A founding document for your security program

Write, version & prove your security policies.

Charter turns a short plain-English questionnaire into a complete, framework-mapped set of security policies — then runs the whole lifecycle: generate, version, assign, attest. Escalating reminders chase the stragglers, a new version auto-triggers re-attestation, and a dashboard proves your coverage. In an afternoon, not a quarter.

  • 25+ auditor-mapped policies
  • 8 framework families
  • Escalating attestation reminders
  • Auto re-attestation on new versions
  • Free tier · no card

From questionnaire to signed policy

Charter does the workflow the free template packs lack and the GRC suites overcharge for.

01

Answer the questionnaire

Org name, frameworks in scope, the data you handle. Charter fills every {{token}} across a starter set of real, substantive policies — no blanks left behind.

02

Map to your frameworks

Every clause is tagged to the controls it satisfies across HIPAA, FERPA, CMMC/800-171, SOC 2, ISO 27001, CIS, and NIST. A coverage view shows exactly what you've got — and your gaps.

03

Version & redline

Every change is an immutable version with a content hash. See a clean clause-level redline between any two — not v2_final_FINAL.docx.

04

Assign to people or whole groups

Target an individual by name or email — or a whole group: audience synced from your directory (Microsoft Entra, Google, Okta, JumpCloud via SCIM). Each member gets their own signed, time-boxed link.

05

Read, e-sign, and bind the version

Your team reads the exact assigned version and e-signs. Every signature is immutable and binds the precise version hash — tamper-evident proof of who signed what, and when.

06

Reminders that escalate

Charter chases the stragglers for you: an initial notice, then nudges, then reminders, an overdue alert, and finally escalation to the assignee's manager. The schedule is computed in Charter; on the cloud tier the platform notification service delivers it for real on a recurring sweep.

07

Re-attest automatically on change

Approve a materially new version and Charter re-points open assignments to the new hash, resets the clock, and mints a fresh signed link — so old signatures no longer count and the team re-signs the current text. No change, no needless churn.

08

Author ≠ approver, by design

The person who drafts a policy can't approve it. Charter blocks self-approval at the sign-off step, and every assignment link is a signed, one-time, expiring HMAC token that can't be forged, replayed, or pointed at the wrong version.
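Steps 03, 05, 07 and 08 describe one mechanism: a version is identified by a content hash, an assignment link is an HMAC-signed, one-time, expiring token bound to that hash, and a newly approved version invalidates links and signatures that point at the old hash. The following is an added example written for this page, not Charter's code; the token layout, the field names, the in-memory stores and the hypothetical `AttestationService` class are all assumptions chosen to show the checks a verifier has to make.

```python
"""Added illustration (not Charter's code): an HMAC-signed, one-time, expiring
assignment link bound to a policy version hash, and what happens to old links
and old signatures when a new version is approved. Token layout, field names and
the in-memory stores below are assumptions for this example only."""
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real service would load it from a KMS or env.
SERVER_KEY = secrets.token_bytes(32)


def version_hash(policy_text):
    """Content hash that identifies one immutable policy version."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


def _payload(assignee, vhash, exp, nonce):
    # Everything the verifier will check is covered by the MAC, so none of it can be edited.
    return f"{assignee}|{vhash}|{exp}|{nonce}".encode("utf-8")


def mint_link(assignee, vhash, ttl_s, now):
    """Mint a signed, time-boxed link token for one assignee and one exact version."""
    exp = now + ttl_s
    nonce = secrets.token_hex(8)  # makes the link one-time: the nonce is burned on use
    mac = hmac.new(SERVER_KEY, _payload(assignee, vhash, exp, nonce), hashlib.sha256).hexdigest()
    return f"{assignee}|{vhash}|{exp}|{nonce}|{mac}"


class AttestationService:
    """Hypothetical service holding current versions, burned nonces and signatures."""

    def __init__(self):
        self.current = {}       # policy_id -> hash of the currently approved version
        self.used_nonces = set()
        self.signatures = []    # (assignee, policy_id, version_hash, signed_at)

    def approve_version(self, policy_id, policy_text):
        self.current[policy_id] = version_hash(policy_text)
        return self.current[policy_id]

    def verify(self, token, policy_id, now):
        """Return (ok, reason). Signature is checked first, then expiry, replay, version."""
        try:
            assignee, vhash, exp_s, nonce, mac = token.split("|")
            exp = int(exp_s)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SERVER_KEY, _payload(assignee, vhash, exp, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):   # constant-time compare
            return False, "bad signature"
        if now > exp:
            return False, "expired"
        if nonce in self.used_nonces:
            return False, "replayed"
        if vhash != self.current.get(policy_id):     # link points at a superseded version
            return False, "stale version"
        return True, "ok"

    def sign(self, token, policy_id, now):
        """Record an e-signature bound to the exact version hash in the token."""
        ok, reason = self.verify(token, policy_id, now)
        if ok:
            assignee, vhash, _, nonce, _ = token.split("|")
            self.used_nonces.add(nonce)
            self.signatures.append((assignee, policy_id, vhash, now))
        return ok, reason

    def coverage(self, policy_id):
        """Only signatures bound to the current version hash count toward coverage."""
        cur = self.current.get(policy_id)
        return sorted({a for a, p, v, _ in self.signatures if p == policy_id and v == cur})


def run_demo():
    """Walk one policy through sign, replay, tamper, expiry and re-attestation."""
    svc = AttestationService()
    t0 = 1_700_000_000  # constructed clock value (seconds)
    pid = "access-control"
    v1 = svc.approve_version(pid, "MFA is recommended for administrative access.")
    link = mint_link("alice@example.test", v1, ttl_s=7 * 86400, now=t0)
    r = {}
    r["first_sign"] = svc.sign(link, pid, t0 + 3600)[1]
    r["replay"] = svc.sign(link, pid, t0 + 7200)[1]                     # same link again
    r["tampered"] = svc.verify(link.replace("alice@", "mallory@", 1), pid, t0)[1]
    r["expired"] = svc.verify(mint_link("bob@example.test", v1, 3600, t0), pid, t0 + 86400)[1]
    r["coverage_v1"] = svc.coverage(pid)
    # A materially new version is approved: old links and old signatures stop counting.
    v2 = svc.approve_version(pid, "MFA is required for remote access, administrative access, "
                                  "and all access to systems handling ePHI.")
    r["stale"] = svc.verify(mint_link("carol@example.test", v1, 86400, t0), pid, t0)[1]
    r["coverage_v2"] = svc.coverage(pid)
    r["resign"] = svc.sign(mint_link("alice@example.test", v2, 86400, t0), pid, t0 + 10)[1]
    r["coverage_after_resign"] = svc.coverage(pid)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The order of checks matters: the MAC is verified before any field is trusted, the expiry and nonce checks stop late and repeated use, and the version comparison is what makes an approved new version silently retire every open link to the old text. Coverage is computed against the current hash only, which is why the old signature drops out until the assignee re-signs.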

09

Prove coverage & export evidence

A dashboard shows % attested, who's pending, and who's overdue — per policy and overall. Export an attestation evidence report and branded PDF/Markdown for your auditor. Approved policies and attestation rates also flow as structured evidence into the rest of the DosanjhLabs suite — Sightline, Bastion, Ward.

Charter computes the whole lifecycle locally, signed-out. Real email/Slack reminder delivery, the recurring escalation runner, and SSO/SCIM group expansion run on the connected cloud tier via the platform notification service, with an offline fallback that previews — never silently "sends" — when you're not connected.

"We replaced a $5,200 template pack and a folder of _FINAL.docx files with one afternoon in Charter."
IT Lead, behavioral-health group · HIPAA — illustrative
"The attestation trail binding each signature to a version hash is exactly what our auditor asked for."
vCISO, DoD supplier · CMMC L2
"Flat per-client pricing finally makes policy management profitable across our book of business."
Principal, managed-services provider

Design-partner testimonials shown as illustrative placeholders pending launch.

Mapped to the frameworks that matter

Charter leads with the regulated wedges the SOC 2-centric tools ignore — and covers the rest too.

HIPAA §164 · FERPA · NIST CSF 2.0 · NIST 800-53 · CIS Controls v8 · ISO 27001:2022 · CMMC / 800-171 · SOC 2 TSC

Redline reveal

MFA is recommended for administrative access.
MFA is required for remote access, administrative access, and all access to systems handling ePHI.

Flat-per-company. Published. No seat creep.

Below every GRC suite's entry price, and a genuine free tier they don't offer. The anti-Vanta wedge.

Free

$0
  • 1 org, up to 10 attesters
  • Starter policy set
  • 1 framework mapping
  • Version history + diff
  • Watermarked export

Pro

$159/mo
  • Up to 100 attesters
  • All 8 framework families
  • Escalating reminder cascade
  • Auto re-attestation + coverage dashboard
  • Branded PDF · evidence to Sightline/Bastion/Ward

Business

$299/mo
  • Up to 500 attesters
  • SSO/SCIM group audiences
  • Manager escalation + Slack reminders
  • Procedures & standards layer · bilingual EN/FR
  • Conflict-check AI

MSP

$249/mo +$19/client
  • Multi-tenant console
  • Per-client branding
  • Bulk attestation reporting
  • White-label auditor links
  • Partner billing rollup

More, for less — feature by feature

The free packs give you static documents. The GRC suites bundle policy into a five-figure platform you can't unbundle. Charter does the whole policy lifecycle — generation, version control, the full attestation lifecycle (escalating reminders, auto re-attestation, coverage dashboard, exportable evidence), framework mapping, BYO-key AI — for a flat, published price.

Capability | Charter | ComplianceForge | Vanta (policy module) | Secureframe
Generates policies from a questionnaire | Yes | No — static .docx | Templates only | Templates only
Token fill from one org profile | Yes | No — manual edits | Limited | Limited
Built-in version control + real diffs | Yes | No | Yes | Yes
Employee attestation + audit trail | Yes | No | Yes | Yes
Escalating reminder cascade (to manager) | Yes | No | Basic reminders | Basic reminders
Auto re-attestation on a new version | Yes | No | Manual re-assign | Manual re-assign
SSO/SCIM group attestation audiences | Yes | No | Yes | Yes
Author ≠ approver separation of duties | Yes | No | Workflow roles | Workflow roles
Framework mapping (HIPAA, FERPA, CMMC, SOC 2, ISO, CIS, NIST) | 8 families | CMMC/800-171 set | SOC 2 / ISO lean | SOC 2 / ISO lean
BYO-key AI drafting + gap finder | Yes | No | Add-on | Add-on
Sold standalone (policy without a full GRC platform) | Yes | Yes | No — bundled only | No — full platform
Genuine free tier | Yes | No | No | No
Published, flat-per-company pricing (no seat creep) | Yes | One-time, per entity | Quote-only, seat-sensitive | Per-framework gating
Entry price | Free · then $159–$299/mo | $5,200 one-time | ~$10k–$28k/yr | $7,500/yr

Competitor pricing reflects publicly reported figures: ComplianceForge NIST 800-171 program ($5,200 one-time, single-entity .docx license), Secureframe Starter (public $7,500/yr, ≤100 employees, 1 framework), Vanta policy module (no public price; real-world entry commonly ~$10k–$28k/yr for <50 employees, bundled into the platform). Verify current pricing with each vendor.

VS · FREE PACKS

We include the workflow they don't

ComplianceForge charges $5,200 for static .docx with no app, no versioning, no attestation. Charter's free tier already does the generation, diffs and sign-off they leave to 40–80 hours of manual labor.

VS · GRC SUITES

We unbundle what they lock up

You can't buy "just policies" from Vanta or Secureframe — entry is $7.5k–$28k/yr for the whole platform. Charter sells the policy layer alone at a fraction of the cost, with a free tier they don't offer.

THE MATH

$1621.80/yr vs five figures

Charter Pro at $1621.80/yr lands below a single ComplianceForge pack and an order of magnitude under any GRC suite entry — while doing more of the policy lifecycle than either.


Templates, frameworks & comparisons

Free guides and template libraries for the frameworks SMBs and MSPs actually face — and how Charter stacks up against the packs and the GRC suites.

START

Generate yours free

Answer a short questionnaire and Charter fills a complete, framework-mapped policy set — versioned and ready to attest.