From e735c29781d9c6408237c602d79fecdf9669712b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 08:58:21 -0500
Subject: [PATCH 1/7] [dev] [Itsnotaka] daniel/ai-policy-edit (#1838)

* feat(api): add AI chat endpoint for policy editing assistance, initial draft for ai policy edits

* fix: type error

* feat(policy-editor): integrate AI-assisted policy editing with markdown support

* refactor(api): streamline POST function and enhance markdown guidelines

* refactor(policy-editor): improve policy details layout and diff viewer integration

* refactor(policy-editor): simplify policy details component and enhance AI assistant integration

* refactor(policy-editor): remove unused AI assistant logic and simplify component structure

* feat(ui): add new components to package.json for diff viewer and AI elements

* chore: update lockfile

* refactor(tsconfig): reorganize compiler options and update paths

* fix(policies): resolve infinite loop in policy AI assistant

* fix(api): update policy editing assistant instructions and tool usage

---------

Co-authored-by: Daniel Fu <itsnotaka@gmail.com>
Co-authored-by: Amp <amp@ampcode.com>
---
 .husky/commit-msg                             |   3 -
 .../editor/components/PolicyDetails.tsx       | 104 +++++++++-
 .../components/ai/policy-ai-assistant.tsx     |  75 +++----
 .../app/api/policies/[policyId]/chat/route.ts | 183 +++++++++++-------
 packages/ui/src/components/diff-viewer.tsx    | 127 +++++++++---
 5 files changed, 338 insertions(+), 154 deletions(-)

diff --git a/.husky/commit-msg b/.husky/commit-msg
index 766bd7721..a78cc751d 100755
--- a/.husky/commit-msg
+++ b/.husky/commit-msg
@@ -1,4 +1 @@
-#!/usr/bin/env sh
-. "$(dirname "$0")/_/husky.sh"
-
 npx commitlint --edit $1
diff --git a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/PolicyDetails.tsx b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/PolicyDetails.tsx
index ab897c2f8..ab303af21 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/PolicyDetails.tsx
+++ b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/PolicyDetails.tsx
@@ -1,15 +1,22 @@
 'use client';
 
 import { PolicyEditor } from '@/components/editor/policy-editor';
+import { useChat } from '@ai-sdk/react';
 import { Button } from '@comp/ui/button';
 import { Card, CardContent } from '@comp/ui/card';
-
 import { DiffViewer } from '@comp/ui/diff-viewer';
 import { validateAndFixTipTapContent } from '@comp/ui/editor';
 import '@comp/ui/editor.css';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
 import type { PolicyDisplayFormat } from '@db';
 import type { JSONContent } from '@tiptap/react';
+import {
+  DefaultChatTransport,
+  getToolName,
+  isToolUIPart,
+  type ToolUIPart,
+  type UIMessage,
+} from 'ai';
 import { structuredPatch } from 'diff';
 import { CheckCircle, Loader2, Sparkles, X } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
@@ -22,6 +29,50 @@ import { updatePolicy } from '../actions/update-policy';
 import { markdownToTipTapJSON } from './ai/markdown-utils';
 import { PolicyAiAssistant } from './ai/policy-ai-assistant';
 
+function mapChatErrorToMessage(error: unknown): string {
+  const e = error as { status?: number };
+  const status = e?.status;
+
+  if (status === 401 || status === 403) {
+    return "You don't have access to this policy's AI assistant.";
+  }
+  if (status === 404) {
+    return 'This policy could not be found. It may have been removed.';
+  }
+  if (status === 429) {
+    return 'Too many requests. Please wait a moment and try again.';
+  }
+  return 'The AI assistant is currently unavailable. Please try again.';
+}
+
+interface LatestProposal {
+  key: string;
+  content: string;
+  summary: string;
+}
+
+function getLatestProposedPolicy(messages: UIMessage[]): LatestProposal | null {
+  const lastAssistantMessage = [...messages].reverse().find((m) => m.role === 'assistant');
+  if (!lastAssistantMessage?.parts) return null;
+
+  let latest: LatestProposal | null = null;
+
+  lastAssistantMessage.parts.forEach((part, index) => {
+    if (!isToolUIPart(part) || getToolName(part) !== 'proposePolicy') return;
+    const toolPart = part as ToolUIPart;
+    const input = toolPart.input as { content?: string; summary?: string } | undefined;
+    if (!input?.content) return;
+
+    latest = {
+      key: `${lastAssistantMessage.id}:${index}`,
+      content: input.content,
+      summary: input.summary ?? 'Proposing policy changes',
+    };
+  });
+
+  return latest;
+}
+
 interface PolicyContentManagerProps {
   policyId: string;
   policyContent: JSONContent | JSONContent[];
@@ -46,10 +97,37 @@ export function PolicyContentManager({
     return formattedContent;
   });
 
-  const [proposedPolicyMarkdown, setProposedPolicyMarkdown] = useState<string | null>(null);
+  const [dismissedProposalKey, setDismissedProposalKey] = useState<string | null>(null);
   const [isApplying, setIsApplying] = useState(false);
+  const [chatErrorMessage, setChatErrorMessage] = useState<string | null>(null);
   const isAiPolicyAssistantEnabled = useFeatureFlagEnabled('is-ai-policy-assistant-enabled');
 
+  const {
+    messages,
+    status,
+    sendMessage: baseSendMessage,
+  } = useChat({
+    transport: new DefaultChatTransport({
+      api: `/api/policies/${policyId}/chat`,
+    }),
+    onError(error) {
+      console.error('Policy AI chat error:', error);
+      setChatErrorMessage(mapChatErrorToMessage(error));
+    },
+  });
+
+  const sendMessage = (payload: { text: string }) => {
+    setChatErrorMessage(null);
+    baseSendMessage(payload);
+  };
+
+  const latestProposal = useMemo(() => getLatestProposedPolicy(messages), [messages]);
+
+  const activeProposal =
+    latestProposal && latestProposal.key !== dismissedProposalKey ? latestProposal : null;
+
+  const proposedPolicyMarkdown = activeProposal?.content ?? null;
+
   const switchFormat = useAction(switchPolicyDisplayFormatAction, {
     onError: () => toast.error('Failed to switch view.'),
   });
@@ -65,15 +143,17 @@ export function PolicyContentManager({
   }, [currentPolicyMarkdown, proposedPolicyMarkdown]);
 
   async function applyProposedChanges() {
-    if (!proposedPolicyMarkdown) return;
+    if (!activeProposal) return;
+
+    const { content, key } = activeProposal;
 
     setIsApplying(true);
     try {
-      const jsonContent = markdownToTipTapJSON(proposedPolicyMarkdown);
+      const jsonContent = markdownToTipTapJSON(content);
       await updatePolicy({ policyId, content: jsonContent });
       setCurrentContent(jsonContent);
       setEditorKey((prev) => prev + 1);
-      setProposedPolicyMarkdown(null);
+      setDismissedProposalKey(key);
       toast.success('Policy updated with AI suggestions');
     } catch (err) {
       console.error('Failed to apply changes:', err);
@@ -141,8 +221,10 @@ export function PolicyContentManager({
             {showAiAssistant && isAiPolicyAssistantEnabled && (
               <div className="w-80 shrink-0 min-h-[400px] self-stretch flex flex-col">
                 <PolicyAiAssistant
-                  policyId={policyId}
-                  onProposedPolicyChange={setProposedPolicyMarkdown}
+                  messages={messages}
+                  status={status}
+                  errorMessage={chatErrorMessage}
+                  sendMessage={sendMessage}
                   close={() => setShowAiAssistant(false)}
                 />
               </div>
@@ -151,10 +233,14 @@ export function PolicyContentManager({
         </CardContent>
       </Card>
 
-      {proposedPolicyMarkdown && diffPatch && (
+      {proposedPolicyMarkdown && diffPatch && activeProposal && (
         <div className="space-y-2">
           <div className="flex items-center justify-end gap-2">
-            <Button variant="ghost" size="sm" onClick={() => setProposedPolicyMarkdown(null)}>
+            <Button
+              variant="ghost"
+              size="sm"
+              onClick={() => setDismissedProposalKey(activeProposal.key)}
+            >
               <X className="h-3 w-3 mr-1" />
               Dismiss
             </Button>
diff --git a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/ai/policy-ai-assistant.tsx b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/ai/policy-ai-assistant.tsx
index 461f37139..561bdc973 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/ai/policy-ai-assistant.tsx
+++ b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/editor/components/ai/policy-ai-assistant.tsx
@@ -9,58 +9,43 @@ import {
 import { Tool, ToolHeader } from '@comp/ui/ai-elements/tool';
 import { Button } from '@comp/ui/button';
 import { cn } from '@comp/ui/cn';
-import { DefaultChatTransport, getToolName, isToolUIPart } from 'ai';
-import type { ToolUIPart } from 'ai';
-import { useChat } from '@ai-sdk/react';
+import {
+  getToolName,
+  isToolUIPart,
+  type ChatStatus,
+  type ToolUIPart,
+  type UIMessage,
+} from 'ai';
 import { X } from 'lucide-react';
-import { useEffect, useRef, useState } from 'react';
+import { useState } from 'react';
 
 interface PolicyAiAssistantProps {
-  policyId: string;
-  onProposedPolicyChange?: (content: string | null) => void;
+  messages: UIMessage[];
+  status: ChatStatus;
+  errorMessage?: string | null;
+  sendMessage: (payload: { text: string }) => void;
   close?: () => void;
 }
 
 export function PolicyAiAssistant({
-  policyId,
-  onProposedPolicyChange,
+  messages,
+  status,
+  errorMessage,
+  sendMessage,
   close,
 }: PolicyAiAssistantProps) {
   const [input, setInput] = useState('');
-  const lastProcessedToolCallRef = useRef<string | null>(null);
-  
-  const { messages, status, error, sendMessage } = useChat({
-    transport: new DefaultChatTransport({
-      api: `/api/policies/${policyId}/chat`,
-    }),
-  });
 
   const isLoading = status === 'streaming' || status === 'submitted';
 
-  useEffect(() => {
-    const lastAssistantMessage = [...messages].reverse().find((m) => m.role === 'assistant');
-    if (!lastAssistantMessage?.parts) return;
-
-    for (const part of lastAssistantMessage.parts) {
-      if (isToolUIPart(part) && getToolName(part) === 'proposePolicy') {
-        const toolInput = part.input as { content: string; summary: string };
-        
-        if (part.state === 'input-streaming') {
-          onProposedPolicyChange?.(toolInput?.content || '');
-          continue;
-        }
-        
-        if (lastProcessedToolCallRef.current === part.toolCallId) {
-          continue;
-        }
-        
-        if (toolInput?.content) {
-          lastProcessedToolCallRef.current = part.toolCallId;
-          onProposedPolicyChange?.(toolInput.content);
-        }
-      }
-    }
-  }, [messages, onProposedPolicyChange]);
+  const hasActiveTool = messages.some(
+    (m) =>
+      m.role === 'assistant' &&
+      m.parts.some(
+        (p) =>
+          isToolUIPart(p) && (p.state === 'input-streaming' || p.state === 'input-available'),
+      ),
+  );
 
   const handleSubmit = () => {
     if (!input.trim()) return;
@@ -108,10 +93,10 @@ export function PolicyAiAssistant({
                     </div>
                   );
                 }
-                
+
                 if (isToolUIPart(part) && getToolName(part) === 'proposePolicy') {
                   const toolPart = part as ToolUIPart;
-                  const toolInput = part.input as { content: string; summary: string };
+                  const toolInput = toolPart.input as { content?: string; summary?: string };
                   return (
                     <Tool key={`${message.id}-${index}`} className="mt-2">
                       <ToolHeader
@@ -122,20 +107,20 @@ export function PolicyAiAssistant({
                     </Tool>
                   );
                 }
-                
+
                 return null;
               })}
             </div>
           ))
         )}
-        {isLoading && (
+        {isLoading && !hasActiveTool && (
           <div className="text-sm text-muted-foreground">Thinking...</div>
         )}
       </div>
 
-      {error && (
+      {errorMessage && (
         <div className="border-t bg-destructive/10 px-3 py-2">
-          <p className="text-xs text-destructive">{error.message}</p>
+          <p className="text-xs text-destructive">{errorMessage}</p>
         </div>
       )}
 
diff --git a/apps/app/src/app/api/policies/[policyId]/chat/route.ts b/apps/app/src/app/api/policies/[policyId]/chat/route.ts
index 6e8759e86..c7aacd822 100644
--- a/apps/app/src/app/api/policies/[policyId]/chat/route.ts
+++ b/apps/app/src/app/api/policies/[policyId]/chat/route.ts
@@ -9,55 +9,68 @@ import { z } from 'zod';
 export const maxDuration = 60;
 
 export async function POST(req: Request, { params }: { params: Promise<{ policyId: string }> }) {
-  const { policyId } = await params;
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
-
-  if (!session?.user) {
-    return NextResponse.json({ message: 'Unauthorized' }, { status: 401 });
-  }
-
-  const organizationId = session.session.activeOrganizationId;
-
-  if (!organizationId) {
-    return NextResponse.json({ message: 'No active organization' }, { status: 400 });
-  }
+  try {
+    const { policyId } = await params;
+    const session = await auth.api.getSession({
+      headers: await headers(),
+    });
+
+    if (!session?.user) {
+      return NextResponse.json(
+        { message: 'You must be signed in to use the AI assistant.' },
+        { status: 401 },
+      );
+    }
 
-  const { messages }: { messages: Array<UIMessage> } = await req.json();
+    const organizationId = session.session.activeOrganizationId;
 
-  const member = await db.member.findFirst({
-    where: {
-      userId: session.user.id,
-      organizationId,
-      deactivated: false,
-    },
-  });
+    if (!organizationId) {
+      return NextResponse.json(
+        { message: 'You need an active organization to use the AI assistant.' },
+        { status: 400 },
+      );
+    }
 
-  if (!member) {
-    return NextResponse.json({ message: 'Not a member of this organization' }, { status: 403 });
-  }
+    const { messages }: { messages: Array<UIMessage> } = await req.json();
+
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      return NextResponse.json(
+        { message: "You don't have access to this policy's AI assistant." },
+        { status: 403 },
+      );
+    }
 
-  const policy = await db.policy.findFirst({
-    where: {
-      id: policyId,
-      organizationId,
-    },
-    select: {
-      id: true,
-      name: true,
-      description: true,
-      content: true,
-    },
-  });
-
-  if (!policy) {
-    return NextResponse.json({ message: 'Policy not found' }, { status: 404 });
-  }
+    const policy = await db.policy.findFirst({
+      where: {
+        id: policyId,
+        organizationId,
+      },
+      select: {
+        id: true,
+        name: true,
+        description: true,
+        content: true,
+      },
+    });
+
+    if (!policy) {
+      return NextResponse.json(
+        { message: 'This policy could not be found. It may have been removed.' },
+        { status: 404 },
+      );
+    }
 
-  const policyContentText = convertPolicyContentToText(policy.content);
+    const policyContentText = convertPolicyContentToText(policy.content);
 
-  const systemPrompt = `You are an expert GRC (Governance, Risk, and Compliance) policy editor. You help users edit and improve their organizational policies to meet compliance requirements like SOC 2, ISO 27001, and GDPR.
+    const systemPrompt = `You are an expert GRC (Governance, Risk, and Compliance) policy editor. You help users edit and improve their organizational policies to meet compliance requirements like SOC 2, ISO 27001, and GDPR.
 
 Current Policy Name: ${policy.name}
 ${policy.description ? `Policy Description: ${policy.description}` : ''}
@@ -67,11 +80,16 @@ Current Policy Content:
 ${policyContentText}
 ---
 
+IMPORTANT: This assistant is ONLY for editing policies. You MUST always use one of the available tools.
+
 Your role:
-1. Help users understand and improve their policies
-2. Suggest specific changes when asked
-3. Ensure policies remain compliant with relevant frameworks
-4. Maintain professional, clear language appropriate for official documentation
+1. Edit and improve policies when asked
+2. Ensure policies remain compliant with relevant frameworks
+3. Maintain professional, clear language appropriate for official documentation
+
+TOOL USAGE (MANDATORY):
+- If the user asks you to make changes, edits, or improvements: use the proposePolicy tool
+- If the user asks a question or anything that is NOT an edit request: use the returnQuestion tool
 
 COMMUNICATION STYLE:
 - Be concise and direct. No lengthy explanations or preamble.
@@ -81,6 +99,9 @@ COMMUNICATION STYLE:
 WHEN MAKING POLICY CHANGES:
 Use the proposePolicy tool immediately. State what you'll change in ONE sentence, then call the tool.
 
+WHEN USER ASKS A QUESTION:
+Use the returnQuestion tool immediately. Do not answer the question directly.
+
 CRITICAL MARKDOWN FORMATTING RULES:
 - Every heading MUST have text after the # symbols (e.g., "## Section Title", never just "##")
 - Preserve the original document structure and all sections
@@ -99,30 +120,52 @@ QUALITY CHECKLIST before submitting:
 
 Keep responses helpful and focused on the policy editing task.`;
 
-  const result = streamText({
-    model: openai('gpt-5.1'),
-    system: systemPrompt,
-    messages: convertToModelMessages(messages),
-    tools: {
-      proposePolicy: tool({
-        description:
-          'Propose an updated version of the policy. Use this tool whenever the user asks you to make changes, edits, or improvements to the policy. You must provide the COMPLETE policy content, not just the changes.',
-        inputSchema: z.object({
-          content: z
-            .string()
-            .describe(
-              'The complete updated policy content in markdown format. Must include the entire policy, not just the changed sections.',
-            ),
-          summary: z
-            .string()
-            .describe('One to two sentences summarizing the changes. No bullet points.'),
+    const result = streamText({
+      //  we use 5.1 because it has the best context window for this task
+      model: openai('gpt-5.1'),
+      system: systemPrompt,
+      messages: convertToModelMessages(messages),
+      toolChoice: 'required',
+      tools: {
+        proposePolicy: tool({
+          description:
+            'Propose an updated version of the policy. Use this tool whenever the user asks you to make changes, edits, or improvements to the policy. You must provide the COMPLETE policy content, not just the changes.',
+          inputSchema: z.object({
+            content: z
+              .string()
+              .describe(
+                'The complete updated policy content in markdown format. Must include the entire policy, not just the changed sections.',
+              ),
+            summary: z
+              .string()
+              .describe('One to two sentences summarizing the changes. No bullet points.'),
+          }),
+          execute: async ({ summary }) => ({ success: true, summary }),
         }),
-        execute: async ({ summary }) => ({ success: true, summary }),
-      }),
-    },
-  });
-
-  return result.toUIMessageStreamResponse();
+        returnQuestion: tool({
+          description:
+            'Use this tool when the user asks a question instead of requesting an edit. This assistant is only for editing policies, not answering questions.',
+          inputSchema: z.object({
+            question: z.string().describe('The question the user asked.'),
+            message: z
+              .string()
+              .describe(
+                'A brief message explaining that this assistant is only for editing policies and suggesting they rephrase as an edit request.',
+              ),
+          }),
+          execute: async ({ question, message }) => ({ success: true, question, message }),
+        }),
+      },
+    });
+
+    return result.toUIMessageStreamResponse();
+  } catch (error) {
+    console.error('Policy chat route error:', error);
+    return NextResponse.json(
+      { message: 'The AI assistant is currently unavailable. Please try again.' },
+      { status: 500 },
+    );
+  }
 }
 
 function convertPolicyContentToText(content: unknown): string {
diff --git a/packages/ui/src/components/diff-viewer.tsx b/packages/ui/src/components/diff-viewer.tsx
index 9aa69cda2..b2bf8e756 100644
--- a/packages/ui/src/components/diff-viewer.tsx
+++ b/packages/ui/src/components/diff-viewer.tsx
@@ -1,13 +1,7 @@
-import { Diff, Hunk } from './diff';
+'use client';
 
