Compliance Hub App Overview
Stand up an auditor-ready compliance program in minutes on the platform you already run on—Compliance Hub gives you guided program setup, a control register, recurring review and attestation campaigns, findings/remediation tracking, an evidence registry, framework control libraries with cross-framework crosswalks, and one-click auditor export packages.
What is the Compliance Hub App?
Compliance Hub is a lightweight GRC (Governance, Risk & Compliance) layer that turns the people, vendors, contracts, and change records you already manage in MangoApps into a defensible audit program. Instead of standing up a separate compliance tool and re-keying the same data, you author controls, run recurring review campaigns (access reviews, certification reviews, change reviews), track findings to closure, capture evidence, and hand your auditor a read-only, token-gated package—all without leaving the platform. A guided Program Setup stands up the whole scaffold in one step, and it runs standalone (with native vendor & change registers) or gets richer when adjacent apps are enabled.
Core Value Proposition:
- 🚀 Live in Minutes — Guided Program Setup imports a framework’s starter controls and creates your standard recurring reviews in one step
- 🎯 Audit-Ready by Design — Every review is timestamped, locked on completion, and exportable as a multi-sheet auditor package
- 🔁 Recurring, Not One-Off — Controls carry a review frequency; campaigns regenerate automatically so nothing lapses
- 🔺 Closed-Loop Remediation — Flagging a review item opens a tracked finding with an owner, due date, and resolution — the trail auditors want
- 🧩 Answer Once, Satisfy Many — Framework crosswalks show that satisfying a SOC 2 control also covers the equivalent ISO 27001 / SOX control
- 🔗 Standalone or Better Together — Native vendor & change registers mean it works with zero other apps; Supplier Hub / Contracts / Service Desk enrich it automatically when enabled
At a Glance
| ⚙️ Runs Standalone | 📱 Mobile Reviewer | 🤖 AI Agent | 🔒 Auditor Portal |
|---|---|---|---|
| ✅ Yes (native registers) | ✅ Yes | ✅ 9 tools | ✅ Token-gated |
Perfect For:
- 🏢 Compliance & IT leads standing up SOX, SOC 2, ISO 27001, or HIPAA programs — guided setup, control register, campaigns, and exports
- 👥 Managers & control owners who are assigned review items to attest each cycle (including from their phone) and own findings to remediate
- 📋 Auditors who need read-only access to a control register and its evidence without a platform login
How It Works
Compliance Lifecycle
┌────────────────────────────────────────────────────────────────────────────────┐
│ COMPLIANCE HUB LIFECYCLE │
├────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐ │
│ │ AUTHOR │──▶│ LAUNCH │──▶│ REVIEW │──▶│ COMPLETE │ │
│ │ CONTROL │ │ CAMPAIGN │ │ & ATTEST │ │ (LOCKS) │ │
│ └────────────┘ └─────┬──────┘ └─────┬──────┘ └─────┬──────┘ │
│ import library or │ fan-out │ attest / │ │
│ author from scratch │ review items │ flag / N-A ▼ │
│ ▼ ▼ ┌────────────┐ │
│ ┌────────────┐ ┌────────────┐ │ EXPORT │ │
│ │ per User /│ │ attach │ │ PACKAGE │ │
│ │ Cert / │ │ EVIDENCE │ │ (XLSX) │ │
│ │ Change │ └────────────┘ └─────┬──────┘ │
│ └────────────┘ │ │
│ ▼ │
│ ┌───────────────────┐ │
│ │ AUDITOR PORTAL    │ │
│ │ (token, no login) │ │
│ └───────────────────┘ │
└────────────────────────────────────────────────────────────────────────────────┘
Note: Completing a campaign requires every item to reach a terminal state (attested / flagged / not applicable), then the campaign locks for audit integrity. An admin can unlock it, and the unlock is recorded. Flagging an item automatically opens a tracked finding (owner + due date + resolution) so the deficiency is followed to closure, not lost in a locked campaign.
Integration Ecosystem
┌─────────────────┐
│ COMPLIANCE HUB │
└────────┬────────┘
│ composes with (does not re-model)
┌─────────────┬───────────────┼───────────────┬─────────────┐
▼ ▼ ▼ ▼ ▼
┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐
│ USERS │ │ VENDOR │ │ SERVICE │ │ EVIDENCE │ │ ASK AI │
│ │ │ CERTS │ │ DESK │ │ (files) │ │ (Agent) │
└─────┬─────┘ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘ └─────┬─────┘
▼ ▼ ▼ ▼ ▼
┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐
│ Access │ │ Cert │ │ Change │ │ Attach to │ │ Ask │
│ review │ │ review │ │ review │ │ controls /│ │ posture & │
│ subjects │ │ subjects │ │ subjects │ │ items │ │ gaps │
└───────────┘ └───────────┘ └───────────┘ └───────────┘ └───────────┘
Key Features
🚀 Guided Program Setup
Don’t start from an empty app — stand up a running program in one step.
| Feature | Description |
|---|---|
| One-Form Setup | Pick a framework, an owner, and go — reachable from the dashboard’s empty-state prompt or Settings |
| Imports Starter Controls | Pulls the chosen framework’s curated control set into your register |
| Creates Standard Reviews | Spins up the three standard recurring campaigns — Annual Access Review, Annual Certification Review, Quarterly Change Review — as drafts for you to review and activate |
| Idempotent | Re-running only adds what’s missing; it never duplicates existing controls or campaigns |
Use Case: A new admin opens Compliance Hub, clicks “Set up your program”, picks SOX, and in one step has the SOX control set imported and three review cycles scaffolded — ready to assign owners and activate.
💡 Pro Tip: Run Program Setup first to get a working scaffold, then refine — it’s faster than authoring controls and campaigns one at a time.
📒 Control Register
The backbone of the app: a register of the controls you are accountable for.
| Feature | Description |
|---|---|
| Author or Import | Create controls from scratch, upload a CSV, or import a prebuilt framework library |
| Categories | Each control is one of: Access, Vendor, Change, Security, Data, or Other |
| Review Frequency | Monthly, Quarterly, Semiannual, Annual, or Ad-hoc — drives the next-review date |
| Ownership | Assign a control owner responsible for its reviews |
| Provenance | Imported controls remember the framework control they came from (for crosswalk coverage) |
| Lifecycle | Active controls can be retired; overdue and due-soon controls are tracked |
| Launch a Campaign | Spin up a review campaign directly from a control |
Use Case: A team becoming SOX-compliant imports the SOX ITGC starter library, assigns each access control to an owner, and sets quarterly review frequency — the register now drives everything downstream.
💡 Pro Tip: Use the import template (CSV) to bulk-load an existing control spreadsheet, then enrich owners and frequencies in the app rather than re-typing controls one at a time.
🔁 Review & Attestation Campaigns
Controls are static; campaigns are how you prove they are operating.
Campaign Types:
| Type | What It Reviews | Subjects Pulled From |
|---|---|---|
| Access Review | Who has access / what roles | Users |
| Certification Review | Security & compliance certifications | Vendor certifications |
| Change Review | Documented software updates & changes | Service Desk change requests |
| General | Anything else | Manual / control-scoped |
Campaign Lifecycle: draft → active → completed → archived
┌──────────────────────────────────────────────────────────────────────┐
│                        CAMPAIGN STATE MACHINE                        │
├──────────────────────────────────────────────────────────────────────┤
│  ┌────────┐  activate    ┌────────┐   all items      ┌──────────┐    │
│  │ DRAFT  │─────────────▶│ ACTIVE │   terminal ─────▶│COMPLETED │    │
│  └────────┘              └────────┘   + complete     │ (LOCKED) │    │
│                               ▲                      └────┬─────┘    │
│                               │ unlock (admin, logged)    │ archive  │
│                               └───────────────────────────┤          │
│                                                      ┌────▼─────┐    │
│                                                      │ ARCHIVED │    │
│                                                      └──────────┘    │
└──────────────────────────────────────────────────────────────────────┘
When a campaign is activated, review items are fanned out — one per subject (each user for an access review, each certification for a cert review, each change request for a change review). Reviewers then resolve each item:
| Decision | Meaning |
|---|---|
| Attest | Confirmed correct / appropriate |
| Flag | Needs remediation — captured with a note |
| Not Applicable | Out of scope for this cycle |
Use Case: Each quarter the “User Access Review” campaign activates, generating one item per active employee for the access owner to attest. Anything they flag becomes a remediation trail the auditor can see.
💡 Pro Tip: Turn on require-evidence-on-attest in settings so reviewers can’t sign off an item without attaching proof — the gate is enforced on both the desktop and the mobile reviewer surface.
🏢 Native Review Register (Vendors & Changes)
Cert and change reviews work with zero other apps — and get richer when adjacent apps are enabled.
| Feature | Description |
|---|---|
| Native Vendor Register | Track software vendors with criticality, certification type, and expiry — feeds certification reviews standalone |
| Native Change Register | Log documented changes with type and date — feeds change reviews standalone |
| Progressive Enhancement | When Supplier Hub / Contracts (vendor certs) or Service Desk (changes) are enabled, those canonical sources are used automatically and deduplicated against the native register — no double entry |
| Source Status | Settings shows, per review type, whether the active source is the connected app or the native register |
Use Case: A small team with only Compliance Hub adds its four critical vendors and their SOC 2 expiries to the register; their certification review fans out from those natively. Later they enable Supplier Hub, and the review automatically pulls the canonical vendor certs — deduped against what they already entered.
💡 Pro Tip: If you already track vendors in Supplier Hub or changes in Service Desk, you don’t need to re-enter them — the review pulls from there automatically. The native register is for teams that don’t (yet) run those apps.
🗂️ Evidence Registry
Proof, attached where it belongs.
| Feature | Description |
|---|---|
| Polymorphic | Attach evidence to a control, a review item, or a finding |
| File or Linked Record | Upload a file, or link an existing platform record as the evidence source |
| Typeahead Source Picker | Search linkable source records by keyword instead of typing an ID |
Use Case: For a change-review item, the reviewer links the actual Service Desk change request as evidence — the audit package then shows the documented change inline, not as a reference the auditor has to chase.
🔺 Findings & Remediation
Flagging isn’t enough — a deficiency must be owned and fixed. Findings close that loop.
| Feature | Description |
|---|---|
| Auto-Opened on Flag | Flagging a review item automatically opens a finding (titled from the item, linked to its control) — idempotent, so re-flagging won’t duplicate |
| Raise Manually | Open an ad-hoc finding against a control at any time, independent of a review |
| Lifecycle | Open → In progress → Remediated / Accepted / Closed, with a stamped resolver and resolution note |
| Owner, Due Date & Severity | Assign an owner and due date; severity is Low / Medium / High / Critical |
| Evidence on Findings | Attach remediation proof directly to the finding |
| Reminders | The daily job nudges finding owners about due-soon and overdue items |
| Surfaced Everywhere | An “Open Findings” dashboard tile (with overdue count), a per-control findings panel, and a filterable Findings register |
Use Case: During an access review a manager flags “Terminated user still active in Okta.” A critical finding opens automatically, assigned to the IT owner with a due date. It shows on the dashboard until remediated — and the resolution is part of the auditor package.
💡 Pro Tip: Filter the Findings register to Overdue before each audit checkpoint — anything lingering there is exactly what an auditor will probe.
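The campaign state machine above and the auto-opened finding described in this section are two halves of one invariant set, so here is a single worked model of both. It is an added example written for this page in Python, not Compliance Hub's own code, and it assumes an in-memory store, a 30-day default finding due date, and that unlocking returns a campaign to the active state; none of those details are stated on the page. What it shows is the part an auditor cares about: a campaign cannot complete while any item is non-terminal, no item can be changed once the campaign is locked, an unlock needs an admin and a reason and is written to the trail, and re-flagging the same item reuses the finding it already opened instead of creating a second one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TERMINAL = {"attested", "flagged", "not_applicable"}  # terminal item states named on the page
FINDING_DUE_DAYS = 30                                 # assumed default due window; not given on the page


@dataclass
class Item:
    id: str
    subject: str                # e.g. one user of an access review
    status: str = "pending"
    note: str = ""


@dataclass
class Finding:
    id: str
    title: str
    control_id: str
    owner: str
    due: datetime
    severity: str = "medium"
    status: str = "open"


@dataclass
class Campaign:
    id: str
    control_id: str
    items: dict = field(default_factory=dict)   # item id -> Item
    status: str = "draft"                       # draft / active / completed / archived
    log: list = field(default_factory=list)     # append-only (actor, event, detail) trail


class CampaignError(Exception):
    """Raised when a transition or edit is refused by an invariant."""


class Hub:
    """In-memory stand-in for the campaign and findings registers (hypothetical)."""

    def __init__(self):
        self.findings = {}        # (campaign id, item id) -> Finding; the idempotency key

    def activate(self, c, subjects, actor):
        if c.status != "draft":
            raise CampaignError(f"cannot activate from {c.status}")
        for n, subject in enumerate(subjects, 1):      # fan-out: one item per subject
            item_id = f"{c.id}-i{n}"
            c.items[item_id] = Item(id=item_id, subject=subject)
        c.status = "active"
        c.log.append((actor, "activate", f"{len(subjects)} items"))

    def resolve(self, c, item_id, decision, actor, note="", finding_owner="it-owner"):
        if c.status != "active":                       # locked, draft or archived: refuse edits
            raise CampaignError(f"campaign is {c.status}; item changes are refused")
        if decision not in TERMINAL:
            raise CampaignError(f"unknown decision {decision!r}")
        item = c.items[item_id]
        item.status, item.note = decision, note
        c.log.append((actor, decision, item_id))
        return self._open_finding(c, item, finding_owner) if decision == "flagged" else None

    def _open_finding(self, c, item, owner):
        key = (c.id, item.id)
        if key not in self.findings:                   # re-flagging reuses the existing finding
            self.findings[key] = Finding(
                id=f"F-{len(self.findings) + 1}",
                title=f"Flagged: {item.subject} ({item.note})",
                control_id=c.control_id, owner=owner,
                due=datetime.now(timezone.utc) + timedelta(days=FINDING_DUE_DAYS))
        return self.findings[key]

    def complete(self, c, actor):
        pending = [i.id for i in c.items.values() if i.status not in TERMINAL]
        if c.status != "active" or pending:
            raise CampaignError(f"cannot complete: status {c.status}, pending {pending}")
        c.status = "completed"                         # locked from here on
        c.log.append((actor, "complete", "locked"))

    def unlock(self, c, actor, is_admin, reason):
        if not is_admin or not reason.strip():
            raise CampaignError("unlock needs an admin and a documented reason")
        if c.status != "completed":
            raise CampaignError(f"cannot unlock from {c.status}")
        c.status = "active"
        c.log.append((actor, "unlock", reason))        # the unlock itself is part of the trail

    def archive(self, c, actor):
        if c.status != "completed":
            raise CampaignError("only completed campaigns can be archived")
        c.status = "archived"
        c.log.append((actor, "archive", ""))


def refused(fn, *args, **kwargs):
    """True when an operation is refused by a guard; handy for checking the invariants."""
    try:
        fn(*args, **kwargs)
    except CampaignError:
        return True
    return False
```

The idempotency key is (campaign, item), not the finding title: two different campaigns flagging the same user should produce two findings, while a reviewer clicking Flag twice on one item must not. Keeping the unlock in the same append-only log as the attestations is what lets an auditor see that a locked cycle was reopened, by whom, and why.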
🧩 Framework Library & Crosswalks
The GRC differentiator: prebuilt control catalogs plus the mappings between them.
| Feature | Description |
|---|---|
| Framework Catalog | Browse published frameworks (SOC 2, SOX, ISO 27001, HIPAA) and their controls |
| One-Click Import | Import an entire framework — or just the gaps you haven’t covered yet — into your register |
| Crosswalks | Each framework control maps to its equivalents in other frameworks (exact / partial / related) |
| Coverage Matrix | See, per framework, how many controls you’ve imported vs. the gap list |
| “Also Satisfies” Panel | On a control’s page, see which other frameworks’ controls it covers via crosswalk |
┌───────────────────────────────────────────────────────────────────┐
│ ANSWER ONCE, SATISFY MANY │
├───────────────────────────────────────────────────────────────────┤
│ │
│ SOC 2 CC6.1 ◀──── crosswalk ────▶ ISO 27001 A.9.2 │
│ │ │ │
│ └────────── crosswalk ──────────────┘ │
│ │ │
│ ▼ │
│ SOX ITGC Access │
│ │
│ Import & satisfy CC6.1 once → coverage lights up across all │
│ three frameworks. Pursuing a 2nd framework? Import only gaps. │
└───────────────────────────────────────────────────────────────────┘
Use Case: A company already SOC 2-attested pursues ISO 27001. The coverage matrix shows most Annex A controls are already covered via crosswalk — they import only the genuine gaps instead of rebuilding the program.
💡 Pro Tip: Run the coverage matrix before scoping a new framework audit — it converts “how much work is a second framework?” into a concrete gap count instead of a guess.
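The coverage matrix and the "Also Satisfies" panel are both reads over the same crosswalk graph, so one worked implementation covers them. This is an added Python example for this page, not Compliance Hub's code; the framework catalog, the control ids and the mappings in it are constructed stand-ins and not a real published mapping between SOC 2, ISO 27001 and SOX. The one design decision worth noticing is that only a single crosswalk hop is followed: a control imported from SOC 2 can cover an ISO 27001 control it maps to, but coverage does not chain through that ISO control to a third framework, because a partial match of a partial match is not evidence.

```python
from collections import defaultdict

# Constructed sample catalog for this example; the control ids are illustrative
# stand-ins and not a real published mapping between these frameworks.
FRAMEWORKS = {
    "SOC2": ["CC6.1", "CC6.2", "CC7.2", "CC8.1"],
    "ISO27001": ["A.9.2", "A.9.4", "A.12.4", "A.12.1"],
    "SOX": ["ITGC-Access", "ITGC-Change", "ITGC-Ops"],
}

# One row per mapping: (framework, control, framework, control, strength).
# A crosswalk is symmetric, so each row is stored once and indexed both ways.
CROSSWALK = [
    ("SOC2", "CC6.1", "ISO27001", "A.9.2", "exact"),
    ("SOC2", "CC6.1", "SOX", "ITGC-Access", "exact"),
    ("SOC2", "CC6.2", "ISO27001", "A.9.4", "partial"),
    ("SOC2", "CC7.2", "ISO27001", "A.12.4", "related"),
    ("SOC2", "CC8.1", "SOX", "ITGC-Change", "exact"),
    ("ISO27001", "A.12.1", "SOX", "ITGC-Ops", "partial"),
]
RANK = {"exact": 3, "partial": 2, "related": 1}


def build_index(crosswalk=CROSSWALK):
    """(framework, control) -> {(framework, control): strength}, in both directions."""
    index = defaultdict(dict)
    for f1, c1, f2, c2, strength in crosswalk:
        index[(f1, c1)][(f2, c2)] = strength
        index[(f2, c2)][(f1, c1)] = strength
    return index


def also_satisfies(framework, control, crosswalk=CROSSWALK):
    """The 'Also Satisfies' panel: every mapped control and the strength of the mapping."""
    return dict(build_index(crosswalk)[(framework, control)])


def coverage(imported, target, frameworks=FRAMEWORKS, crosswalk=CROSSWALK):
    """Coverage of `target` given the (framework, control) pairs already in the register.

    Returns {control: "imported" | "exact" | "partial" | "related" | None}.
    Only one crosswalk hop is followed on purpose: a partial match of a partial
    match is not evidence that a control is satisfied.
    """
    index = build_index(crosswalk)
    result = {}
    for control in frameworks[target]:
        if (target, control) in imported:
            result[control] = "imported"
            continue
        best = None
        for peer, strength in index[(target, control)].items():
            if peer in imported and (best is None or RANK[strength] > RANK[best]):
                best = strength
        result[control] = best
    return result


def gap_list(cov, accept=("exact",)):
    """Controls still to import: uncovered ones, plus any whose best mapping
    is weaker than the strengths the program has decided to accept."""
    return [c for c, s in cov.items() if s is None or (s != "imported" and s not in accept)]


def coverage_matrix(imported, frameworks=FRAMEWORKS, crosswalk=CROSSWALK):
    """Per framework: (covered, total), counting imported and accepted mappings as covered."""
    matrix = {}
    for fw in frameworks:
        cov = coverage(imported, fw, frameworks, crosswalk)
        matrix[fw] = (len(cov) - len(gap_list(cov)), len(cov))
    return matrix
```

Run with every SOC 2 control imported and ask for ISO 27001: A.9.2 is covered exactly, A.9.4 only partially, A.12.4 only as related, and A.12.1 not at all, so the default gap list (accepting exact mappings only) is three controls. Which strengths a program accepts as "covered" is a policy decision, which is why `accept` is a parameter rather than a constant; whatever you choose, record it, because the auditor will ask.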
📤 Auditor Exports & Read-Only Portal
Hand the auditor a package, not a screen-share.
| Feature | Description |
|---|---|
| Multi-Sheet Export | Generate an XLSX package covering controls, campaigns, items, and evidence |
| Download | Pull the export file directly |
| Publish | Mint a secure, token-gated URL the auditor opens with no platform login |
| Expiry | Optionally set the published link to expire |
| Unpublish | Revoke access at any time |
Use Case: Instead of provisioning an auditor account, the compliance lead publishes an export with a 30-day expiry and emails the link. The auditor reviews the register and evidence read-only; access self-revokes when the link expires. Because the token in the URL is the only credential, treat the link as a secret: send it over a channel the auditor controls, set an expiry rather than publishing open-ended, and unpublish as soon as fieldwork ends instead of waiting for the expiry to do it.
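To make the token-gated link concrete, here is how a publish / resolve / unpublish cycle is normally built. This is an added Python example for this page, not the product's implementation; the base URL, the query parameter name `t`, and the choice to store only a SHA-256 of the token are assumptions of the example. The properties it demonstrates are the ones a reviewer should ask about: the token comes from the OS CSPRNG, the plaintext exists only in the URL handed out once, the server keeps a digest (so a leaked table does not yield working links), and both expiry and revocation are checked on every resolve.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://example.invalid/compliance/exports"   # placeholder, not a product URL


class ExportPublisher:
    """Mints and checks bearer tokens for read-only export links (hypothetical).

    Only a SHA-256 of each token is stored, so a copy of the table cannot be
    turned back into a working link; the plaintext exists once, in the URL
    handed to the compliance lead. The token is 256 bits from the OS CSPRNG,
    so guessing it is not a practical attack; leaking the link is.
    """

    def __init__(self):
        self._by_hash = {}   # sha256(token) -> {"export_id", "expires_at", "revoked"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def publish(self, export_id, expires_in=None, now=None):
        """Return a fresh link for `export_id`; expires_in is a timedelta or None (no expiry)."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = {
            "export_id": export_id,
            "expires_at": now + expires_in if expires_in else None,
            "revoked": False,
        }
        return f"{BASE_URL}/{export_id}?t={token}"

    def resolve(self, token, now=None):
        """The export id a token grants, or None when unknown, revoked or expired.
        Lookup is by digest, so the stored value is never the secret itself."""
        now = now or datetime.now(timezone.utc)
        rec = self._by_hash.get(self._digest(token))
        if rec is None or rec["revoked"]:
            return None
        if rec["expires_at"] is not None and now >= rec["expires_at"]:
            return None
        return rec["export_id"]

    def unpublish(self, export_id):
        """Revoke every live link for an export; returns how many were revoked."""
        revoked = 0
        for rec in self._by_hash.values():
            if rec["export_id"] == export_id and not rec["revoked"]:
                rec["revoked"] = True
                revoked += 1
        return revoked


def token_from_url(url):
    """Pull the bearer token back out of a published link (what the portal endpoint does)."""
    return parse_qs(urlparse(url).query)["t"][0]
```

Note that `resolve` returns only an identifier of something to read; there is deliberately no path from a token to any write. Revocation is recorded rather than deleted so that a later audit can still answer "was this export ever published, and when was access withdrawn".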
📊 Analytics Dashboard
Manager-and-above visibility into program health.
Standard Analytics:
- Controls by framework, status, and category (doughnut breakdowns)
- Open / overdue / completed campaign counts
- Pending and flagged review items
- A multi-month completion trend
🤖 Compliance Hub AI Agent
Ask the compliance program questions in natural language through Ask AI. The agent ships with nine tools (gated by the app’s agent_enabled toggle):
Read tools:
- list_controls — “show SOX controls”, “which controls are overdue”
- compliance_posture_summary — “are we audit-ready?” roll-up of controls, campaigns, and items
- list_review_campaigns — “which review cycles are open / overdue?”
- list_my_pending_items — “what do I need to attest?”
- find_evidence_gaps — “which controls have no evidence or are overdue for review?”
- framework_coverage — “what SOC 2 controls are we missing?”
- list_findings — “what findings are open?”, “which findings are overdue for remediation?”
Write tools (controller-replayed, permission-checked):
- create_control — author a control conversationally
- launch_review_campaign — kick off a review cycle
🔔 Notifications & Inbox
Reviewers and owners are kept in the loop without nagging.
| Type | When It Fires |
|---|---|
| Assignment | A reviewer is assigned a review item (in-app Inbox action request + optional email) |
| Due-Soon Digest | A campaign is approaching its due date |
| Overdue Alert | A campaign has passed its due date |
| Finding Reminders | A finding’s owner is nudged when remediation is due-soon or overdue |
Assignment and activation publish an actionable Inbox item that deep-links to the work; attesting, flagging, or marking N/A resolves it. A daily background job (ComplianceHubDailyJob) regenerates recurring campaigns and sends the due-soon, overdue, and finding-remediation reminders.
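The daily job is the piece that makes "recurring, not one-off" true, so here is one worked pass of it. This is an added Python example for this page, not ComplianceHubDailyJob itself; the period lengths, the 14-day regeneration lead time and the 7-day due-soon window are assumptions (the page gives no numbers), and the job is written as a pure function that returns what it would create and send so that it can be checked. The behaviours worth copying are that a control with a cycle already in flight never gets a second campaign, that regeneration is keyed on the control and its due date so re-running the job on the same day is a no-op, and that ad-hoc controls never regenerate.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FREQUENCY_DAYS = {"monthly": 30, "quarterly": 91, "semiannual": 182, "annual": 365}
LEAD_DAYS = 14       # assumed: how early a recurring campaign is regenerated before its due date
DUE_SOON_DAYS = 7    # assumed: reminder window; the page gives no number


@dataclass
class Control:
    id: str
    frequency: str                      # monthly / quarterly / semiannual / annual / adhoc
    last_completed: Optional[date]      # due date of the last completed campaign, if any


@dataclass
class Campaign:
    control_id: str
    due: date
    status: str = "draft"               # draft / active / completed / archived


@dataclass
class Finding:
    id: str
    owner: str
    due: date
    status: str = "open"                # open / in_progress / remediated / accepted / closed


def next_review_date(control, today):
    """Ad-hoc controls never regenerate; others are due one period after the last cycle."""
    period = FREQUENCY_DAYS.get(control.frequency)
    if period is None:
        return None
    if control.last_completed is None:
        return today + timedelta(days=LEAD_DAYS)      # first cycle: give reviewers the lead window
    return control.last_completed + timedelta(days=period)


def run_daily(today, controls, campaigns, findings):
    """One pass of the daily job. Returns (campaigns it created, reminders it would send)
    without mutating its inputs; re-running on the same day creates nothing new."""
    open_controls = {c.control_id for c in campaigns if c.status in ("draft", "active")}
    created = []
    for ctl in controls:
        if ctl.id in open_controls:
            continue                                  # a cycle is already in flight for this control
        due = next_review_date(ctl, today)
        if due is None or (due - today).days > LEAD_DAYS:
            continue                                  # ad-hoc, or not yet inside the regeneration window
        created.append(Campaign(control_id=ctl.id, due=due))
        open_controls.add(ctl.id)

    reminders = []
    still_open = [c for c in campaigns if c.status in ("draft", "active")] + created
    for c in still_open:
        days_left = (c.due - today).days
        if days_left < 0:
            reminders.append(("campaign_overdue", c.control_id, -days_left))
        elif days_left <= DUE_SOON_DAYS:
            reminders.append(("campaign_due_soon", c.control_id, days_left))
    for f in findings:
        if f.status not in ("open", "in_progress"):
            continue                                  # resolved findings are not nagged
        days_left = (f.due - today).days
        if days_left < 0:
            reminders.append(("finding_overdue", f.owner, -days_left))
        elif days_left <= DUE_SOON_DAYS:
            reminders.append(("finding_due_soon", f.owner, days_left))
    return created, reminders
```

An overdue campaign stays open and is reminded about every day rather than being silently superseded by the next cycle; a lapsed review that quietly rolled over would be exactly the gap an auditor looks for.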
📱 Mobile Reviewer Surface
Reviewers can clear their attestation queue from their phone. The mobile view shows their pending items and lets them attest in place — honoring the same evidence-required gate and campaign lock as the desktop app. Management tasks (authoring controls, running exports) stay on the responsive desktop app.
User Roles & Permissions
| Role | Capabilities |
|---|---|
| Reviewer (any assignee) | See and resolve review items assigned to them (attest / flag / N/A), attach evidence, act from mobile |
| Manager | Reviewer capabilities + the analytics dashboard |
| Admin / App Admin | Run Program Setup; author & import controls; manage the vendor & change register; launch, complete & unlock campaigns; raise & resolve findings; manage the framework library; generate & publish auditor exports; configure settings |
| Auditor (external) | Read-only access to a published export via its token URL — no login |
Manage gating: “manage” actions (authoring controls, the register, findings, campaigns, exports, setup) are governed by the Who can manage setting: `admins_only` (the default) restricts them to admins, and `any_user` lets members manage too. Members can always attest items assigned to them, whichever value is set.
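The manage-gating rule above and the "controller-replayed, permission-checked" write tools of the AI agent section are the same authorization decision reached from two entry points, so here is one worked model of both. It is an added Python example for this page, not Compliance Hub's code; the action identifiers, the tool-to-action mapping, the decision to make unlock admin-only (the page says an admin unlocks, but does not say whether `any_user` extends that) and the sample handlers are all assumptions. The point it makes is that the agent never gets its own permission model: a write tool is only a second caller of the same `can` check a UI click goes through, so enabling the agent cannot widen what a user could already do by hand.

```python
from dataclasses import dataclass

# Hypothetical policy table for this example. The action names are illustrative;
# the page lists capabilities, not the identifiers the product uses internally.
MANAGE_ACTIONS = {"author_control", "manage_register", "manage_findings", "launch_campaign",
                  "complete_campaign", "publish_export", "program_setup", "manage_library"}
ADMIN_ONLY = {"unlock_campaign"}      # assumed: the page says an admin unlocks a locked campaign
READ_TOOLS = {"list_controls", "compliance_posture_summary", "list_review_campaigns",
              "list_my_pending_items", "find_evidence_gaps", "framework_coverage", "list_findings"}
WRITE_TOOLS = {"create_control": "author_control",        # tool -> the manage action it replays
               "launch_review_campaign": "launch_campaign"}


@dataclass
class Settings:
    who_can_manage: str = "admins_only"    # or "any_user"
    agent_enabled: bool = True


@dataclass
class User:
    id: str
    role: str                              # member / manager / admin


def can(user, action, settings, assignee=None):
    """Single authorization check shared by the UI, the mobile surface and the agent."""
    if action in ("attest", "flag", "not_applicable"):
        return assignee == user.id         # an assignee can always resolve their own items
    if action == "view_analytics":
        return user.role in ("manager", "admin")
    if action in ADMIN_ONLY:
        return user.role == "admin"
    if action in MANAGE_ACTIONS:
        return user.role == "admin" or settings.who_can_manage == "any_user"
    return False                           # unknown actions are denied, never allowed by default


def dispatch_tool(user, tool, args, settings, handlers):
    """Gate an agent tool call. Returns ("ok", result) or ("denied", reason).

    Read tools run as the calling user (handlers scope their own queries);
    write tools are replayed through `can` exactly as a UI click would be.
    """
    if not settings.agent_enabled:
        return ("denied", "agent_disabled")
    if tool in READ_TOOLS:
        return ("ok", handlers[tool](user, **args))
    if tool in WRITE_TOOLS:
        action = WRITE_TOOLS[tool]
        if not can(user, action, settings):
            return ("denied", f"{user.id} may not {action}")
        return ("ok", handlers[tool](user, **args))
    return ("denied", f"unknown tool {tool}")


# Constructed sample handlers and data standing in for the real controller actions.
CONTROLS = [{"id": "AC-1", "framework": "SOX", "status": "active"},
            {"id": "CC6.1", "framework": "SOC2", "status": "overdue"}]


def list_controls(user, framework=None):
    return [c for c in CONTROLS if framework in (None, c["framework"])]


def create_control(user, title, category):
    new = {"id": f"C-{len(CONTROLS) + 1}", "title": title, "category": category,
           "owner": user.id, "status": "active"}
    CONTROLS.append(new)
    return new


HANDLERS = {"list_controls": list_controls, "create_control": create_control}
```

Two details carry the security weight: the final `return False` in `can` means an action nobody thought to list is denied rather than allowed, and `dispatch_tool` checks `agent_enabled` before it checks anything else, so switching the toggle off is a hard stop for read and write tools alike.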
How We Compare
See how MangoApps Compliance Hub stacks up against dedicated GRC automation platforms:
| Feature | MangoApps Compliance Hub | Vanta | Drata | Sprinto |
|---|---|---|---|---|
| Control register & framework libraries | ✅ | ✅ | ✅ | ✅ |
| Cross-framework crosswalks / coverage matrix | ✅ | ✅ | ✅ | ✅ |
| Recurring review & attestation campaigns | ✅ | ✅ | ✅ | ✅ |
| Findings / remediation tracking | ✅ | ✅ | ✅ | ✅ |
| Read-only auditor access (no login) | ✅ | ✅ | ✅ | ✅ |
| Works standalone, no external connectors required | ✅ | ⚡ | ⚡ | ⚡ |
| Evidence pulled from in-platform records | ✅ | ⚡ | ⚡ | ⚡ |
| Continuous automated cloud-control monitoring | ❌ | ✅ | ✅ | ✅ |
| Part of a unified employee platform | ✅ | ❌ | ❌ | ❌ |
Legend: ✅ Included; ❌ Not Available; ⚡ Limited / via integrations
Why MangoApps Compliance Hub?
- 🔗 Evidence Is Native — Your users, vendor certifications, and change requests already live here, so review subjects and proof come from the source rather than a separate connector
- 💰 No Separate GRC Subscription — It’s another app on the platform you already run, not a standalone tool to procure and integrate
- 🎯 Right-Sized — A defensible SOX / SOC 2 / ISO / HIPAA review-and-attest program without the cost and complexity of a full continuous-monitoring suite
Compliance Hub is a review-and-attest control program, not a continuous cloud-monitoring agent. If your audit hinges on real-time automated tests of cloud infrastructure, pair it with a dedicated scanner — for the access reviews, certification reviews, change documentation, evidence, and auditor handoff that most audits actually turn on, Compliance Hub keeps it all on one platform.
Getting Started
For Administrators
- Enable Compliance Hub for your business in the Apps Marketplace (it’s licensed, opt-in)
- Click “Set up your program” (dashboard prompt or Settings) — pick a framework and an owner to import starter controls and scaffold the standard reviews in one step
- Add your vendors and changes to the Register (or rely on Supplier Hub / Service Desk if you run them)
- Review the draft campaigns, assign owners, and activate them
- Tune Settings — framework library, evidence-on-attest, who-can-manage, and the AI agent
For Managers & Control Owners
- Open Compliance Hub and check your assigned review items
- Attest, flag, or mark N/A each item — attach evidence where required (flagging opens a finding to track)
- Work your assigned findings to closure and monitor the analytics dashboard for overdue campaigns and findings
For Auditors
- Receive a published export link from the compliance team
- Open it — no login required — to review the control register and evidence read-only
Best Practices
- ✅ Start with Program Setup to scaffold controls and reviews fast, then refine
- ✅ Set review frequencies up front so recurring campaigns regenerate on their own
- ✅ Require evidence on attest for any control an auditor will scrutinize
- ✅ Run the coverage matrix before committing to a second framework
- ✅ Publish exports with an expiry instead of standing up auditor accounts
- ✅ Work findings to closure — every flag becomes a finding; clear the Overdue list before audit checkpoints
- ✅ Let campaigns lock on completion; only unlock with a documented reason
Frequently Asked Questions
Q: How do I get started quickly?
A: Use Program Setup — from the dashboard’s “Set up your program” prompt (or Settings), pick a framework and an owner. It imports that framework’s starter controls and creates the three standard recurring reviews as drafts in one step. Re-running it only adds what’s missing.
Q: Do I need Supplier Hub or Service Desk for certification and change reviews?
A: No. Compliance Hub has a native vendor & change register, so those reviews work standalone. If you do run Supplier Hub / Contracts or Service Desk, the reviews pull from those automatically and deduplicate against the native register — no double entry.
Q: What happens when I flag a review item?
A: Flagging automatically opens a tracked finding — titled from the item, linked to its control — with an owner, due date, and a remediation lifecycle. It surfaces on the dashboard and in the Findings register until resolved, and its resolution is part of the auditor package.
Q: How do recurring reviews work — do I have to relaunch a campaign every quarter?
A: No. Each control carries a review frequency, and a daily background job regenerates recurring campaigns and sends due-soon and overdue reminders automatically.
Q: Can an auditor see our data without a MangoApps account?
A: Yes. Generate an audit export, then publish it to mint a token-gated, read-only URL (optionally with an expiry). You can unpublish to revoke access at any time.
Q: We’re SOC 2-certified and now need ISO 27001 — do we rebuild everything?
A: No. With your SOC 2 controls already in the register (imported with their framework provenance), open the coverage matrix for ISO 27001: the crosswalks show which Annex A controls are already covered, and you import only the genuine gaps. Mappings marked partial or related still need a judgement call before you count them as covered.
Q: What happens when a review campaign is completed?
A: Completion requires every item to be in a terminal state (attested / flagged / not applicable). The campaign then locks for audit integrity; an admin can unlock it, and the unlock is recorded.
Q: Where does the data for access, certification, and change reviews come from?
A: Compliance Hub composes with the rest of the platform rather than re-modelling it. Access reviews pull their subjects from Users; certification reviews pull from Supplier Hub / Contracts vendor certifications, or from the native vendor register when those apps are not enabled; change reviews pull from Service Desk change requests, or from the native change register.
Related Resources
- Apps & Extensions Overview — The full MangoApps app ecosystem
- Asset Pro — IT asset inventory that feeds vendor and asset context
- Contracts — Vendor certifications and obligations referenced in reviews
- Service Desk — Change requests reviewed in change-review campaigns
- Inspections & Audits — Operational/safety inspections alongside compliance controls
Compliance Hub turns the work you already do in MangoApps into a defensible audit program — set up in minutes, review on a cadence, track findings to closure, prove with evidence, and hand your auditor a package, not a screen-share.