Platform Documentation

Fair TPRM & GRC Platform — Version 2.5.8

Platform Overview

Fair TPRM is a unified platform built around two integrated modules:

  • TPRM Module — Third-Party Risk Management for tracking, assessing, and scoring vendor relationships throughout their entire lifecycle.
  • GRC Module — Governance, Risk & Compliance for managing your organization’s compliance posture across multiple industry frameworks including SOC 2, ISO 27001, PCI DSS, NIST CSF, CMMC, HIPAA, CIS Controls, NIST 800-171, and the NIST AI Risk Management Framework.

Both modules share the same database, the same permission model, and the same audit log — eliminating data silos and duplicate work.

Key Concept — Unified Assessment: The GRC module uses a single set of 170+ security questions organized across 14 domains. Each question is mapped to requirements in all 9 supported compliance frameworks simultaneously, including the NIST AI Risk Management Framework. Answer once, and Fair TPRM calculates your compliance posture across every framework automatically.

User Roles & Permissions

Fair TPRM uses role-based access control (RBAC) with seven default ACL groups. Each user is assigned to one or more groups that determine which modules and actions they can access.

Group Access Level
Administrator Full access to all modules, settings, and administrative functions across the entire platform.
Cyber TPRM Full access to all TPRM module operations including vendor management, assessments, FAIR analysis, and SRS scoring.
Cyber GRC Full access to all GRC module operations including compliance assessments, controls, evidence, policies, audits, and the risk register.
GRC Contributors Limited access — can complete assigned tasks, provide evidence, and respond to assessment questions delegated to them.
Auditor Read-only access to both TPRM and GRC modules for audit and review purposes.
Procurement Access to vendor onboarding, contract management, and procurement documents within the TPRM module.
Stakeholder Access limited to vendors they own or have been assigned, including the ability to submit vendor requests.
Note: To see the GRC module in the sidebar, a user must belong to the Administrator, Cyber GRC, or Auditor group. Users outside these groups will not see GRC navigation items.

Your First Login

  1. Open your browser and navigate to your organization’s Fair TPRM URL (provided by your administrator).
  2. Enter your Username and Password on the login screen.
  3. If TOTP two-factor authentication is enabled for your account, enter the six-digit code from your authenticator app.
  4. After successful authentication you will land on the Dashboard page.
  5. In the sidebar, click GRC Module to expand its sections and begin working with compliance features.

GRC Module Overview

GRC stands for Governance, Risk & Compliance. The GRC module helps your organization:

  • Assess security maturity across 14 domains using the unified questionnaire
  • Track compliance posture against 9 industry frameworks simultaneously
  • Manage internal controls and map them to framework requirements
  • Collect and encrypt compliance evidence with expiry tracking
  • Manage policies through their full lifecycle from draft to retirement
  • Plan and execute audits with finding tracking and remediation
  • Maintain a risk register with likelihood and impact scoring
  • Run continuous monitors to demonstrate ongoing compliance
Unified Questions: The GRC assessment engine contains 170+ questions organized across 14 security domains. Each question is mapped to requirements in multiple compliance frameworks. When you answer a question, your response automatically contributes to compliance scores for every mapped framework — no duplicate questionnaires required.

Getting Started with GRC — Quick Start

Follow this five-step workflow to complete your first GRC compliance assessment:

  1. Create an Assessment — Define the scope and select the assessment type.
  2. Answer Questions — Work through the 170+ unified questions across 14 security domains.
  3. Upload Evidence — Attach supporting documents and artifacts to your responses.
  4. View Compliance Scores — Review automatically calculated compliance percentages for each framework.
  5. Generate Reports — Export framework-specific compliance reports for stakeholders and auditors.
Prerequisites: You must belong to the Administrator or Cyber GRC group to create and manage assessments. Members of the GRC Contributors group can respond to questions assigned to them but cannot create new assessments.