-import {
-  CollapsibleCard,
-  CollapsibleCardContent,
-  CollapsibleCardHeader,
-  CollapsibleCardTitle,
-} from './collapsible-card';
-
-import { parseDiff, type ParseOptions } from './diff/utils/parse';
+import { cn } from '../utils';
+import { parseDiff, type Hunk, type Line, type ParseOptions } from './diff/utils';
 
 export function DiffViewer({
   patch,
@@ -19,24 +13,103 @@ export function DiffViewer({
   const [file] = parseDiff(patch, options);
   if (!file) return null;
 
+  const hasChanges = file.hunks.some(
+    (hunk) =>
+      hunk.type === 'hunk' && hunk.lines.some((line) => line.type !== 'normal' && hasContent(line)),
+  );
+  if (!hasChanges) return null;
+
+  return (
+    <div className="rounded-sm border bg-card overflow-hidden">
+      <DiffHeader />
+      <div className="divide-y divide-border/50">
+        {file.hunks.map((hunk, i) =>
+          hunk.type === 'hunk' ? (
+            <DiffHunk key={i} hunk={hunk} />
+          ) : (
+            <SkippedSection key={i} count={hunk.count} />
+          ),
+        )}
+      </div>
+    </div>
+  );
+}
+
+function hasContent(line: Line): boolean {
+  const text = line.content
+    .map((seg) => seg.value)
+    .join('')
+    .trim();
+  return text.length > 0;
+}
+
+function DiffHeader() {
+  return (
+    <div className="border-b bg-muted/50 px-4 py-3 space-y-2">
+      <p className="text-sm/6 font-medium">Proposed Policy Updates</p>
+      <div className="flex flex-wrap gap-4 text-xs/5 text-muted-foreground">
+        <span className="inline-flex items-center gap-1.5">
+          <AddBadge />
+          Text will be added
+        </span>
+        <span className="inline-flex items-center gap-1.5">
+          <RemoveBadge />
+          Text will be removed
+        </span>
+      </div>
+    </div>
+  );
+}
+
+function AddBadge() {
+  return (
+    <span className="inline-flex items-center rounded-full bg-green-100 text-green-700 px-2 py-0.5 text-[11px]/4 font-medium">
+      + Add
+    </span>
+  );
+}
+
+function RemoveBadge() {
+  return (
+    <span className="inline-flex items-center rounded-full bg-red-100 text-red-700 px-2 py-0.5 text-[11px]/4 font-medium">
+      − Remove
+    </span>
+  );
+}
+
+function DiffHunk({ hunk }: { hunk: Hunk }) {
+  const visibleLines = hunk.lines.filter((line) => line.type === 'normal' || hasContent(line));
+
+  return (
+    <div className="text-sm/6">
+      {visibleLines.map((line, i) => (
+        <DiffLine key={i} line={line} />
+      ))}
+    </div>
+  );
+}
+
+function DiffLine({ line }: { line: Line }) {
+  const text = line.content.map((seg) => seg.value).join('');
+
+  if (line.type === 'normal') {
+    return <div className="px-4 py-1 text-muted-foreground">{text}</div>;
+  }
+
+  const isAdd = line.type === 'insert';
+
+  return (
+    <div className={cn('flex items-center gap-3 px-4 py-1.5', isAdd ? 'bg-green-50' : 'bg-red-50')}>
+      <span className="shrink-0">{isAdd ? <AddBadge /> : <RemoveBadge />}</span>
+      <span className={cn(!isAdd && 'line-through decoration-red-500')}>{text}</span>
+    </div>
+  );
+}
+
+function SkippedSection({ count }: { count: number }) {
   return (
-    <CollapsibleCard
-      data-section-id="diff-viewer"
-      id="diff-viewer"
-      className="my-4 text-[0.8rem] w-full"
-      title="File Changes"
-      defaultOpen
-    >
-      <CollapsibleCardHeader>
-        <CollapsibleCardTitle title={file.newPath}>{file.newPath}</CollapsibleCardTitle>
-      </CollapsibleCardHeader>
-      <CollapsibleCardContent>
-        <Diff fileName="file-changes.tsx" hunks={file.hunks} type={file.type}>
-          {file.hunks.map((hunk) => (
-            <Hunk key={hunk.content} hunk={hunk} />
-          ))}
-        </Diff>
-      </CollapsibleCardContent>
-    </CollapsibleCard>
+    <div className="px-4 py-2 text-xs/5 text-muted-foreground italic text-center bg-muted/30">
+      {count} unchanged {count === 1 ? 'paragraph' : 'paragraphs'}
+    </div>
   );
 }

From 96e115ed86a3a7c9bb34c9ba24cfbc46e9190445 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 09:00:28 -0500
Subject: [PATCH 2/7] feat(SOA): implement SOA logic and do refactor (#1836)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
---
 .../app/(app)/[orgId]/knowledge-base/page.tsx |  12 +-
 .../components/QuestionnaireBreadcrumb.tsx    |   2 +-
 .../components/QuestionnaireDetailClient.tsx  |   0
 .../[questionnaireId]/data/queries.ts         |   0
 .../[questionnaireId]/page.tsx                |   2 +-
 .../actions/answer-single-question.ts         |   0
 .../actions/create-trigger-token.ts           |   0
 .../actions/delete-questionnaire-answer.ts    |   0
 .../actions/export-questionnaire.ts           |   2 +-
 .../actions/parse-questionnaire-ai.ts         |   0
 .../actions/save-answer.ts                    |   0
 .../actions/save-answers-batch.ts             |   0
 .../actions/update-questionnaire-answer.ts    |   0
 .../actions/upload-questionnaire-file.ts      |   0
 .../vendor-questionnaire-orchestrator.ts      |   0
 .../components/KnowledgeBaseDocumentLink.tsx  |   4 +-
 .../components/ManualAnswerLink.tsx           |   2 +-
 .../components/QuestionnaireParser.tsx        |   0
 .../components/QuestionnaireResults.tsx       |   0
 .../components/QuestionnaireResultsCards.tsx  |   0
 .../components/QuestionnaireResultsHeader.tsx |   0
 .../components/QuestionnaireResultsTable.tsx  |   0
 .../components/QuestionnaireSidebar.tsx       |   0
 .../components/QuestionnaireUpload.tsx        |   0
 .../components/QuestionnaireView.tsx          |   0
 .../components/types.ts                       |   0
 .../hooks/usePersistGeneratedAnswers.ts       |   0
 .../hooks/useQuestionnaireActions.ts          |   0
 .../hooks/useQuestionnaireAutoAnswer.ts       |   2 +-
 .../hooks/useQuestionnaireDetail/index.ts     |   0
 .../hooks/useQuestionnaireDetail/types.ts     |   0
 .../useQuestionnaireDetail.ts                 |   0
 .../useQuestionnaireDetailHandlers.ts         |   0
 .../useQuestionnaireDetailState.ts            |   0
 .../hooks/useQuestionnaireParse.ts            |   2 +-
 .../hooks/useQuestionnaireParser.ts           |   0
 .../hooks/useQuestionnaireSingleAnswer.ts     |   2 +-
 .../hooks/useQuestionnaireState.ts            |   0
 .../actions/delete-document.ts                |   2 +-
 .../actions/download-document.ts              |   0
 .../actions/get-document-view-url.ts          |   0
 .../actions/process-documents.ts              |   0
 .../actions/upload-document.ts                |   2 +-
 .../components/AdditionalDocumentsSection.tsx |   0
 .../additional-documents/components/index.ts  |   0
 .../hooks/useDocumentProcessing.ts            |   0
 .../knowledge-base/components/BackButton.tsx  |   0
 .../components/KnowledgeBaseBreadcrumb.tsx    |   0
 .../components/KnowledgeBaseHeader.tsx        |   0
 .../knowledge-base/components/index.ts        |   0
 .../context/components/ContextSection.tsx     |   0
 .../context/components/index.ts               |   0
 .../knowledge-base/data/queries.ts            |   0
 .../knowledge-base/hooks/usePagination.ts     |   0
 .../actions/delete-all-manual-answers.ts      |   2 +-
 .../actions/delete-manual-answer.ts           |   2 +-
 .../actions/save-manual-answer.ts             |   2 +-
 .../components/ManualAnswersSection.tsx       |   2 +-
 .../manual-answers/components/index.ts        |   0
 .../knowledge-base/page.tsx                   |   0
 .../components/PublishedPoliciesSection.tsx   |   0
 .../published-policies/components/index.ts    |   0
 .../(app)/[orgId]/questionnaire/layout.tsx    |  71 ++
 .../loading.tsx                               |   0
 .../new_questionnaire/page.tsx                |   4 +-
 .../page.tsx                                  |   0
 .../soa/actions/approve-soa-document.ts       |  88 +++
 .../soa/actions/auto-fill-soa.ts              | 328 +++++++++
 .../soa/actions/create-soa-document.ts        |  89 +++
 .../soa/actions/decline-soa-document.ts       |  88 +++
 .../soa/actions/ensure-soa-setup.ts           | 142 ++++
 .../soa/actions/save-soa-answer.ts            | 183 +++++
 .../soa/actions/seed-soa-config.ts            |  55 ++
 .../soa/actions/submit-soa-for-approval.ts    |  81 +++
 .../soa/components/CreateSOADocument.tsx      |  78 ++
 .../soa/components/EditableIsApplicable.tsx   | 150 ++++
 .../soa/components/EditableJustification.tsx  | 158 +++++
 .../soa/components/EditableSOAFields.tsx      | 227 ++++++
 .../soa/components/SOADocumentInfo.tsx        | 133 ++++
 .../soa/components/SOAFrameworkTable.tsx      | 301 ++++++++
 .../soa/components/SOAFrameworkTabs.tsx       | 176 +++++
 .../components/SOAPendingApprovalAlert.tsx    |  88 +++
 .../questionnaire/soa/components/SOATable.tsx | 150 ++++
 .../soa/components/SOATableRow.tsx            | 168 +++++
 .../soa/components/SubmitApprovalDialog.tsx   |  70 ++
 .../[orgId]/questionnaire/soa/data/queries.ts | 344 +++++++++
 .../questionnaire/soa/hooks/useSOAAutoFill.ts | 138 ++++
 .../(app)/[orgId]/questionnaire/soa/page.tsx  | 271 +++++++
 .../soa/seedJson/ISO/config.json              | 671 ++++++++++++++++++
 .../soa/utils/generate-soa-answer.ts          | 205 ++++++
 .../soa/utils/transform-iso-config.ts         | 129 ++++
 .../start_page/README.md                      |   8 +-
 .../actions/delete-questionnaire.ts           |   2 +-
 .../components/QuestionnaireHistory.tsx       |   2 +-
 .../components/QuestionnaireOverview.tsx      |   2 +-
 .../start_page/components/index.ts            |   0
 .../start_page/data/queries.ts                |   0
 .../hooks/useQuestionnaireHistory.ts          |   0
 .../utils/deduplicate-sources.ts              |   0
 .../[orgId]/security-questionnaire/layout.tsx |  29 -
 .../answer-single/route.ts                    |   0
 .../auto-answer/route.ts                      |   0
 .../auto-fill/helpers/check-fully-remote.ts   |  51 ++
 .../soa/auto-fill/helpers/process-question.ts | 254 +++++++
 .../soa/auto-fill/helpers/save-answers.ts     | 131 ++++
 .../api/questionnaire/soa/auto-fill/route.ts  | 228 ++++++
 apps/app/src/components/main-menu.tsx         |   2 +-
 .../tasks/vendors/answer-question-helpers.ts  |   2 +-
 .../migration.sql                             | 117 +++
 .../migration.sql                             |   5 +
 .../migration.sql                             |   9 +
 packages/db/prisma/schema/auth.prisma         |   1 +
 .../db/prisma/schema/framework-editor.prisma  |   2 +
 .../schema/knowledge-base-document.prisma     |  25 +-
 packages/db/prisma/schema/organization.prisma |  43 +-
 .../db/prisma/schema/questionnaire.prisma     |  49 +-
 ...ecurity-questionnaire-manual-answer.prisma |  25 +-
 packages/db/prisma/schema/soa.prisma          | 134 ++++
 packages/ui/src/components/secondary-menu.tsx |   2 +-
 119 files changed, 5617 insertions(+), 134 deletions(-)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx (96%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/[questionnaireId]/components/QuestionnaireDetailClient.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/[questionnaireId]/data/queries.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/[questionnaireId]/page.tsx (94%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/answer-single-question.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/create-trigger-token.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/delete-questionnaire-answer.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/export-questionnaire.ts (99%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/parse-questionnaire-ai.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/save-answer.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/save-answers-batch.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/update-questionnaire-answer.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/upload-questionnaire-file.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/actions/vendor-questionnaire-orchestrator.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/KnowledgeBaseDocumentLink.tsx (92%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/ManualAnswerLink.tsx (86%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireParser.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireResults.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireResultsCards.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireResultsHeader.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireResultsTable.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireSidebar.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireUpload.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/QuestionnaireView.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/components/types.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/usePersistGeneratedAnswers.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireActions.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireAutoAnswer.ts (99%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireDetail/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireDetail/types.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireDetail/useQuestionnaireDetail.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireDetail/useQuestionnaireDetailHandlers.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireDetail/useQuestionnaireDetailState.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireParse.ts (98%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireParser.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireSingleAnswer.ts (98%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/hooks/useQuestionnaireState.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/actions/delete-document.ts (97%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/actions/download-document.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/actions/get-document-view-url.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/actions/process-documents.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/actions/upload-document.ts (98%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/components/AdditionalDocumentsSection.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/components/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/components/BackButton.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/components/KnowledgeBaseBreadcrumb.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/components/KnowledgeBaseHeader.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/components/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/context/components/ContextSection.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/context/components/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/data/queries.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/hooks/usePagination.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts (97%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/manual-answers/actions/delete-manual-answer.ts (96%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/manual-answers/actions/save-manual-answer.ts (98%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/manual-answers/components/ManualAnswersSection.tsx (99%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/manual-answers/components/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/page.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/published-policies/components/PublishedPoliciesSection.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/knowledge-base/published-policies/components/index.ts (100%)
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/layout.tsx
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/loading.tsx (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/new_questionnaire/page.tsx (96%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/page.tsx (100%)
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/approve-soa-document.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/auto-fill-soa.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/create-soa-document.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/decline-soa-document.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/ensure-soa-setup.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/save-soa-answer.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/seed-soa-config.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/submit-soa-for-approval.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/CreateSOADocument.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableIsApplicable.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableJustification.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTable.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTabs.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SubmitApprovalDialog.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/data/queries.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/hooks/useSOAAutoFill.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/page.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/seedJson/ISO/config.json
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/generate-soa-answer.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/transform-iso-config.ts
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/README.md (66%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/actions/delete-questionnaire.ts (95%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/components/QuestionnaireHistory.tsx (99%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/components/QuestionnaireOverview.tsx (96%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/components/index.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/data/queries.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/start_page/hooks/useQuestionnaireHistory.ts (100%)
 rename apps/app/src/app/(app)/[orgId]/{security-questionnaire => questionnaire}/utils/deduplicate-sources.ts (100%)
 delete mode 100644 apps/app/src/app/(app)/[orgId]/security-questionnaire/layout.tsx
 rename apps/app/src/app/api/{security-questionnaire => questionnaire}/answer-single/route.ts (100%)
 rename apps/app/src/app/api/{security-questionnaire => questionnaire}/auto-answer/route.ts (100%)
 create mode 100644 apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/check-fully-remote.ts
 create mode 100644 apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/process-question.ts
 create mode 100644 apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/save-answers.ts
 create mode 100644 apps/app/src/app/api/questionnaire/soa/auto-fill/route.ts
 create mode 100644 packages/db/prisma/migrations/20251125130730_add_soa_tables_with_versioning/migration.sql
 create mode 100644 packages/db/prisma/migrations/20251125182239_add_prepared_by_approved_by_to_soa_document/migration.sql
 create mode 100644 packages/db/prisma/migrations/20251125191143_change_approved_by_to_approver_id/migration.sql
 create mode 100644 packages/db/prisma/schema/soa.prisma

diff --git a/apps/app/src/app/(app)/[orgId]/knowledge-base/page.tsx b/apps/app/src/app/(app)/[orgId]/knowledge-base/page.tsx
index 50e87f488..f2aac3af1 100644
--- a/apps/app/src/app/(app)/[orgId]/knowledge-base/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/knowledge-base/page.tsx
@@ -2,17 +2,17 @@ import PageWithBreadcrumb from '@/components/pages/PageWithBreadcrumb';
 import { auth } from '@/utils/auth';
 import { headers } from 'next/headers';
 import { notFound } from 'next/navigation';
-import { AdditionalDocumentsSection } from '../security-questionnaire/knowledge-base/additional-documents/components';
-import { ContextSection } from '../security-questionnaire/knowledge-base/context/components';
-import { ManualAnswersSection } from '../security-questionnaire/knowledge-base/manual-answers/components';
-import { PublishedPoliciesSection } from '../security-questionnaire/knowledge-base/published-policies/components';
-import { KnowledgeBaseHeader } from '../security-questionnaire/knowledge-base/components/KnowledgeBaseHeader';
+import { AdditionalDocumentsSection } from '../questionnaire/knowledge-base/additional-documents/components';
+import { ContextSection } from '../questionnaire/knowledge-base/context/components';
+import { ManualAnswersSection } from '../questionnaire/knowledge-base/manual-answers/components';
+import { PublishedPoliciesSection } from '../questionnaire/knowledge-base/published-policies/components';
+import { KnowledgeBaseHeader } from '../questionnaire/knowledge-base/components/KnowledgeBaseHeader';
 import {
   getContextEntries,
   getKnowledgeBaseDocuments,
   getManualAnswers,
   getPublishedPolicies,
-} from '../security-questionnaire/knowledge-base/data/queries';
+} from '../questionnaire/knowledge-base/data/queries';
 
 export default async function KnowledgeBasePage() {
   const session = await auth.api.getSession({
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx
similarity index 96%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx
index 763ed0251..13ab01bea 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/components/QuestionnaireBreadcrumb.tsx
@@ -19,7 +19,7 @@ export function QuestionnaireBreadcrumb({ filename, organizationId }: Questionna
         {/* Security Questionnaire Link */}
         <li className="flex items-center">
           <Link
-            href={`/${orgId}/security-questionnaire`}
+            href={`/${orgId}/questionnaire`}
             className="group flex items-center gap-2 rounded-md px-3 py-1.5 text-sm font-medium text-muted-foreground transition-all duration-200 hover:bg-muted hover:text-foreground"
           >
             <FileQuestion className="h-4 w-4 shrink-0 transition-colors group-hover:text-primary" />
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/components/QuestionnaireDetailClient.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/components/QuestionnaireDetailClient.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/components/QuestionnaireDetailClient.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/components/QuestionnaireDetailClient.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/data/queries.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/data/queries.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/data/queries.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/data/queries.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/page.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/page.tsx
similarity index 94%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/page.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/page.tsx
index 022f57ec7..0b7f2b083 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/[questionnaireId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/[questionnaireId]/page.tsx
@@ -35,7 +35,7 @@ export default async function QuestionnaireDetailPage({
   return (
     <PageWithBreadcrumb
       breadcrumbs={[
-        { label: 'Overview', href: `/${organizationId}/security-questionnaire` },
+        { label: 'Overview', href: `/${organizationId}/questionnaire` },
         { label: questionnaire.filename, current: true },
       ]}
     >
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/answer-single-question.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/answer-single-question.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/answer-single-question.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/answer-single-question.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/create-trigger-token.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/create-trigger-token.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/create-trigger-token.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/create-trigger-token.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/delete-questionnaire-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/delete-questionnaire-answer.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/delete-questionnaire-answer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/delete-questionnaire-answer.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/export-questionnaire.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/export-questionnaire.ts
similarity index 99%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/export-questionnaire.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/export-questionnaire.ts
index e949ee2d8..3a7dba5b6 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/export-questionnaire.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/export-questionnaire.ts
@@ -142,7 +142,7 @@ export const exportQuestionnaire = authActionClient
     const organizationId = session.activeOrganizationId;
     
     try {
-      const vendorName = 'security-questionnaire';
+      const vendorName = 'questionnaire';
       const sanitizedVendorName = vendorName.toLowerCase().replace(/[^a-z0-9]/g, '-');
       const timestamp = new Date().toISOString().split('T')[0];
       
