Gapps

Security compliance platform tracking progress across multiple frameworks

Self-hosted compliance management platform covering ten security frameworks, including SOC2, ISO27001, NIST and HIPAA, with multi-tenancy, SSO, and auditor collaboration.

Overview

Purpose

Gapps is a self-hosted security compliance platform designed for organizations tracking their progress against industry-standard security frameworks. It consolidates compliance management for SOC2, NIST CSF, NIST 800-53, CMMC, HIPAA, ASVS, ISO27001, CIS Critical Security Controls (CIS18), PCI DSS, and SSF into a unified dashboard.

Capabilities

The platform provides control tracking, project oversight, and risk register functionality. Multi-tenancy support enables managed service providers and enterprises to segment compliance programs by business unit or client. OIDC-based single sign-on streamlines authentication, while auditor collaboration features facilitate evidence sharing and review workflows. File storage integrates with S3 and Google Cloud Storage for artifact management.

Deployment

Gapps runs via Docker Compose with PostgreSQL as the backing database. Organizations can load custom frameworks by defining controls and subcontrols in JSON format, enabling adaptation to proprietary or emerging compliance requirements. The platform supports both containerized production deployments and local development configurations with Flask.

Highlights

Ten pre-loaded security frameworks including SOC2, ISO27001, NIST, and HIPAA
Multi-tenant architecture with OIDC single sign-on for enterprise access control
Auditor collaboration workspace with S3/GCS file storage integration
Custom framework loader accepting JSON-defined controls and subcontrols

Pros

  • Comprehensive framework coverage spanning healthcare, government, and commercial standards
  • Self-hosted deployment maintains full data sovereignty and control
  • Multi-tenancy enables MSPs to manage multiple client compliance programs
  • Extensible framework system supports custom or emerging compliance requirements

Considerations

  • Requires Docker and PostgreSQL infrastructure management
  • Integration ecosystem still under development per roadmap
  • Database migration procedures needed during version upgrades
  • Manual JSON authoring required for custom framework definitions

Managed products teams compare with

When teams consider Gapps, these hosted platforms usually appear on the same shortlist.

Delve

AI-native compliance automation with agent-based evidence collection

Drata

Automated security compliance for SOC 2, ISO 27001, and more

Oneleet

Unified security & compliance platform with pentesting and continuous monitoring

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Managed service providers tracking compliance across multiple client tenants
  • Enterprises requiring on-premises compliance data residency
  • Organizations managing multiple concurrent framework certifications
  • Teams needing auditor collaboration without third-party SaaS dependencies

Not ideal when

  • Teams requiring turnkey SaaS with zero infrastructure overhead
  • Organizations needing mature third-party tool integrations today
  • Small teams without Docker or database administration experience
  • Use cases demanding mobile-native compliance workflows

How teams use it

MSP Multi-Client SOC2 Management

Service provider tracks SOC2 Type II progress for 15 clients in isolated tenants with auditor-shared evidence repositories

Healthcare HIPAA + NIST Dual Compliance

Hospital system maps overlapping controls across HIPAA and NIST 800-53 frameworks to reduce duplicate audit effort

Government Contractor CMMC Preparation

Defense subcontractor uses control dashboard to demonstrate CMMC Level 2 readiness during pre-assessment

Custom Framework for Industry Regulation

Financial institution loads proprietary regulatory framework via JSON to track state-specific compliance requirements

Tech snapshot

HTML 72%
Python 16%
CSS 10%
JavaScript 1%
Shell 1%
Dockerfile 1%

Tags

nist-csf, 27002, compliance, iso27001, grc, owasp-top-10, nist800-53, pci-dss, owasp, cis18, hipaa, cmmc, security, nist, soc2, csc, pci, asvs

Frequently asked questions

How do I resolve database connection errors on startup?

Inside the Docker Compose stack, leave SQLALCHEMY_DATABASE_URI and POSTGRES_HOST unset so the application connects to the bundled PostgreSQL service. If you use an external PostgreSQL instance instead, set them to that instance's host, user, password, and database name.

Can I add custom compliance frameworks beyond the ten included?

Yes. Create a JSON file defining controls and subcontrols, save it to app/files/base_controls/ (or your FRAMEWORK_FOLDER path), then create a new tenant or use the 'Reload Frameworks' button on an existing tenant.
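
A way to build and sanity-check a custom framework file before dropping it into the loader folder, added here as an example and not code from the Gapps project. The field names (name, ref_code, description, subcontrols) are an assumed schema modelled on the general shape of a framework file and must be compared against a shipped file in app/files/base_controls/ before use; the sample controls are constructed. The check targets what goes wrong on 'Reload Frameworks': missing fields, duplicate reference codes across controls and subcontrols, and controls with no subcontrols to attach evidence to.

```python
"""Build and sanity-check a custom Gapps framework file before loading it.

Added example, not part of Gapps. The field names below (name, ref_code,
description, subcontrols) are an ASSUMED schema; compare them with a
framework JSON shipped in app/files/base_controls/ before relying on them.
"""
import json
from pathlib import Path

# Constructed sample: a small proprietary framework with two controls.
SAMPLE_CONTROLS = [
    {
        "name": "Access reviews",
        "ref_code": "REG-1",
        "description": "Quarterly review of privileged accounts.",
        "subcontrols": [
            {"name": "Admin inventory", "ref_code": "REG-1.1",
             "description": "Maintain a list of privileged accounts."},
            {"name": "Review evidence", "ref_code": "REG-1.2",
             "description": "Retain sign-off for each quarterly review."},
        ],
    },
    {
        "name": "Logging",
        "ref_code": "REG-2",
        "description": "Central log retention of 12 months.",
        "subcontrols": [
            {"name": "Retention", "ref_code": "REG-2.1",
             "description": "Logs kept for at least 365 days."},
        ],
    },
]

REQUIRED = ("name", "ref_code", "description")  # assumed required fields


def validate_framework(controls):
    """Return a list of problems; an empty list means the file is safe to load.

    Checks missing required fields, duplicate ref_codes (shared namespace
    across controls and subcontrols) and controls with no subcontrols.
    """
    problems = []
    seen = set()
    if not isinstance(controls, list) or not controls:
        return ["framework must be a non-empty list of controls"]
    for i, ctl in enumerate(controls):
        if not isinstance(ctl, dict):
            problems.append(f"control[{i}] is not an object")
            continue
        for key in REQUIRED:
            if not ctl.get(key):
                problems.append(f"control[{i}] missing {key}")
        code = ctl.get("ref_code")
        if code in seen:
            problems.append(f"duplicate ref_code {code}")
        seen.add(code)
        subs = ctl.get("subcontrols") or []
        if not subs:
            problems.append(f"control {code} has no subcontrols")
        for j, sub in enumerate(subs):
            for key in REQUIRED:
                if not sub.get(key):
                    problems.append(f"control {code} subcontrol[{j}] missing {key}")
            scode = sub.get("ref_code")
            if scode in seen:
                problems.append(f"duplicate ref_code {scode}")
            seen.add(scode)
    return problems


def write_framework(controls, folder, framework_name):
    """Validate, then write <folder>/<framework_name>.json for the loader.

    folder is the directory the loader reads (app/files/base_controls/ or
    your FRAMEWORK_FOLDER). Raises ValueError rather than writing a file
    that would fail or half-load on 'Reload Frameworks'.
    """
    problems = validate_framework(controls)
    if problems:
        raise ValueError("; ".join(problems))
    path = Path(folder) / f"{framework_name}.json"
    path.write_text(json.dumps(controls, indent=2))
    return path


if __name__ == "__main__":
    import tempfile
    print("wrote", write_framework(SAMPLE_CONTROLS, tempfile.mkdtemp(), "state_reg"))
```

Run the validator over an existing shipped framework first: if it reports missing fields against a file Gapps loads fine, the assumed schema differs from the real one and REQUIRED should be adjusted before trusting it on your own file.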

What happens during version upgrades?

Update the image tag everywhere it appears in docker-compose.yml (four instances), run docker-compose up -d, then apply the database migration with the documented docker exec commands so the schema matches the new version.
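
A helper for the upgrade step above, added as an example and not part of Gapps: it rewrites the image tag everywhere it occurs in docker-compose.yml and refuses to proceed if the number of references found is not the expected four (a missed one leaves a mixed-version stack) or if RESET_DB=yes is still set, since a value left over from the initial install would wipe the database on the restart. The image name example/gapps and the compose text are constructed, and the assumption that RESET_DB lives in a service's environment block is just that.

```python
"""Bump the Gapps image tag for an upgrade, refusing unsafe states.

Added example, not part of Gapps. The image name example/gapps and
SAMPLE_COMPOSE are constructed; the real docker-compose.yml names the
image differently and may set RESET_DB elsewhere (assumption here: in a
service's environment block).
"""
import re

# Constructed compose fragment: the image referenced four times, as the
# upgrade FAQ describes, plus a RESET_DB=yes left over from a first install.
SAMPLE_COMPOSE = """\
services:
  gapps:
    image: example/gapps:1.4.0
    environment:
      - RESET_DB=yes
  worker:
    image: example/gapps:1.4.0
  scheduler:
    image: example/gapps:1.4.0
  init:
    image: example/gapps:1.4.0
"""

# One `image: name:tag` line; surrounding whitespace is limited to spaces
# and tabs so a blank line after it is never swallowed by the match.
IMAGE_RE = re.compile(r"^([ \t]*image:[ \t]*)(\S+?):([\w.\-]+)[ \t]*$", re.MULTILINE)
# RESET_DB=yes or RESET_DB: "yes", in either compose environment syntax.
RESET_RE = re.compile(r'''RESET_DB\s*[:=]\s*["']?yes["']?''', re.IGNORECASE)


def upgrade_problems(compose_text, image, old_tag, expected=4):
    """Return reasons not to run `docker-compose up -d` yet (empty = safe)."""
    problems = []
    if RESET_RE.search(compose_text):
        problems.append("RESET_DB=yes is set; the restart would delete all "
                        "compliance data")
    found = sum(1 for m in IMAGE_RE.finditer(compose_text)
                if m.group(2) == image and m.group(3) == old_tag)
    if found != expected:
        problems.append(f"expected {expected} references to {image}:{old_tag}, "
                        f"found {found}; a partial edit leaves a mixed-version stack")
    return problems


def bump_image_tag(compose_text, image, old_tag, new_tag, expected=4):
    """Rewrite every image:old_tag to image:new_tag, or raise ValueError."""
    problems = upgrade_problems(compose_text, image, old_tag, expected)
    if problems:
        raise ValueError("; ".join(problems))

    def repl(m):
        if m.group(2) == image and m.group(3) == old_tag:
            return f"{m.group(1)}{image}:{new_tag}"
        return m.group(0)

    return IMAGE_RE.sub(repl, compose_text)


def image_tags(compose_text, image):
    """Distinct tags in use for `image`; one entry means a single-version stack."""
    return sorted({m.group(3) for m in IMAGE_RE.finditer(compose_text)
                   if m.group(2) == image})


if __name__ == "__main__":
    cleaned = SAMPLE_COMPOSE.replace("RESET_DB=yes", "RESET_DB=no")
    print(bump_image_tag(cleaned, "example/gapps", "1.4.0", "1.5.0"))
    # The documented migration (docker exec ...) still has to run afterwards.
```

Take a database backup before the restart regardless: the tag bump is reversible, the migration is not necessarily so.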

How do I reset all compliance data?

Set the RESET_DB environment variable to 'yes' before starting Gapps. Warning: this deletes all existing data in the database.

Can I run Gapps outside Docker for development?

Yes. Start the PostgreSQL container on its own with its port published, set POSTGRES_HOST to localhost along with the other database environment variables, then run 'export FLASK_CONFIG=development; bash run.sh' to start the application.

Project at a glance

Stable
Stars: 638
Watchers: 638
Forks: 146
Repo age: 3 years old
Last commit: 6 months ago
Self-hosting: Supported
Primary language: HTML

Last synced 12 hours ago