Step 1: Create Your First Assessment

  1. In the sidebar, expand GRC ModuleAssessment & Audit → click Assessment Questionnaire.
  2. Click the Create Assessment button.
  3. Fill in the required fields:
  • Title — A descriptive name for the assessment (e.g., “Q1 2026 Annual Compliance Assessment”).
  • Assessment Type — Choose from five options: Initial Assessment, Annual Review, Gap Analysis, Remediation Validation, or Ad-Hoc Assessment.
  • Scope — Describe what the assessment covers (e.g., “Enterprise-wide security posture”).
  • Lead Auditor — Select the user who will lead the assessment.
  • Start Date and End Date — Define the assessment period.
Example:
Title: Q1 2026 Annual Compliance Assessment
Type: Annual Review
Scope: Enterprise-wide security posture across all business units
Lead Auditor: Jane Smith
Start Date: 2026-01-15
End Date: 2026-03-31

Assessment Statuses

Status Description
Draft Assessment has been created but questions have not been started.
In Progress Questions are actively being answered by the assessment team.
Under Review All questions answered; the lead auditor is reviewing responses.
Completed Assessment has been reviewed and finalized. Scores are locked.
Archived Assessment retained for historical reference. Read-only.

Step 2: Answer Assessment Questions

The unified assessment contains 170+ questions organized across the following 14 security domains:

Code Domain Questions
GOVGovernance & Leadership12
IAMIdentity & Access Management14
DSPData Security & Privacy12
EPSEndpoint Security8
NETNetwork Security12
APSApplication Security9
OPSSecurity Operations12
INCIncident Management8
SCMSupply Chain Management7
PHYPhysical Security6
HRSHuman Resources Security8
BCPBusiness Continuity & DR11
CRYCryptography9
CMPCompliance & Audit8

Answering a Question

  1. Open the assessment and select a domain to begin answering questions.
  2. For each question, select a Maturity Rating from the four-tier scale:
  • 1 — Initial / Ad Hoc: Processes are reactive, undocumented, and inconsistently applied.
  • 2 — Developing: Processes are partially documented but not consistently followed.
  • 3 — Defined: Processes are fully documented and consistently implemented across the organization.
  • 4 — Managed / Optimized: Processes are measured, continuously improved, and aligned with industry best practices.

Conformity Status

Based on the maturity rating you select, the system determines a Conformity Status for each mapped framework requirement:

  • Conforming — The requirement is fully met (typically maturity 3 or 4).
  • Partial — The requirement is partially met (typically maturity 2).
  • Non-Conforming — The requirement is not met (typically maturity 1).
  • Not Applicable — The requirement does not apply to your organization’s scope.
How it works: The maturity rating you select drives the conformity status automatically. Higher maturity ratings produce “Conforming” statuses, while lower ratings produce “Partial” or “Non-Conforming” statuses. You can override the conformity status manually if needed.
Cross-Framework Mapping: Each question maps to requirements in multiple frameworks. When you rate a question, the conformity status is applied to every mapped requirement across all frameworks simultaneously. This means a single response can affect compliance scores for SOC 2, ISO 27001, PCI DSS, and others at the same time.

Step 3: Upload Evidence

Evidence files support your assessment responses and demonstrate compliance to auditors.

  1. While answering a question, click the Attach Evidence button next to the question.
  2. Select a file from your computer (supported formats include PDF, images, and documents).
  3. Add a Description and set the Expiry Date for the evidence.
  4. Click Upload to attach the evidence to the question.
Encryption: All uploaded evidence files are encrypted at rest using AES-256-CBC. Files are protected in transit by TLS 1.3 with post-quantum resistant cipher suites.

Evidence Library

All uploaded evidence is also accessible from the Evidence Library (sidebar → GRC Module → Evidence & Monitoring → Evidence Library). The library provides a centralized view of all evidence across the platform, with filtering by status, expiry date, and linked control or question.

Step 4: View Compliance Scores

  1. Navigate to GRC ModuleComplianceDashboard.
  2. The dashboard displays a card for each supported framework showing a donut chart with the current compliance percentage.
  3. Click any framework card to drill into its detailed compliance report.

Compliance Formula

Compliance % = (Conforming + Partial × 0.5) ÷ Applicable Requirements × 100

Requirements marked as “Not Applicable” are excluded from the denominator, ensuring your score reflects only relevant requirements.

Supported Frameworks

Framework Version Mapped Questions
NIST Cybersecurity Framework (CSF)2.0170+
ISO/IEC 270012022170+
SOC 2 Type II2017170+
PCI DSS4.0132
CMMC / NIST 800-171v2.097
CIS Controlsv895
NIST SP 800-171Rev 290
HIPAA Security Rule201361
NIST AI Risk Management Framework (AI RMF)1.048

Step 5: Generate a Framework Compliance Report

  1. From the Compliance Dashboard, click the framework card you want to report on.
  2. Click the Generate Report button at the top of the framework detail page.
  3. The report is generated and displayed in-browser. Use the Export PDF button to download a copy.

