Building at Antler

Your audit is in 3 weeks. Nobody's touched the docs.

An AI agent that does the GRC manager's work. ISO 27001, SOC 2, ISO 42001, NIS2, and whatever else your auditor checks. Always current.

Slack
GitHub
AWS
Vendors
Policies
Risk Register
Evidence
SoA
Teddy
Agent
Compliance drifts the day after you certify.

Without Teddy, compliance is a year-long grind: drift between audits, panic two weeks before. With Teddy, you stay flat year-round.

[Chart: audit readiness, 0% to 100%, Jan to Jan, with two audits marked. Annotations: Questionnaire filled, Gap caught, Access reviewed.]
Questionnaire filled
A customer asked for your latest security questionnaire. Teddy filled it in from your policies and sent it back in 11 minutes.
Gap caught
Your policies say all data is encrypted. Teddy found one file storage that wasn't, fixed it, and updated the docs to match.
Access reviewed
Quarterly access review came due. Teddy Slacked the 4 admins, got everyone to confirm in under 2 hours, logged the whole thing.
← Teddy keeps you above the line, year-round →
Legend: Without Teddy · With Teddy · Auditor's bar (80%)
Three layers. One audit-ready picture.

Teddy reads your Trust Center, cross-checks your internal docs, and watches your live systems. The findings that matter live in the gaps between.

// Trust Center
6 findings
A.8.24 High
Cryptography policy claims AES-256-GCM but no key-rotation schedule is documented.
ISO 27001 SOC 2 ISO 42001
A.5.23 Med
Cloud-security policy missing references to a major SaaS vendor in scope.
ISO 27001 SOC 2 NIS2
Surface-level policy gaps
// SoR Documents
+2 contradictions
RISK-04 Med
Risk register lists 12 systems in scope, but asset inventory shows 15.
ISO 27001 ISO 42001
VEND-08 Med
Vendor risk doc notes one S3 bucket exempt from encryption-at-rest.
ISO 27001 SOC 2 DORA
Hidden cross-doc contradictions
// Live Systems
+1 drift
AWS-CT High
CloudTrail confirms default S3 bucket encryption is disabled on the exempted bucket.
ISO 27001 SOC 2 TISAX
Real drift in production
// Causal chain
Trust Center
Says everything is encrypted
SoR
Admits one bucket is exempt
Live
Confirms the exempt bucket is in production
Fix
Encrypt the bucket. Retire the exemption.
Your GRC manager that never logs off.

The 3 to 5 hours a week your team loses to screenshotting AWS, Slacking "sign this" at midnight, and hunting last quarter's access reviews. Teddy handles it across Slack, email, and your evidence log.

Slack
2 threads
#grc-teddy · Teddy reaches out
Teddy 9:14
Hey Alice, access review for prod IAM is due. Are the 4 admins still valid?
Alice 9:16
Yes, all four ✓ — logged.
DM · @maya · customer asks Teddy
Maya 10:42
A customer asks how we encrypt their data. Quick answer for the reply?
Teddy 10:42
AES-256-GCM at rest, TLS 1.3 in transit. Quarterly key rotation via AWS KMS, hosted in eu-central-1. Full detail: trust.yourco.com/encryption
Email
Sent · 9:17
// Evidence log
Notion · today
09:30 A.5.18 access review
10:06 A.8.29 pen-test
10:55 VEND-12 DPA
11:14 A.5.30 vendor risk
11:42 A.8.24 encryption
12:00 + 19 more today
Also works with
Use Teddy with your current stack. Or instead of it.

Already paying Drata or Vanta? Teddy plugs in alongside and cuts the manual hours. Starting fresh? One agent covers ISO 27001, SOC 2, ISO 42001, NIS2, and the rest.

// Layer on top
Keep your stack. Add Teddy.
  • Cuts 3–5 hours/week of evidence-collection per engineer
  • Catches drift between Drata/Vanta's reports
  • Cross-checks your SoR docs and live systems
  • Your team stops screenshotting
// Or replace it
Skip the seat-license bill.
  • One agent covers every framework
  • ISO 27001 · SOC 2 · ISO 42001 · NIS2 · more
  • No per-employee seats
  • No consultant retainer for the routine work
Questions teams ask before they pilot Teddy.
ISO 27001, SOC 2 (Type I and Type II), ISO 42001 for AI management systems, NIS2, TISAX, and DORA at launch. Teddy works at the control layer, so adding new frameworks is incremental, not a full re-build. If you need a framework that isn't on the list yet, tell us in your intro call.
Drata and Vanta are dashboards that track whether your controls exist. Teddy is an AI agent that does the work the dashboard expects of you: collecting evidence, drafting policies, reviewing access, chasing approvals in Slack. Many teams keep Drata for auditor-facing reporting and layer Teddy on top to eliminate the manual grind.
No. Pre-cert: point Teddy at your stack and it generates the policy library, runs a gap audit against the standard, and tells you what to fix before the auditor walks in. Post-cert: Teddy keeps your evidence current year-round so the next surveillance audit becomes a non-event.
Two paths. For things Teddy can verify directly (encryption settings, access policies, audit logs), it pulls from the live system via read-only API connectors and writes the evidence to your system of record. For things that need a human attestation (access reviews, vendor approvals), Teddy DMs the right person in Slack or email, parses the reply, and logs it. The human stays in the loop on judgment calls. Teddy handles the busywork.
Teddy is a thin agent layer. Evidence and policies live in your existing system of record: Notion, Confluence, SharePoint, Google Drive, wherever you keep docs. Teddy reads from your stack, writes back to your stack, and stores nothing customer-facing on our side. Hosting region: EU.
If you're on a mainstream stack (Slack or Microsoft Teams, Notion or Confluence, GitHub or GitLab, AWS or Azure or GCP, Okta or Entra or Google Workspace), yes. Teddy connects via read-only APIs and posts updates as a bot user. For niche tools, we can usually build a connector inside 2 weeks. Talk to us.
AI-Act and ISO 42001 are first-class in Teddy. If you're an AI company, the Teddy library includes the ISO 42001 control set with mapping to the AI-Act articles, the risk-classification workflow, model-card templates, and the training-data governance evidence flow. New regulations are exactly where Teddy's automation matters most.

Stop dreading your next audit.

Join the waitlist for early access. We're onboarding a small group of teams first.