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/parse-questionnaire-ai.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/parse-questionnaire-ai.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/parse-questionnaire-ai.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/parse-questionnaire-ai.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/save-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/save-answer.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/save-answer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/save-answer.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/save-answers-batch.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/save-answers-batch.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/save-answers-batch.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/save-answers-batch.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/update-questionnaire-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/update-questionnaire-answer.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/update-questionnaire-answer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/update-questionnaire-answer.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/upload-questionnaire-file.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/upload-questionnaire-file.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/upload-questionnaire-file.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/upload-questionnaire-file.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/vendor-questionnaire-orchestrator.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/actions/vendor-questionnaire-orchestrator.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/actions/vendor-questionnaire-orchestrator.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/actions/vendor-questionnaire-orchestrator.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/KnowledgeBaseDocumentLink.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/KnowledgeBaseDocumentLink.tsx
similarity index 92%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/KnowledgeBaseDocumentLink.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/KnowledgeBaseDocumentLink.tsx
index 1fdf1fcdd..9ce4ecb64 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/KnowledgeBaseDocumentLink.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/components/KnowledgeBaseDocumentLink.tsx
@@ -37,14 +37,14 @@ export function KnowledgeBaseDocumentLink({
           window.open(signedUrl, '_blank', 'noopener,noreferrer');
         } else {
           // File cannot be viewed in browser - navigate to knowledge base page
-          const knowledgeBaseUrl = `/${orgId}/security-questionnaire/knowledge-base`;
+          const knowledgeBaseUrl = `/${orgId}/questionnaire/knowledge-base`;
           window.open(knowledgeBaseUrl, '_blank', 'noopener,noreferrer');
         }
       }
     } catch (error) {
       console.error('Error opening knowledge base document:', error);
       // Fallback: navigate to knowledge base page
-      const knowledgeBaseUrl = `/${orgId}/security-questionnaire/knowledge-base`;
+      const knowledgeBaseUrl = `/${orgId}/questionnaire/knowledge-base`;
       window.open(knowledgeBaseUrl, '_blank', 'noopener,noreferrer');
     } finally {
       setIsLoading(false);
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/ManualAnswerLink.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/ManualAnswerLink.tsx
similarity index 86%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/ManualAnswerLink.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/ManualAnswerLink.tsx
index 46727807f..b04b07629 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/ManualAnswerLink.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/components/ManualAnswerLink.tsx
@@ -17,7 +17,7 @@ export function ManualAnswerLink({
   className = 'font-medium text-primary hover:underline inline-flex items-center gap-1',
 }: ManualAnswerLinkProps) {
   // Link to knowledge base page with hash anchor to scroll to specific manual answer
-  const knowledgeBaseUrl = `/${orgId}/security-questionnaire/knowledge-base#manual-answer-${manualAnswerId}`;
+  const knowledgeBaseUrl = `/${orgId}/questionnaire/knowledge-base#manual-answer-${manualAnswerId}`;
 
   return (
     <Link
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireParser.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireParser.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireParser.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireParser.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResults.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResults.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResults.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResults.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsCards.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsCards.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsCards.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsCards.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsHeader.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsHeader.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsHeader.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsHeader.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsTable.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsTable.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireResultsTable.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireResultsTable.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireSidebar.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireSidebar.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireSidebar.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireSidebar.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireUpload.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireUpload.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireUpload.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireUpload.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireView.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireView.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/QuestionnaireView.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/QuestionnaireView.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/components/types.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/components/types.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/components/types.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/components/types.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/usePersistGeneratedAnswers.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/usePersistGeneratedAnswers.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/usePersistGeneratedAnswers.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/usePersistGeneratedAnswers.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireActions.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireActions.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireActions.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireActions.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireAutoAnswer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireAutoAnswer.ts
similarity index 99%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireAutoAnswer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireAutoAnswer.ts
index effcbae74..ab8219965 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireAutoAnswer.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireAutoAnswer.ts
@@ -85,7 +85,7 @@ export function useQuestionnaireAutoAnswer({
     try {
       // Use fetch with ReadableStream for SSE (EventSource only supports GET)
       // credentials: 'include' is required to send cookies for authentication
-      const response = await fetch('/api/security-questionnaire/auto-answer', {
+      const response = await fetch('/api/questionnaire/auto-answer', {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/types.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/types.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/types.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/types.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetail.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetail.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetail.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetail.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailHandlers.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailHandlers.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailHandlers.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailHandlers.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailState.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailState.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailState.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireDetail/useQuestionnaireDetailState.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParse.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
similarity index 98%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParse.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
index c350c7bd3..34fcfa671 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParse.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
@@ -86,7 +86,7 @@ export function useQuestionnaireParse({
               toast.success(
                 `Successfully parsed ${questionsAndAnswers.length} question-answer pairs`,
               );
-              router.push(`/${orgId}/security-questionnaire/${questionnaireId}`);
+              router.push(`/${orgId}/questionnaire/${questionnaireId}`);
             } else {
               // Fallback: if no questionnaireId, set results locally (shouldn't happen)
               const initializedResults = questionsAndAnswers.map((qa) => ({
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParser.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParser.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParser.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParser.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireSingleAnswer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireSingleAnswer.ts
similarity index 98%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireSingleAnswer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireSingleAnswer.ts
index e1fc35435..237611c75 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireSingleAnswer.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireSingleAnswer.ts
@@ -63,7 +63,7 @@ export function useQuestionnaireSingleAnswer({
 
     try {
       // Call server action directly via fetch for parallel processing
-      const response = await fetch('/api/security-questionnaire/answer-single', {
+      const response = await fetch('/api/questionnaire/answer-single', {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireState.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireState.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireState.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireState.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/delete-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/delete-document.ts
similarity index 97%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/delete-document.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/delete-document.ts
index 2fbda7066..63e71e7dd 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/delete-document.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/delete-document.ts
@@ -99,7 +99,7 @@ export const deleteKnowledgeBaseDocumentAction = authActionClient
         },
       });
 
-      revalidatePath(`/${activeOrganizationId}/security-questionnaire/knowledge-base`);
+      revalidatePath(`/${activeOrganizationId}/questionnaire/knowledge-base`);
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/download-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/download-document.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/download-document.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/download-document.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/get-document-view-url.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/get-document-view-url.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/get-document-view-url.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/get-document-view-url.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/process-documents.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/process-documents.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/process-documents.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/process-documents.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/upload-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/upload-document.ts
similarity index 98%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/upload-document.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/upload-document.ts
index 66108a77a..ae8da911c 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/actions/upload-document.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/actions/upload-document.ts
@@ -111,7 +111,7 @@ export const uploadKnowledgeBaseDocumentAction = authActionClient
       // Note: Processing is triggered by orchestrator in the component
       // when multiple files are uploaded, or individually for single files
 
-      revalidatePath(`/${organizationId}/security-questionnaire/knowledge-base`);
+      revalidatePath(`/${organizationId}/questionnaire/knowledge-base`);
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/components/AdditionalDocumentsSection.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/components/AdditionalDocumentsSection.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/components/AdditionalDocumentsSection.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/components/AdditionalDocumentsSection.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/BackButton.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/BackButton.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/BackButton.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/BackButton.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/KnowledgeBaseBreadcrumb.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/KnowledgeBaseBreadcrumb.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/KnowledgeBaseBreadcrumb.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/KnowledgeBaseBreadcrumb.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/KnowledgeBaseHeader.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/KnowledgeBaseHeader.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/KnowledgeBaseHeader.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/KnowledgeBaseHeader.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/context/components/ContextSection.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/context/components/ContextSection.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/context/components/ContextSection.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/context/components/ContextSection.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/context/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/context/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/context/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/context/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/data/queries.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/data/queries.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/data/queries.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/data/queries.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/hooks/usePagination.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/hooks/usePagination.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/hooks/usePagination.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/hooks/usePagination.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts
similarity index 97%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts
index c992b61b5..ae3054ac5 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-all-manual-answers.ts
@@ -89,7 +89,7 @@ export const deleteAllManualAnswers = authActionClient
       path = path.replace(/\/[a-z]{2}\//, '/');
 
       revalidatePath(path);
-      revalidatePath(`/${activeOrganizationId}/security-questionnaire/knowledge-base`);
+      revalidatePath(`/${activeOrganizationId}/questionnaire/knowledge-base`);
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts
similarity index 96%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts
index 87e24c27d..6acac9f07 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/delete-manual-answer.ts
@@ -82,7 +82,7 @@ export const deleteManualAnswer = authActionClient
       path = path.replace(/\/[a-z]{2}\//, '/');
 
       revalidatePath(path);
-      revalidatePath(`/${activeOrganizationId}/security-questionnaire/knowledge-base`);
+      revalidatePath(`/${activeOrganizationId}/questionnaire/knowledge-base`);
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts
similarity index 98%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts
index 6611fd2a7..bddcd570f 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/actions/save-manual-answer.ts
@@ -119,7 +119,7 @@ export const saveManualAnswer = authActionClient
 
       revalidatePath(path);
       // Also revalidate knowledge base page
-      revalidatePath(`/${activeOrganizationId}/security-questionnaire/knowledge-base`);
+      revalidatePath(`/${activeOrganizationId}/questionnaire/knowledge-base`);
 