What Each Requirement Card Shows

The compliance report lists every requirement for the selected framework. Each requirement card displays:

  • Reference — The framework requirement identifier (e.g., CC6.1 for SOC 2, A.8.2 for ISO 27001).
  • Title — The requirement name or description.
  • Status Badge — Conforming, Partial, Non-Conforming, or Not Applicable.
  • Mapped Questions — Each linked unified question showing its maturity rating, conformity status, validation notes, and attached evidence.

CSF Maturity Score Dashboard

  1. In the sidebar, navigate to GRC ModuleAssessment & AuditCSF Maturity Score.
  2. Select an assessment from the dropdown to view its maturity scoring.

The CSF Maturity Score dashboard displays:

  • Overall FAIR Score — A single weighted score (1.0–4.0) representing your organization’s overall security maturity.
  • Radar Chart — A visual comparison of maturity scores across all 14 security domains.
  • Domain Score Cards — Individual maturity scores for each of the 14 domains with color-coded tier indicators.
  • Framework Compliance Bars — Horizontal bar charts showing compliance percentages for each supported framework.
  • Gap Analysis Summary — A breakdown of domains where maturity falls below your target threshold, with recommendations for improvement.

Frameworks Page

  1. Navigate to GRC ModuleComplianceFrameworks.
  2. Select a framework from the list to view its requirement tree.

The Frameworks page displays the full requirement hierarchy for each supported framework. Requirements are organized in a tree view with expandable sections, domains, and individual requirements. Each requirement shows its conformity status and linked assessment questions.

Internal Controls

Internal controls document the security measures your organization has in place. Controls can be mapped to requirements across multiple frameworks simultaneously.

  1. Navigate to GRC ModuleComplianceControls.
  2. Click Add Control to create a new control.
  3. Fill in the control details:
  • Title — A descriptive name for the control.
  • Description — What the control does and how it is implemented.
  • Type — Preventive, Detective, or Corrective.
  • Category — Technical, Administrative, or Physical.
  • Status — Not Implemented, Partially Implemented, or Fully Implemented.
  • Effectiveness — Effective, Partially Effective, or Ineffective.
  • Risk Level — Low, Medium, High, or Critical.
  • Owner — The user responsible for maintaining this control.
  • Test Frequency — How often the control is tested (e.g., Monthly, Quarterly, Annually).
  • Framework Mapping — Select which framework requirements this control satisfies.
Cross-Framework Mapping: A single control can be mapped to requirements in multiple frameworks. For example, an access review control might satisfy SOC 2 CC6.1, ISO 27001 A.9.2.5, and PCI DSS 7.1 simultaneously.

Framework Crosswalk

The crosswalk tool lets you compare coverage between any two supported frameworks to identify gaps and overlaps.

  1. Navigate to GRC ModuleComplianceCrosswalk.
  2. Select a Source Framework from the first dropdown (e.g., SOC 2).
  3. Select a Target Framework from the second dropdown (e.g., ISO 27001).
  4. The crosswalk displays a side-by-side mapping showing which source requirements map to target requirements, and highlights any gaps where the target framework has requirements not covered by the source.

Evidence Library

The Evidence Library provides a centralized view of all compliance evidence uploaded across the platform.

  1. Navigate to GRC ModuleEvidence & MonitoringEvidence Library.
  2. Click Upload Evidence to add a new evidence file.
  3. Fill in the Title, Description, Expiry Date, and optionally link the evidence to a control or assessment question.
  4. Select the file and click Upload.

Evidence Statuses

Status Description
Current Evidence is valid and within its expiry date.
Expired Evidence has passed its expiry date and needs to be renewed.
Superseded Evidence has been replaced by a newer version.
Draft Evidence has been uploaded but not yet approved or finalized.

Policy Management

The Policy Management feature lets you create, review, approve, and publish organizational policies with version tracking and periodic review scheduling.

  1. Navigate to GRC ModulePolicy ManagementPolicies.
  2. Click Create Policy to add a new policy.
  3. Fill in the policy details:
  • Title — The policy name (e.g., “Acceptable Use Policy”).
  • Category — The policy category (e.g., Information Security, Access Control, Data Privacy).
  • Review Frequency — How often the policy should be reviewed (e.g., Annually, Semi-Annually).
  • Content — The full policy text, entered in the rich text editor.

