Documentation
This guide covers everything you need to install, configure, and run GRC Platform and PurpleGuard. Both products are distributed as Docker images from our private container registry. You deploy them on your infrastructure and manage them with a license key from your customer dashboard.
How Licensing Works
Both products use the same licensing model. When you purchase a subscription, you receive a license key — a signed string that encodes your tier, resource limits, enabled features, and expiration date.
Key Concepts
- License key is version-independent. Your key works with any release of the product. When we ship an update, pull the new image and restart — your same key keeps working until its expiration date.
- License key is self-contained. The key is cryptographically signed (Ed25519). The product verifies it offline using an embedded public key. No internet required for basic validation.
- One key per product. If you buy the bundle, you get two keys — one for GRC Platform, one for PurpleGuard.
- Renewal = new key. When your subscription renews, you receive a new key with an extended expiration. Replace the old key and restart.
Setting Your License Key
Every product reads the license key from an environment variable at startup:
# GRC Platform
export LICENSE_KEY="PG-GRC-eyJsaWQiOiJMS..."
# PurpleGuard
export PURPLEGUARD_LICENSE_KEY="PG-PG-eyJsaWQiOiJMS..."
PurpleGuard also supports loading from a file or config:
# Option 2: File
echo "PG-PG-eyJ..." > ~/.purpleguard/license.key
# Option 3: config.yaml
license_key: "PG-PG-eyJ..."
Requirements
| Component | GRC Platform | PurpleGuard |
|---|---|---|
| Docker Engine | 20.10+ | 20.10+ |
| Docker Compose | v2.20+ | v2.20+ |
| RAM (minimum) | 4 GB | 2 GB |
| RAM (recommended) | 8 GB | 4 GB |
| Disk | 20 GB | 10 GB |
| OS | Linux, macOS, Windows (WSL2) | Linux, macOS, Windows (WSL2) |
| Database | MySQL 8.0 (included in Compose) | SQLite (built-in) |
| Python (CLI only) | N/A | 3.11+ |
GRC Platform
GRC Platform is a full-stack compliance automation system. It consists of a FastAPI backend, a Next.js frontend, MySQL, Redis, MinIO (S3-compatible object storage), and Celery workers for background tasks.
Docker Compose Installation
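1. Authenticate with the Container Registry
Use the registry token from your customer dashboard:
docker login ghcr.io -u <your-username> -p <your-registry-token>
A token given with -p ends up in shell history and the process list; docker login can read it from standard input with --password-stdin.
2. Download the Compose File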
Download the production docker-compose.grc.yml from your dashboard, or copy the template:
curl -O https://app.rastechsolutions.com/static/deploy/docker-compose.grc.yml
3. Create Your Environment File
Create a .env file next to the compose file. All sensitive values go here — never in the compose file itself.
# .env — GRC Platform Configuration
# ──────────────────────────────────
# License (required)
LICENSE_KEY=PG-GRC-your-license-key-here
# Database credentials (choose strong passwords)
MYSQL_USER=grc_admin
MYSQL_PASSWORD=your-strong-db-password
MYSQL_ROOT_PASSWORD=your-strong-root-password
MYSQL_DB=grc_platform
# Redis
REDIS_PASSWORD=your-strong-redis-password
# Object storage (MinIO)
MINIO_ROOT_USER=minio_admin
MINIO_ROOT_PASSWORD=your-strong-minio-password
# Security keys (generate with: openssl rand -hex 32)
ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000001
JWT_SECRET=change-this-to-a-random-64-char-string-use-openssl-rand-hex-32xx
# Frontend URL (the URL where your users access the app)
CORS_ORIGINS=["https://grc.your-company.com"]
PUBLIC_API_URL=https://grc-api.your-company.com
# Optional: License portal for heartbeat
LICENSE_PORTAL_URL=https://app.rastechsolutions.com
openssl rand -hex 32
4. Start the Stack
# Pull the latest images
docker compose -f docker-compose.grc.yml pull
# Start all services in the background
docker compose -f docker-compose.grc.yml up -d
# Watch the logs
docker compose -f docker-compose.grc.yml logs -f
On first boot, the backend automatically creates the database schema, seeds compliance frameworks (SOC 2, ISO 27001, NIST, HIPAA, PCI DSS), and creates a default admin user.
5. Verify the Deployment
# Health check
curl http://localhost:8000/health
# Expected: {"status":"ok"}
# Open the frontend
open http://localhost:3000
Configuration Reference
GRC Platform is configured entirely through environment variables. Here are the key settings:
Application
| Variable | Required | Description |
|---|---|---|
| LICENSE_KEY | Yes | Your GRC Platform license key |
| APP_ENV | No | development or production (default: development) |
| LOG_LEVEL | No | DEBUG, INFO, WARNING, ERROR |
Database
| Variable | Required | Description |
|---|---|---|
| DATABASE_URL | Yes | MySQL connection string: mysql+aiomysql://user:pass@host/db |
| DATABASE_SSL_MODE | No | disable or require (required in production with external DB) |
Security
| Variable | Required | Description |
|---|---|---|
| ENCRYPTION_KEY | Yes | 64 hex characters (32 bytes AES-256 key) |
| JWT_SECRET | Yes | At least 64 characters for JWT signing |
| CORS_ORIGINS | Yes | JSON array of allowed frontend origins |
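
The format requirements in the Security table, and the placeholder values in the .env template, can be checked before the stack starts. The script below is an added example, not part of the vendor's tooling; the function names check_env, env_get and fail and the distinct-digit heuristic are assumptions made for illustration, and the sample file is constructed from the template values on this page.

```shell
# Added example, not vendor code: pre-flight check for the GRC Platform .env.
# check_env FILE prints one line per finding and returns the number of findings.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }   # value of variable $2 in file $1
fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

check_env() {
    file=$1; findings=0
    case $(env_get "$file" LICENSE_KEY) in
        ''|PG-GRC-your-license-key-here) fail "LICENSE_KEY unset or template value" ;;
        PG-GRC-*) ;;
        *) fail "LICENSE_KEY is not a GRC key (PG-GRC- prefix expected)" ;;
    esac
    key=$(env_get "$file" ENCRYPTION_KEY)
    if ! printf '%s' "$key" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        fail "ENCRYPTION_KEY is not 64 hex characters"
    # Heuristic (assumption): output of openssl rand -hex 32 uses many distinct digits
    elif [ "$(printf '%s' "$key" | fold -w 1 | sort -u | wc -l)" -lt 8 ]; then
        fail "ENCRYPTION_KEY looks like a placeholder"
    fi
    jwt=$(env_get "$file" JWT_SECRET)
    case $jwt in
        *change-this*) fail "JWT_SECRET still holds the template value" ;;
        *) [ "${#jwt}" -ge 64 ] || fail "JWT_SECRET is shorter than 64 characters" ;;
    esac
    for name in MYSQL_PASSWORD MYSQL_ROOT_PASSWORD REDIS_PASSWORD MINIO_ROOT_PASSWORD; do
        case $(env_get "$file" "$name") in
            ''|your-strong-*) fail "$name unset or template value" ;;
        esac
    done
    case $(env_get "$file" CORS_ORIGINS) in
        *'"*"'*|*'http://'*) fail "CORS_ORIGINS has a wildcard or plain-http origin" ;;
    esac
    return "$findings"
}

# Constructed sample: the template values from this page, left unchanged
sample=$(mktemp)
cat > "$sample" <<'EOF'
LICENSE_KEY=PG-GRC-your-license-key-here
MYSQL_PASSWORD=your-strong-db-password
MYSQL_ROOT_PASSWORD=your-strong-root-password
REDIS_PASSWORD=your-strong-redis-password
MINIO_ROOT_PASSWORD=your-strong-minio-password
ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000001
JWT_SECRET=change-this-to-a-random-64-char-string-use-openssl-rand-hex-32xx
CORS_ORIGINS=["https://grc.your-company.com"]
EOF
check_env "$sample" || echo "$? finding(s), fix them before starting the stack"
rm -f "$sample"
```

Run against the unchanged template, every secret is reported; a file with real generated values returns 0.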
Feature Flags
| Variable | Default | Description |
|---|---|---|
| FEATURE_AUDIT_CENTER_V2 | true | Enable the Audit Center workflow system |
| FEATURE_AD_SCANNER | true | Enable Active Directory / GPO scanning |
true won't work if your license doesn't include it.
First Boot & Initial Setup
- Log in with the default admin account:
  Email: admin@grc-platform.dev
  Password: Admin@2024!Secure
- Change the admin password immediately via the Settings page.
- Create your organization (tenant) and invite team members.
- Activate frameworks — go to Frameworks and enable the ones relevant to your compliance needs.
- Configure integrations — connect your cloud providers (AWS, Azure, GCP) for automated control testing.
Upgrading GRC Platform
Upgrades are simple — pull the new images and restart. Your license key and data persist across versions.
# Pull the latest images
docker compose -f docker-compose.grc.yml pull
# Restart with the new version
docker compose -f docker-compose.grc.yml up -d
# Verify
curl http://localhost:8000/health
To pin a specific version:
# In .env
GRC_VERSION=1.2.0
# Then pull + restart
docker compose -f docker-compose.grc.yml pull
docker compose -f docker-compose.grc.yml up -d
Background Workers (Celery)
GRC Platform uses Celery for scheduled and background tasks. The compose file includes both a worker and a beat scheduler. These run automatically.
Scheduled Tasks
| Task | Schedule | Description |
|---|---|---|
| Control tests | Every 4 hours | Run all active automated control tests |
| Integration health | Every 15 min | Check connected integration status |
| Risk scoring | Hourly | Recompute risk scores across all controls |
| AD scanner | Daily 3am UTC | Run Active Directory / GPO scans |
| License heartbeat | Every 4 hours | Phone home to confirm license status |
Troubleshooting
License key errors at startup
# Check the backend logs
docker compose -f docker-compose.grc.yml logs backend | grep -i license
# Common issues:
# - LICENSE_KEY not set in .env
# - Key has expired (check your dashboard for a new key)
# - Key is for the wrong product (GRC keys start with PG-GRC-)
Database connection errors
# Wait for MySQL to be healthy first
docker compose -f docker-compose.grc.yml ps
# Check MySQL logs
docker compose -f docker-compose.grc.yml logs mysql
Resetting the admin password
# Connect to the running backend container
docker compose -f docker-compose.grc.yml exec backend bash
# Use the built-in password reset
python -m app.scripts.reset_admin_password
PurpleGuard
PurpleGuard is an AI security platform. It can run as a Docker container (dashboard + optional HTTPS proxy) or as a CLI tool for scanning and connector management.
Docker Installation
1. Authenticate with the Container Registry
docker login ghcr.io -u <your-username> -p <your-registry-token>
2. Create Your Environment File
# .env — PurpleGuard Configuration
# ─────────────────────────────────
# License (required)
PURPLEGUARD_LICENSE_KEY=PG-PG-your-license-key-here
# Dashboard authentication (required)
AUTH_USERNAME=admin
AUTH_PASSWORD=your-strong-password
# Optional: API key for programmatic access
API_KEY=your-api-key
# Gateway proxy (set to true to enable HTTPS interception)
PROXY_ENABLED=false
PROXY_HOST=your-proxy-hostname
PROXY_PUBLIC_PORT=18443
# Security policies
APPROVED_PROVIDERS=openai,anthropic,azure-openai,aws-bedrock,google-ai,google-vertex
DLP_ACTION=alert # redact | block | alert | log
SHADOW_AI_ACTION=alert # block | alert | log
PROMPT_SECURITY_ACTION=alert # block | alert | log
# Optional: License portal for heartbeat
LICENSE_PORTAL_URL=https://app.rastechsolutions.com
3. Start PurpleGuard
# Pull the latest image
docker compose -f docker-compose.purpleguard.yml pull
# Start
docker compose -f docker-compose.purpleguard.yml up -d
# Check logs
docker compose -f docker-compose.purpleguard.yml logs -f
4. Verify
# Dashboard
open http://localhost:18080/dashboard
# Health check
curl http://localhost:18080/health
CLI Installation
PurpleGuard also ships as a Python CLI for scanning, connector management, and gateway control.
1. Install with pip
# Requires Python 3.11+
pip install purpleguard
# With all connectors
pip install "purpleguard[connectors]"
# With DLP support
pip install "purpleguard[dlp]"
# Everything
pip install "purpleguard[connectors,dlp]"
2. Set Your License Key
# Option A: Environment variable
export PURPLEGUARD_LICENSE_KEY="PG-PG-your-key-here"
# Option B: License file (persists across sessions)
mkdir -p ~/.purpleguard
echo "PG-PG-your-key-here" > ~/.purpleguard/license.key
# Option C: Config file
cat > ~/.purpleguard/config.yaml << 'EOF'
license_key: "PG-PG-your-key-here"
EOF
3. Verify Installation
# Check version
purpleguard version
# List available connectors
purpleguard connectors list
# Run a scan
purpleguard scan run --target https://api.openai.com/v1/chat/completions
Gateway Setup
The AI Traffic Gateway is an HTTPS proxy (based on mitmproxy) that intercepts traffic to AI providers. It enables shadow AI detection, DLP scanning, and prompt security enforcement.
Enable the Proxy
# In .env
PROXY_ENABLED=true
PROXY_HOST=your-proxy-hostname # The hostname clients will use
PROXY_PUBLIC_PORT=18443 # The port clients will connect to
Distribute the CA Certificate
The gateway generates a CA certificate on first boot. Clients need this certificate to trust the proxy.
# Download the CA cert from the dashboard
curl -o purpleguard-ca.pem http://localhost:18080/ca.pem
# Or copy from the container
docker compose -f docker-compose.purpleguard.yml cp purpleguard:/app/data/ca/ca.pem ./purpleguard-ca.pem
Configure Clients
Point client machines at the proxy using a PAC file (auto-generated) or manual proxy settings:
# PAC file URL (auto-routes AI traffic through the proxy)
http://your-proxy-hostname:18080/proxy.pac
# Manual proxy configuration
export HTTPS_PROXY=https://your-proxy-hostname:18443
export SSL_CERT_FILE=./purpleguard-ca.pem
Security Policies
| Variable | Options | Description |
|---|---|---|
| DLP_ACTION | redact, block, alert, log | Action when PII/credentials detected in prompts |
| SHADOW_AI_ACTION | block, alert, log | Action for unapproved AI provider traffic |
| PROMPT_SECURITY_ACTION | block, alert, log | Action for prompt injection attempts |
AI-SPM Connectors
Connectors discover and inventory AI services across your cloud providers. Available connectors depend on your license tier.
| Connector | Tier | Description |
|---|---|---|
| AWS Bedrock | Starter+ | Models, endpoints, access policies |
| AWS SageMaker | Starter+ | Training jobs, endpoints, notebook instances |
| Azure AI | Starter+ | Cognitive Services, Azure OpenAI deployments |
| M365 Copilot | Professional+ | Copilot usage, data access patterns |
| GCP Vertex AI | Starter+ | Models, pipelines, feature stores |
| Databricks | Professional+ | Model serving, MLflow experiments |
| Snowflake Cortex | Professional+ | Cortex functions, LLM usage |
| HuggingFace | Professional+ | Inference endpoints, model repos |
| Salesforce Einstein | Enterprise | Einstein GPT, prediction builder |
| ServiceNow | Enterprise | Now Assist, virtual agent |
| GitHub Copilot | Enterprise | Copilot seat usage, suggestion metrics |
Configuring Connectors
# config.yaml
connectors:
  - connector_type: aws_bedrock
    enabled: true
    credentials:
      aws_access_key_id: AKIA...
      aws_secret_access_key: ...
      region: us-east-1
  - connector_type: azure_ai
    enabled: true
    credentials:
      tenant_id: ...
      client_id: ...
      client_secret: ...
      subscription_id: ...
Upgrading PurpleGuard
# Docker
docker compose -f docker-compose.purpleguard.yml pull
docker compose -f docker-compose.purpleguard.yml up -d
# CLI
pip install --upgrade purpleguard
PurpleGuard Troubleshooting
License errors
# Check which key source is being used
docker compose -f docker-compose.purpleguard.yml logs | grep -i license
# Verify CLI license
purpleguard version
# If license is invalid, you'll see the error here
# Common issues:
# - PURPLEGUARD_LICENSE_KEY not set
# - Key starts with PG-GRC- (wrong product — use PG-PG- keys)
# - Key has expired
Proxy not intercepting traffic
# Verify proxy is running
curl -x https://localhost:18443 https://api.openai.com/v1/models
# Check PROXY_ENABLED=true in .env
# Verify clients have the CA certificate installed
# Check PAC file is accessible: curl http://localhost:18080/proxy.pac
Environment Variable Reference
GRC Platform
| Variable | Required | Default | Description |
|---|---|---|---|
| LICENSE_KEY | Yes | — | GRC license key (starts with PG-GRC-) |
| DATABASE_URL | Yes | — | MySQL async connection string |
| REDIS_URL | Yes | — | Redis connection URL |
| ENCRYPTION_KEY | Yes | — | 64 hex chars for AES-256 encryption |
| JWT_SECRET | Yes | — | 64+ char JWT signing secret |
| CORS_ORIGINS | Yes | ["http://localhost:3000"] | Allowed frontend origins (JSON array) |
| LICENSE_PORTAL_URL | No | — | Portal URL for heartbeat |
| APP_ENV | No | development | Environment name |
PurpleGuard
| Variable | Required | Default | Description |
|---|---|---|---|
| PURPLEGUARD_LICENSE_KEY | Yes | — | License key (starts with PG-PG-) |
| AUTH_USERNAME | Yes* | — | Dashboard login username |
| AUTH_PASSWORD | Yes* | — | Dashboard login password |
| PORT | No | 18080 | HTTP dashboard port |
| PROXY_ENABLED | No | false | Enable HTTPS gateway proxy |
| PROXY_PORT | No | 18443 | Proxy listen port |
| DLP_ACTION | No | alert | DLP enforcement action |
| SHADOW_AI_ACTION | No | alert | Shadow AI enforcement action |
| APPROVED_PROVIDERS | No | All major providers | Comma-separated approved providers |
| LICENSE_PORTAL_URL | No | — | Portal URL for heartbeat |
License States
| State | Condition | Behavior |
|---|---|---|
| Valid | Before expiration date | Full access. Everything works normally. |
| Grace | 0-7 days after expiration | Full access + warning banner. Renew your subscription. |
| Degraded | 7-14 days after expiration | Read-only mode. You can view data but not create or modify. |
| Invalid | 14+ days after expiration, or missing/tampered key | Access blocked. All authenticated requests return 403. |
Support
- Email: support@rastechsolutions.com
- Sales: sales@rastechsolutions.com
- Enterprise customers: Contact your dedicated account manager directly.
Include your license ID (visible in your dashboard) and product version when contacting support.