Frequently Asked Questions

Getting Started

How do I get access to ConcertoGRC?

Access is provisioned by your organization's administrator. Contact your admin to have an account created with the appropriate role. If your organization is new to ConcertoGRC, contact sales@concertocompliance.com.

What browsers are supported?

ConcertoGRC supports the latest versions of Chrome, Firefox, Safari, and Edge. We recommend Chrome or Firefox for the best experience.

Can I use ConcertoGRC on mobile?

The platform is accessible on mobile browsers but is optimized for desktop use. Some features like infrastructure diagrams and complex table views work best on larger screens.

How do I reset my password?

Click "Forgot Password" on the login page at app.concertogrc.com. You will receive a reset link at your registered email address. If you use SSO, password resets are managed by your identity provider.


Compliance & Frameworks

Which compliance frameworks does ConcertoGRC support?

SOC 2, ISO 27001, ISO 42001, PCI DSS, HIPAA, and custom frameworks. The Master Framework Library includes pre-built control sets with cross-framework mappings. New frameworks can be added by the Concerto team.

Can I manage multiple frameworks simultaneously?

Yes. Controls can be mapped across frameworks so that a single control implementation satisfies requirements in multiple standards. The Compliance Library shows cross-framework mappings for each control.

What happens when a framework is updated?

The Concerto team updates the Master Framework Library with new or revised controls. Updated controls can be deployed to tenant environments. Existing tenant customizations are preserved -- updates do not overwrite local changes.

How does evidence expiration work?

Each evidence request has a validity period (30 days, 90 days, 6 months, 1 year, or indefinite). When you upload evidence, the expiration clock resets. As evidence approaches expiration, the platform generates tasks to remind owners to collect fresh evidence.


Security & Privacy

Where is my data stored?

All data is stored in AWS infrastructure in the US (us-east-1 region). Database records are in Amazon RDS (PostgreSQL), files in Amazon S3, and secrets in AWS Secrets Manager. See Platform Security for architecture details.

Is my data encrypted?

Yes. Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 across all services (database, file storage, backups).

How is tenant isolation enforced?

Every database query is scoped to your organization's tenant ID. No API endpoint can return data across tenant boundaries. File storage, background jobs, and AI processing are all tenant-scoped. See Shared Responsibility for details.
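The scoping rule described above (tenant ID taken from the authenticated session and bound into every query, never from the request) can be illustrated with a small repository layer. This is an added example, not ConcertoGRC's own code; the table name, the Session class, the get_evidence handler and the sample rows are all assumptions constructed for the demonstration.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str  # taken from the authenticated identity, never from the request body


ALLOWED_TABLES = {"evidence"}  # assumption: fixed allowlist of tenant-owned tables


class TenantScopedDB:
    """Every SELECT issued through this object carries tenant_id = <session tenant>."""

    def __init__(self, conn, session):
        self._conn = conn
        self._tenant_id = session.tenant_id

    def select(self, table, columns="*", where=None, params=()):
        if table not in ALLOWED_TABLES:
            raise ValueError(f"table is not tenant-scoped: {table}")
        # Caller filters are AND-ed with the mandatory tenant predicate; the tenant
        # value is bound as a parameter, so a caller cannot widen or override it.
        clause = f"({where}) AND tenant_id = ?" if where else "tenant_id = ?"
        sql = f"SELECT {columns} FROM {table} WHERE {clause}"
        return self._conn.execute(sql, (*params, self._tenant_id)).fetchall()


def open_sample_db():
    """Constructed sample data: evidence rows belonging to two different tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE evidence (id TEXT PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO evidence VALUES (?, ?, ?)", [
        ("ev-1", "tenant-a", "Access review Q1"),
        ("ev-2", "tenant-b", "Backup restore test"),
    ])
    return conn


def get_evidence(conn, session, request_params):
    """Hypothetical API handler: the record id comes from the request, the tenant from the session.
    A record owned by another tenant is indistinguishable from a missing one (404 either way)."""
    db = TenantScopedDB(conn, session)
    rows = db.select("evidence", "id, title", "id = ?", (request_params.get("id", ""),))
    if not rows:
        return {"status": 404}
    return {"status": 200, "id": rows[0][0], "title": rows[0][1]}


def list_evidence(conn, session):
    return [row[0] for row in TenantScopedDB(conn, session).select("evidence", "id")]
```

Note that a `tenant_id` supplied in the request parameters is simply never read, so passing another tenant's ID alongside its record ID still yields a 404.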

Does ConcertoGRC have a SOC 2 report?

ConcertoGRC is pursuing SOC 2 Type II certification. Contact trust@concertocompliance.com for current compliance documentation, or visit our Trust Center.

How do I report a security vulnerability?

Email security@concertocompliance.com with details. We follow a responsible disclosure process and aim to acknowledge reports within 2 business days. See Platform Security for our full disclosure policy.


AI Features

Does AI have access to other organizations' data?

No. All AI prompts are scoped to your organization's data only. No cross-tenant data is ever included in AI context. AI processing occurs via Amazon Bedrock, which does not retain input or output data.

Is my data used to train AI models?

No. ConcertoGRC uses Amazon Bedrock, which does not use customer data for model training. Your data is processed for the specific request only and is not retained by the model provider.

Can I disable AI features?

Yes. AI can be disabled globally for your organization in Settings → AI, or individual features can be toggled on/off. When AI is disabled, all AI-powered buttons and suggestions are hidden from the interface.

How do I know which content was AI-generated?

All AI-generated content is marked with the ConcertoGRC AI icon. Generated content is always presented as a suggestion for review -- nothing is auto-applied without human action.

What AI models does ConcertoGRC use?

Claude Sonnet 4.5 for complex analysis and generation, Claude Haiku 4.5 for lightweight tasks and suggestions, and Amazon Titan Embeddings V2 for similarity search. See AI Features for the full model list.


Integrations

Which identity providers are supported?

Microsoft Entra ID (Azure AD) and Google Workspace. Both support automatic user and group sync, MFA detection, and evidence report generation.

Can I connect multiple AWS accounts?

Yes. The AWS integration supports multiple account connections. Each connection syncs GuardDuty findings and IAM configuration to Vulnerability Management.

What MDM providers are supported?

SimpleMDM, Microsoft Intune, and Jamf Pro. All three sync device inventory with encryption, firewall, and passcode compliance tracking.

How often do integrations sync?

Identity providers (Microsoft 365, Google Workspace) sync every 24 hours. AWS integrations sync every 6 hours. Sync frequency is managed by the platform and not currently configurable per tenant.


Data Management

Can I export my data?

Yes. Most list views include CSV export. The Settings → Import/Export tab provides bulk export options. Upon account termination, a 90-day data export window is provided.

How do I request data deletion?

See our Privacy Policy for deletion procedures. Organization administrators can request full account deletion by contacting privacy@concertocompliance.com.

How long are audit logs retained?

Application audit logs are retained for the lifetime of the tenant. Authentication audit logs are retained for 365 days by default (configurable). AI interaction logs are retained for the lifetime of the tenant.


Support

How do I contact support?

Submit a support ticket from within the platform (Support Tickets in the sidebar) or email support@concertocompliance.com. Support is available Monday through Friday, 9 AM to 6 PM US Eastern.

What is the expected response time?

Critical issues (platform unavailable): 1 hour. High (major feature down): 4 hours. Medium (feature degraded): 1 business day. Low (minor/cosmetic): 3 business days. See Service Level Commitments for details.

Is there a status page?

During incidents, we communicate via email to affected organization administrators and in-app banners. For enterprise agreements with formal SLAs, contact sales@concertocompliance.com.