Policy Lifecycle

DraftReviewApprovedPublishedRetired

Audits & Findings

The Audits feature supports your internal and external audit processes from planning through remediation and closure.

  1. Navigate to GRC ModuleAssessment & AuditAudits.
  2. Click Create Audit to start a new audit.
  3. Define the audit scope, assign the audit lead, and set the timeline.
  4. During fieldwork, record findings using the Add Finding button. Each finding includes a title, description, severity rating, affected control, and recommended remediation.
  5. Assign remediation tasks to responsible parties and track progress through to closure.

Audit Statuses

Status Description
Planning Audit scope and resources are being defined.
Fieldwork Audit testing and evidence collection are underway.
Reporting Findings are being documented and the audit report is being drafted.
Remediation Findings have been reported and remediation tasks are in progress.
Closed All findings have been resolved and the audit is finalized.

Risk Register

The Risk Register tracks organizational risks with quantified likelihood and impact scoring.

  1. Navigate to GRC ModuleAssessment & AuditRisk Register.
  2. Click Add Risk to create a new risk entry.
  3. Fill in the risk details:
  • Title — A concise name for the risk.
  • Description — A detailed description of the risk scenario.
  • Category — The risk category (e.g., Operational, Technical, Compliance, Strategic).
  • Likelihood — Probability of occurrence on a 1–5 scale.
  • Impact — Severity of consequences on a 1–5 scale.
  • Treatment Strategy — Accept, Mitigate, Transfer, or Avoid.

The Inherent Risk Score is calculated as Likelihood × Impact (range 1–25) before controls are applied. The Residual Risk Score is recalculated after treatment controls are linked, reflecting the remaining risk after mitigation measures are in place.

Continuous Monitors

Continuous monitors run automated compliance checks on a scheduled basis to demonstrate ongoing compliance to auditors.

  1. Navigate to GRC ModuleEvidence & MonitoringContinuous Monitors.
  2. Click Create Monitor to define a new monitor.
  3. Fill in the monitor details:
  • Title — A descriptive name for the monitor.
  • Check Type — The type of check to perform (e.g., Certificate Expiry, DNS Configuration, Policy Review Due).
  • Frequency — How often the monitor runs (Hourly, Daily, Weekly, or Monthly).
  • Collector Configuration — The technical configuration for the data collection method, including target endpoints and thresholds.

Task Inbox

The Task Inbox shows all GRC tasks assigned to the currently logged-in user. Tasks are generated when assessment questions or remediation items are delegated to you.

  1. Navigate to GRC ModuleAssessment & AuditTask Inbox.
  2. Review your assigned tasks, which include the task type, due date, and priority.
  3. Click a task to open it, complete the required action (answer a question, upload evidence, or confirm remediation), and mark it as done.

GRC Dashboard

The GRC Dashboard provides a single-pane-of-glass view across your entire compliance program. It displays:

  • Framework Compliance Heatmap — Color-coded compliance scores for all 9 frameworks at a glance.
  • Control Implementation Progress — Percentage of controls that are fully implemented, partially implemented, and not implemented.
  • Evidence Freshness — Visual indicator of how many evidence items are current, approaching expiry, or expired.
  • Open Findings — Count of unresolved audit findings grouped by severity (Critical, High, Medium, Low).
  • Policy Review Status — Policies due for review, overdue, and recently reviewed.
  • Monitor Health — Pass/fail status of all continuous monitors with trend indicators.
  • Risk Register Summary — Distribution of risks by treatment strategy and current risk levels.

TPRM Module Overview

The TPRM (Third-Party Risk Management) module provides end-to-end vendor risk management. It allows you to track and assess vendors, assign risk tiers, send security assessments, perform FAIR risk quantification, monitor 4th party dependencies, and discover Shadow SaaS applications across your organization.

For detailed information about TPRM capabilities, visit the Vendor Lifecycle and FAIR Analysis pages.

Adding a New Vendor

To add a vendor, navigate to the TPRM Module in the sidebar and click Add Vendor. Complete the required fields including Vendor Name, Domain, Type, Tier, contact information, and data handling details such as PII Count and SPII Count (the number of personally identifiable and sensitive personally identifiable information records the vendor will access).

