Skip to main content

Transparent pricing · Multi-framework included

Multi-framework compliance. One control set. From $499/mo.

One live risk register and tamper-evident evidence—a single system of record for your program, not another export folder. Pick a plan below; Starter and Growth subscribe online with workspace provisioning in ~24 hours. External reviewer access on Growth and Enterprise—no separate assessor SKU.

See full feature comparison · Enterprise scope? Request architecture review

Prices shown are monthly equivalents. Annual saves ~17%.

Starter

Under 25 employees

Your first compliance program — one framework, done right.

$499/month

$5,988/yr

Billed annually · ~$499/mo equivalent

Subscribe — Starter Annual

Sign up · credit card required · Stripe

Core capabilities

  • Live risk register and all 93 ISO 27001 controls
  • Tamper-evident evidence vault (SHA-256 fingerprints)
  • Auto-generated Statement of Applicability
  • Up to 3 users · REST API + MCP
Most popular

Growth

25–100 employees

Add frameworks without the per-framework tax.

$1,250/month

$15,000/yr

Billed annually · ~$1,250/mo equivalent

Subscribe — Growth Annual

Sign up · credit card required · Stripe

Everything in Starter, plus

  • Multi-framework control mapping — ISO 27001, SOC 2, and more in one record
  • Scoped external reviewer roles (no separate assessor SKU)
  • Vendor risk, incidents, assets, SoA snapshots
  • Up to 10 users · additional frameworks included as we ship

Enterprise

300+ employees · multi-entity · regulated programs

Compliance across every business line — not a single checkbox.

Custom scope

Framework scope, entities, and user counts are set in an architecture review.

Request architecture review

Custom contract · scoped in review

Everything in Growth, plus

  • Multi-framework programs across entities and assessment cycles
  • Wealth & investment advisory, real estate, financial services, healthcare, and other regulated operators
  • Unlimited users · multi-team / multi-scope workspaces
  • Custom onboarding · SLA-backed uptime · custom contract and invoicing
  • Optional Stratum anchoring for highest-assurance evidence (scoped separately)

100–300 employees? Architecture review scopes the Pro band between Growth and Enterprise.

Secure Stripe checkout · upgrade or downgrade at renewal · credit card required for Starter and Growth

Control map → many frameworks
3
Monitoring connectors shipped
$0
Assessor SKU on Growth+

Additional capabilities ship from what customer programs need — not a fixed roadmap.

Total cost context: Typical year-one stack $45k–$95k vs Arbiter Starter $5,988/yr (≈ $499/mo, billed annually)

See the breakdown →

Why teams switch

One control. Many frameworks.

Most compliance tools charge $8k–$20k+ per year for each added framework. Arbiter maps controls once — included in the price, not sold as add-ons.

FeatureArbiter GrowthTypical single-framework tool
Annual price (mid-market, 1–2 frameworks)$15,000$25,000–$50,000+
Additional frameworksIncludedOften +$8k–$20k per added framework
External reviewer accessScoped roles includedOften higher tier or add-on
Evidence integritySHA-256 fingerprintsVendor attestation / basic hashing
Multi-framework mappingOne control → many frameworksOften priced per framework
Users included10Varies; often capped on lower tiers
Optional Stratum anchoringAvailable (scoped add-on)Not available

Competitor figures are industry estimates (Vanta, Drata, Secureframe-class tools). Verify before customer-facing decks.

Total cost context

Assessment season is expensive. Spreadsheet season is worse.

A first-year compliance program with consultants often runs $30k–$80k. External assessments add another $5k–$15k. Arbiter won't replace your assessor — it gives them a tamper-evident system of record instead of a folder of exports, with SHA-256 fingerprints reviewers can verify independently.

Arbiter is the system of record — not a substitute for accredited assessment or program design.

Typical year-one compliance stack

$45k–$95k

Consultants ($30k–$80k) + external assessment ($5k–$15k)

Arbiter Starter (annual)

$5,988/yr≈ $499/mo · billed annually
Subscribe — Starter Annual

We run Arbiter to certify Arbiter — our ISO 27001 audit lives in the same register you'll use.