       // Return embedding ID for verification
       // Use embeddingId from syncResult if available, otherwise construct it
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx
similarity index 99%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx
index afb59e7b5..35ca233d7 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/components/ManualAnswersSection.tsx
@@ -198,7 +198,7 @@ export function ManualAnswersSection({ manualAnswers }: ManualAnswersSectionProp
                             <div className="flex items-center gap-2">
                               {answer.sourceQuestionnaireId && (
                                 <Link
-                                  href={`/${orgId}/security-questionnaire/${answer.sourceQuestionnaireId}`}
+                                  href={`/${orgId}/questionnaire/${answer.sourceQuestionnaireId}`}
                                   target="_blank"
                                   rel="noopener noreferrer"
                                   className="flex-shrink-0 text-muted-foreground opacity-0 transition-opacity group-hover:opacity-100"
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/manual-answers/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/manual-answers/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/page.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/page.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/page.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/page.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/published-policies/components/PublishedPoliciesSection.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/published-policies/components/PublishedPoliciesSection.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/published-policies/components/PublishedPoliciesSection.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/published-policies/components/PublishedPoliciesSection.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/published-policies/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/published-policies/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/knowledge-base/published-policies/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/published-policies/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/layout.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/layout.tsx
new file mode 100644
index 000000000..7733e88e7
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/layout.tsx
@@ -0,0 +1,71 @@
+import { getFeatureFlags } from '@/app/posthog';
+import { SecondaryMenu } from '@comp/ui/secondary-menu';
+import { db } from '@db';
+import { auth } from '@/utils/auth';
+import { headers } from 'next/headers';
+
+interface LayoutProps {
+  children: React.ReactNode;
+  params: Promise<{ orgId: string }>;
+}
+
+export default async function Layout({ children, params }: LayoutProps) {
+  const { orgId } = await params;
+
+  // Check if organization has ISO 27001 framework and feature flag
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  let hasISO27001 = false;
+  let isSOAFeatureEnabled = false;
+
+  if (session?.session?.activeOrganizationId === orgId && session?.user?.id) {
+    // Check feature flag
+    const flags = await getFeatureFlags(session.user.id);
+    isSOAFeatureEnabled =
+      flags['is-statement-of-applicability-enabled'] === true ||
+      flags['is-statement-of-applicability-enabled'] === 'true';
+
+    // Check if organization has ISO 27001 framework
+    const isoFrameworkInstance = await db.frameworkInstance.findFirst({
+      where: {
+        organizationId: orgId,
+        framework: {
+          name: {
+            in: ['ISO 27001', 'iso27001', 'ISO27001'],
+          },
+        },
+      },
+    });
+    hasISO27001 = !!isoFrameworkInstance;
+  }
+
+  const menuItems = [
+    {
+      path: `/${orgId}/questionnaire`,
+      label: 'Questionnaires',
+    },
+  ];
+
+  // Only show Statement of Applicability tab if organization has ISO 27001 and feature flag is enabled
+  if (hasISO27001 && isSOAFeatureEnabled) {
+    menuItems.push({
+      path: `/${orgId}/questionnaire/soa`,
+      label: 'Statement of Applicability',
+    });
+  }
+
+  menuItems.push({
+    path: `/${orgId}/questionnaire/knowledge-base`,
+    label: 'Knowledge Base',
+  });
+
+  return (
+    <div className="m-auto flex max-w-[1200px] flex-col py-8">
+      <SecondaryMenu items={menuItems} />
+      <div className="pt-4">{children}</div>
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/loading.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/loading.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/loading.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/loading.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/new_questionnaire/page.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/new_questionnaire/page.tsx
similarity index 96%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/new_questionnaire/page.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/new_questionnaire/page.tsx
index 0342b7d7f..cca43ad60 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/new_questionnaire/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/new_questionnaire/page.tsx
@@ -34,7 +34,7 @@ export default async function NewQuestionnairePage() {
     return (
       <PageWithBreadcrumb
         breadcrumbs={[
-          { label: 'Overview', href: `/${organizationId}/security-questionnaire` },
+          { label: 'Overview', href: `/${organizationId}/questionnaire` },
           { label: 'New Questionnaire', current: true },
         ]}
       >
@@ -75,7 +75,7 @@ export default async function NewQuestionnairePage() {
   return (
     <PageWithBreadcrumb
       breadcrumbs={[
-        { label: 'Security Questionnaire', href: `/${organizationId}/security-questionnaire` },
+        { label: 'Security Questionnaire', href: `/${organizationId}/questionnaire` },
         { label: 'New Questionnaire', current: true },
       ]}
     >
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/page.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/page.tsx
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/page.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/page.tsx
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/approve-soa-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/approve-soa-document.ts
new file mode 100644
index 000000000..471fa410a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/approve-soa-document.ts
@@ -0,0 +1,88 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { db } from '@db';
+import { z } from 'zod';
+import 'server-only';
+
+const approveSOADocumentSchema = z.object({
+  documentId: z.string(),
+});
+
+export const approveSOADocument = authActionClient
+  .inputSchema(approveSOADocumentSchema)
+  .metadata({
+    name: 'approve-soa-document',
+    track: {
+      event: 'approve-soa-document',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { documentId } = parsedInput;
+    const { session, user } = ctx;
+
+    if (!session?.activeOrganizationId || !user?.id) {
+      throw new Error('Unauthorized');
+    }
+
+    const organizationId = session.activeOrganizationId;
+    const userId = user.id;
+
+    // Check if user is owner or admin
+    const member = await db.member.findFirst({
+      where: {
+        organizationId,
+        userId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      throw new Error('Member not found');
+    }
+
+    // Check if user has owner or admin role
+    const isOwnerOrAdmin = member.role.includes('owner') || member.role.includes('admin');
+
+    if (!isOwnerOrAdmin) {
+      throw new Error('Only owners and admins can approve SOA documents');
+    }
+
+    // Get the document
+    const document = await db.sOADocument.findFirst({
+      where: {
+        id: documentId,
+        organizationId,
+      },
+    });
+
+    if (!document) {
+      throw new Error('SOA document not found');
+    }
+
+    // Check if document is pending approval and current member is the approver
+    if (!(document as any).approverId || (document as any).approverId !== member.id) {
+      throw new Error('Document is not pending your approval');
+    }
+
+    if ((document as any).status !== 'needs_review') {
+      throw new Error('Document is not in needs_review status');
+    }
+
+    // Approve the document - keep approverId to track who approved, set status to completed, set approvedAt
+    const updatedDocument = await db.sOADocument.update({
+      where: { id: documentId },
+      data: {
+        // Keep approverId to track who approved it
+        status: 'completed',
+        approvedAt: new Date(),
+      },
+    });
+
+    return {
+      success: true,
+      data: updatedDocument,
+    };
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/auto-fill-soa.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/auto-fill-soa.ts
new file mode 100644
index 000000000..c4e7b3cdd
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/auto-fill-soa.ts
@@ -0,0 +1,328 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { syncOrganizationEmbeddings } from '@/lib/vector';
+import { db } from '@db';
+import { logger } from '@/utils/logger';
+import { headers } from 'next/headers';
+import { revalidatePath } from 'next/cache';
+import { z } from 'zod';
+import { generateSOAAnswerWithRAG } from '../utils/generate-soa-answer';
+import 'server-only';
+
+const inputSchema = z.object({
+  documentId: z.string(),
+});
+
+export const autoFillSOA = authActionClient
+  .inputSchema(inputSchema)
+  .metadata({
+    name: 'auto-fill-soa',
+    track: {
+      event: 'auto-fill-soa',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { documentId } = parsedInput;
+    const { session, user } = ctx;
+
+    if (!session?.activeOrganizationId) {
+      throw new Error('No active organization');
+    }
+
+    if (!user?.id) {
+      throw new Error('User not authenticated');
+    }
+
+    const organizationId = session.activeOrganizationId;
+    const userId = user.id;
+
+    try {
+      // Fetch SOA document with configuration
+      const document = await db.sOADocument.findFirst({
+        where: {
+          id: documentId,
+          organizationId,
+        },
+        include: {
+          framework: true,
+          configuration: true,
+          answers: {
+            where: {
+              isLatestAnswer: true,
+            },
+          },
+        },
+      });
+
+      if (!document) {
+        throw new Error('SOA document not found');
+      }
+
+      const configuration = document.configuration;
+      const questions = configuration.questions as Array<{
+        id: string;
+        text: string;
+        columnMapping: {
+          title: string;
+          control_objective: string | null;
+          isApplicable: boolean | null;
+        };
+      }>;
+
+      // Process ALL questions - determine applicability for all
+      // If isApplicable is already set, we can still regenerate if needed
+      // For now, process all questions to ensure completeness
+      const questionsToAnswer = questions;
+
+      logger.info('Starting auto-fill SOA', {
+        organizationId,
+        documentId,
+        totalQuestions: questions.length,
+        questionsToAnswer: questionsToAnswer.length,
+      });
+
+      // Sync organization embeddings before generating answers
+      try {
+        await syncOrganizationEmbeddings(organizationId);
+        logger.info('Organization embeddings synced successfully', {
+          organizationId,
+        });
+      } catch (error) {
+        logger.warn('Failed to sync organization embeddings', {
+          organizationId,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        });
+        // Continue with existing embeddings if sync fails
+      }
+
+      // Process questions in batches to avoid overwhelming the system
+      // Process all questions to determine applicability
+      const batchSize = 10;
+      const results: Array<{
+        questionId: string;
+        isApplicable: boolean | null;
+        justification: string | null;
+        sources: unknown;
+        success: boolean;
+        error: string | null;
+      }> = [];
+
+      for (let i = 0; i < questionsToAnswer.length; i += batchSize) {
+        const batch = questionsToAnswer.slice(i, i + batchSize);
+        
+        const batchResults = await Promise.all(
+          batch.map((question, batchIndex) => {
+            const globalIndex = i + batchIndex;
+            
+            // First, determine if the control is applicable based on organization's context
+            const applicabilityQuestion = `Based on our organization's policies, documentation, business context, and operations, is the control "${question.columnMapping.title}" (${question.text}) applicable to our organization? 
+
+Consider:
+- Our business type and industry
+- Our operational scope and scale
+- Our risk profile
+- Our regulatory requirements
+- Our technical infrastructure
+
+Respond with ONLY "YES" or "NO" - no additional explanation.`;
+
+            return generateSOAAnswerWithRAG(
+              applicabilityQuestion,
+              organizationId,
+            ).then(async (applicabilityResult) => {
+              if (!applicabilityResult.answer) {
+                return {
+                  questionId: question.id,
+                  isApplicable: null,
+                  justification: null,
+                  sources: applicabilityResult.sources,
+                  success: false,
+                  error: 'Failed to determine applicability - no answer generated',
+                };
+              }
+
+              // Parse YES/NO from answer
+              const answerText = applicabilityResult.answer.trim().toUpperCase();
+              const isApplicable = answerText.includes('YES') || answerText.includes('APPLICABLE');
+              const isNotApplicable = answerText.includes('NO') || answerText.includes('NOT APPLICABLE') || answerText.includes('NOT APPLICABLE');
+
+              let finalIsApplicable: boolean | null = null;
+              if (isApplicable && !isNotApplicable) {
+                finalIsApplicable = true;
+              } else if (isNotApplicable && !isApplicable) {
+                finalIsApplicable = false;
+              }
+
+              // If not applicable, generate justification
+              let justification: string | null = null;
+              if (finalIsApplicable === false) {
+                const justificationQuestion = `Why is the control "${question.columnMapping.title}" not applicable to our organization? 
+
+Provide a clear, professional justification explaining:
+- Why this control does not apply to our business context
+- Our operational characteristics that make it irrelevant
+- Our risk profile considerations
+- Any other relevant factors
+
+Keep the justification concise (2-3 sentences).`;
+
+                const justificationResult = await generateSOAAnswerWithRAG(
+                  justificationQuestion,
+                  organizationId,
+                );
+
+                if (justificationResult.answer) {
+                  justification = justificationResult.answer;
+                }
+              }
+
+              return {
+                questionId: question.id,
+                isApplicable: finalIsApplicable,
+                justification,
+                sources: applicabilityResult.sources,
+                success: true,
+                error: null,
+              };
+            });
+          }),
+        );
+
+        results.push(...batchResults);
+      }
+
+      // Save answers to database
+      const answersToSave = results
+        .filter((r) => r.success && r.isApplicable !== null)
+        .map((result) => {
+          const question = questionsToAnswer.find((q) => q.id === result.questionId);
+          if (!question) return null;
+
+          // Get existing answer to determine version
+          return db.sOAAnswer.findFirst({
+            where: {
+              documentId,
+              questionId: question.id,
+              isLatestAnswer: true,
+            },
+            orderBy: {
+              answerVersion: 'desc',
+            },
+          }).then(async (existingAnswer: { id: string; answerVersion: number } | null) => {
+            const nextVersion = existingAnswer ? existingAnswer.answerVersion + 1 : 1;
+
+            // Mark existing answer as not latest if it exists
+            if (existingAnswer) {
+              await db.sOAAnswer.update({
+                where: { id: existingAnswer.id },
+                data: { isLatestAnswer: false },
+              });
+            }
+
+            // Store justification in answer field if not applicable
+            // If applicable, answer is null (we don't need justification)
+            const answerValue = result.isApplicable === false ? result.justification : null;
+
+            // Create new answer with justification (if not applicable)
+            const newAnswer = await db.sOAAnswer.create({
+              data: {
+                documentId,
+                questionId: question.id,
+                answer: answerValue, // Store justification here if not applicable
+                status: 'generated',
+                sources: result.sources || undefined,
+                generatedAt: new Date(),
+                answerVersion: nextVersion,
+                isLatestAnswer: true,
+                createdBy: userId,
+              },
+            });
+
+            return newAnswer;
+          });
+        })
+        .filter((promise) => promise !== null);
+
+      await Promise.all(answersToSave);
+
+      // Update the configuration's question mapping with all generated isApplicable values
+      const configQuestions = configuration.questions as Array<{
+        id: string;
+        text: string;
+        columnMapping: {
+          title: string;
+          control_objective: string | null;
+          isApplicable: boolean | null;
+          justification: string | null;
+        };
+      }>;
+
+      // Create a map of results for easy lookup
+      const resultsMap = new Map(
+        results
+          .filter((r) => r.success && r.isApplicable !== null)
+          .map((r) => [r.questionId, r])
+      );
+
+      // Update all questions in the configuration
+      const updatedQuestions = configQuestions.map((q) => {
+        const result = resultsMap.get(q.id);
+        if (result) {
+          return {
+            ...q,
+            columnMapping: {
+              ...q.columnMapping,
+              isApplicable: result.isApplicable,
+              justification: result.justification,
+            },
+          };
+        }
+        return q;
+      });
+
+      // Update configuration with new isApplicable values
+      await db.sOAFrameworkConfiguration.update({
+        where: { id: configuration.id },
+        data: {
+          questions: updatedQuestions,
+        },
+      });
+
+      // Update document answered questions count
+      // Count questions that have isApplicable determined (not null)
+      const answeredCount = results.filter((r) => r.success && r.isApplicable !== null).length;
+
+      await db.sOADocument.update({
+        where: { id: documentId },
+        data: {
+          answeredQuestions: answeredCount,
+          status: answeredCount === document.totalQuestions ? 'completed' : 'in_progress',
+          completedAt: answeredCount === document.totalQuestions ? new Date() : null,
+        },
+      });
+
+      // Revalidate the page
+      const headersList = await headers();
+      let path = headersList.get('x-pathname') || headersList.get('referer') || '';
+      path = path.replace(/\/[a-z]{2}\//, '/');
+      revalidatePath(path);
+
+      return {
+        success: true,
+        data: {
+          answered: results.filter((r) => r.success).length,
+          total: questionsToAnswer.length,
+        },
+      };
+    } catch (error) {
+      logger.error('Failed to auto-fill SOA', {
+        organizationId,
+        documentId,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+      throw error instanceof Error ? error : new Error('Failed to auto-fill SOA');
+    }
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/create-soa-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/create-soa-document.ts
new file mode 100644
index 000000000..a0692f4d5
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/create-soa-document.ts
@@ -0,0 +1,89 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { db } from '@db';
+import { z } from 'zod';
+import 'server-only';
+
+const createSOADocumentSchema = z.object({
+  frameworkId: z.string(),
+  organizationId: z.string(),
+});
+
+export const createSOADocument = authActionClient
+  .inputSchema(createSOADocumentSchema)
+  .metadata({
+    name: 'create-soa-document',
+    track: {
+      event: 'create-soa-document',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { frameworkId, organizationId } = parsedInput;
+    const { session } = ctx;
+
+    if (!session?.activeOrganizationId || session.activeOrganizationId !== organizationId) {
+      throw new Error('Unauthorized');
+    }
+
+    // Get the latest SOA configuration for this framework
+    const configuration = await db.sOAFrameworkConfiguration.findFirst({
+      where: {
+        frameworkId,
+        isLatest: true,
+      },
+    });
+
+    if (!configuration) {
+      throw new Error('No SOA configuration found for this framework');
+    }
+
+    // Check if there's already a latest document for this framework and organization
+    const existingLatestDocument = await db.sOADocument.findFirst({
+      where: {
+        frameworkId,
+        organizationId,
+        isLatest: true,
+      },
+    });
+
+    // Determine the next version number
+    let nextVersion = 1;
+    if (existingLatestDocument) {
+      // Mark existing document as not latest
+      await db.sOADocument.update({
+        where: { id: existingLatestDocument.id },
+        data: { isLatest: false },
+      });
+      nextVersion = existingLatestDocument.version + 1;
+    }
+
+    // Get questions from configuration to calculate totalQuestions
+    const questions = configuration.questions as Array<{ id: string }>;
+    const totalQuestions = Array.isArray(questions) ? questions.length : 0;
+
+    // Create new SOA document
+    const document = await db.sOADocument.create({
+      data: {
+        frameworkId,
+        organizationId,
+        configurationId: configuration.id,
+        version: nextVersion,
+        isLatest: true,
+        status: 'draft',
+        totalQuestions,
+        answeredQuestions: 0,
+      },
+      include: {
+        framework: true,
+        configuration: true,
+      },
+    });
+
+    return {
+      success: true,
+      data: document,
+    };
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/decline-soa-document.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/decline-soa-document.ts
new file mode 100644
index 000000000..1b50d32dd
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/decline-soa-document.ts
@@ -0,0 +1,88 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { db } from '@db';
+import { z } from 'zod';
+import 'server-only';
+
+const declineSOADocumentSchema = z.object({
+  documentId: z.string(),
+});
+
+export const declineSOADocument = authActionClient
+  .inputSchema(declineSOADocumentSchema)
+  .metadata({
+    name: 'decline-soa-document',
+    track: {
+      event: 'decline-soa-document',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { documentId } = parsedInput;
+    const { session, user } = ctx;
+
+    if (!session?.activeOrganizationId || !user?.id) {
+      throw new Error('Unauthorized');
+    }
+
+    const organizationId = session.activeOrganizationId;
+    const userId = user.id;
+
+    // Check if user is owner or admin
+    const member = await db.member.findFirst({
+      where: {
+        organizationId,
+        userId,
+        deactivated: false,
+      },
+    });
+
+    if (!member) {
+      throw new Error('Member not found');
+    }
+
+    // Check if user has owner or admin role
+    const isOwnerOrAdmin = member.role.includes('owner') || member.role.includes('admin');
+
+    if (!isOwnerOrAdmin) {
+      throw new Error('Only owners and admins can decline SOA documents');
+    }
+
+    // Get the document
+    const document = await db.sOADocument.findFirst({
+      where: {
+        id: documentId,
+        organizationId,
+      },
+    });
+
+    if (!document) {
+      throw new Error('SOA document not found');
+    }
+
+    // Check if document is pending approval and current member is the approver
+    if (!(document as any).approverId || (document as any).approverId !== member.id) {
+      throw new Error('Document is not pending your approval');
+    }
+
+    if ((document as any).status !== 'needs_review') {
+      throw new Error('Document is not in needs_review status');
+    }
+
+    // Decline the document - clear approverId and set status back to completed (or in_progress)
+    const updatedDocument = await db.sOADocument.update({
+      where: { id: documentId },
+      data: {
+        approverId: null, // Clear approver
+        approvedAt: null, // Clear approved date
+        status: 'completed', // Set back to completed so it can be edited and resubmitted
+      },
+    });
+
+    return {
+      success: true,
+      data: updatedDocument,
+    };
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/ensure-soa-setup.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/ensure-soa-setup.ts
new file mode 100644
index 000000000..9b8235c85
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/ensure-soa-setup.ts
@@ -0,0 +1,142 @@
+'use server';
+
+import { db } from '@db';
