
GRC-as-a-Service
The compliance function you don't have to hire.
Compliance work doesn't fit neatly into a quarter. It accumulates between audits: a new vendor to assess, a customer questionnaire with a Friday deadline, a policy refresh that fell off the calendar, a GRC tool that hasn't been touched since onboarding. GRC-as-a-Service is built for that accumulation: a recurring advisory service that runs your compliance program continuously, so your team doesn't have to.
Policies drafted and maintained. Vendors assessed. GRC tools configured and kept current. Customer security questionnaires answered on time. Quarterly compliance reviews with written summaries. Continuous monitoring between reviews so nothing surprises you at your next audit.
What Every Tier Includes
Six services, with the same definitions across all tiers. The tier determines volume capacity, not the feature set.
Policy drafting and maintenance
Vigil drafts your security, privacy, and operational policies from scratch or reviews and updates your existing ones. Policies are maintained on a rolling basis as your company evolves. Any policy requiring legal review is flagged for your counsel; Vigil does not provide legal advice.
Vendor risk assessments
Every vendor in your stack reviewed against a standardized risk framework and documented in your vendor registry. New vendors assessed before they get production access. Vendor reassessments conducted annually or when the vendor's risk profile materially changes.
GRC tool management
Vigil configures and maintains your Vanta, Drata, Secureframe, or ComplyJet instance so it stays audit-ready. Includes control mapping, evidence collection workflow setup, integration with your cloud and HR systems, and ongoing maintenance of the tool as your environment changes. If you use a different GRC tool, scoping is confirmed during onboarding.
Security questionnaire support
Enterprise customers asking for SIG Lite, SIG Core, CAIQ, or custom questionnaires. Vigil drafts the responses; your team reviews and approves before they go back to the customer. Questionnaire responses are saved in a response library so repeat questions are answered faster over time.
Quarterly compliance reviews
Every 90 days, Vigil meets with your team to review the state of the program, identify control gaps, realign scope to your current business, and produce a written quarterly summary documenting what was reviewed and what needs attention.
Continuous monitoring
Ongoing oversight of your control environment between quarterly reviews. You hear from Vigil proactively when something needs attention: a control operating inconsistently, a vendor risk change, an upcoming policy renewal. No surprise findings at your next audit.
Tier Scope and Capacity
| Service | Starter | Growth (most common) | Scale |
|---|---|---|---|
| Policies drafted or reviewed | Up to 15 | Up to 25 | Up to 50 |
| Policy maintenance cadence | Annual refresh + ad hoc | Annual + mid-year refresh | Quarterly refresh cycle |
| Vendors tracked / new per year | Up to 20 / 10 | Up to 50 / 25 | Up to 100 / unlimited |
| GRC tool instances managed | 1 tool | 1 tool | Up to 3 tools |
| Security questionnaires per year | Up to 12 | Up to 18 | Up to 36 |
| Questionnaire turnaround | 5 business days | 3 business days | 2 business days |
| Compliance reviews | Quarterly, 60 min | Quarterly, 90 min + monthly, 30 min | Monthly, 60 min + quarterly deep dive |
| Dedicated Slack channel | Included | Included | Included |
| Response SLA (ad hoc) | 3 business days | 2 business days | 1 business day |
| Customer security call support | Not included | Up to 4 per year | Up to 12 per year |
| Policy addendum rate | $300/policy | $300/policy | $300/policy |
| Additional vendor assessment | $150/vendor | $150/vendor | $150/vendor |
| Additional questionnaire | $500 each | $500 each | $500 each |
PRICING
Starter
For small teams beginning to formalize compliance, usually before the first enterprise customer asks for SOC 2. Fewer than 15 employees, fewer than 20 vendors, and a single GRC tool (or none yet).
Growth
Common for YC-backed seed to Series A startups with 15–50 employees, 1–5 enterprise customers, 20–50 vendors, and active security questionnaire flow.
Scale
For companies with 50+ employees, 5+ enterprise customers, complex procurement, multi-tool GRC environments, and multi-framework compliance needs (SOC 2 + ISO + HIPAA).
Disclaimer: Published prices reflect standard tier scope. Final pricing is confirmed during the scoping call based on actual scope, framework set, and tooling environment.
Onboarding timeline
Phase 1: Scoping (week 1)
A 60-minute session to map current state, target frameworks, priority enterprise customers, and tools, followed by an onboarding questionnaire.
Phase 2: Foundation (weeks 2 to 4)
Policies drafted or reviewed. GRC tool configured or onboarded. Vendor registry built. Evidence collection workflows set up.
Phase 3: Program operational (weeks 4 to 6)
Controls operationalized, team trained on what to own versus what Vigil handles, first quarterly review calendar set.
Phase 4: Steady state (ongoing)
Monthly or quarterly touchpoints, proactive gap updates, renewal reminders, and same-day support for customer questionnaires.
Disclaimer: The above timeline is a general guideline. The actual timeline may vary based on the complexity of your organization and the scope of the audit. We will work closely with you to establish a timeline that meets your specific needs and requirements.
WHAT'S OUT OF SCOPE
Services explicitly not included in GRC-as-a-Service, available separately or through partner referrals.
Attestation services
Vigil Assurance, PLLC does not provide SOC 1 or SOC 2 audits for GRC-as-a-Service clients. Independence rules require separation between the firm that manages a compliance program and the firm that audits it. Vigil refers attest work to trusted partner audit firms.
Penetration testing and security tooling
Vigil advises on the need for these services and reviews their output, but does not perform them. Partner referrals available.
vCISO and security strategy work
Security posture, threat modeling, incident response planning, and security architecture decisions sit with a vCISO or internal security lead. Vigil partners with several vCISOs and can make introductions.
Legal contract review
Data processing agreements, vendor MSAs, and customer terms of service are reviewed by Client's legal counsel, not Vigil. Vigil will flag compliance implications.
Incident response coordination
If Client experiences a security incident, Vigil supports by updating documentation and liaising with auditors or customers, but does not lead the incident response itself.
Regulatory representation
Vigil does not represent Client before regulators, respond to subpoenas on Client's behalf, or provide expert testimony.
HOW ENGAGEMENT WORKS
To preserve audit independence under AICPA professional standards, Vigil Assurance, PLLC does not provide attestation services (SOC 1, SOC 2) to GRC-as-a-Service clients. This separation is deliberate. It means the eventual audit report is conducted by an independent firm, which is what sophisticated enterprise buyers expect to see. When you're ready for an audit, Vigil refers you to partner audit firms from a curated network. This clause is documented in the GRC-as-a-Service engagement letter.
Working Together
A 30-minute scoping call is the right place to start.
If we're a good fit, we'll send a proposal within 48 hours.
If we're not, we'll tell you who is.
Get in touch now
Tell us what your customers are asking for and where you are now. We will tell you what you actually need, and what you don't.