SOC 2 HIPAA NIST CSF Notion workspace

GRC US Platform

SOC 2 Type II · HIPAA Security Rule · NIST CSF 2.0 · CCPA/CPRA · NIST AI RMF 1.0

Your enterprise customer wants SOC 2. Your auditor wants HIPAA evidence. Your board wants AI governance. One workspace handles all three.

10 Databases · 5 Frameworks · SOC 2 Evidence Repo · HIPAA PHI Register

Organisation licence

$590

one-time · single organisation · internal use

All 10 databases
SOC 2 Evidence Repository + HIPAA PHI Data Register
Executive dashboard
6 report templates
Get Organisation Licence →

10 databases — built for US audit readiness

  • Compliance requirements: SOC 2 TSC, HIPAA safeguards, NIST CSF, CCPA/CPRA, NIST AI RMF - pre-mapped with gap status.
  • Controls catalogue: Controls mapped to all framework requirements. Linked to risks, evidence and audit findings.
  • Risk register: Cybersecurity and operational risks. Likelihood x impact scoring. Treatment tracking.
  • SOC 2 Evidence Repository: Evidence items tagged by TSC control, collection date, owner and status. Audit period tracked.
  • HIPAA PHI Data Register: PHI categories, processing systems, business associates, safeguards, access controls and breach history.
  • Incident register: NIST CSF IR phases. HIPAA breach notification timeline tracking. Linked to controls and evidence.
  • Vendor risk register: Third-party providers with security classification, data access scope, BAA tracking and assessment dates.
  • Audit: SOC 2 Type I/II readiness. Audit plans, findings, corrective actions, owners and deadlines.
  • AI systems register: NIST AI RMF 1.0 mapping per AI system. Risk classification, human oversight controls and governance.
  • Policy library: Security and privacy policies with version control, approval status and review calendar.

Also included: Executive dashboard · 6 report templates (SOC 2 Readiness Report, HIPAA Security Summary, Risk Register Summary, Vendor Risk Summary, AI Governance Report, Board GRC Report) · Settings & Organisation Profile · Documentation & User Guide · Seed data — MedFlow Technologies scenario

Licence details

Organisation Licence — $590

one-time · single organisation

  • All 10 databases
  • SOC 2 Evidence Repository + HIPAA PHI Data Register
  • Executive dashboard
  • 6 report templates
  • Seed data - MedFlow Technologies scenario
  • Documentation and User Guide
  • All v1.x updates
  • Unlimited internal users

Built for

  • Technology companies: pursuing SOC 2 Type II certification
  • Healthcare organisations: managing HIPAA PHI compliance
  • US companies in California: with CCPA/CPRA consumer privacy obligations
  • SOC 2 and HIPAA consultants: deploying audit-readiness workspaces for clients

Frequently asked

Does this make my organisation SOC 2 compliant?

No. SOC 2 Type II certification requires an independent audit by a licensed CPA firm. This workspace organises your controls, collects your evidence and tracks your readiness - so that when the auditor arrives, you are prepared. It accelerates readiness; it does not replace the audit.

Does this make my organisation HIPAA compliant?

No. HIPAA compliance is an ongoing operational requirement, not a certification. This workspace structures your PHI inventory, tracks your safeguards and documents your risk analysis. It does not replace legal review or constitute a HIPAA compliance certification.

Can I use this for multiple clients?

Yes, with the Consultant Licence. Duplicate the workspace for each client engagement at no additional per-client cost. The Organisation Licence is for internal use only.

Is this suitable for a pre-SOC 2 startup?

Yes. Many organisations purchase this workspace to structure their security programme before beginning the formal SOC 2 audit process. The seed data shows you what a mature SOC 2 programme looks like inside the workspace.

Where is my compliance data stored?

In your own Notion workspace. AltShift has no access to your data.

Is this legal or regulatory advice?

No. AltShift GRC US Platform is a structured operational workspace. It does not constitute legal, regulatory or compliance advice and does not guarantee certification, audit success or regulatory compliance.

Delivered as a Notion workspace - requires an active Notion account. Notion is a trademark of Notion Labs, Inc. AltShift is not affiliated with Notion Labs, Inc. SOC 2 is a service mark of the American Institute of Certified Public Accountants.