+import { seedISO27001SOAConfig } from './seed-soa-config';
+import 'server-only';
+
+/**
+ * Direct server function to create SOA document without revalidation
+ * Used during page render, so cannot use server actions with revalidatePath
+ */
+async function createSOADocumentDirect(frameworkId: string, organizationId: string, configurationId: string) {
+  // Check if there's already a latest document for this framework and organization
+  const existingLatestDocument = await db.sOADocument.findFirst({
+    where: {
+      frameworkId,
+      organizationId,
+      isLatest: true,
+    },
+  });
+
+  // Determine the next version number
+  let nextVersion = 1;
+  if (existingLatestDocument) {
+    // Mark existing document as not latest
+    await db.sOADocument.update({
+      where: { id: existingLatestDocument.id },
+      data: { isLatest: false },
+    });
+    nextVersion = existingLatestDocument.version + 1;
+  }
+
+  // Get questions from configuration to calculate totalQuestions
+  const configuration = await db.sOAFrameworkConfiguration.findUnique({
+    where: { id: configurationId },
+  });
+
+  if (!configuration) {
+    throw new Error('Configuration not found');
+  }
+
+  const questions = configuration.questions as Array<{ id: string }>;
+  const totalQuestions = Array.isArray(questions) ? questions.length : 0;
+
+  // Create new SOA document
+  const document = await db.sOADocument.create({
+    data: {
+      frameworkId,
+      organizationId,
+      configurationId: configuration.id,
+      version: nextVersion,
+      isLatest: true,
+      status: 'draft',
+      totalQuestions,
+      answeredQuestions: 0,
+    },
+    include: {
+      answers: {
+        where: {
+          isLatestAnswer: true,
+        },
+      },
+    },
+  });
+
+  return document;
+}
+
+/**
+ * Ensures SOA configuration and document exist for a framework
+ * Currently only supports ISO 27001
+ */
+export async function ensureSOASetup(frameworkId: string, organizationId: string) {
+  // Get framework to check if it's ISO
+  const framework = await db.frameworkEditorFramework.findUnique({
+    where: { id: frameworkId },
+  });
+
+  if (!framework) {
+    throw new Error('Framework not found');
+  }
+
+  // Check if framework is ISO 27001 (currently only supported framework)
+  const isISO27001 = ['ISO 27001', 'iso27001', 'ISO27001'].includes(framework.name);
+
+  if (!isISO27001) {
+    return {
+      success: false,
+      error: 'Only ISO 27001 framework is currently supported',
+      configuration: null,
+      document: null,
+    };
+  }
+
+  // Check if configuration exists
+  let configuration = await db.sOAFrameworkConfiguration.findFirst({
+    where: {
+      frameworkId,
+      isLatest: true,
+    },
+  });
+
+  // Create configuration if it doesn't exist
+  if (!configuration) {
+    try {
+      configuration = await seedISO27001SOAConfig();
+    } catch (error) {
+      throw new Error(`Failed to create SOA configuration: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  // Check if document exists
+  let document = await db.sOADocument.findFirst({
+    where: {
+      frameworkId,
+      organizationId,
+      isLatest: true,
+    },
+    include: {
+      answers: {
+        where: {
+          isLatestAnswer: true,
+        },
+      },
+    },
+  });
+
+  // Create document if it doesn't exist (using direct function to avoid revalidation during render)
+  if (!document && configuration) {
+    try {
+      document = await createSOADocumentDirect(frameworkId, organizationId, configuration.id);
+    } catch (error) {
+      throw new Error(`Failed to create SOA document: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+  }
+
+  return {
+    success: true,
+    configuration,
+    document,
+  };
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/save-soa-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/save-soa-answer.ts
new file mode 100644
index 000000000..97b2942fe
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/save-soa-answer.ts
@@ -0,0 +1,183 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { db } from '@db';
+import { headers } from 'next/headers';
+import { revalidatePath } from 'next/cache';
+import { z } from 'zod';
+import 'server-only';
+
+const saveAnswerSchema = z.object({
+  documentId: z.string(),
+  questionId: z.string(),
+  answer: z.string().nullable(),
+  isApplicable: z.boolean().nullable().optional(),
+  justification: z.string().nullable().optional(),
+});
+
+export const saveSOAAnswer = authActionClient
+  .inputSchema(saveAnswerSchema)
+  .metadata({
+    name: 'save-soa-answer',
+    track: {
+      event: 'save-soa-answer',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { documentId, questionId, answer, isApplicable, justification } = parsedInput;
+    const { session, user } = ctx;
+
+    if (!session?.activeOrganizationId) {
+      throw new Error('No active organization');
+    }
+
+    if (!user?.id) {
+      throw new Error('User not authenticated');
+    }
+
+    const organizationId = session.activeOrganizationId;
+    const userId = user.id;
+
+    try {
+      // Verify document exists and belongs to organization
+      const document = await db.sOADocument.findFirst({
+        where: {
+          id: documentId,
+          organizationId,
+        },
+        include: {
+          configuration: true,
+        },
+      });
+
+      if (!document) {
+        throw new Error('SOA document not found');
+      }
+
+      // Get existing answer to determine version
+      const existingAnswer = await db.sOAAnswer.findFirst({
+        where: {
+          documentId,
+          questionId,
+          isLatestAnswer: true,
+        },
+        orderBy: {
+          answerVersion: 'desc',
+        },
+      });
+
+      const nextVersion = existingAnswer ? existingAnswer.answerVersion + 1 : 1;
+
+      // Mark existing answer as not latest if it exists
+      if (existingAnswer) {
+        await db.sOAAnswer.update({
+          where: { id: existingAnswer.id },
+          data: { isLatestAnswer: false },
+        });
+      }
+
+      // Determine answer value: if isApplicable is NO, use justification; otherwise use provided answer or null
+      let finalAnswer: string | null = null;
+      if (isApplicable !== undefined) {
+        // If isApplicable is provided, use justification if NO, otherwise null
+        finalAnswer = isApplicable === false ? (justification || answer || null) : null;
+      } else {
+        // Fallback to provided answer
+        finalAnswer = answer || null;
+      }
+
+      // Create or update answer
+      await db.sOAAnswer.create({
+        data: {
+          documentId,
+          questionId,
+          answer: finalAnswer,
+          status: finalAnswer && finalAnswer.trim().length > 0 ? 'manual' : 'untouched',
+          answerVersion: nextVersion,
+          isLatestAnswer: true,
+          createdBy: existingAnswer ? undefined : userId,
+          updatedBy: userId,
+        },
+      });
+
+      // Update configuration's question mapping if isApplicable or justification provided
+      // This needs to happen before counting answered questions
+      if (isApplicable !== undefined || justification !== undefined) {
+        const configuration = document.configuration;
+        const questions = configuration.questions as Array<{
+          id: string;
+          text: string;
+          columnMapping: {
+            closure: string;
+            title: string;
+            control_objective: string | null;
+            isApplicable: boolean | null;
+            justification: string | null;
+          };
+        }>;
+
+        const updatedQuestions = questions.map((q) => {
+          if (q.id === questionId) {
+            return {
+              ...q,
+              columnMapping: {
+                ...q.columnMapping,
+                isApplicable: isApplicable !== undefined ? isApplicable : q.columnMapping.isApplicable,
+                justification: justification !== undefined ? justification : q.columnMapping.justification,
+              },
+            };
+          }
+          return q;
+        });
+
+        await db.sOAFrameworkConfiguration.update({
+          where: { id: configuration.id },
+          data: {
+            questions: updatedQuestions,
+          },
+        });
+      }
+
+      // Update document answered questions count (count questions with isApplicable set in configuration)
+      const updatedConfiguration = await db.sOAFrameworkConfiguration.findUnique({
+        where: { id: document.configurationId },
+      });
+      
+      let answeredCount = 0;
+      if (updatedConfiguration) {
+        const configQuestions = updatedConfiguration.questions as Array<{
+          id: string;
+          columnMapping: {
+            isApplicable: boolean | null;
+          };
+        }>;
+        answeredCount = configQuestions.filter(q => q.columnMapping.isApplicable !== null).length;
+      }
+
+      await db.sOADocument.update({
+        where: { id: documentId },
+        data: {
+          answeredQuestions: answeredCount,
+          status: answeredCount === document.totalQuestions ? 'completed' : 'in_progress',
+          completedAt: answeredCount === document.totalQuestions ? new Date() : null,
+          // Clear approval when answers are edited
+          approverId: null,
+          approvedAt: null,
+        },
+      });
+
+      // Revalidate the page
+      const headersList = await headers();
+      let path = headersList.get('x-pathname') || headersList.get('referer') || '';
+      path = path.replace(/\/[a-z]{2}\//, '/');
+      revalidatePath(path);
+
+      return {
+        success: true,
+      };
+    } catch (error) {
+      throw error instanceof Error ? error : new Error('Failed to save SOA answer');
+    }
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/seed-soa-config.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/seed-soa-config.ts
new file mode 100644
index 000000000..da425e372
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/seed-soa-config.ts
@@ -0,0 +1,55 @@
+'use server';
+
+import { db } from '@db';
+import { loadISOConfig } from '../utils/transform-iso-config';
+import 'server-only';
+
+/**
+ * Seeds SOA configuration for ISO 27001 framework
+ * This creates the initial configuration if it doesn't exist
+ */
+export async function seedISO27001SOAConfig() {
+  // Find ISO 27001 framework by name
+  const iso27001Framework = await db.frameworkEditorFramework.findFirst({
+    where: {
+      OR: [
+        { name: 'ISO 27001' },
+        { name: 'iso27001' },
+        { name: 'ISO27001' },
+      ],
+    },
+  });
+
+  if (!iso27001Framework) {
+    throw new Error('ISO 27001 framework not found');
+  }
+
+  // Check if configuration already exists
+  const existingConfig = await db.sOAFrameworkConfiguration.findFirst({
+    where: {
+      frameworkId: iso27001Framework.id,
+      isLatest: true,
+    },
+  });
+
+  if (existingConfig) {
+    return existingConfig; // Return existing config
+  }
+
+  // Load and transform ISO config
+  const soaConfig = await loadISOConfig();
+
+  // Create new SOA configuration
+  const newConfig = await db.sOAFrameworkConfiguration.create({
+    data: {
+      frameworkId: iso27001Framework.id,
+      version: 1,
+      isLatest: true,
+      columns: soaConfig.columns,
+      questions: soaConfig.questions,
+    },
+  });
+
+  return newConfig;
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/submit-soa-for-approval.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/submit-soa-for-approval.ts
new file mode 100644
index 000000000..1f806eb41
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/actions/submit-soa-for-approval.ts
@@ -0,0 +1,81 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { db } from '@db';
+import { z } from 'zod';
+import 'server-only';
+
+const submitSOAForApprovalSchema = z.object({
+  documentId: z.string(),
+  approverId: z.string(),
+});
+
+export const submitSOAForApproval = authActionClient
+  .inputSchema(submitSOAForApprovalSchema)
+  .metadata({
+    name: 'submit-soa-for-approval',
+    track: {
+      event: 'submit-soa-for-approval',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { documentId, approverId } = parsedInput;
+    const { session, user } = ctx;
+
+    if (!session?.activeOrganizationId || !user?.id) {
+      throw new Error('Unauthorized');
+    }
+
+    const organizationId = session.activeOrganizationId;
+
+    // Verify approver is a member of the organization
+    const approverMember = await db.member.findFirst({
+      where: {
+        id: approverId,
+        organizationId,
+        deactivated: false,
+      },
+    });
+
+    if (!approverMember) {
+      throw new Error('Approver not found in organization');
+    }
+
+    // Check if approver is owner or admin
+    const isOwnerOrAdmin = approverMember.role.includes('owner') || approverMember.role.includes('admin');
+    if (!isOwnerOrAdmin) {
+      throw new Error('Approver must be an owner or admin');
+    }
+
+    // Get the document
+    const document = await db.sOADocument.findFirst({
+      where: {
+        id: documentId,
+        organizationId,
+      },
+    });
+
+    if (!document) {
+      throw new Error('SOA document not found');
+    }
+
+    if ((document as any).status === 'needs_review') {
+      throw new Error('Document is already pending approval');
+    }
+
+    // Submit for approval - set approverId and status to needs_review
+    const updatedDocument = await db.sOADocument.update({
+      where: { id: documentId },
+      data: {
+        approverId,
+        status: 'needs_review',
+      },
+    });
+
+    return {
+      success: true,
+      data: updatedDocument,
+    };
+  });
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/CreateSOADocument.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/CreateSOADocument.tsx
new file mode 100644
index 000000000..1b0898286
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/CreateSOADocument.tsx
@@ -0,0 +1,78 @@
+'use client';
+
+import { Button } from '@comp/ui/button';
+import { Card } from '@comp/ui';
+import { Plus, Loader2 } from 'lucide-react';
+import { useRouter } from 'next/navigation';
+import { useState } from 'react';
+import { toast } from 'sonner';
+import { createSOADocument } from '../actions/create-soa-document';
+
+interface CreateSOADocumentProps {
+  frameworkId: string;
+  frameworkName: string;
+  organizationId: string;
+}
+
+export function CreateSOADocument({
+  frameworkId,
+  frameworkName,
+  organizationId,
+}: CreateSOADocumentProps) {
+  const router = useRouter();
+  const [isCreating, setIsCreating] = useState(false);
+
+  const handleCreate = async () => {
+    setIsCreating(true);
+
+    try {
+      const result = await createSOADocument({
+        frameworkId,
+        organizationId,
+      });
+
+      if (result?.data?.success && result?.data?.data) {
+        toast.success('SOA document created successfully');
+        router.push(`/${organizationId}/questionnaire/soa/${result.data.data.id}`);
+        router.refresh();
+      } else {
+        toast.error(result?.serverError || 'Failed to create SOA document');
+      }
+    } catch (error) {
+      toast.error('An error occurred while creating the SOA document');
+    } finally {
+      setIsCreating(false);
+    }
+  };
+
+  return (
+    <Card className="p-4">
+      <div className="flex items-center justify-between">
+        <div className="flex-1">
+          <h3 className="font-semibold text-foreground">{frameworkName}</h3>
+          <p className="text-sm text-muted-foreground mt-1">
+            Create a new SOA document for this framework
+          </p>
+        </div>
+        <Button
+          onClick={handleCreate}
+          disabled={isCreating}
+          className="shrink-0"
+        >
+          {isCreating ? (
+            <>
+              <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+              Creating...
+            </>
+          ) : (
+            <>
+              <Plus className="mr-2 h-4 w-4" />
+              Create Document
+            </>
+          )}
+        </Button>
+      </div>
+    </Card>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableIsApplicable.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableIsApplicable.tsx
new file mode 100644
index 000000000..63f610591
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableIsApplicable.tsx
@@ -0,0 +1,150 @@
+'use client';
+
+import { useState } from 'react';
+import { Button } from '@comp/ui/button';
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@comp/ui/select';
+import { Edit2, Loader2 } from 'lucide-react';
+import { useAction } from 'next-safe-action/hooks';
+import { saveSOAAnswer } from '../actions/save-soa-answer';
+import { toast } from 'sonner';
+
+interface EditableIsApplicableProps {
+  documentId: string;
+  questionId: string;
+  isApplicable: boolean | null;
+  isPendingApproval: boolean;
+  isControl7?: boolean;
+  isFullyRemote?: boolean;
+  onUpdate?: () => void;
+}
+
+export function EditableIsApplicable({
+  documentId,
+  questionId,
+  isApplicable: initialIsApplicable,
+  isPendingApproval,
+  isControl7 = false,
+  isFullyRemote = false,
+  onUpdate,
+}: EditableIsApplicableProps) {
+  const [isEditing, setIsEditing] = useState(false);
+  const [isApplicable, setIsApplicable] = useState<boolean | null>(initialIsApplicable);
+
+  const saveAction = useAction(saveSOAAnswer, {
+    onSuccess: () => {
+      setIsEditing(false);
+      toast.success('Answer saved successfully');
+      // Refresh page to update configuration
+      if (typeof window !== 'undefined') {
+        window.location.reload();
+      }
+      onUpdate?.();
+    },
+    onError: ({ error }) => {
+      toast.error(error.serverError || 'Failed to save answer');
+    },
+  });
+
+  // If control 7.* and fully remote, disable editing
+  const isDisabled = isPendingApproval || (isControl7 && isFullyRemote);
+
+  const handleSave = async () => {
+    await saveAction.execute({
+      documentId,
+      questionId,
+      answer: null, // Answer is stored in justification field when NO
+      isApplicable,
+      justification: null, // Justification is handled separately in EditableJustification
+    });
+  };
+
+  const handleCancel = () => {
+    setIsApplicable(initialIsApplicable);
+    setIsEditing(false);
+  };
+
+  if (isDisabled && !isEditing) {
+    return (
+      <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold ${
+        isApplicable === true
+          ? 'bg-emerald-500 text-white shadow-sm'
+          : isApplicable === false
+            ? 'bg-rose-500 text-white shadow-sm'
+            : 'bg-muted text-muted-foreground'
+      }`}>
+        {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
+      </span>
+    );
+  }
+
+  if (!isEditing) {
+    return (
+      <div className="flex items-center gap-2">
+        <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold ${
+          isApplicable === true
+            ? 'bg-emerald-500 text-white shadow-sm'
+            : isApplicable === false
+              ? 'bg-rose-500 text-white shadow-sm'
+              : 'bg-muted text-muted-foreground'
+        }`}>
+          {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
+        </span>
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={() => setIsEditing(true)}
+          className="h-6 px-2 text-xs"
+        >
+          <Edit2 className="h-3 w-3" />
+        </Button>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex items-center gap-2">
+      <Select
+        value={isApplicable === null ? 'null' : isApplicable ? 'yes' : 'no'}
+        onValueChange={(value) => {
+          setIsApplicable(value === 'yes' ? true : value === 'no' ? false : null);
+        }}
+      >
+        <SelectTrigger className="w-32">
+          <SelectValue />
+        </SelectTrigger>
+        <SelectContent>
+          <SelectItem value="yes">YES</SelectItem>
+          <SelectItem value="no">NO</SelectItem>
+        </SelectContent>
+      </Select>
+      <Button
+        size="sm"
+        onClick={handleSave}
+        disabled={saveAction.status === 'executing'}
+        className="h-7"
+      >
+        {saveAction.status === 'executing' ? (
+          <Loader2 className="h-3 w-3 animate-spin" />
+        ) : (
+          'Save'
+        )}
+      </Button>
+      <Button
+        size="sm"
+        variant="ghost"
+        onClick={handleCancel}
+        disabled={saveAction.status === 'executing'}
+        className="h-7"
+      >
+        Cancel
+      </Button>
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableJustification.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableJustification.tsx
new file mode 100644
index 000000000..2d8af4833
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableJustification.tsx
@@ -0,0 +1,158 @@
+'use client';
+
+import { useState } from 'react';
+import { Button } from '@comp/ui/button';
+import { Textarea } from '@comp/ui/textarea';
+import { Check, X, Loader2, Edit2 } from 'lucide-react';
+import { useAction } from 'next-safe-action/hooks';
+import { saveSOAAnswer } from '../actions/save-soa-answer';
+import { toast } from 'sonner';
+
+interface EditableJustificationProps {
+  documentId: string;
+  questionId: string;
+  isApplicable: boolean | null;
+  justification: string | null;
+  isPendingApproval: boolean;
+  isControl7?: boolean;
+  isFullyRemote?: boolean;
+  onUpdate?: () => void;
+}
+
+export function EditableJustification({
+  documentId,
+  questionId,
+  isApplicable,
+  justification: initialJustification,
+  isPendingApproval,
+  isControl7 = false,
+  isFullyRemote = false,
+  onUpdate,
+}: EditableJustificationProps) {
+  const [isEditing, setIsEditing] = useState(false);
+  const [justification, setJustification] = useState<string | null>(initialJustification);
+  const [error, setError] = useState<string | null>(null);
+
+  const saveAction = useAction(saveSOAAnswer, {
+    onSuccess: () => {
+      setIsEditing(false);
+      setError(null);
+      toast.success('Answer saved successfully');
+      // Refresh page to update configuration
+      if (typeof window !== 'undefined') {
+        window.location.reload();
+      }
+      onUpdate?.();
+    },
+    onError: ({ error }) => {
+      setError(error.serverError || 'Failed to save answer');
+      toast.error(error.serverError || 'Failed to save answer');
+    },
+  });
+
+  // If control 7.* and fully remote, disable editing
+  const isDisabled = isPendingApproval || (isControl7 && isFullyRemote);
+
+  const handleSave = async () => {
+    // Validate: if NO, justification is required
+    if (isApplicable === false && (!justification || justification.trim().length === 0)) {
+      setError('Justification is required when Applicable is NO');
+      return;
+    }
+
+    const answerValue = isApplicable === false ? justification : null;
+
+    await saveAction.execute({
+      documentId,
+      questionId,
+      answer: answerValue,
+      isApplicable,
+      justification: isApplicable === false ? justification : null,
+    });
+  };
+
+  const handleCancel = () => {
+    setJustification(initialJustification);
+    setIsEditing(false);
+    setError(null);
+  };
+
+  // Only show if isApplicable is NO
+  if (isApplicable !== false) {
+    return <span className="text-muted-foreground">—</span>;
+  }
+
+  if (isDisabled && !isEditing) {
+    return (
+      <p className="text-sm leading-relaxed text-foreground whitespace-pre-wrap break-words">
+        {justification || '—'}
+      </p>
+    );
+  }
+
+  if (!isEditing) {
+    return (
+      <div className="flex flex-col gap-2">
+        <div className="flex items-start gap-2">
+          <p className="text-sm leading-relaxed text-foreground whitespace-pre-wrap break-words flex-1">
+            {justification || '—'}
+          </p>
+          <Button
+            variant="ghost"
+            size="sm"
+            onClick={() => setIsEditing(true)}
+            className="h-6 px-2 text-xs"
+          >
+            <Edit2 className="h-3 w-3" />
+          </Button>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex flex-col gap-2">
+      <Textarea
+        value={justification || ''}
+        onChange={(e) => setJustification(e.target.value)}
+        placeholder="Enter justification (required)"
+        className="min-h-[80px]"
+        required
+      />
+      {error && (
+        <p className="text-xs text-destructive">{error}</p>
+      )}
+      <div className="flex items-center gap-2">
+        <Button
+          size="sm"
+          onClick={handleSave}
+          disabled={saveAction.status === 'executing'}
+          className="h-7"
+        >
+          {saveAction.status === 'executing' ? (
+            <>
+              <Loader2 className="mr-1 h-3 w-3 animate-spin" />
+              Saving...
+            </>
+          ) : (
+            <>
+              <Check className="mr-1 h-3 w-3" />
+              Save
+            </>
+          )}
+        </Button>
+        <Button
+          size="sm"
+          variant="ghost"
+          onClick={handleCancel}
+          disabled={saveAction.status === 'executing'}
+          className="h-7"
+        >
+          <X className="mr-1 h-3 w-3" />
+          Cancel
+        </Button>
+      </div>
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
new file mode 100644
index 000000000..2b302bbd8
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
@@ -0,0 +1,227 @@
+'use client';
+
+import { useState, useEffect, useRef } from 'react';
+import { Button } from '@comp/ui/button';
+import { Textarea } from '@comp/ui/textarea';
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from '@comp/ui/select';
