BETA · in active development

Joujik Mutualwork

The GRC audit workspace where your evidence never leaves your Drive.

ISO 27001 · SOC 2 · GDPR · Israeli Privacy Law — run real compliance engagements while every file stays in the customer's own Google Drive.

Joujik
The problem

Compliance tools ask you to hand over
your most sensitive evidence.

📤

It lives on their servers

Vanta, Drata & co. ingest your policies, access lists and audit trail into their multi-tenant database.

🚫

Clients refuse to share

Regulated clients won't upload sensitive evidence into a consultant's third-party SaaS. Deals stall.

🔗

You're locked in

Switch vendors or consultants and you re-import everything. The audit trail isn't really yours.

⚠️ May 2025: a major compliance platform publicly disclosed a code change that wrote some customers' integration data into other customers' tenants. Shared multi-tenancy is a structural risk — one our model removes by design.
What it is

A GRC-native audit workspace —
not another box for your data.

Joujik Mutualwork gives consultants and their clients one structured place to run a compliance engagement end-to-end. The twist: the evidence stays in the customer's own Google Drive.

🗂️

Drive-native evidence

Files land in your Drive, in a clean ISO/Annex-A folder tree. We store only pointers + keys.

🤝

Two-sided by design

Consultant ↔ client, with role-aware access and an immutable, shared audit log.

📚

Real frameworks

ISO 27001, SOC 2, GDPR & Israeli Privacy Law ship as static, expert-built templates — no LLM guesswork.

Why it's different from normal SaaS

Your data flows the opposite way.

Normal SaaS

You → the vendor's servers

  • Evidence uploaded to their database
  • Audit log on their infrastructure
  • One bug can cross tenant lines
  • Leaving means exporting & re-importing
Joujik Mutualwork

You → your own Google Drive

  • Evidence stays in your Drive folder
  • Audit log is an append-only file in your Drive
  • We hold only identity + project pointers
  • Hand a regulator one Drive share link
Security advantages

A deliberately tiny blast radius.

🔐 drive.file scope only

We can touch only the files our app creates in your Drive — never the rest. The smallest useful scope, no Google CASA audit baggage.

🧱 Isolation per engagement

Row-level security on every table, plus per-engagement membership checks — a consultant on one engagement can't see another's data.

🗝️ Encrypted tokens at rest

OAuth refresh tokens are AES-256-GCM encrypted, key-separated, never logged, never sent to the browser.

📜 Append-only audit log — in your Drive

An append-only NDJSON of every action is retained in your .joujik/ folder — exportable and auditor-friendly.

💡 If Joujik disappeared tomorrow, every byte of your audit would still be in your Drive — readable in a text editor. You lose the tooling, never the data.
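The token-handling and audit-log points above (AES-256-GCM refresh tokens under a separate key, never logged; an append-only NDJSON log in .joujik/) are architecture claims, not code on this page. As an added illustration that is not Joujik's own code, the Go program below shows one way a backend can implement both: each refresh token is sealed with AES-256-GCM under a key held apart from the application database, with the owning user and engagement bound in as GCM additional data so a record moved into another tenant's context fails to open, and each action is appended as one NDJSON line that records the event but never the token. The names TokenVault, tenantAAD, AuditEvent and all sample identifiers are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
)

// TokenVault seals OAuth refresh tokens with AES-256-GCM under a key held apart from
// the application database (assumed loaded from a secret store) and named by KeyID.
type TokenVault struct {
	KeyID string
	aead  cipher.AEAD
}

func NewTokenVault(keyID string, key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{KeyID: keyID, aead: aead}, nil
}

// SealedToken is the only form that reaches the database: there is no plaintext field.
type SealedToken struct {
	KeyID      string `json:"key_id"`
	Nonce      string `json:"nonce"`
	Ciphertext string `json:"ct"`
}

// tenantAAD binds a ciphertext to its owning user and engagement. GCM authenticates
// this additional data, so a row copied into another tenant's context fails to open.
func tenantAAD(userID, engagementID string) []byte {
	return []byte(userID + "\x00" + engagementID)
}

func (v *TokenVault) Seal(userID, engagementID, refreshToken string) (SealedToken, error) {
	nonce := make([]byte, v.aead.NonceSize()) // fresh random nonce per token
	if _, err := rand.Read(nonce); err != nil {
		return SealedToken{}, err
	}
	ct := v.aead.Seal(nil, nonce, []byte(refreshToken), tenantAAD(userID, engagementID))
	return SealedToken{v.KeyID, base64.StdEncoding.EncodeToString(nonce),
		base64.StdEncoding.EncodeToString(ct)}, nil
}

func (v *TokenVault) Open(s SealedToken, userID, engagementID string) (string, error) {
	nonce, err1 := base64.StdEncoding.DecodeString(s.Nonce)
	ct, err2 := base64.StdEncoding.DecodeString(s.Ciphertext)
	if err1 != nil || err2 != nil {
		return "", errors.New("malformed sealed token")
	}
	pt, err := v.aead.Open(nil, nonce, ct, tenantAAD(userID, engagementID))
	if err != nil { // wrong key, wrong tenant context and tampering are deliberately indistinguishable
		return "", errors.New("refresh token failed to authenticate for this user/engagement")
	}
	return string(pt), nil
}

// AuditEvent is one line of the append-only NDJSON log: it says a token was sealed or used, never what it was.
type AuditEvent struct {
	At         string `json:"at"`
	Actor      string `json:"actor"`
	Engagement string `json:"engagement"`
	Action     string `json:"action"`
}

// AppendAudit writes one JSON object per line to a writer the caller opened in append mode (e.g. os.O_APPEND).
func AppendAudit(w io.Writer, ev AuditEvent) error {
	line, err := json.Marshal(ev)
	if err != nil {
		return err
	}
	_, err = w.Write(append(line, '\n'))
	return err
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment loads it from a secret store
	rand.Read(key)
	v, _ := NewTokenVault("rt-key-v1", key)
	s, _ := v.Seal("user-a", "eng-1", "constructed-refresh-token")
	_, err := v.Open(s, "user-b", "eng-1") // another user's context: must fail
	fmt.Println("cross-tenant open:", err)
	AppendAudit(os.Stdout, AuditEvent{"2025-05-01T00:00:00Z", "user-a", "eng-1", "token.sealed"})
}
```

The design choice worth noting is the additional data: the user and engagement identifiers are not secret, but authenticating them under the same GCM tag as the ciphertext means a row-level-security slip that exposes another tenant's encrypted token still yields nothing usable, because the caller's own context will not verify. The audit writer deliberately takes an io.Writer so that the same code can target a file opened with os.O_APPEND or an in-memory buffer for testing.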
How it compares

Who actually holds your audit?

                                 Joujik Mutualwork        Vanta · Drata      Monday · Notion
Where evidence files live        Your Google Drive        Their servers      Their servers
Where the audit log lives        Your Drive (.joujik/)    Their database     No audit surface
If the vendor goes away          You keep everything      Export & hope      Export & hope
Switch vendor mid-engagement     Hand over a Drive link   Re-import all      Re-import all
GDPR access / export / delete    Native in your Drive     Via the vendor     Via the vendor
How it works

From kickoff to audit packet.

1 · Create: spin up an engagement & pick a framework
2 · Invite: bring in the other side (consultant ↔ client)
3 · Scope: decide the SoA / classification
4 · Evidence: upload, straight to your Drive
5 · Review: consultant verdicts, comply / OFI / NC
6 · Report: export the audit packet

A real engagement, walked through next — ISO/IEC 27001:2022.

ISO 27001 · walkthrough

Invite-only, two-sided.

Two clear portals — consultant and client. Access is by approval (private beta), and either side can own the Drive folder — the owner keeps the evidence, even if the other party changes.

[Screenshot: portal selection (mutualwork.joujik.com)]
[Screenshot: new project framework picker (mutualwork.joujik.com/projects/new)]
Step 1 · Create

Pick a framework.

Choose ISO 27001:2022 and the engagement spins up a Drive folder and materialises the 93 Annex A controls + clauses 4–10 as 126 audit tasks — ready for evidence.

Step 2 · Invite

Bring in the other side.

The engagement owner invites the counterpart by email with a role. Client side and consultancy side are tracked separately — with a live, shared member list.

[Screenshot: invite a member (mutualwork.joujik.com/projects/…/members)]
[Screenshot: statement of applicability (…/projects/…/soa)]
Step 3 · Scope

The Statement of Applicability.

Mark each of the 93 Annex A controls applicable or excluded — with a justification (per clause 6.1.3). Submit, and the applicable controls become live tasks.

Step 4–5 · Evidence & review

Upload, then the auditor rules on it.

The client uploads evidence (straight to Drive); the consultant runs an internal-audit review of each control — comply, OFI or non-conformity — with a quality tag and a comment to the client.

[Screenshot: control with evidence and review (…/tasks/4.1)]
[Screenshot: project board with verdicts (mutualwork.joujik.com/projects/…)]
Live progress

A real audit, end to end.

126 audit tasks reviewed · 91% approved

93 Annex A controls + clauses 4–10 · 94 comply · 21 OFI · 11 non-conformity — every verdict logged.

The moat, made visible

Every file lives in your Drive.

[Screenshot: ISMS folder in Drive (drive.google.com)]
[Screenshot: Annex A folders in Drive (drive.google.com)]

The app provisions a clean ISMS/ + Annex A/ tree with a folder per control — created via Google's drive.file scope. Your evidence, your ownership, your portability.

The deliverable

One click → a full audit packet.

Export a polished, branded PDF: cover page, the complete Statement of Applicability, and per-control evidence, verdicts & review history. Markdown & JSON exports too.

Generated from the live engagement — the 126-control ISO 27001 example shown here.

[Screenshot: report cover]
[Screenshot: report SOA table]
More projects available

Four frameworks. One workspace.

Each ships with an expert-built, framework-specific setup wizard — not a generic checklist.

ISO 27001 · 93 controls + clauses 4–10

SOC 2 · 184 TSC items

GDPR · 39 mapped obligations

Israeli Privacy Law · 81 obligations

SOC 2 · 2017 TSC

Scope the Trust Services Criteria.

A guided wizard walks Security, Availability, Confidentiality, Processing Integrity & Privacy — Type I vs II, carve-out vs inclusive — each decision cites the AICPA TSP and is logged.

[Screenshot: SOC 2 scope wizard (…/projects/new/soc2-classification)]
[Screenshot: GDPR classification wizard (…/projects/new/gdpr-classification)]
GDPR · EU 2016/679

Controller or processor?

A 12-step classification — role, territorial scope, DPO trigger, transfers, special categories — with the exact legal basis (Art. 3(2), Art. 27…) cited at every turn.

Israeli Privacy Law · 1981 + Reg. 2017

Bilingual, and it does the math.

A 7-step Hebrew/English wizard classifies the entity & database, then auto-derives the security level (Regulation 21) and generates exactly the tasks that apply.

[Screenshot: privacy wizard (privacy-classification)]
[Screenshot: derived security level (privacy-classification)]
Status

An honest beta — and moving fast.

Live today

  • End-to-end ISO 27001 engagement
  • Two-sided roles + RLS isolation
  • Evidence in the customer's Google Drive
  • SOC 2 · GDPR · Israeli Privacy wizards
  • One-click PDF / Markdown / JSON audit packet

Next

  • Per-task threaded comments & white-label exports
  • Metadata fully migrated into the customer's Drive
  • Billing & self-serve onboarding

Built and shipped solo — product, security architecture, AI tooling and GRC content.
Let's talk

Interested? Get in touch.

Whether you're a partner, an investor, a potential customer, or the idea just resonates at this level — I'd love to hear from you.

Joujik Mutualwork · beta · mutualwork.joujik.com