
probo
Open source solutions for SOC2, GDPR, and ISO27001
The Lens
probo is open source compliance automation for startups, the kind of tool that gets you through a SOC 2, GDPR, or ISO 27001 audit without paying for an expensive platform. It tracks the controls, evidence, and policies those frameworks demand, with HIPAA and newer ISO standards on the list too. Built in Go with a React frontend, MIT licensed, and free to self-host. This is the open alternative to Vanta, Drata, and Secureframe.
Self-hosting is real work. It runs via Docker, but the stack is substantial: a Go backend, Postgres, a React frontend, and a full observability layer with Grafana, Prometheus, Loki, and Tempo. Standing it up takes Docker, Node 22, and some patience. This is moderate-to-significant ops burden, not a weekend project, though it is far cheaper than the contracts the commercial GRC platforms charge.
Solo founders and small startups facing their first SOC 2 will save real money here, since the commercial tools start in the five figures a year. Small teams with someone technical to run it get most of the value. Larger or less technical orgs that need hand-holding, auditor integrations, and support may still want a paid platform. There is no paid tier from probo; the trade is your time and infrastructure in place of a commercial platform's subscription fee.
The catch is that compliance software is only half the job. probo organizes evidence and controls, but it will not talk to your auditor for you, and the commercial platforms' real value is often the audit relationships and integrations they bring. Self-hosting saves money; it does not save you from the audit itself.
Free vs Self-Hosted vs Paid
Free tier (fully free): Everything. MIT licensed, the full compliance platform with no feature gates and no paid edition.
Self-hosted: The only way it runs. Docker-based, but the stack is substantial: Go backend, Postgres, a React frontend, and a full observability layer (Grafana, Prometheus, Loki, Tempo). Budget real setup time and someone technical to keep it running.
Paid: Nothing from probo. The money you save is the commercial GRC subscription you are avoiding, where Vanta, Drata, and Secureframe typically start in the five figures per year.
Free and open source under MIT, with no paid tier. You trade infrastructure and setup time for the five-figure annual fees Vanta, Drata, and Secureframe charge.
License: MIT License
Use freely, including commercially; just keep the copyright and license notice.
Commercial use: ✓ Yes
About
- Owner: Probo (Organization)
- Stars: 1,095
- Forks: 164