+import { Check, X, Loader2, Edit2 } from 'lucide-react';
+import { useAction } from 'next-safe-action/hooks';
+import { saveSOAAnswer } from '../actions/save-soa-answer';
+import { toast } from 'sonner';
+
+interface EditableSOAFieldsProps {
+  documentId: string;
+  questionId: string;
+  isApplicable: boolean | null;
+  justification: string | null;
+  isPendingApproval: boolean;
+  isControl7?: boolean;
+  isFullyRemote?: boolean;
+  onUpdate?: () => void;
+}
+
+export function EditableSOAFields({
+  documentId,
+  questionId,
+  isApplicable: initialIsApplicable,
+  justification: initialJustification,
+  isPendingApproval,
+  isControl7 = false,
+  isFullyRemote = false,
+  onUpdate,
+}: EditableSOAFieldsProps) {
+  const [isEditing, setIsEditing] = useState(false);
+  const [isApplicable, setIsApplicable] = useState<boolean | null>(initialIsApplicable);
+  const [justification, setJustification] = useState<string | null>(initialJustification);
+  const [error, setError] = useState<string | null>(null);
+  const justificationTextareaRef = useRef<HTMLTextAreaElement>(null);
+
+  const saveAction = useAction(saveSOAAnswer, {
+    onSuccess: () => {
+      setIsEditing(false);
+      setError(null);
+      toast.success('Answer saved successfully');
+      // Refresh page to update configuration
+      if (typeof window !== 'undefined') {
+        window.location.reload();
+      }
+      onUpdate?.();
+    },
+    onError: ({ error }) => {
+      setError(error.serverError || 'Failed to save answer');
+      toast.error(error.serverError || 'Failed to save answer');
+    },
+  });
+
+  // If control 7.* and fully remote, disable editing
+  const isDisabled = isPendingApproval || (isControl7 && isFullyRemote);
+
+  // Auto-focus justification field when NO is selected
+  useEffect(() => {
+    if (isEditing && isApplicable === false && justificationTextareaRef.current) {
+      // Small delay to ensure the textarea is rendered
+      setTimeout(() => {
+        justificationTextareaRef.current?.focus();
+      }, 100);
+    }
+  }, [isEditing, isApplicable]);
+
+  const handleSave = async () => {
+    // Validate: if NO, justification is required
+    if (isApplicable === false && (!justification || justification.trim().length === 0)) {
+      setError('Justification is required when Applicable is NO');
+      if (justificationTextareaRef.current) {
+        justificationTextareaRef.current.focus();
+      }
+      return;
+    }
+
+    const answerValue = isApplicable === false ? justification : null;
+
+    await saveAction.execute({
+      documentId,
+      questionId,
+      answer: answerValue,
+      isApplicable,
+      justification: isApplicable === false ? justification : null,
+    });
+  };
+
+  const handleCancel = () => {
+    setIsApplicable(initialIsApplicable);
+    setJustification(initialJustification);
+    setIsEditing(false);
+    setError(null);
+  };
+
+  if (isDisabled && !isEditing) {
+    // Display mode
+    return (
+      <div className="flex flex-col gap-2">
+        <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold w-fit ${
+          isApplicable === true
+            ? 'bg-emerald-500 text-white shadow-sm'
+            : isApplicable === false
+              ? 'bg-rose-500 text-white shadow-sm'
+              : 'bg-muted text-muted-foreground'
+        }`}>
+          {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
+        </span>
+        {isApplicable === false && justification && (
+          <p className="text-sm leading-relaxed text-foreground whitespace-pre-wrap break-words">
+            {justification}
+          </p>
+        )}
+      </div>
+    );
+  }
+
+  if (!isEditing) {
+    return (
+      <div className="flex items-center gap-2">
+        <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold w-fit ${
+          isApplicable === true
+            ? 'bg-emerald-500 text-white shadow-sm'
+            : isApplicable === false
+              ? 'bg-rose-500 text-white shadow-sm'
+              : 'bg-muted text-muted-foreground'
+        }`}>
+          {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
+        </span>
+        <Button
+          variant="ghost"
+          size="sm"
+          onClick={() => setIsEditing(true)}
+          className="h-6 px-2 text-xs"
+        >
+          <Edit2 className="h-3 w-3" />
+        </Button>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex flex-col gap-3">
+      <div className="flex items-center gap-2">
+        <Select
+          value={isApplicable === null ? 'null' : isApplicable ? 'yes' : 'no'}
+          onValueChange={(value) => {
+            const newValue = value === 'yes' ? true : value === 'no' ? false : null;
+            setIsApplicable(newValue);
+            // Clear justification if switching to YES
+            if (newValue === true) {
+              setJustification(null);
+            }
+            // Clear error when changing selection
+            setError(null);
+          }}
+        >
+          <SelectTrigger className="w-32">
+            <SelectValue />
+          </SelectTrigger>
+          <SelectContent>
+            <SelectItem value="yes">YES</SelectItem>
+            <SelectItem value="no">NO</SelectItem>
+          </SelectContent>
+        </Select>
+      </div>
+
+      {isApplicable === false && (
+        <div className="flex flex-col gap-2">
+          <Textarea
+            ref={justificationTextareaRef}
+            value={justification || ''}
+            onChange={(e) => {
+              setJustification(e.target.value);
+              setError(null); // Clear error when typing
+            }}
+            placeholder="Enter justification (required)"
+            className="min-h-[80px]"
+            required
+          />
+          {error && (
+            <p className="text-xs text-destructive">{error}</p>
+          )}
+        </div>
+      )}
+
+      <div className="flex items-center gap-2">
+        <Button
+          size="sm"
+          onClick={handleSave}
+          disabled={saveAction.status === 'executing'}
+          className="h-7"
+        >
+          {saveAction.status === 'executing' ? (
+            <>
+              <Loader2 className="mr-1 h-3 w-3 animate-spin" />
+              Saving...
+            </>
+          ) : (
+            <>
+              <Check className="mr-1 h-3 w-3" />
+              Save
+            </>
+          )}
+        </Button>
+        <Button
+          size="sm"
+          variant="ghost"
+          onClick={handleCancel}
+          disabled={saveAction.status === 'executing'}
+          className="h-7"
+        >
+          <X className="mr-1 h-3 w-3" />
+          Cancel
+        </Button>
+      </div>
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
new file mode 100644
index 000000000..e72b9b383
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
@@ -0,0 +1,133 @@
+'use client';
+
+import { Card } from '@comp/ui';
+import { Button } from '@comp/ui/button';
+import { Zap, Loader2, ShieldX } from 'lucide-react';
+import { Member, User } from '@db';
+
+type Document = {
+  id: string;
+  version: number;
+  totalQuestions: number;
+  answeredQuestions: number;
+  status: string;
+  preparedBy: string | null;
+  approverId?: string | null;
+  approvedAt?: Date | null;
+};
+
+interface SOADocumentInfoProps {
+  document: Document;
+  approver?: (Member & { user: User }) | null;
+  isPendingApproval: boolean;
+  canApprove: boolean;
+  isAutoFillingSSE: boolean;
+  onAutoFill: () => void;
+  onSubmitForApproval: () => void;
+}
+
+export function SOADocumentInfo({
+  document,
+  approver,
+  isPendingApproval,
+  canApprove,
+  isAutoFillingSSE,
+  onAutoFill,
+  onSubmitForApproval,
+}: SOADocumentInfoProps) {
+  const progressPercentage = document.totalQuestions > 0 
+    ? Math.round((document.answeredQuestions / document.totalQuestions) * 100) 
+    : 0;
+
+  return (
+    <Card className="p-4">
+      <div className="flex items-center justify-between">
+        <div className="flex items-center gap-6">
+          <div className="flex flex-col gap-1">
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Version</p>
+            <p className="text-sm font-semibold text-foreground tabular-nums">v{document.version}</p>
+          </div>
+          <div className="h-8 w-px bg-border" />
+          <div className="flex flex-col gap-1">
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Progress</p>
+            <div className="flex items-center gap-2">
+              <span className="text-sm font-semibold text-foreground tabular-nums">
+                {document.answeredQuestions} / {document.totalQuestions}
+              </span>
+              <span className="text-xs text-muted-foreground">({progressPercentage}%)</span>
+            </div>
+          </div>
+          <div className="h-8 w-px bg-border" />
+          <div className="flex flex-col gap-1">
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Prepared by</p>
+            <p className="text-sm font-semibold text-foreground">{document.preparedBy || 'Comp AI'}</p>
+          </div>
+          <div className="h-8 w-px bg-border" />
+          <div className="flex flex-col gap-1">
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Approved</p>
+            <p className="text-sm font-semibold text-foreground">
+              {document.approvedAt
+                ? new Date(document.approvedAt).toLocaleDateString()
+                : approver
+                  ? 'Pending approval'
+                  : 'Not approved'}
+            </p>
+          </div>
+          {approver && document.approvedAt && (
+            <>
+              <div className="h-8 w-px bg-border" />
+              <div className="flex flex-col gap-1">
+                <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Approved by</p>
+                <p className="text-sm font-semibold text-foreground">
+                  {approver.user.name || approver.user.email || 'Unknown'}
+                </p>
+              </div>
+            </>
+          )}
+          {approver && !document.approvedAt && (
+            <>
+              <div className="h-8 w-px bg-border" />
+              <div className="flex flex-col gap-1">
+                <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Pending approval by</p>
+                <p className="text-sm font-semibold text-foreground">
+                  {approver.user.name || approver.user.email || 'Unknown'}
+                </p>
+              </div>
+            </>
+          )}
+        </div>
+        <div className="flex items-center gap-2">
+          {!isPendingApproval && canApprove && document.status !== 'needs_review' && (
+            <Button
+              onClick={onSubmitForApproval}
+              size="sm"
+              variant="outline"
+              disabled={!!document.approvedAt}
+            >
+              <ShieldX className="mr-2 h-4 w-4" />
+              Submit for Approval
+            </Button>
+          )}
+          <Button
+            onClick={onAutoFill}
+            disabled={isAutoFillingSSE}
+            size="sm"
+          >
+            {isAutoFillingSSE ? (
+              <>
+                <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                Auto-Filling...
+              </>
+            ) : (
+              <>
+                <Zap className="mr-2 h-4 w-4" />
+                Auto-Fill All
+              </>
+            )}
+          </Button>
+        </div>
+      </div>
+    </Card>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTable.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTable.tsx
new file mode 100644
index 000000000..0981d2804
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTable.tsx
@@ -0,0 +1,301 @@
+'use client';
+
+import { Card } from '@comp/ui';
+import { Button } from '@comp/ui/button';
+import { ChevronUp, ChevronDown } from 'lucide-react';
+import { useState, useMemo } from 'react';
+import { useRouter } from 'next/navigation';
+import { toast } from 'sonner';
+import { getFrameworksWithLatestDocuments } from '../data/queries';
+import { approveSOADocument } from '../actions/approve-soa-document';
+import { declineSOADocument } from '../actions/decline-soa-document';
+import { submitSOAForApproval } from '../actions/submit-soa-for-approval';
+import { useAction } from 'next-safe-action/hooks';
+import { useSOAAutoFill } from '../hooks/useSOAAutoFill';
+import { Member, User } from '@db';
+import { SOADocumentInfo } from './SOADocumentInfo';
+import { SOAPendingApprovalAlert } from './SOAPendingApprovalAlert';
+import { SubmitApprovalDialog } from './SubmitApprovalDialog';
+import { SOATable } from './SOATable';
+
+type Framework = Awaited<ReturnType<typeof getFrameworksWithLatestDocuments>>[number]['framework'];
+type Configuration = Awaited<ReturnType<typeof getFrameworksWithLatestDocuments>>[number]['configuration'];
+type Document = Awaited<ReturnType<typeof getFrameworksWithLatestDocuments>>[number]['document'];
+
+// More flexible configuration type that doesn't require framework property
+type FlexibleConfiguration = Omit<Configuration, 'framework'> & {
+  framework?: Configuration['framework'];
+};
+
+interface SOAFrameworkTableProps {
+  framework: Framework;
+  configuration: FlexibleConfiguration;
+  document: Document | null;
+  organizationId: string;
+  isFullyRemote?: boolean;
+  canApprove?: boolean;
+  approver?: (Member & { user: User }) | null;
+  isPendingApproval?: boolean;
+  canCurrentUserApprove?: boolean;
+  currentMemberId?: string | null;
+  ownerAdminMembers?: (Member & { user: User })[];
+}
+
+type SOAColumn = {
+  name: string;
+  type: 'string' | 'boolean' | 'text';
+};
+
+type SOAQuestion = {
+  id: string;
+  text: string;
+  columnMapping: {
+    closure: string;
+    title: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification?: string | null;
+  };
+};
+
+export function SOAFrameworkTable({
+  framework,
+  configuration,
+  document,
+  organizationId,
+  isFullyRemote = false,
+  canApprove = false,
+  approver = null,
+  isPendingApproval = false,
+  canCurrentUserApprove = false,
+  currentMemberId = null,
+  ownerAdminMembers = [],
+}: SOAFrameworkTableProps) {
+  const router = useRouter();
+  const [isExpanded, setIsExpanded] = useState(false);
+
+  // Log isFullyRemote prop on mount
+  console.log('[SOA Table] Component initialized:', {
+    organizationId,
+    isFullyRemote,
+    questionsCount: (configuration.questions as Array<any>)?.length || 0,
+  });
+
+  const columns = configuration.columns as SOAColumn[];
+  const questions = configuration.questions as SOAQuestion[];
+  
+  // Log all controls with closure starting with "7." for debugging
+  useMemo(() => {
+    const controls7 = questions.filter((q) => {
+      const closure = q.columnMapping.closure || '';
+      return closure.startsWith('7.');
+    });
+    
+    console.log('[SOA Table] Controls with closure starting with "7.":', {
+      isFullyRemote,
+      controls7Count: controls7.length,
+      controls7Details: controls7.map((q) => ({
+        id: q.id,
+        closure: q.columnMapping.closure,
+        title: q.columnMapping.title,
+        currentIsApplicable: q.columnMapping.isApplicable,
+      })),
+    });
+    
+    return controls7;
+  }, [questions, isFullyRemote]);
+  
+  // Create answers map from document answers (for justification and to check if answer exists)
+  // Memoize to prevent hydration mismatches
+  const answersMap = useMemo<Map<string, { answer: string | null; answerVersion: number }>>(() => {
+    return new Map(
+      (document?.answers || []).map((answer: { questionId: string; answer: string | null; answerVersion: number }) => [
+        answer.questionId,
+        { answer: answer.answer, answerVersion: answer.answerVersion },
+      ])
+    );
+  }, [document?.answers]);
+  
+  // Create a map to check if question has a latest answer
+  const hasAnswerMap = useMemo(() => {
+    return new Map(
+      (document?.answers || []).map((answer: { questionId: string; answerVersion: number }) => [
+        answer.questionId,
+        answer.answerVersion,
+      ])
+    );
+  }, [document?.answers]);
+
+
+  const [isSubmitApprovalDialogOpen, setIsSubmitApprovalDialogOpen] = useState(false);
+  const [selectedApproverId, setSelectedApproverId] = useState<string | null>(null);
+
+  const approveAction = useAction(approveSOADocument, {
+    onSuccess: () => {
+      toast.success('SOA document approved successfully');
+      router.refresh();
+    },
+    onError: ({ error }) => {
+      toast.error(error.serverError || 'Failed to approve SOA document');
+    },
+  });
+
+  const declineAction = useAction(declineSOADocument, {
+    onSuccess: () => {
+      toast.success('SOA document declined successfully');
+      router.refresh();
+    },
+    onError: ({ error }) => {
+      toast.error(error.serverError || 'Failed to decline SOA document');
+    },
+  });
+
+  const submitForApprovalAction = useAction(submitSOAForApproval, {
+    onSuccess: () => {
+      toast.success('SOA document submitted for approval successfully');
+      setIsSubmitApprovalDialogOpen(false);
+      setSelectedApproverId(null);
+      router.refresh();
+    },
+    onError: ({ error }) => {
+      toast.error(error.serverError || 'Failed to submit SOA document for approval');
+    },
+  });
+
+  // Use SSE hook for real-time updates
+  // Map questions to match hook's expected type
+  const questionsForHook = useMemo(() => {
+    return questions.map((q) => ({
+      ...q,
+      columnMapping: {
+        ...q.columnMapping,
+        justification: q.columnMapping.justification ?? null,
+      },
+    }));
+  }, [questions]);
+
+  const { isAutoFilling: isAutoFillingSSE, questionStatuses, processedResults, triggerAutoFill } = useSOAAutoFill({
+    questions: questionsForHook,
+    documentId: document?.id || '',
+    onUpdate: () => {
+      window.location.reload();
+    },
+  });
+
+  // Merge processed results into questions for display (only during auto-fill)
+  // Use useMemo to prevent hydration mismatches
+  const questionsWithResults = useMemo(() => {
+    // Only merge if we have processed results (during auto-fill)
+    if (processedResults.size === 0) {
+      return questions;
+    }
+    
+    return questions.map((q) => {
+      const result = processedResults.get(q.id);
+      if (result && 'success' in result && result.success === true) {
+        // Only merge if generation was successful
+        return {
+          ...q,
+          columnMapping: {
+            ...q.columnMapping,
+            isApplicable: result.isApplicable,
+            justification: result.justification,
+          },
+        };
+      }
+      // If failed or not successful, keep original (don't show YES/NO)
+      return q;
+    });
+  }, [questions, processedResults]);
+
+
+  // Document should always exist at this point (created server-side)
+  // If it doesn't exist, show loading state
+  if (!document) {
+    return (
+      <Card className="p-8">
+        <div className="flex items-center justify-center py-12">
+          <div className="h-6 w-6 animate-spin rounded-full border-2 border-muted-foreground border-t-transparent" />
+        </div>
+      </Card>
+    );
+  }
+
+  const handleAutoFill = async () => {
+    if (!document) return;
+    triggerAutoFill();
+  };
+
+  const handleApprove = async () => {
+    if (!document) return;
+    approveAction.execute({ documentId: document.id });
+  };
+
+  const handleDecline = async () => {
+    if (!document) return;
+    declineAction.execute({ documentId: document.id });
+  };
+
+  const handleSubmitForApproval = () => {
+    if (!document || !selectedApproverId) return;
+    submitForApprovalAction.execute({
+      documentId: document.id,
+      approverId: selectedApproverId,
+    });
+  };
+
+  return (
+    <div className="flex flex-col gap-6">
+      {/* Pending Approval Alert */}
+      {isPendingApproval && (
+        <SOAPendingApprovalAlert
+          approver={approver}
+          currentMemberId={currentMemberId}
+          approverId={(document as any).approverId}
+          canCurrentUserApprove={canCurrentUserApprove}
+          isApproving={approveAction.status === 'executing'}
+          isDeclining={declineAction.status === 'executing'}
+          onApprove={handleApprove}
+          onDecline={handleDecline}
+        />
+      )}
+
+      {/* Document Info */}
+      <SOADocumentInfo
+        document={document as any}
+        approver={approver}
+        isPendingApproval={isPendingApproval}
+        canApprove={canApprove}
+        isAutoFillingSSE={isAutoFillingSSE}
+        onAutoFill={handleAutoFill}
+        onSubmitForApproval={() => setIsSubmitApprovalDialogOpen(true)}
+      />
+
+      {/* Table */}
+      <SOATable
+        columns={columns}
+        questions={questionsWithResults}
+        answersMap={answersMap}
+        questionStatuses={questionStatuses}
+        processedResults={processedResults}
+        isFullyRemote={isFullyRemote}
+        isExpanded={isExpanded}
+        onToggleExpand={() => setIsExpanded(!isExpanded)}
+        documentId={document.id}
+        isPendingApproval={isPendingApproval}
+      />
+
+      {/* Submit for Approval Dialog */}
+      <SubmitApprovalDialog
+        open={isSubmitApprovalDialogOpen}
+        onOpenChange={setIsSubmitApprovalDialogOpen}
+        ownerAdminMembers={ownerAdminMembers}
+        selectedApproverId={selectedApproverId}
+        onApproverChange={setSelectedApproverId}
+        onSubmit={handleSubmitForApproval}
+        isSubmitting={submitForApprovalAction.status === 'executing'}
+      />
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTabs.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTabs.tsx
new file mode 100644
index 000000000..7cefd38b9
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAFrameworkTabs.tsx
@@ -0,0 +1,176 @@
+'use client';
+
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
+import { useState, useTransition } from 'react';
+import { useRouter } from 'next/navigation';
+import { toast } from 'sonner';
+import { Loader2, ShieldCheck } from 'lucide-react';
+import { SOAFrameworkTable } from './SOAFrameworkTable';
+import { getOrganizationFrameworksWithSOAData } from '../data/queries';
+import { ensureSOASetup } from '../actions/ensure-soa-setup';
+
+interface SOAFrameworkTabsProps {
+  frameworksWithSOAData: Awaited<ReturnType<typeof getOrganizationFrameworksWithSOAData>>;
+  organizationId: string;
+}
+
+const isFrameworkSupported = (frameworkName: string) => {
+  return ['ISO 27001', 'iso27001', 'ISO27001'].includes(frameworkName);
+};
+
+export function SOAFrameworkTabs({ frameworksWithSOAData, organizationId }: SOAFrameworkTabsProps) {
+  const router = useRouter();
+  const [isPending, startTransition] = useTransition();
+  const [loadingTab, setLoadingTab] = useState<string | null>(null);
+  const [frameworkData, setFrameworkData] = useState<Map<string, typeof frameworksWithSOAData[0]>>(
+    new Map(frameworksWithSOAData.map((fw) => [fw.frameworkId, fw]))
+  );
+
+  // Set active tab to first supported framework with data, or first framework
+  const getInitialTab = () => {
+    const firstSupportedWithData = frameworksWithSOAData.find((fw) => {
+      if (!fw.framework) return false;
+      const isSupported = isFrameworkSupported(fw.framework.name);
+      return isSupported && fw.configuration && fw.document;
+    });
+    
+    if (firstSupportedWithData) {
+      return firstSupportedWithData.frameworkId;
+    }
+    
+    return frameworksWithSOAData[0]?.frameworkId || '';
+  };
+
+  const [activeTab, setActiveTab] = useState(getInitialTab());
+
+  const handleTabChange = async (frameworkId: string) => {
+    const currentData = frameworkData.get(frameworkId);
+    
+    // If we already have configuration and document, just switch tabs
+    if (currentData?.configuration && currentData?.document) {
+      setActiveTab(frameworkId);
+      return;
+    }
+
+    setActiveTab(frameworkId);
+    setLoadingTab(frameworkId);
+
+    startTransition(async () => {
+      try {
+        const result = await ensureSOASetup(frameworkId, organizationId);
+
+        if (result.success && result.configuration) {
+          // Update framework data
+          const existingData = frameworkData.get(frameworkId);
+          if (existingData) {
+            setFrameworkData((prev) => {
+              const newMap = new Map(prev);
+              newMap.set(frameworkId, {
+                ...existingData,
+                configuration: result.configuration,
+                document: result.document,
+              });
+              return newMap;
+            });
+          }
+        } else if (result.error) {
+          toast.error(result.error);
+        }
+      } catch (error) {
+        toast.error(error instanceof Error ? error.message : 'Failed to setup SOA');
+      } finally {
+        setLoadingTab(null);
+        router.refresh();
+      }
+    });
+  };
+
+  if (frameworksWithSOAData.length === 0) {
+    return (
+      <div className="flex flex-col items-center justify-center gap-4 py-12 text-center rounded-lg border">
+        <p className="text-muted-foreground">
+          No frameworks found. Add ISO 27001 framework to get started.
+        </p>
+      </div>
+    );
+  }
+
+  return (
+    <Tabs value={activeTab} onValueChange={handleTabChange} className="w-full">
+      <TabsList className="inline-flex h-10 items-center justify-start rounded-lg bg-muted p-1 text-muted-foreground w-full gap-1">
+        {frameworksWithSOAData.map((fw) => {
+          if (!fw.framework) return null;
+          const isSupported = isFrameworkSupported(fw.framework.name);
