Workflow

Control Mapping Concierge

Import existing customer controls from CSV/XLSX, review deterministic mapping suggestions, preserve customer IDs as aliases, and commit with rollback support.

Owner: Product + Compliance Engineering
Last reviewed: 2026-05-03

  • Default mode: Strict. Deterministic only, no public AI.
  • Max upload: 10 MB. CSV/XLS/XLSX, up to 2,000 rows per preview batch.
  • Review model: Human-in-loop. No silent auto-commit.
  • Rollback: Per batch. Alias/evidence/status snapshot.

Upload -> preview -> review -> commit -> rollback.

Where to start

Open Dashboard -> Compliance -> Control Mapping. You can also reach the workflow from the Controls page through the Mapping Concierge action.

Most customers should choose Spreadsheet upload. Prepared JSON rows are an advanced onboarding-team path. Secure data room, live connector, and greenfield starts are roadmap options and remain disabled until their full workflows are shipped.

Template columns

  • customer_control_id — required; stored as a searchable alias after commit.
  • title — required; used for deterministic title/objective matching.
  • framework_ref — optional; exact references receive the highest confidence.
  • owner — optional; carried forward as reviewer context.
  • status — optional; recognized statuses update the mapped OneComply control.
  • evidence_ref — optional; URL, filename, or note references separated by semicolon, pipe, or newline.
  • notes — optional; retained for review context.
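
A local pre-upload check for a CSV export against the template rules above, added here as an example and not OneComply's own code. The function names, the constructed sample rows, and the duplicate-ID check are assumptions of this example; the required columns, evidence_ref delimiters, and size and row limits come from this page.

```python
import csv
import io
import re

REQUIRED = ("customer_control_id", "title")
MAX_BYTES = 10 * 1024 * 1024  # 10 MB upload limit stated on this page
MAX_ROWS = 2000               # rows per preview batch stated on this page

# Constructed sample export (not real customer data).
SAMPLE = (
    b"customer_control_id,title,framework_ref,evidence_ref\n"
    b'AC-001,Quarterly access review,,"https://example.com/a;policy.pdf|ticket 42"\n'
    b'AC-002,,,"line one\nline two"\n'
    b"AC-001,Password policy,,\n"
)


def split_evidence(value):
    """Split evidence_ref on semicolon, pipe, or newline; drop empty parts."""
    return [p.strip() for p in re.split(r"[;|\r\n]+", value or "") if p.strip()]


def check_template(raw):
    """Return (rows, problems) for a CSV export before it is uploaded."""
    problems = []
    if len(raw) > MAX_BYTES:
        problems.append("file exceeds 10 MB")
    reader = csv.DictReader(io.StringIO(raw.decode("utf-8-sig"), newline=""))
    header = [h.strip() for h in (reader.fieldnames or [])]
    for col in REQUIRED:
        if col not in header:
            problems.append(f"missing required column: {col}")
    rows, seen = [], set()
    for n, rec in enumerate(reader, start=1):  # n counts data records
        row = {k.strip(): (v or "").strip() for k, v in rec.items() if k}
        for col in REQUIRED:
            if col in header and not row.get(col):
                problems.append(f"record {n}: empty {col}")
        cid = row.get("customer_control_id")
        # Assumption of this example: repeated IDs are flagged, since each
        # ID becomes an alias after commit.
        if cid and cid in seen:
            problems.append(f"record {n}: duplicate customer_control_id {cid}")
        seen.add(cid)
        row["evidence_ref"] = split_evidence(row.get("evidence_ref"))
        rows.append(row)
    if len(rows) > MAX_ROWS:
        problems.append(f"{len(rows)} rows exceeds {MAX_ROWS} per preview batch")
    return rows, problems
```

Calling `check_template(SAMPLE)` returns the parsed rows with evidence_ref already split into a list, plus the problems to correct before upload.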

Review queues

The workbench separates rows into operational queues: unreviewed, accepted, rejected, blockers, warnings, and unmatched. Download the error sheet when blockers need to be sent back to the customer for correction.

Commit and rollback

Commit applies approved rows transactionally. OneComply creates customer control aliases, links evidence metadata, updates recognized statuses, writes the audit trail, and stores a rollback snapshot. Exact unchanged re-import rows are no-ops during commit so duplicate evidence metadata is not created.

Rollback restores aliases and statuses captured in the snapshot and removes evidence metadata created by that batch. The import and rollback events remain visible in history.

Sign-off package

Before commit, reviewers can download a Markdown sign-off package with coverage by framework, the decision ledger, unmatched rows, evidence-reference completeness, and the declared processing mode. Use this as the customer review artifact before onboarding baseline approval.

Export ID modes

Once customer aliases are committed, dashboard exports that reference controls can use OneComply IDs, customer IDs, or both. Using both IDs is the recommended audit default because it lets customer teams reconcile legacy registers while preserving OneComply framework traceability.

Strict mode is the safe default

Strict mode does not use public AI and does not transmit tenant control data outside the OneComply processing boundary. Private AI modes call only a customer-approved private endpoint when configured, with customer control IDs, raw evidence values, and owner names redacted from the request.

Current limitations

  • Curated external source-library crosswalk datasets are still being expanded.
  • Automatic live connector pulls from GRC, ticketing, and document systems are not yet live.
  • Spreadsheet uploads support CSV and XLSX, up to 10 MB and 2,000 rows per preview batch.
  • Sign-off package export is Markdown; PDF rendering is not yet live.