Onboarding

This guide covers what happens after you sign up at app.matproof.com: the setup wizard you go through, what the dashboard looks like at the end of it, and the recommended first week of work to get your first compliance score moving.

What happens at signup

When you sign up, your organization is created with full Professional access for a 14-day trial, with no credit card required up front. A banner in the app counts the days remaining. Four actions are gated until a card is on file or you upgrade: exporting compliance reports as PDF, running a penetration test scan, inviting team members, and connecting integrations. Everything else — frameworks, policies, controls, evidence, vendor management, AI policy editor, custom frameworks — works immediately. After the trial:
  • If a card is on file → you continue on Professional
  • If no card → access is paused (no data lost; you can upgrade and resume any time)
See Plans & Pricing for what each tier includes.

The setup wizard

Right after signup, the app routes you to /setup and walks you through a guided wizard. The wizard’s job is to learn enough about your organization to (a) preselect the right controls per framework, (b) generate policies in the right tone and language, and (c) preconfigure your risk register with categories that make sense for your shape of business. The wizard has roughly 18 steps, but they fall into four logical groups. Plan for 20–30 minutes end-to-end; you can save and resume at any point.

Group 1: Organization basics

  • Organization name — what appears on generated reports and notifications
  • Website — used for AI-aided industry classification and to seed the trust portal
  • Description — a few sentences about what your organization does (informs AI-generated policy tone)
  • Industry — drives risk-category presets and framework recommendations
  • Team size — informs control proportionality (small org = lighter formality)
  • Geographic scope — countries you operate in or sell to (drives jurisdictional add-ons like NIS2 transposition)
  • Work location pattern — remote / hybrid / on-site (changes which device and access controls are relevant)

Group 2: Compliance scope

  • Frameworks — pick one or more from the 16 built-in frameworks (DORA, NIS2, GDPR, ISO 27001, SOC 2, EU AI Act, etc.). You can also create Custom Frameworks later for national transpositions or industry standards.
  • Infrastructure — where you host (AWS, Azure, GCP, on-prem, hybrid). Drives cloud-evidence integration recommendations.
  • Software stack — what tools you use (productivity suite, IdP, source control, ticketing). Drives integration recommendations.
  • Authentication — how your team logs into systems (SSO yes/no, MFA enforcement). Pre-fills relevant access controls.
  • Devices — what kinds of devices people use (corporate Macs, BYOD, mobile). Drives device-agent relevance and BYOD policy generation.
  • Data types — what categories of data you process (personal data, payment cards, health data, AI training data, etc.). Drives GDPR/PCI/HIPAA/AI Act applicability.
  • Shipping — whether you ship physical products. Affects supply-chain controls (CSRD, supply-chain due diligence).

Group 3: People & accountability

  • C-suite roster — who holds CISO / CTO / DPO / CCO / CEO accountabilities (used to prefill “responsible person” fields throughout the program)
  • Report signatory — who signs off on audit-ready reports

Group 4: Policy preferences

  • Policy language — which language to generate baseline policies in (German, English, French, Spanish, Italian, Dutch). You can also opt in to “also generate English” so you have parallel EN versions for international audits.
  • Legal acknowledgment — confirm you accept the Terms of Service and DPA
When the wizard finishes, Matproof seeds your organization with: control library mapped to your framework selection, AI-drafted policies in your chosen language, a preconfigured risk register, and a vendor register skeleton. You land on the Frameworks dashboard at /[orgId]/frameworks.

Your first week — day by day

The wizard gets you to a populated workspace. The first week of actual work turns that into a moving compliance score.

1. Day 1 — Review what was generated

From the Frameworks dashboard, click into your primary framework. Skim the controls list and the AI-generated policy library. Reject anything that doesn’t fit; edit anything that’s close but not right. Don’t try to perfect everything — just calibrate the AI’s tone for your organization on 2–3 policies.
Where to be: /[orgId]/frameworks → click your framework → review the Controls and Policies tabs.