+          const isLoading = loadingTab === fw.frameworkId;
+          
+          return (
+            <TabsTrigger 
+              key={fw.frameworkId} 
+              value={fw.frameworkId} 
+              disabled={isLoading}
+              className={`inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md px-3 py-1.5 text-sm font-medium ring-offset-background transition-all focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:pointer-events-none disabled:opacity-50 ${
+                isSupported 
+                  ? 'data-[state=active]:bg-background data-[state=active]:text-foreground data-[state=active]:shadow-sm border border-green-200 dark:border-green-900/30' 
+                  : 'data-[state=active]:bg-background data-[state=active]:text-foreground data-[state=active]:shadow-sm'
+              }`}
+            >
+              {isLoading ? (
+                <>
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                  <span>{fw.framework.name}</span>
+                </>
+              ) : (
+                <>
+                  {isSupported && (
+                    <ShieldCheck className="h-3.5 w-3.5 text-green-600 dark:text-green-400" />
+                  )}
+                  <span>{fw.framework.name}</span>
+                  {isSupported && (
+                    <span className="ml-1 inline-flex items-center rounded-full bg-green-100 dark:bg-green-900/30 px-2 py-0.5 text-[10px] font-semibold text-green-700 dark:text-green-400">
+                      SOA
+                    </span>
+                  )}
+                </>
+              )}
+            </TabsTrigger>
+          );
+        })}
+      </TabsList>
+      {frameworksWithSOAData.map((fw) => {
+        if (!fw.framework) return null;
+        const data = frameworkData.get(fw.frameworkId);
+        const isSupported = isFrameworkSupported(fw.framework.name);
+
+        return (
+          <TabsContent key={fw.frameworkId} value={fw.frameworkId} className="mt-4">
+            {loadingTab === fw.frameworkId ? (
+              <div className="flex items-center justify-center py-12">
+                <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+              </div>
+            ) : !isSupported ? (
+              <div className="flex flex-col items-center justify-center gap-4 py-12 text-center rounded-lg border">
+                <p className="text-muted-foreground">
+                  SOA is currently only supported for ISO 27001 framework.
+                </p>
+                <p className="text-xs text-muted-foreground">
+                  Support for {fw.framework.name} will be available soon.
+                </p>
+              </div>
+            ) : data?.configuration ? (
+              <SOAFrameworkTable
+                framework={data.framework}
+                configuration={data.configuration}
+                document={data.document}
+                organizationId={organizationId}
+              />
+            ) : (
+              <div className="flex items-center justify-center py-12">
+                <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+              </div>
+            )}
+          </TabsContent>
+        );
+      })}
+    </Tabs>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
new file mode 100644
index 000000000..4ead27f2e
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
@@ -0,0 +1,88 @@
+'use client';
+
+import { Button } from '@comp/ui/button';
+import { Alert, AlertDescription, AlertTitle } from '@comp/ui/alert';
+import { ShieldX, ShieldCheck, Loader2, XCircle } from 'lucide-react';
+import { Member, User } from '@db';
+
+interface SOAPendingApprovalAlertProps {
+  approver?: (Member & { user: User }) | null;
+  currentMemberId?: string | null;
+  approverId?: string | null;
+  canCurrentUserApprove: boolean;
+  isApproving: boolean;
+  isDeclining: boolean;
+  onApprove: () => void;
+  onDecline: () => void;
+}
+
+export function SOAPendingApprovalAlert({
+  approver,
+  currentMemberId,
+  approverId,
+  canCurrentUserApprove,
+  isApproving,
+  isDeclining,
+  onApprove,
+  onDecline,
+}: SOAPendingApprovalAlertProps) {
+  return (
+    <Alert variant="default">
+      <ShieldX className="h-4 w-4" />
+      <AlertTitle>
+        {canCurrentUserApprove ? 'Action Required by You' : 'Pending Approval'}
+      </AlertTitle>
+      <AlertDescription className="flex flex-col gap-2">
+        <div>
+          This SOA document is awaiting approval from{' '}
+          <span className="font-semibold">
+            {approverId === currentMemberId
+              ? 'you'
+              : approver
+                ? `${approver.user.name} (${approver.user.email})`
+                : 'an approver'}
+          </span>
+          .
+        </div>
+        {canCurrentUserApprove &&
+          ' Please review the details and approve the document.'}
+        {!canCurrentUserApprove && ' All fields are disabled until the document is approved.'}
+        {canCurrentUserApprove && (
+          <div className="flex items-center gap-2 mt-2">
+            <Button onClick={onApprove} disabled={isApproving || isDeclining}>
+              {isApproving ? (
+                <>
+                  <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                  Approving...
+                </>
+              ) : (
+                <>
+                  <ShieldCheck className="mr-2 h-4 w-4" />
+                  Approve
+                </>
+              )}
+            </Button>
+            <Button 
+              onClick={onDecline} 
+              disabled={isApproving || isDeclining}
+              variant="destructive"
+            >
+              {isDeclining ? (
+                <>
+                  <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                  Declining...
+                </>
+              ) : (
+                <>
+                  <XCircle className="mr-2 h-4 w-4" />
+                  Decline
+                </>
+              )}
+            </Button>
+          </div>
+        )}
+      </AlertDescription>
+    </Alert>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
new file mode 100644
index 000000000..af713b1fc
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
@@ -0,0 +1,150 @@
+'use client';
+
+import { Card } from '@comp/ui';
+import { Button } from '@comp/ui/button';
+import { ChevronUp, ChevronDown } from 'lucide-react';
+import { SOATableRow } from './SOATableRow';
+
+type SOAColumn = {
+  name: string;
+  type: 'string' | 'boolean' | 'text';
+};
+
+type SOAQuestion = {
+  id: string;
+  text: string;
+  columnMapping: {
+    closure: string;
+    title: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification?: string | null;
+  };
+};
+
+type ProcessedResult = {
+  success: boolean;
+  isApplicable: boolean | null;
+  justification?: string | null;
+  insufficientData?: boolean;
+};
+
+interface SOATableProps {
+  columns: SOAColumn[];
+  questions: SOAQuestion[];
+  answersMap: Map<string, { answer: string | null; answerVersion: number }>;
+  questionStatuses: Map<string, string>;
+  processedResults: Map<string, ProcessedResult>;
+  isFullyRemote: boolean;
+  isExpanded: boolean;
+  onToggleExpand: () => void;
+  documentId: string;
+  isPendingApproval: boolean;
+}
+
+export function SOATable({
+  columns,
+  questions,
+  answersMap,
+  questionStatuses,
+  processedResults,
+  isFullyRemote,
+  isExpanded,
+  onToggleExpand,
+  documentId,
+  isPendingApproval,
+}: SOATableProps) {
+  const displayedQuestions = isExpanded ? questions : questions.slice(0, 5);
+  const hasMoreQuestions = questions.length > 5;
+
+  return (
+    <Card className="overflow-hidden">
+      <div className="overflow-x-auto">
+        <table className="w-full border-separate border-spacing-0 table-fixed">
+          <colgroup>
+            {columns.map((column) => {
+              const getColumnWidth = (colName: string) => {
+                if (colName === 'isApplicable') {
+                  return '15%';
+                }
+                if (colName === 'title') {
+                  return '20%';
+                }
+                if (colName === 'control_objective') {
+                  return '35%';
+                }
+                if (colName === 'justification') {
+                  return '30%';
+                }
+                return '20%';
+              };
+
+              return (
+                <col key={column.name} style={{ width: getColumnWidth(column.name) }} />
+              );
+            })}
+          </colgroup>
+          <thead>
+            <tr className="border-b bg-muted/30">
+              {columns.map((column, index) => {
+                return (
+                  <th
+                    key={column.name}
+                    className={`py-4 text-left text-xs font-semibold uppercase tracking-wider text-muted-foreground ${
+                      index === 0 ? 'pl-6 pr-6' : index === columns.length - 1 ? 'px-6 pr-6' : 'px-6'
+                    }`}
+                  >
+                    {column.name.replace(/_/g, ' ')}
+                  </th>
+                );
+              })}
+            </tr>
+          </thead>
+          <tbody>
+            {displayedQuestions.map((question) => {
+              const answerData = answersMap.get(question.id);
+              const questionStatus = questionStatuses.get(question.id);
+              const processedResult = processedResults.get(question.id);
+              
+              return (
+                <SOATableRow
+                  key={question.id}
+                  question={question}
+                  columns={columns}
+                  answerData={answerData}
+                  questionStatus={questionStatus}
+                  processedResult={processedResult}
+                  isFullyRemote={isFullyRemote}
+                  documentId={documentId}
+                  isPendingApproval={isPendingApproval}
+                />
+              );
+            })}
+          </tbody>
+        </table>
+      </div>
+      {hasMoreQuestions && (
+        <div className="border-t p-4 flex items-center justify-center">
+          <Button
+            variant="ghost"
+            onClick={onToggleExpand}
+            className="gap-2"
+          >
+            {isExpanded ? (
+              <>
+                <ChevronUp className="h-4 w-4" />
+                Show Less
+              </>
+            ) : (
+              <>
+                Show All ({questions.length} total)
+                <ChevronDown className="h-4 w-4" />
+              </>
+            )}
+          </Button>
+        </div>
+      )}
+    </Card>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
new file mode 100644
index 000000000..efe0573ed
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
@@ -0,0 +1,168 @@
+'use client';
+
+import { Loader2 } from 'lucide-react';
+import { EditableSOAFields } from './EditableSOAFields';
+
+type SOAColumn = {
+  name: string;
+  type: 'string' | 'boolean' | 'text';
+};
+
+type SOAQuestion = {
+  id: string;
+  text: string;
+  columnMapping: {
+    closure: string;
+    title: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification?: string | null;
+  };
+};
+
+type ProcessedResult = {
+  success: boolean;
+  isApplicable: boolean | null;
+  justification?: string | null;
+  insufficientData?: boolean;
+};
+
+interface SOATableRowProps {
+  question: SOAQuestion;
+  columns: SOAColumn[];
+  answerData?: { answer: string | null; answerVersion: number };
+  questionStatus?: string;
+  processedResult?: ProcessedResult;
+  isFullyRemote: boolean;
+  documentId: string;
+  isPendingApproval: boolean;
+}
+
+export function SOATableRow({
+  question,
+  columns,
+  answerData,
+  questionStatus,
+  processedResult,
+  isFullyRemote,
+  documentId,
+  isPendingApproval,
+}: SOATableRowProps) {
+  const isProcessing = questionStatus === 'processing';
+  const isInsufficientData = questionStatus === 'insufficient_data' as any;
+  const hasInsufficientData = processedResult && 'insufficientData' in processedResult && processedResult.insufficientData === true;
+  
+  // For controls with closure starting with "7." and fully remote org, always show NO
+  const controlClosure = question.columnMapping.closure || '';
+  const isControl7 = controlClosure.startsWith('7.');
+  
+  // Determine displayIsApplicable and justificationValue based on fully remote logic
+  let displayIsApplicable: boolean;
+  let justificationValue: string | null;
+  
+  // If fully remote and control starts with "7.", always show NO (override any other value)
+  if (isFullyRemote && isControl7) {
+    displayIsApplicable = false;
+    justificationValue = processedResult?.justification 
+      || answerData?.answer
+      || question.columnMapping.justification
+      || 'This control is not applicable as our organization operates fully remotely.';
+  } else {
+    // Normal logic for other controls
+    const isApplicableValue = processedResult?.isApplicable !== null && processedResult?.isApplicable !== undefined
+      ? processedResult.isApplicable
+      : (question.columnMapping.isApplicable ?? true); // Default to YES
+    
+    // For justification: only show if isApplicable is NO
+    justificationValue = (isApplicableValue === false && processedResult?.justification) 
+      || (isApplicableValue === false && answerData?.answer)
+      || (isApplicableValue === false && question.columnMapping.justification)
+      || null;
+    
+    displayIsApplicable = processedResult?.isApplicable !== null && processedResult?.isApplicable !== undefined
+      ? processedResult.isApplicable
+      : (question.columnMapping.isApplicable ?? true); // Default to YES
+  }
+
+  return (
+    <tr className="border-b transition-colors hover:bg-muted/30 last:border-b-0">
+      {columns.map((column, colIndex) => {
+        const columnKey = column.name as keyof typeof question.columnMapping;
+        let value = question.columnMapping[columnKey];
+        
+        // For isApplicable column, use displayIsApplicable
+        if (column.name === 'isApplicable') {
+          value = displayIsApplicable;
+        }
+        
+        // For justification column, use justificationValue
+        if (column.name === 'justification') {
+          value = justificationValue;
+        }
+        
+        // Show spinner for isApplicable and justification columns if processing
+        const showSpinner = (column.name === 'isApplicable' || column.name === 'justification') && isProcessing;
+        
+        return (
+          <td
+            key={column.name}
+            className={`py-4 text-sm ${
+              colIndex === 0 ? 'pl-6 pr-6' : colIndex === columns.length - 1 ? 'px-6 pr-6' : 'px-6'
+            } ${column.name === 'isApplicable' ? 'bg-muted/10' : ''}`}
+          >
+            {showSpinner ? (
+              <div className="flex items-center gap-2">
+                <Loader2 className="h-4 w-4 animate-spin text-muted-foreground" />
+                <span className="text-xs text-muted-foreground">Processing...</span>
+              </div>
+            ) : column.name === 'isApplicable' ? (
+              isProcessing ? (
+                <div className="flex items-center gap-2">
+                  <Loader2 className="h-4 w-4 animate-spin text-muted-foreground" />
+                  <span className="text-xs text-muted-foreground">Processing...</span>
+                </div>
+              ) : (
+                <EditableSOAFields
+                  documentId={documentId}
+                  questionId={question.id}
+                  isApplicable={displayIsApplicable}
+                  justification={justificationValue}
+                  isPendingApproval={isPendingApproval}
+                  isControl7={isControl7}
+                  isFullyRemote={isFullyRemote}
+                />
+              )
+            ) : column.name === 'justification' ? (
+              // Justification is handled within EditableSOAFields when isApplicable is NO
+              isProcessing ? (
+                <div className="flex items-center gap-2">
+                  <Loader2 className="h-4 w-4 animate-spin text-muted-foreground" />
+                  <span className="text-xs text-muted-foreground">Processing...</span>
+                </div>
+              ) : displayIsApplicable === false ? (
+                // Show justification text in this column when not editing
+                <p className="text-sm leading-relaxed text-foreground whitespace-pre-wrap break-words">
+                  {justificationValue || '—'}
+                </p>
+              ) : (
+                <span className="text-muted-foreground">—</span>
+              )
+            ) : (
+              // For other columns (title, control_objective), show "Insufficient data" if question has insufficient data
+              (isInsufficientData || hasInsufficientData) && column.name !== 'title' && column.name !== 'control_objective' ? (
+                <span className="text-xs text-muted-foreground italic">Insufficient data</span>
+              ) : (
+                <span className={`leading-relaxed whitespace-pre-wrap ${
+                  value ? 'text-foreground' : 'text-muted-foreground'
+                }`}>
+                  {value || '—'}
+                </span>
+              )
+            )}
+          </td>
+        );
+      })}
+    </tr>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SubmitApprovalDialog.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SubmitApprovalDialog.tsx
new file mode 100644
index 000000000..3cf80e438
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SubmitApprovalDialog.tsx
@@ -0,0 +1,70 @@
+'use client';
+
+import { Button } from '@comp/ui/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { SelectAssignee } from '@/components/SelectAssignee';
+import { Loader2 } from 'lucide-react';
+import { Member, User } from '@db';
+
+interface SubmitApprovalDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  ownerAdminMembers: (Member & { user: User })[];
+  selectedApproverId: string | null;
+  onApproverChange: (id: string | null) => void;
+  onSubmit: () => void;
+  isSubmitting: boolean;
+}
+
+export function SubmitApprovalDialog({
+  open,
+  onOpenChange,
+  ownerAdminMembers,
+  selectedApproverId,
+  onApproverChange,
+  onSubmit,
+  isSubmitting,
+}: SubmitApprovalDialogProps) {
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent>
+        <DialogHeader>
+          <DialogTitle>Submit for Approval</DialogTitle>
+          <DialogDescription>Please select an approver for this SOA document.</DialogDescription>
+        </DialogHeader>
+        <SelectAssignee
+          assignees={ownerAdminMembers}
+          assigneeId={selectedApproverId}
+          onAssigneeChange={onApproverChange}
+          withTitle={false}
+        />
+        <DialogFooter>
+          <Button variant="outline" onClick={() => onOpenChange(false)}>
+            Cancel
+          </Button>
+          <Button
+            onClick={onSubmit}
+            disabled={isSubmitting || !selectedApproverId}
+          >
+            {isSubmitting ? (
+              <>
+                <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                Submitting...
+              </>
+            ) : (
+              'Confirm & Submit'
+            )}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/data/queries.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/data/queries.ts
new file mode 100644
index 000000000..8bc82e220
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/data/queries.ts
@@ -0,0 +1,344 @@
+'use server';
+
+import { auth } from '@/utils/auth';
+import { db } from '@db';
+import { headers } from 'next/headers';
+import 'server-only';
+
+/**
+ * Get SOA documents for an organization
+ */
+export const getSOADocuments = async (organizationId: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.session?.activeOrganizationId || session.session.activeOrganizationId !== organizationId) {
+    return [];
+  }
+
+  const documents = await db.sOADocument.findMany({
+    where: {
+      organizationId,
+    },
+    include: {
+      framework: true,
+      configuration: true,
+      answers: {
+        where: {
+          isLatestAnswer: true,
+        },
+      },
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  });
+
+  // Fetch approver members for documents pending approval
+  const approverMemberIds = documents
+    .map((doc: { approverId: string | null | undefined }) => doc.approverId)
+    .filter((id: string | null | undefined): id is string => id !== null && id !== undefined && typeof id === 'string');
+
+  const approvers = approverMemberIds.length > 0
+    ? await db.member.findMany({
+        where: { id: { in: approverMemberIds } },
+        include: {
+          user: {
+            select: {
+              id: true,
+              name: true,
+              email: true,
+            },
+          },
+        },
+      })
+    : [];
+
+  const approversMap = new Map(approvers.map((m) => [m.id, m]));
+
+  // Attach approver data to documents
+  return documents.map((doc: { approverId: string | null }) => ({
+    ...doc,
+    approver: doc.approverId ? approversMap.get(doc.approverId) || null : null,
+  }));
+};
+
+/**
+ * Get frameworks that have SOA configurations
+ */
+export const getFrameworksWithSOAConfig = async () => {
+  // Get all visible frameworks
+  const allFrameworks = await db.frameworkEditorFramework.findMany({
+    where: {
+      visible: true,
+    },
+  });
+
+  // Check which ones have SOA configurations
+  const frameworksWithSOA = await Promise.all(
+    allFrameworks.map(async (framework) => {
+      const config = await db.sOAFrameworkConfiguration.findFirst({
+        where: {
+          frameworkId: framework.id,
+          isLatest: true,
+        },
+      });
+
+      if (!config) return null;
+
+      return {
+        ...framework,
+        soaConfiguration: config,
+      };
+    }),
+  );
+
+  return frameworksWithSOA.filter((f) => f !== null);
+};
+
+/**
+ * Check if a framework has SOA configuration
+ */
+export const hasSOAConfiguration = async (frameworkId: string): Promise<boolean> => {
+  const config = await db.sOAFrameworkConfiguration.findFirst({
+    where: {
+      frameworkId,
+      isLatest: true,
+    },
+  });
+
+  return !!config;
+};
+
+/**
+ * Get the latest SOA configuration for a framework
+ */
+export const getLatestSOAConfiguration = async (frameworkId: string) => {
+  const config = await db.sOAFrameworkConfiguration.findFirst({
+    where: {
+      frameworkId,
+      isLatest: true,
+    },
+  });
+
+  return config;
+};
+
+/**
+ * Get organization's framework instances that support SOA
+ */
+export const getOrganizationFrameworksWithSOA = async (organizationId: string) => {
+  // Get organization's framework instances
+  const frameworkInstances = await db.frameworkInstance.findMany({
+    where: {
+      organizationId,
+    },
+    include: {
+      framework: true,
+    },
+  });
+
+  // Check which frameworks have SOA configurations
+  const frameworksWithSOA = await Promise.all(
+    frameworkInstances.map(async (instance) => {
+      const config = await db.sOAFrameworkConfiguration.findFirst({
+        where: {
+          frameworkId: instance.frameworkId,
+          isLatest: true,
+        },
+      });
+
+      if (!config) return null;
+
+      return {
+        ...instance,
+        soaConfiguration: config,
+      };
+    }),
+  );
+
+  return frameworksWithSOA.filter((f) => f !== null);
+};
+
+/**
+ * Get frameworks with their latest SOA documents for an organization
+ * Returns all frameworks that have SOA configurations, whether or not the org has instances
+ */
+export const getFrameworksWithLatestDocuments = async (organizationId: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.session?.activeOrganizationId || session.session.activeOrganizationId !== organizationId) {
+    return [];
+  }
+
+  // Get all frameworks that have SOA configurations (not just org's instances)
+  const frameworksWithConfigs = await db.sOAFrameworkConfiguration.findMany({
+    where: {
+      isLatest: true,
+    },
+    include: {
+      framework: true,
+    },
+  });
+
+  // Filter out configs without frameworks or with invisible frameworks, and get documents for each
+  const frameworksWithData = await Promise.all(
+    frameworksWithConfigs
+      .filter((config: { framework: { visible: boolean } | null }) => config.framework && config.framework.visible)
+      .map(async (config: { frameworkId: string; framework: { id: string; name: string; description: string | null } | null; id: string; columns: unknown; questions: unknown }) => {
+        // Get the latest document for this framework and organization
+        const latestDocument = await db.sOADocument.findFirst({
+          where: {
+            frameworkId: config.frameworkId,
+            organizationId,
+            isLatest: true,
+          },
+          include: {
+            answers: {
+              where: {
+                isLatestAnswer: true,
+              },
+            },
+          },
+          orderBy: {
+            createdAt: 'desc',
+          },
+        });
+
+        return {
+          framework: config.framework!,
+          frameworkId: config.frameworkId,
+          configuration: config,
+          document: latestDocument,
+        };
+      }),
+  );
+
+  return frameworksWithData;
+};
+
+/**
+ * Get all organization's framework instances with their SOA data
+ */
+export const getOrganizationFrameworksWithSOAData = async (organizationId: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.session?.activeOrganizationId || session.session.activeOrganizationId !== organizationId) {