Vendor Tiers: Vendors are classified into three tiers based on risk. Tier 1 vendors are critical (highest risk, most oversight), Tier 2 vendors are significant (moderate risk), and Tier 3 vendors are low-risk (minimal data access or business impact).

Vendor Lifecycle

Every vendor follows a defined lifecycle from initial request through offboarding. The status flow is:

DraftPending ReviewIn ReviewApproved / RejectedActiveAnnual ReviewOffboarded

Each transition is logged in the audit trail, and automated notifications can be configured for status changes. See the Vendor Lifecycle page for full details.

Vendor Assessments

Security assessments can be sent directly to vendors through the platform. The vendor receives an email with a secure link to complete the questionnaire. Responses are automatically scored and integrated into the vendor’s risk profile. Assessments can be customized by tier, and follow-up assessments can be triggered based on scoring results.

Security Risk Scorecard (SRS)

The SRS provides an external security score for each vendor based on automated scanning of their public-facing infrastructure. Scoring categories include DNS configuration, SSL/TLS certificate health, email security (SPF, DKIM, DMARC), and open port exposure. Signal weights are fully configurable by administrators. See the Monitoring page for details.

FAIR Analysis

Fair TPRM implements the FAIR (Factor Analysis of Information Risk) quantitative risk model to estimate the financial impact of vendor-related security incidents. The analysis produces an Annualized Loss Expectancy (ALE) and recommended cyber insurance coverage. All multipliers and thresholds are configurable. Visit the FAIR Analysis page for a complete overview.

4th Party Risk

Fourth-party risk tracking lets you identify and monitor your vendors’ vendors — the downstream dependencies that could affect your organization. The platform maps these sub-service relationships and flags concentration risk when multiple vendors rely on the same fourth party.

Shadow SaaS Discovery

Shadow SaaS discovery identifies unapproved SaaS applications in use across your organization. The feature detects cloud services that have not been formally onboarded through the TPRM process, enabling your security team to assess risk, enforce governance, and bring shadow applications under management.

General Settings

The General Settings page (Admin → Settings → General) allows administrators to configure core platform settings including the Application Name, Company Name, and Support Email address. These values appear throughout the platform interface and in system-generated emails.

Branding & Theme

Customize the platform’s appearance from Admin → Settings → Branding. Upload your organization’s logo, set primary and accent colors, and adjust the sidebar navigation width. Branding changes take effect immediately for all users.

User Management

Manage user accounts from Admin → Users. Administrators can create new users, assign them to one or more ACL groups, enable or disable TOTP two-factor authentication, and deactivate accounts. Group membership determines which modules and actions each user can access.

  1. Navigate to AdminUsers.
  2. Click a user to edit, or click Add User to create a new account.
  3. In the ACL Groups section, check the groups this user should belong to.
  4. Click Save to apply changes.

Email Configuration

Configure outbound email from Admin → Settings → Email. Enter your SMTP server details including host, port, encryption method (TLS/SSL), username, and password. The platform uses email for vendor assessment invitations, task notifications, password resets, and audit reminders.

SAML / SSO

Fair TPRM supports SAML 2.0 single sign-on for enterprise identity providers. Configure SSO from Admin → Settings → SAML. You will need to provide the IdP Entity ID, SSO URL, SLO URL, and X.509 certificate from your identity provider. SCIM 2.0 provisioning is also supported for automated user lifecycle management.

AI Integration

Fair TPRM offers optional AI-powered features for generating executive risk summaries, suggesting control descriptions, and analyzing assessment gaps. Configure AI integration from Admin → Settings → AI. The platform supports integration with compatible AI services, and all AI features can be enabled or disabled individually.

Recommended: Self-Host OpenWebUI or LibreChat

For full control over your AI integration, we recommend self-hosting OpenWebUI or LibreChat alongside Fair TPRM. Both are free, open-source AI front-ends that run as a single Docker container and are compatible with Fair TPRM’s AI integration settings.

Why self-host AI? Your vendor risk data, FAIR analyses, and compliance assessments stay on your infrastructure. No data is sent to third-party services unless you explicitly configure an external LLM provider. You can even run fully local models via Ollama for a completely air-gapped setup.