2. Day 1–2 — Invite your team and assign control owners

Compliance work fails without ownership. Go to People and invite each person who will own at least one control (inviting team members is one of the actions gated until a payment card is on file; see What happens at signup). Pick from the five built-in roles:
  • Owner — everything including billing
  • Admin — manages frameworks, evidence, vendors, team (no billing)
  • Auditor — read-only; perfect for external auditors
  • Employee — submits evidence and completes assigned tasks
  • Contractor — same as Employee, flagged separately for audit reporting
See Roles & Permissions for the full breakdown and how to define custom roles.
Then go back into your framework and assign each control to a specific owner. Controls without owners do not get evidence and do not move the score.
Where to be: /[orgId]/people to invite, then /[orgId]/frameworks/[id]/controls to assign.

3. Day 2–3 — Connect your highest-impact integration

One well-chosen integration replaces dozens of manual evidence uploads. Start with the integration that covers the most controls in your framework selection:
If you primarily run on…                      Connect first
Cloud (AWS / Azure / GCP)                     The relevant cloud connector
Google Workspace or Microsoft 365             Your IdP integration
GitHub / GitLab for the engineering org       Your source-control integration

Where to be: /[orgId]/integrations → pick one → follow the OAuth flow. Connecting integrations is gated until a payment card is on file (see What happens at signup), and the consent screen lists the permissions the connector requests; review them before you approve.
After connection, Matproof scans the connected system, populates evidence on the controls it covers, and surfaces any gaps as findings.

4. Day 3–4 — Publish your top policies

Go through the auto-generated policy library and publish the 5–10 highest-priority policies (information security, access control, incident response, BCP, vendor management). For each:
  1. Read it, edit anything wrong, save.
  2. Set a review date (typically annual).
  3. Assign a policy owner.
  4. Click Publish — published policies become available for team acknowledgement and for control evidence.
Where to be: /[orgId]/policies → open each → edit → publish.

5. Day 4–5 — Run your first risk assessment

With frameworks selected and policies in place, walk through the risk register:
  1. Open the Risks section from the sidebar (typically /[orgId]/risks).
  2. Work through the preseeded risk categories — Matproof has scoped them to your industry and data types.
  3. For each risk, score likelihood and impact, set treatment (accept / mitigate / transfer / avoid), assign an owner.
  4. Link risks to the controls that mitigate them — this closes the loop between policies, controls, and risk.
Where to be: Risks section in the sidebar.

6. Day 5+ — Start collecting manual evidence on the gaps

After steps 1–5 you’ll have a real compliance score with visible gaps. Go to Findings to see them in one list, sort by severity, assign owners, and close them out one at a time. Many gaps are closed with a single document upload (existing security training, BCP test results, prior pen-test reports).
Where to be: /[orgId]/findings → filter by status: open → close from highest severity down.

After the first week

By the end of week one, a typical first-time customer has:
  • Setup wizard complete, baseline policies generated
  • 5–10 policies published with owners and review dates
  • 1–2 integrations connected, automated evidence flowing for ~30–50% of controls
  • Team invited and at least one control owner assigned per high-priority control
  • Risk register reviewed, top 10 risks scored
  • First batch of findings triaged
The compliance score on the framework dashboard typically moves from 0% to 40–60% in the first week, with the rest closed over the following 4–6 weeks of evidence collection. If you remember nothing else from this guide:
1. Frameworks   → know what you're solving for
2. Policies     → establish baseline documentation
3. People       → assign ownership to controls
4. Integrations → automate the boring evidence
5. Risks        → identify what you're protecting against
6. Evidence     → close the remaining gaps manually
7. Findings     → ongoing — triage and remediate
Skipping ahead — for example, uploading evidence before assigning control owners — works but creates orphan evidence that nobody maintains. Follow the order above for the cleanest setup.

What’s next

Compliance Frameworks

Understand how controls map across frameworks

Policy Management

Customize and publish your generated policy library

Custom Frameworks

Build your own frameworks for transpositions or industry standards

Findings

Track and close gaps across every framework