendors catalog.
- Updated risk creation form to include both inherent and residual risk parameters
- Improved risk list view with risk matrix visualization
- Enhanced breadcrumb navigation for risk detail pages
- Refactored risk-mitigation mapping to remove redundant probability/impact fields
- Renamed probability field to likelihood for better alignment with risk management terminology
- Improved license file formatting in vendors and risks data directories
- Fixed URL in attribution text (`getprobo.com` → `www.getprobo.com`)
- Added vendors.json data file under Creative Commons Attribution-ShareAlike 4.0 license
- New vendor data management system with comprehensive vendor information
- Pre-populated vendor database with 12 common SaaS vendors and their certifications
- Vendor details page with extended fields for improved vendor management:
  - Legal name and headquarters address
  - Website URL
  - Certification tracking with tag-based interface
  - Links to important vendor documents (SLA, DPA, security pages)
  - Support for multiple compliance certifications per vendor
- Fix cannot create vendor when the name is too similar to suggested one
- Fix UI showing double button to close evidence preview modal
- Fix cannot delete vendor with compliance reports (added cascade delete constraint)
- Add vendor compliance reports UI
- Controls can now be linked to policies, enabling better organization of compliance documentation and clearer traceability between policies and security controls
- New UI for viewing and managing policies related to a specific control
- Simplified policy data model by removing version field and optimistic concurrency
- Refactored policy update flow to load-modify-save pattern
- Added user-friendly error messages when importing frameworks that already exist
- Update ISO 27001 and SOC2 framework definition.
- BREAKING: Renamed GraphQL mutations for control-mitigation mappings:
  - `createControlMapping` → `createControlMitigationMapping`
  - `deleteControlMapping` → `deleteControlMitigationMapping`
  - Input and payload types have been updated accordingly
- Add import control <> mitigation mapping.
- Add mitigation tasks import.
- Add auto-scroll to opened category.
- Added support for mapping controls to policies:
  - New GraphQL mutations `createControlPolicyMapping` and `deleteControlPolicyMapping`
  - Controls can now be associated with both mitigations and policies
  - New bidirectional relationships:
    - Control objects now expose a `policies` field to list associated policies
    - Policy objects now expose a `controls` field to list associated controls
- Added vendor compliance reports:
  - New GraphQL types `VendorComplianceReport` and related connection types
  - New GraphQL mutations `uploadVendorComplianceReport` and `deleteVendorComplianceReport`
  - New `complianceReports` field on the Vendor type
  - Support for uploading, viewing, and managing vendor compliance documentation
- Added pre-configured frameworks:
  - Added ISO/IEC 27001:2022 and SOC 2 framework templates
  - Improved framework import interface with dropdown menu for template selection
  - Support for one-click import of standard compliance frameworks
- Evidence can now be requested.
- Fix mitigation category that could not be unfolded when opened via the URI fragment.
- Fix ctrl+click on mitigation does not open new tab.
- Fix error handling in framework view when no controls are available.
- Add sidebar to show a task.
- Add task estimate edition.
- Add control+framework auditor views.
- Add import mitigations support.
- Add import framework support.
- Add risk object management.
- Add risk template.
- Add mapping between control and risk.
- Rename control to mitigation.
- Home page is now mitigations page.
- Fix panics in GraphQL resolvers not being reported.
- Fix otel trace never started.
- Fix React.lazy chunk error.
- Fix login page showing `unauthorized` error.
- Fix cannot delete task with evidences.
- Fix cannot download file with non-ASCII filename.
- Add forget password.
- Allow evidence to be a link.
- Add task import support.
- Allow creating a vendor when it does not exist in the auto-complete.
- Add service account people kind.
- Make task time estimate optional.
- Set invitation token to 12 hours.
- Order people by fullname.
- Order vendor by name.
- Allow to edit control state without going to edit page.
- Redirect on people list after people creation.
- New UI for the framework overview page.
- Fix flickering on hover on categories.
- Fix control order under a category.
- Fix UI does not refresh after importing a framework.
- Fix cannot create control.
- Fix missing cookie on invitation confirmation.
- Fix sign-in does not include cookie.
- Fix missing version when create task.
- Fix random order on framework overview.
- Fix change task state not visible on UI.
- Fix control card items alignment.
- Fix cannot delete task.
- Fix password managers misidentifying token fields as usernames in reset password and invitation confirmation forms.
Initial release.