Solution 01
Czech GRC platform — one view of everything your security and compliance has to handle.
Compliance isn't about having paperwork. It's about knowing where you stand at any given moment.
Observa helps you handle regulations and standards without chaos. Smart automation and AI keep security under control with everything in one clear place.
More on observa.cz ↗

Most companies today run their compliance in Excel. It works — until the first audit, the first incident, or the first time someone leaves who "had it all in their head". Spreadsheets, shared drives, email threads. Nobody knows which version is current.
Observa changes that. It connects requirements across 11 frameworks (ZKB, NIS2, ISO 27001, DORA, NIST, and more), holds the records of assets, risks, vendors, policies, and incidents, and propagates a change in one place into all of them automatically. Observa maps requirements between frameworks and includes a modern AI assistant that explains your security issues over your own data. All data stays in EU data centres.
Observa is a platform built for Czech companies, in Czech, and above all securely. Without large outlays or a big compliance department.
Start today from CZK 2 990/month, with a 7-day free trial — no card, no commitment. A security platform built by security people for security people.
AI assistant · included in Professional
A modern AI assistant right inside Observa. Instead of a 200-page PDF or asking an outside consultant, you ask in the app — in your own language and over your real data.
The AI knows your assets, risks, policies, and maturity, and answers concretely — not in generic phrases from the internet. It helps surface gaps, explain regulatory requirements, and summarise impact for leadership in seconds.
Seven modules, one database
Each module addresses a specific obligation and shares data with the others — assets, risks, policies, and mapping. No double entry, no fragmented spreadsheets scattered between teams.
Score maturity for one framework and Observa automatically proposes coverage in nine others — 950+ linked requirements.
Once you assess your maturity for one reference framework (typically ZKB or ISO 27001), Observa propagates the state to all other frameworks that share controls. Instead of dozens of separate self-assessments, you have one source of truth that flows into reports, dashboards, and filings.
Central asset registry with roles, classification (CIA), and ties to risks, vendors, and incidents.
Assets are the foundation. Without them you can't meaningfully run risk management or plan controls. Observa offers a structured registry with roles (owner, custodian, processor), classification (confidentiality, integrity, availability), and ties — who processes it, where it runs, what risks it carries.
Run a risk register following the NÚKIB methodology with custom scales and a calculation formula, tied to assets and remediation.
Every risk has clear parameters: threat, vulnerability, impact, likelihood, resulting score. Observa supports different scoring methodologies (5×5 matrix per NÚKIB, quantitative FAIR), maintains change history, and links risks to specific assets and countermeasures. When a risk crosses the acceptable threshold, it shows up automatically on the management dashboard.
Vendor register including contracts, DPAs, risk score, and continuity plans — with pre-expiry alerts.
The supply chain is under regulator scrutiny — DORA, NIS2, and ZKB all explicitly require third-party risk management. Observa keeps track of contracts, DPAs, RTO/RPO, security questionnaire results, and expirations — with an automatic alert 60 days before the end.
Run incidents from detection to closure with automatic generation of NÚKIB notifications at 24h / 72h / final stages.
Incident workflow with an event timeline, impact records, affected assets, and actions taken. Observa watches the legal notification deadlines (NÚKIB 24h, 72h, final) and generates the form in the required structure — no copying from Word under stress at 2 a.m.
Author policies right in the browser, version them, and have employees confirm acknowledgement — ZKB templates included.
A policy in a PDF on a shared drive isn't a policy — it's a forgotten document. Observa records the version, approver, validity date, and a list of which employees have acknowledged it. The auditor asks: who approved the current version of the access control policy? Three clicks to the answer.
One click generates SoA, Risk Register, Audit Package, and NÚKIB notifications — over 40 PDF templates.
Reports always generate from current data, not a static snapshot. Every PDF is signed with a SHA-256 hash for forensic traceability — you can prove at any time what the state was at a given moment.
Plan and approve changes tied to risks and incidents — including roll-back plans and a CAB calendar.
RFCs with mandatory fields (reason, impact, roll-back, approver), CAB calendar, links to risks and incidents, audit trail. Meets ITIL and the change-management requirements of § 12 of decree 410/2025.
Architecture
Multi-tenant isolation at the DB level (row-level scope)
AES-256 at rest, TLS 1.3 in transit
Audit log with hash-chain, immutable
EU hosting — no data ever leaves Europe
Integrations
Observa has an open REST API, webhooks, and bulk import/export via CSV. You connect assets, risks, vendors, and incidents to your existing systems — CMDB, ticketing, SOC, or anything with an API.
Full read and write via REST API — assets, risks, vendors, incidents, and tasks. Token authentication, documented in OpenAPI.
Events from Observa (new risk, incident, DPA expiration) get pushed to your system via webhook — wire them into Teams, Slack, or your own app.
Bulk-import assets, risks, vendors, and users from a CSV template — ideal for first deployment or migrating off Excel.
Export full reports and data as PDF (SoA, Risk Register, Audit Package) or CSV for backup or your own analysis.
Sign in with corporate identity — Azure AD, Google Workspace, or any SAML provider. Included in the Enterprise plan.
Set up alerts via email, Microsoft Teams, or directly in the app, so nothing slips through in a forgotten task.
Pricing
Three plans, transparent pricing on the web, billing monthly or yearly with a 15% discount. Seven-day free trial — no card, no commitment, no salesperson on the phone. Starting from CZK 2 990/month.
Professional
11 frameworks, AI assistant included, 40+ PDF reports including Audit Package.
Who it's for
01. You're among thousands of new in-scope entities that have to prove conformance — without an enterprise GRC budget.
02. You're preparing for certification and need a tool that holds the asset, risk, control, and evidence registers — not an Excel sheet that nobody can keep current.
03. You manage security for several clients or your whole company alone — you need one clear hub instead of ten scattered spreadsheets.
Frequently asked
No payment card, no commitment, no salesperson on the phone. After seven days the trial ends automatically — if you want to continue, you pick a plan and pay. No automatic charges. The trial covers full Professional functionality so you can really feel what the platform offers.
Yes — at any time. On an upgrade (Starter → Professional) we charge only the prorated difference for the rest of the period. On a downgrade the change applies from the next billing cycle. Annual billing has a 15% discount.
All data is stored in the EU (data centres in CZ and EU). Observa is consciously built for the European market — no transfer outside the EU, full GDPR compliance, DPA available. The AI assistant also runs in an EU data centre with a zero-retention policy (your data isn't stored or used for training).
Both. If you have internal GRC capacity and want to deploy yourselves, Observa works out of the box with prebuilt templates. If you need help with methodology, populating the registers, and connecting the controls, we have an implementation package (often combined with the vCISO service from CypherOn).
Yes, always. Customer lock-in is bad product design in our view. All data can be exported at any time in standard formats (CSV, JSON, PDF reports) via UI or API.
SSO (Azure AD / Google Workspace / SAML), custom compliance frameworks, SIEM export (Splunk, Sentinel), a dedicated Customer Success Manager, and priority support SLA. For larger organisations with their own security requirements.
Let's start
Start the trial without commitment, or book a 30-minute demo where we walk you through the platform on your own use cases.