Core Concepts

Understanding the key concepts in Probo will help you get the most out of the platform. This page explains the data model and how the different entities relate to each other.

Organization

The top-level entity in Probo. All compliance data — frameworks, controls, risks, vendors, evidence — belongs to an organization. Users are invited as members of an organization.

Frameworks

Compliance standards your organization follows, such as SOC 2, ISO 27001, or GDPR. Each framework defines a set of controls that your organization must satisfy. You can import built-in frameworks or create custom ones.

Controls

Specific requirements within a framework. For example, “Access controls must be implemented for all production systems” or “Data must be encrypted at rest.” Controls represent what needs to be achieved.

Measures

Actions and processes your organization implements to satisfy controls. A single measure can satisfy multiple controls across different frameworks. For example, a “multi-factor authentication” measure might satisfy access control requirements in both SOC 2 and ISO 27001.

Risks

Identified threats to your organization’s security, privacy, or compliance posture. Risks are assessed for likelihood and impact, and linked to the measures that mitigate them.

Vendors

Third-party service providers and suppliers your organization relies on. Vendor management includes tracking contracts, conducting risk assessments, and monitoring compliance status.

Assets

Systems, applications, databases, and infrastructure that your organization operates. Assets are inventoried and linked to the controls and risks that apply to them.

Evidence

Documentation and artifacts that prove your controls are operating effectively. Evidence can be collected manually or automatically, and is linked to controls for audit preparation.

Tasks

Actionable items assigned to team members. Tasks track work like implementing a control, reviewing a vendor, completing an assessment, or remediating a finding.

Audits

Formal evaluations of your compliance posture. Probo helps you prepare evidence packages, organize documentation, and track audit findings and remediation.

Documents

Policies, procedures, and other compliance documents managed within Probo. Documents support versioning and digital signatures.

Findings

Identified gaps or failures in your compliance controls. Findings include nonconformities (major and minor), observations, and exceptions. Each finding tracks what went wrong, the root cause, remediation actions, and deadlines.

Obligations

Legal and regulatory requirements your organization must fulfill. Obligations are tracked separately from framework controls to capture jurisdiction-specific requirements.

Data Classification

Categories for your organization’s data based on sensitivity level. Data classification drives how information is handled, stored, and protected.

Records of Processing Activities

Records of data processing activities, as required for GDPR compliance. Each record documents what data is processed, the legal basis, retention periods, and data subjects involved.

DPIAs (Data Protection Impact Assessments)

Assessments required for high-risk data processing activities under GDPR. DPIAs evaluate the necessity and proportionality of processing, and identify measures to mitigate risks to data subjects.

TIAs (Transfer Impact Assessments)

Assessments for international data transfers. TIAs evaluate whether the destination country provides adequate data protection and what supplementary measures are needed.

Statement of Applicability (SoA)

An ISO 27001 concept that tracks which controls from Annex A are applicable to your organization and their current implementation status. The SoA is a required document for ISO 27001 certification.

Snapshots

Point-in-time captures of your compliance posture. Snapshots are useful for audit preparation, historical tracking, and demonstrating progress over time.

Meetings

Records of compliance-related meetings, including decisions made, attendees, and action items that result from discussions.

The core workflow in Probo follows this chain:

  • Frameworks contain Controls that define what must be achieved
  • Measures implement Controls — a single Measure can satisfy multiple Controls across Frameworks
  • Risks are mitigated by Measures
  • Evidence proves that Measures are working effectively
  • Tasks drive the day-to-day work of implementing and maintaining compliance
  • Audits verify that everything is in place and operating as expected
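The chain above, modelled as an added Python illustration. This is not Probo's own code or data model: the entity fields, the control identifiers and descriptions, the measure, evidence and risk names, and the gap_report / sample_report functions are all constructed here for the example. It shows the many-to-many link between Measures and Controls across Frameworks, and the kind of gap check an audit-preparation pass would run: controls nobody implements, measures that exist but carry no evidence, and risks with no mitigating measure.

```python
"""Toy model of the Framework -> Control <- Measure <- Evidence chain.

Added illustration; not Probo code. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A requirement inside a Framework, identified by (framework, control_id)."""
    framework: str
    control_id: str
    description: str

    @property
    def key(self) -> tuple[str, str]:
        return (self.framework, self.control_id)


@dataclass
class Measure:
    """An implemented action; one Measure may satisfy Controls in several Frameworks."""
    name: str
    controls: frozenset          # (framework, control_id) keys this measure satisfies
    evidence: tuple = ()         # names of Evidence artifacts linked to this measure


@dataclass
class Risk:
    """A threat scored as likelihood x impact and linked to mitigating Measures."""
    name: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    measures: frozenset = frozenset()  # names of mitigating measures

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def gap_report(controls, measures, risks) -> dict:
    """Walk the chain and report what an auditor would flag."""
    by_name = {m.name: m for m in measures}
    coverage: dict[tuple[str, str], set[str]] = {}
    for m in measures:
        for key in m.controls:
            coverage.setdefault(key, set()).add(m.name)

    # Controls with no Measure at all: nothing implements the requirement.
    unimplemented = sorted(c.key for c in controls if c.key not in coverage)
    # Controls whose Measures exist but none carries Evidence: "not demonstrated".
    unevidenced = sorted(
        c.key for c in controls
        if c.key in coverage and not any(by_name[n].evidence for n in coverage[c.key])
    )
    # Risks with no defined mitigating Measure (dangling names count as missing).
    unmitigated = sorted(r.name for r in risks if not any(n in by_name for n in r.measures))
    # Measures reused across Frameworks: the "one measure, many controls" case.
    reused = {
        m.name: sorted({fw for fw, _ in m.controls})
        for m in measures if len({fw for fw, _ in m.controls}) > 1
    }
    # Risk register ordered by score, with a mitigated flag per risk.
    register = [
        (r.name, r.score, r.name not in unmitigated)
        for r in sorted(risks, key=lambda r: (-r.score, r.name))
    ]
    return {
        "unimplemented_controls": unimplemented,
        "unevidenced_controls": unevidenced,
        "unmitigated_risks": unmitigated,
        "cross_framework_measures": reused,
        "risk_register": register,
    }


# Constructed sample data; identifiers and descriptions are illustrative only.
SAMPLE_CONTROLS = [
    Control("SOC 2", "CC6.1", "Logical access to systems is restricted"),
    Control("ISO 27001", "A.5.15", "Access control"),
    Control("ISO 27001", "A.8.24", "Use of cryptography"),
    Control("SOC 2", "CC6.7", "Data is encrypted at rest"),
]
SAMPLE_MEASURES = [
    Measure("multi-factor authentication",
            frozenset({("SOC 2", "CC6.1"), ("ISO 27001", "A.5.15")}),
            evidence=("idp-mfa-policy-export.json",)),
    Measure("database encryption at rest",
            frozenset({("SOC 2", "CC6.7")})),   # implemented, no evidence yet
]
SAMPLE_RISKS = [
    Risk("credential stuffing against the admin console", 4, 4,
         frozenset({"multi-factor authentication"})),
    Risk("stolen backup media", 2, 5),          # no mitigating measure linked
]


def sample_report() -> dict:
    return gap_report(SAMPLE_CONTROLS, SAMPLE_MEASURES, SAMPLE_RISKS)


if __name__ == "__main__":
    for section, rows in sample_report().items():
        print(f"{section}: {rows}")
```

Running the module prints one line per report section. The sample deliberately contains one gap of each kind, so the output shows the ISO 27001 cryptography control as unimplemented, the encryption-at-rest control as unevidenced, and the backup-media risk as unmitigated, while the MFA measure appears once under both frameworks.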