Automation-ready

Your compliance data works where your team works.

Risks, controls, and evidence are accessible from the dashboard, the API, and AI tools like Claude and Cursor — through the same role permissions your team already has. GitHub SDLC, Google Cloud, and governance webhooks map signals to controls without duplicating your register.

Connect to your existing stack

GitHub, Google Cloud Security Command Center, and governance webhooks feed monitoring signals into mapped controls. REST API and MCP tools extend the same register to Claude, Cursor, and your automation.

No separate permission systems

API keys carry the same read and write permissions as the team member who created them — your access model doesn't fork when you automate.

Tamper-evident by design, not declaration

Every evidence upload is fingerprinted with SHA-256. Your assessor can verify the file hasn't changed since you uploaded it — no one's word required.

Access control that proves it's working

Every denied access attempt is logged. During an audit, that log is evidence your access controls aren't just documented — they're enforced.

Gap analysis · Catalyst offer

Know your gaps in a week — with a register to fix them in.

We map your infrastructure to your target frameworks, load findings directly into Arbiter, and hand you a prioritized remediation plan — not a slide deck you rebuild from scratch.

Includes 3 months of Arbiter Growth so your gap analysis baseline becomes a live, assessor-verifiable record from day one.

Full feature comparison

What's in each plan.

Compare plans side by side. Starter and Growth are self-serve — sign up and start today. Enterprise scope is set in an architecture review.

FeatureStarterGrowthEnterprise
Risk register — unlimited risks
ISO 27001 control library (all 93)
Evidence vault with tamper-evident fingerprinting
Statement of Applicability — auto-generated
SOC 2 Type II framework
External reviewer roles (Auditor / read-only)
REST API + MCP access (API keys)
Users included310Unlimited
Gap analysis catalyst offer (3 mo Arbiter)

Common questions

Things teams ask us.

How do I get started?

Starter and Growth are self-serve: pick a plan, sign in with your work email or Google, accept Terms of Use, then complete secure Stripe checkout. Your subscription starts when payment is confirmed. Enterprise programs begin with an architecture review.

Do I need to request access?

Not for Starter or Growth — those tiers sign up directly. Enterprise (300+ employees, multi-entity, or regulated programs) is scoped in an architecture review before workspace access.

Why publish pricing instead of "contact sales"?

Procurement teams need an anchor before a call. List price is on the site; Enterprise and founding cohort details are scoped in architecture review.

How do external assessors access our data?

On Growth and Enterprise, invite them as users and assign Auditor or Read-Only Viewer roles. They see only what their role permits — no separate assessor portal SKU. Starter is for internal program build-out; upgrade when you need assessor access.

Can we automate GRC with scripts or AI tools?

Yes. Use Firebase Auth ID tokens or the documented REST API after sign-in. The same REST API and MCP server power scripts and AI agents; permissions inherit from the authenticated user. See Settings → API documentation.

Can my assessor verify evidence without logging in?

Your assessor signs in with a scoped Auditor role — they see only what you've shared, nothing else. Every evidence file carries a SHA-256 fingerprint they can verify independently, so they aren't relying on your export or your word.

Can I upgrade my plan later?

Yes. You can upgrade at any time and pay the difference for the remainder of the billing period. Downgrades take effect at the end of your current period. Your data, evidence vault, and control mappings stay intact regardless of plan.

Annual vs pay-as-you-go monthly?

Annual is the default — lower effective monthly rate, billed once per year. Monthly is available at a premium when you need flexibility without an annual commitment. You can switch at renewal.

Does Arbiter replace my external assessor?

No — certification still requires an accredited assessor. Arbiter gives them a tamper-evident evidence package ready to review, so the assessment moves faster and produces fewer findings caused by missing or disorganized records.

Subscribe and start building your record — minutes, not months.

Starter and Growth: work email or Google, then Stripe checkout. Your workspace provisions after payment. Enterprise and founding programs use an architecture review.