ISO/IEC 42001
Stage-1 documentation ready in weeks.

Skip the months of blank-page drafting. Encor writes the first version of every required artifact — your policy, SoA, per-system risk register, evidence plan — shaped to your AI systems and use cases. Your team reviews, approves, and books the audit.

14-day free trial · Card on file, billed only after the trial ends

Multi-tenant w/ RLS · SSO · 2FA · GDPR DPA · 67 IDOR tests · CI-gated
Your path to certification
Stage 1 — Documentation
~5d
Produce 37 documented artifacts and answer ~129 assessment questions across 38 Annex A controls. Encor pre-drafts every artifact and SoA justification from your onboarding, so your team reviews and approves instead of writing from a blank page.
Stage 2 — Evidence
3–6mo
Run risk assessments, internal audits, training, and management reviews for 3–6 months. Encor builds a per-system evidence collection plan and tracks every record in your audit vault.
ISO/IEC 42001 Certified
Book your accredited auditor and present the package. Encor exports your full documentation set and evidence index in one click.
37
Generated artifacts
129
Auditor questions
38
Annex A controls
6 mo
Operating-effectiveness report
How it works

Three moves to audit-ready.

01
Map the gap

129 plain-English questions, scored separately for Stage 1 and Stage 2.

02
Build the SoA

Walk all 38 Annex A controls. Mark applicability. Justify exclusions.

03
Generate the docs

37 required artifacts, populated from your answers, ready to export.

Built-in AI

AI does the first pass.

Calibrated for ISO 42001. You review, edit, ship.

Draft risk register

Per AI system.

Polish documents

Auditor voice.

Implementation guides

Every Annex A control.

Stage 2 playbook

3-month evidence plan.

SoA justifications

Auditor-credible.

Honest readiness

Two stages. We handle the first. We coach the second.

Stage 1 · 5 days

Documentation

  • AI policy + scope
  • Roles + responsibilities
  • Risk + impact procedures
  • Statement of Applicability
Stage 2 · 3–6 months

Operational evidence

  • Auto-generated 6-month Operating Effectiveness Report
  • Per-system lifecycle stage tracking (A.6.2.2–A.6.2.8)
  • AI Incident Response with 6.1.4 reassessment trigger
  • Verified-effective NC closure (Clause 10.2.b)

We tell you what to collect — you can't skip the calendar.

Platform

Built to make Stage-1 documentation defensible — the kit your auditor reads first.

What we've shipped in the last quarter to take Encor from “demo-ready” to “your auditor's expecting it”.

Clause 5.2 + 7.5.2
Document approval workflow

Every artifact carries a recorded approver, role, version, and content snapshot. Auditors see signed status on every page header.

Clause 9.1 + 9.2 + 9.3 + 10.2
Stage 2 Operating Effectiveness Report

Rolling 6-month evidence summary. Audits / mgmt reviews / NCs / metric updates / risks reassessed, all per month, mapped to clauses.

Annex A.8.4 + Clause 6.1.4
AI Incident Response register

Distinct from NCs and concerns. Categorised (bias / hallucination / drift / privacy / etc.) with the 6.1.4 reassessment trigger surfaced on the dashboard.

Clause 6.1.3
Per-control rationale on risks

The Risk Treatment Plan §4 narrates *why* each Annex A control was selected for each risk — the question every Stage-2 auditor asks.

Annex A.6.2.2 – A.6.2.8
Per-system lifecycle stage

Requirements / Design / V&V / Deployment / Operation / Retirement per AI system. Drives which evidence applies.

Annex A.7.4 + A.7.5
Per-system data sources

Classification + lawful basis + retention captured at onboarding. Renders into the AI Policy and per-system Impact Records.

Belt + suspenders
Pre-export verifier

Blocks the audit-kit ZIP if any artifact ships with empty registers, unresolved placeholders, or under-50%-complete impact assessments.

Multi-tenant
Tenant isolation, CI-enforced

Postgres Row-Level Security on every table; server-side ensureUserOrg() on every API route; 67 cross-tenant IDOR tests block every commit.

Account security
SSO + 2FA

Google + Microsoft OAuth on sign-in. User-controlled TOTP MFA from /settings/security. Procurement-ready.

Ready in 25 minutes.

First pass through onboarding + assessment + SoA. Add your team, invite your auditor, export the kit.

14 days free · Card on file · No charge until trial ends · Cancel anytime