# Norrsent

> Enterprise GRC platform that runs risk, compliance, and governance on one data model. Built so audit prep stops being a multi-week project. Built in the Nordics, hosted on AWS in EU regions only.

Norrsent is a governance, risk, and compliance (GRC) platform organised as modules sharing one data model and one cryptographically signed audit trail. The platform is ISO 31000 aligned, ISO 27001 + SOC 2 Type II aligned, GDPR + Schrems II compliant, and hosted on AWS infrastructure that holds SOC 2, SOC 3, and ISO 27001 certifications.

EU customer data is stored and processed only in the EU: Frankfurt (eu-central-1) primary, Dublin (eu-west-1) for disaster recovery.

Rights to training-crawler use of this site are reserved under EU Copyright Directive 2019/790 Article 4. See /.well-known/tdmrep.json. Citation crawlers (live answer engines that surface this site in response to user queries) are allowed.

## Modules

- [Risk Management](https://norrsent.com/products/erm): The ISO 31000 lifecycle in one register. Identification, scoring, mitigation, controls, with a signed audit trail.
- [Threat Management](https://norrsent.com/products/threat-management): A canonical library of 3,000+ threats across 20+ industrial sectors, 100+ sub-sectors, and 145+ countries. Linked once to your risks, then maintained centrally.
- [Controls Management](https://norrsent.com/products/controls): A reusable control library applied to risks, obligations, and policies. Test scheduling and evidence capture sit on the control record.
- [Incident Reporting](https://norrsent.com/products/incident-reporting): Structured incident capture from any device, severity-routed escalation, corrective workflows that close, and direct linkage to the risk register.
- [CSRD](https://norrsent.com/products/csrd): Sustainability reporting for the 2026 reporting cycle and beyond. Double materiality assessment, ESRS data lineage from source to disclosure, evidence packs the assurance provider can read directly. Supports ESRS topical standards E1 through E5, S1 through S4, and G1, plus cross-cutting ESRS 1 and ESRS 2.
- [Policy Management](https://norrsent.com/products/policy-management): Policies as platform objects with version control, targeted distribution, attestation tracking, and direct links to the controls each policy governs.
- [Third-party Risk](https://norrsent.com/products/third-party-risk): Vendor due diligence, tiered monitoring, and risk profiles linked to the contracts that scope each relationship.
- [Audit Management](https://norrsent.com/products/audit): Internal audit cycles run from the same platform data. Findings, management responses, and remediation. Regulator-ready exports mapped to ISO 31000, SOC 2, GDPR, FDA, or other frameworks on demand.

## Responsible AI

- [Norrsent Copilot](https://norrsent.com/products/copilot): AI that drafts proposals for human review. Copilot does not write to the register, sign disclosures, finalise external audit responses, accept risks, or make GDPR Article 22 automated decisions. Human approval is required on every output before it enters the register or leaves the organisation.

## Pricing and platform

- [Pricing](https://norrsent.com/pricing): Configurator-driven. Output is a tailored proposal after a scoping call rather than a fixed-tier price list. Includes a 3-month free trial.
- [Platform Security](https://norrsent.com/security): Architecture, encryption (AES-256 at rest, TLS 1.3 in transit), zero-trust between services, multi-AZ disaster recovery, ISO 27001 + SOC 2 Type II alignment, AWS subprocessor attestations, and EU data residency. Includes a request form for the full security pack.

## Company

- [About / Contact](https://norrsent.com/contact): Talk to the Norrsent team. Buyers typically include risk managers, compliance officers, internal audit teams, and executives in energy, construction, manufacturing, and healthcare.
- [Careers](https://norrsent.com/careers): Open roles.
- [Privacy Policy](https://norrsent.com/privacy): Data processing terms, including AI subprocessor disclosure.
- [Terms of Service](https://norrsent.com/terms): Website and platform terms. Includes the GRC sub-processor list and AI Article 22 statement.

## Key facts (canonical)

- Headquartered in Denmark
- Platform modules: 9 (Risk Management, Threat Management, Controls Management, Incident Reporting, CSRD, Policy Management, Third-party Risk, Audit Management, Norrsent Copilot)
- Threat library: 3,000+ canonical threats
- Risk taxonomy: 25,000+ canonical risks across 20+ industrial sectors, 100+ sub-sectors, 145+ countries
- Hosting: AWS, EU regions only (Frankfurt + Dublin)
- Compliance posture: ISO 27001 + SOC 2 Type II aligned, GDPR + Schrems II compliant
- Uptime SLA: 99.99%
- Free trial: 3 months
- Deployment options: Cloud (Norrsent-managed) or on-premise (customer infrastructure)