Setup overview:

  1. Deploy OpenWebUI or LibreChat — Run the Docker image on the same server as Fair TPRM or on a separate host. Both support Docker Compose for easy deployment.
  2. Configure an LLM provider — Connect to OpenAI, Anthropic, a local Ollama instance, or any OpenAI-compatible API endpoint.
  3. Point Fair TPRM to your AI service — In Admin → Settings → AI, enter the URL of your self-hosted AI instance and your API key.
  4. Enable AI features — Toggle individual AI capabilities: executive summaries, control suggestions, and gap analysis.

Cost: $0 for self-hosted OpenWebUI or LibreChat. If using a cloud LLM provider, costs depend on your API usage (typically a few dollars per month for moderate use). Fully local models via Ollama are completely free.

Security Rating Services: Shodan API

For continuous external security scoring, Fair TPRM integrates with the Shodan API. A Shodan membership (approximately $59/month) gives Fair TPRM automated Security Rating Scores for your entire vendor portfolio — including TLS analysis, CVE detection, network security, and application hardening.

Configure the Shodan API key in Admin → Settings → SRS. Shodan is automatically provisioned for free during the hosted demo.

Total cost of ownership: Fair TPRM ($0) + self-hosted AI ($0) + Shodan API (~$59/month) = a complete TPRM & GRC platform with AI-powered analysis and continuous security monitoring for under $60/month. Compare that to commercial TPRM platforms that charge $50,000–$200,000+ per year.

Glossary

Term Definition
ACLAccess Control List — defines which permissions are granted to each user group.
AssessmentA structured evaluation of security maturity using the 170+ unified questions across 14 domains.
CIS ControlsCenter for Internet Security Controls — a set of prioritized cybersecurity best practices (v8 supported).
CMMCCybersecurity Maturity Model Certification — a US Department of Defense framework for contractor security.
Conformity StatusThe compliance state of a requirement: Conforming, Partial, Non-Conforming, or Not Applicable.
ControlA security measure implemented to mitigate risk, mapped to one or more framework requirements.
CrosswalkA mapping between two compliance frameworks showing how requirements in one correspond to requirements in another.
CSFCybersecurity Framework — refers to the NIST Cybersecurity Framework used for maturity scoring.
DomainOne of 14 security categories (e.g., GOV, IAM, DSP) that organize the unified assessment questions.
EvidenceDocuments, screenshots, or artifacts uploaded to support assessment responses and demonstrate compliance.
FAIRFactor Analysis of Information Risk — a methodology developed by the FAIR Institute for quantifying cyber risk in financial terms.
FairScoreThe overall weighted maturity score (1.0–4.0) calculated from assessment responses across all 14 domains.
FindingA gap or deficiency identified during an audit that requires remediation.
FrameworkA compliance standard (e.g., SOC 2, ISO 27001) with a defined set of requirements that the platform maps to unified questions.
GRCGovernance, Risk & Compliance — the module for managing internal compliance across multiple frameworks.
HIPAAHealth Insurance Portability and Accountability Act — US healthcare data privacy and security regulation.
ISO 27001International standard for information security management systems (2022 edition supported).
Maturity RatingA 1–4 score assigned to each assessment question: 1 (Initial), 2 (Developing), 3 (Defined), 4 (Managed/Optimized).
NIST 800-171NIST Special Publication 800-171 — security requirements for protecting Controlled Unclassified Information (CUI).
NIST AI RMFNIST AI Risk Management Framework — a framework for managing risks associated with artificial intelligence systems throughout their lifecycle.
PCI DSSPayment Card Industry Data Security Standard — requirements for organizations handling credit card data (v4.0 supported).
PIIPersonally Identifiable Information — data that can identify an individual (name, email, SSN, etc.).
RequirementA specific control objective or security measure defined by a compliance framework.
SOC 2Service Organization Control 2 — an auditing framework for service providers based on Trust Services Criteria.
SPIISensitive Personally Identifiable Information — a subset of PII that requires heightened protection (SSN, financial data, health records).
TPRMThird-Party Risk Management — the module for managing vendor risk throughout the vendor lifecycle.
Unified QuestionOne of 170+ security questions in the assessment engine, each mapped to requirements across multiple compliance frameworks.

Free & Open Source

Fair TPRM is free software for the world to download and self-host. Security teams with limited budgets can deploy full TPRM and GRC capabilities at no cost. Try the live demo or clone the repository and deploy on your own infrastructure.

Demo Download Source