+    return [];
+  }
+
+  const frameworkInstances = await db.frameworkInstance.findMany({
+    where: {
+      organizationId,
+    },
+    include: {
+      framework: true,
+    },
+  });
+
+  const validInstances = frameworkInstances.filter((fi) => fi.framework !== null);
+  
+  // Sort: supported frameworks first (ISO 27001), then others
+  const supportedFrameworkNames = ['ISO 27001', 'iso27001', 'ISO27001'];
+  
+  const sortedInstances = validInstances.sort((a, b) => {
+    const aName = (a as { framework: { name: string } | null }).framework?.name || '';
+    const bName = (b as { framework: { name: string } | null }).framework?.name || '';
+    
+    const aIsSupported = supportedFrameworkNames.includes(aName);
+    const bIsSupported = supportedFrameworkNames.includes(bName);
+    
+    if (aIsSupported && !bIsSupported) return -1;
+    if (!aIsSupported && bIsSupported) return 1;
+    return 0;
+  });
+
+  // Get SOA configurations and documents for each framework
+  const frameworksWithData = await Promise.all(
+    sortedInstances.map(async (instance) => {
+      const framework = (instance as { framework: { id: string; name: string; description: string | null } | null }).framework;
+      if (!framework) return null;
+
+      const configuration = await db.sOAFrameworkConfiguration.findFirst({
+        where: {
+          frameworkId: framework.id,
+          isLatest: true,
+        },
+      });
+
+      const document = await db.sOADocument.findFirst({
+        where: {
+          frameworkId: framework.id,
+          organizationId,
+          isLatest: true,
+        },
+        include: {
+          answers: {
+            where: {
+              isLatestAnswer: true,
+            },
+          },
+        },
+        orderBy: {
+          createdAt: 'desc',
+        },
+      });
+
+      return {
+        frameworkId: instance.frameworkId,
+        framework,
+        configuration,
+        document,
+      };
+    }),
+  );
+
+  return frameworksWithData.filter((f) => f !== null);
+};
+
+/**
+ * Get all organization's framework instances
+ */
+export const getOrganizationFrameworks = async (organizationId: string) => {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.session?.activeOrganizationId || session.session.activeOrganizationId !== organizationId) {
+    return [];
+  }
+
+  const frameworkInstances = await db.frameworkInstance.findMany({
+    where: {
+      organizationId,
+    },
+    include: {
+      framework: true,
+    },
+    orderBy: {
+      id: 'desc',
+    },
+  });
+
+  const validInstances = frameworkInstances.filter((fi) => fi.framework !== null);
+  
+  // Sort: supported frameworks first (ISO 27001), then others
+  const supportedFrameworkNames = ['ISO 27001', 'iso27001', 'ISO27001'];
+  
+  return validInstances.sort((a, b) => {
+    const aName = (a as { framework: { name: string } | null }).framework?.name || '';
+    const bName = (b as { framework: { name: string } | null }).framework?.name || '';
+    
+    const aIsSupported = supportedFrameworkNames.includes(aName);
+    const bIsSupported = supportedFrameworkNames.includes(bName);
+    
+    if (aIsSupported && !bIsSupported) return -1;
+    if (!aIsSupported && bIsSupported) return 1;
+    return 0;
+  });
+};
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/hooks/useSOAAutoFill.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/hooks/useSOAAutoFill.ts
new file mode 100644
index 000000000..e705ba4d9
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/hooks/useSOAAutoFill.ts
@@ -0,0 +1,138 @@
+'use client';
+
+import { useState, useRef } from 'react';
+import { toast } from 'sonner';
+
+interface UseSOAAutoFillProps {
+  questions: Array<{
+    id: string;
+    text: string;
+    columnMapping: {
+      title: string;
+      control_objective: string | null;
+      isApplicable: boolean | null;
+      justification: string | null;
+    };
+  }>;
+  documentId: string;
+  onUpdate: () => void;
+}
+
+export function useSOAAutoFill({ questions, documentId, onUpdate }: UseSOAAutoFillProps) {
+  const [isAutoFilling, setIsAutoFilling] = useState(false);
+  const [questionStatuses, setQuestionStatuses] = useState<Map<string, 'pending' | 'processing' | 'completed' | 'failed' | 'insufficient_data'>>(new Map());
+  const [processedResults, setProcessedResults] = useState<Map<string, { isApplicable: boolean | null; justification: string | null; success: boolean; insufficientData?: boolean }>>(new Map());
+  const isAutoFillProcessStartedRef = useRef(false);
+
+  const triggerAutoFill = async () => {
+    setIsAutoFilling(true);
+    isAutoFillProcessStartedRef.current = true;
+    // Set all questions to 'processing' immediately for instant spinner feedback
+    setQuestionStatuses(new Map(questions.map((q) => [q.id, 'processing'])));
+    setProcessedResults(new Map());
+
+    try {
+      // Use fetch with ReadableStream for SSE
+      const response = await fetch('/api/questionnaire/soa/auto-fill', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        credentials: 'include',
+        body: JSON.stringify({
+          documentId,
+        }),
+      });
+
+      if (!response.ok) {
+        throw new Error(`HTTP error! status: ${response.status}`);
+      }
+
+      const reader = response.body?.getReader();
+      const decoder = new TextDecoder();
+
+      if (!reader) {
+        throw new Error('No response body');
+      }
+
+      while (true) {
+        const { done, value } = await reader.read();
+
+        if (done) {
+          break;
+        }
+
+        const chunk = decoder.decode(value);
+        const lines = chunk.split('\n');
+
+        for (const line of lines) {
+          if (line.startsWith('data: ')) {
+            try {
+              const data = JSON.parse(line.slice(6));
+
+              if (data.type === 'progress') {
+                // Progress update
+                // Could show overall progress if needed
+              } else if (data.type === 'processing') {
+                // Question is being processed
+                setQuestionStatuses((prev) => {
+                  const newStatuses = new Map(prev);
+                  newStatuses.set(data.questionId, 'processing');
+                  return newStatuses;
+                });
+              } else if (data.type === 'answer') {
+                // Answer received for a question
+                const isSuccess = data.success && data.isApplicable !== null;
+                const isInsufficientData = data.insufficientData === true;
+                
+                setQuestionStatuses((prev) => {
+                  const newStatuses = new Map(prev);
+                  if (isInsufficientData) {
+                    newStatuses.set(data.questionId, 'insufficient_data');
+                  } else {
+                    newStatuses.set(data.questionId, isSuccess ? 'completed' : 'failed');
+                  }
+                  return newStatuses;
+                });
+
+                // Store result regardless of success to track failed attempts
+                setProcessedResults((prev) => {
+                  const newMap = new Map(prev);
+                  newMap.set(data.questionId, {
+                    isApplicable: data.isApplicable,
+                    justification: data.justification,
+                    success: data.success || false,
+                    insufficientData: data.insufficientData || false,
+                  });
+                  return newMap;
+                });
+              } else if (data.type === 'complete') {
+                // All questions completed
+                toast.success(`Auto-filled ${data.answered} questions`);
+                setIsAutoFilling(false);
+                onUpdate();
+              } else if (data.type === 'error') {
+                toast.error(data.error || 'Failed to auto-fill SOA');
+                setIsAutoFilling(false);
+              }
+            } catch (error) {
+              console.error('Error parsing SSE data:', error);
+            }
+          }
+        }
+      }
+    } catch (error) {
+      console.error('Error in auto-fill SOA:', error);
+      toast.error(error instanceof Error ? error.message : 'Failed to auto-fill SOA');
+      setIsAutoFilling(false);
+    }
+  };
+
+  return {
+    isAutoFilling,
+    questionStatuses,
+    processedResults,
+    triggerAutoFill,
+  };
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/page.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/page.tsx
new file mode 100644
index 000000000..4a0665464
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/page.tsx
@@ -0,0 +1,271 @@
+import { getFeatureFlags } from '@/app/posthog';
+import PageWithBreadcrumb from '@/components/pages/PageWithBreadcrumb';
+import { auth } from '@/utils/auth';
+import { headers } from 'next/headers';
+import { notFound } from 'next/navigation';
+import { db } from '@db';
+import { ensureSOASetup } from './actions/ensure-soa-setup';
+import { SOAFrameworkTable } from './components/SOAFrameworkTable';
+
+export default async function SOAPage() {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.user?.id || !session?.session?.activeOrganizationId) {
+    return notFound();
+  }
+
+  // Check feature flag on server
+  const flags = await getFeatureFlags(session.user.id);
+  const isSOAFeatureEnabled =
+    flags['is-statement-of-applicability-enabled'] === true ||
+    flags['is-statement-of-applicability-enabled'] === 'true';
+
+  if (!isSOAFeatureEnabled) {
+    return notFound();
+  }
+
+  const organizationId = session.session.activeOrganizationId;
+
+  // Find ISO 27001 framework instance for this organization
+  const isoFrameworkInstance = await db.frameworkInstance.findFirst({
+    where: {
+      organizationId,
+      framework: {
+        name: {
+          in: ['ISO 27001', 'iso27001', 'ISO27001'],
+        },
+      },
+    },
+    include: {
+      framework: true,
+    },
+  });
+
+  if (!isoFrameworkInstance?.framework) {
+    return (
+      <PageWithBreadcrumb
+        breadcrumbs={[
+          { label: 'SOA', current: true },
+        ]}
+      >
+        <div className="flex flex-col gap-8">
+          <div className="flex flex-col gap-2">
+            <h1 className="text-xl lg:text-2xl font-semibold text-foreground">
+              Statement of Applicability
+            </h1>
+            <p className="text-xs lg:text-sm text-muted-foreground leading-relaxed max-w-3xl">
+              Auto-complete Statement of Applicability for ISO 27001. Generate answers based on
+              your organization's policies and documentation.
+            </p>
+          </div>
+          <div className="flex flex-col items-center justify-center gap-4 py-12 text-center rounded-lg border">
+            <p className="text-muted-foreground">
+              ISO 27001 framework not found. Please add ISO 27001 framework to your organization to get started.
+            </p>
+          </div>
+        </div>
+      </PageWithBreadcrumb>
+    );
+  }
+
+  const frameworkId = isoFrameworkInstance.frameworkId;
+  const framework = isoFrameworkInstance.framework;
+
+  // Ensure SOA setup exists (creates both configuration and document if missing)
+  let setupResult;
+  try {
+    setupResult = await ensureSOASetup(frameworkId, organizationId);
+  } catch (error) {
+    console.error('Failed to setup SOA:', error);
+    return (
+      <PageWithBreadcrumb
+        breadcrumbs={[
+          { label: 'SOA', current: true },
+        ]}
+      >
+        <div className="flex flex-col gap-8">
+          <div className="flex flex-col gap-2">
+            <h1 className="text-xl lg:text-2xl font-semibold text-foreground">
+              Statement of Applicability
+            </h1>
+            <p className="text-xs lg:text-sm text-muted-foreground leading-relaxed max-w-3xl">
+              Auto-complete Statement of Applicability for ISO 27001. Generate answers based on
+              your organization's policies and documentation.
+            </p>
+          </div>
+          <div className="flex items-center justify-center py-12">
+            <p className="text-muted-foreground">Failed to setup SOA. Please try again later.</p>
+          </div>
+        </div>
+      </PageWithBreadcrumb>
+    );
+  }
+
+  // Get configuration and document from setup result
+  const configuration = setupResult?.configuration;
+  const document = setupResult?.document;
+
+  // Fetch approver member (for pending approval or approved documents)
+  let approver: Awaited<ReturnType<typeof db.member.findUnique<{
+    where: { id: string };
+    include: { user: { select: { id: true; name: true; email: true } } };
+  }>>> | null = null;
+  if (document?.approverId) {
+    approver = await db.member.findUnique({
+      where: { id: document.approverId },
+      include: {
+        user: {
+          select: {
+            id: true,
+            name: true,
+            email: true,
+          },
+        },
+      },
+    });
+  }
+
+  // Get current user member and check permissions
+  let currentMember = null;
+  let canApprove = false;
+  let isPendingApproval = false;
+  let canCurrentUserApprove = false;
+  
+  if (session?.user?.id) {
+    currentMember = await db.member.findFirst({
+      where: {
+        organizationId,
+        userId: session.user.id,
+        deactivated: false,
+      },
+    });
+    canApprove = currentMember ? (currentMember.role.includes('owner') || currentMember.role.includes('admin')) : false;
+    
+    // Check if document is pending approval and current member is the approver
+    isPendingApproval = (document as any)?.status === 'needs_review';
+    canCurrentUserApprove = isPendingApproval && (document as any)?.approverId === currentMember?.id;
+  }
+
+  // Get owner/admin members for approval selection
+  const ownerAdminMembers = await db.member.findMany({
+    where: {
+      organizationId,
+      deactivated: false,
+      OR: [
+        { role: { contains: 'owner' } },
+        { role: { contains: 'admin' } },
+      ],
+    },
+    include: {
+      user: true,
+    },
+    orderBy: {
+      user: {
+        name: 'asc',
+      },
+    },
+  });
+
+  // Check if organization is fully remote by querying Context table directly
+  let isFullyRemote = false;
+  try {
+    const teamWorkContext = await db.context.findFirst({
+      where: {
+        organizationId,
+        question: {
+          contains: 'How does your team work',
+          mode: 'insensitive',
+        },
+      },
+    });
+
+    console.log('[SOA Page] Team work context check:', {
+      organizationId,
+      found: !!teamWorkContext,
+      question: teamWorkContext?.question,
+      answer: teamWorkContext?.answer,
+    });
+
+    if (teamWorkContext?.answer) {
+      const answerLower = teamWorkContext.answer.toLowerCase();
+      isFullyRemote = answerLower.includes('fully remote') || answerLower.includes('fully-remote');
+      
+      console.log('[SOA Page] Fully remote check result:', {
+        organizationId,
+        answer: teamWorkContext.answer,
+        answerLower,
+        isFullyRemote,
+        containsFullyRemote: answerLower.includes('fully remote'),
+        containsFullyRemoteHyphen: answerLower.includes('fully-remote'),
+      });
+    } else {
+      console.log('[SOA Page] No team work context found for organization:', organizationId);
+    }
+  } catch (error) {
+    // If check fails, default to false
+    console.error('[SOA Page] Failed to check team work mode:', error);
+  }
+
+  if (!configuration || !document) {
+    return (
+      <PageWithBreadcrumb
+        breadcrumbs={[
+          { label: 'SOA', current: true },
+        ]}
+      >
+        <div className="flex flex-col gap-8">
+          <div className="flex flex-col gap-2">
+            <h1 className="text-xl lg:text-2xl font-semibold text-foreground">
+              Statement of Applicability
+            </h1>
+            <p className="text-xs lg:text-sm text-muted-foreground leading-relaxed max-w-3xl">
+              Auto-complete Statement of Applicability for ISO 27001. Generate answers based on
+              your organization's policies and documentation.
+            </p>
+          </div>
+          <div className="flex items-center justify-center py-12">
+            <div className="h-6 w-6 animate-spin rounded-full border-2 border-muted-foreground border-t-transparent" />
+          </div>
+        </div>
+      </PageWithBreadcrumb>
+    );
+  }
+
+  return (
+    <PageWithBreadcrumb
+      breadcrumbs={[
+        { label: '', current: true },
+      ]}
+    >
+      <div className="flex flex-col gap-8">
+        {/* Header */}
+        <div className="flex flex-col gap-2">
+          <h1 className="text-xl lg:text-2xl font-semibold text-foreground">
+            Statement of Applicability
+          </h1>
+          <p className="text-xs lg:text-sm text-muted-foreground leading-relaxed max-w-3xl">
+            Auto-complete Statement of Applicability for ISO 27001. Generate answers based on
+            your organization's policies and documentation.
+          </p>
+        </div>
+
+        {/* Main SOA Content */}
+        <SOAFrameworkTable
+          framework={framework}
+          configuration={configuration}
+          document={document}
+          organizationId={organizationId}
+          isFullyRemote={isFullyRemote}
+          canApprove={canApprove}
+          approver={approver as any}
+          isPendingApproval={isPendingApproval}
+          canCurrentUserApprove={canCurrentUserApprove}
+          currentMemberId={currentMember?.id || null}
+          ownerAdminMembers={ownerAdminMembers as any}
+        />
+      </div>
+    </PageWithBreadcrumb>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/seedJson/ISO/config.json b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/seedJson/ISO/config.json
new file mode 100644
index 000000000..60ed02480
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/seedJson/ISO/config.json
@@ -0,0 +1,671 @@
+[
+  {
+    "title": "Policies for information security",
+    "control_objective": "Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.",
+    "closure": "5.1",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security roles and responsibilities",
+    "control_objective": "Information security roles and responsibilities shall be defined and allocated according to the organization needs",
+    "closure": "5.2",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Segregation of duties",
+    "control_objective": "Conflicting duties and conflicting areas of responsibility shall be segregated.",
+    "closure": "5.3",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Management Responsibilities",
+    "control_objective": "Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.",
+    "closure": "5.4",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Contact with Authorities",
+    "control_objective": "The organization shall establish and maintain contact with relevant authorities.",
+    "closure": "5.5",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Contact with special interest groups",
+    "control_objective": "The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.",
+    "closure": "5.6",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Threat intelligence",
+    "control_objective": "Information relating to information security threats shall be collected and analysed to produce threat intelligence.",
+    "closure": "5.7",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security in project management",
+    "control_objective": "Information security shall be integrated into project management.",
+    "closure": "5.8",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Inventory of information and other associated assets",
+    "control_objective": "An inventory of information and other associated assets, including owners, shall be developed and maintained.",
+    "closure": "5.9",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Acceptable use of information and other associated assets",
+    "control_objective": "Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.",
+    "closure": "5.10",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Return of Assets",
+    "control_objective": "Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.",
+    "closure": "5.11",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Classification Of Information",
+    "control_objective": "Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.",
+    "closure": "5.12",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Labelling of Information",
+    "control_objective": "An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.",
+    "closure": "5.13",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information Transfer",
+    "control_objective": "Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.",
+    "closure": "5.14",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Access Control",
+    "control_objective": "Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.",
+    "closure": "5.15",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Identity Management",
+    "control_objective": "The full life cycle of identities shall be managed.",
+    "closure": "5.16",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Authentication information",
+    "control_objective": "Allocation and management of authentication information shall be controlled by a management process, including advising personnel on the appropriate handling of authentication information.",
+    "closure": "5.17",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Access rights",
+    "control_objective": "Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.",
+    "closure": "5.18",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security in supplier relationships",
+    "control_objective": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services.",
+    "closure": "5.19",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Addressing information security within supplier agreements",
+    "control_objective": "Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.",
+    "closure": "5.20",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Managing information security in the ICT supply chain",
+    "control_objective": "Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.",
+    "closure": "5.21",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Monitoring, review and change management of supplier services",
+    "control_objective": "The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.",
+    "closure": "5.22",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security for use of cloud services",
+    "control_objective": "Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.",
+    "closure": "5.23",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security incident management planning and preparation",
+    "control_objective": "The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities",
+    "closure": "5.24",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Assessment and decision on information security events",
+    "control_objective": "The organization shall assess information security events and decide if they are to be categorized as information security incidents.",
+    "closure": "5.25",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Response to information security incidents",
+    "control_objective": "Information security incidents shall be responded to in accordance with the documented procedures.",
+    "closure": "5.26",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Learning from information security incidents",
+    "control_objective": "Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.",
+    "closure": "5.27",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Collection of evidence",
+    "control_objective": "The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.",
+    "closure": "5.28",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security during disruption",
+    "control_objective": "The organization shall plan how to maintain information security at an appropriate level during disruption.",
+    "closure": "5.29",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "ICT readiness for business continuity",
+    "control_objective": "ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.",
+    "closure": "5.30",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Legal, statutory, regulatory and contractual requirements",
+    "control_objective": "Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.",
+    "closure": "5.31",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Intellectual property rights",
+    "control_objective": "The organization shall implement appropriate procedures to protect intellectual property rights.",
+    "closure": "5.32",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Protection of records",
+    "control_objective": "Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.",
+    "closure": "5.33",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Privacy and protection of PII",
+    "control_objective": "The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.",
+    "closure": "5.34",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Independent review of information security",
+    "control_objective": "The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur.",
+    "closure": "5.35",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Compliance with policies, rules and standards for information security",
+    "control_objective": "Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.",
+    "closure": "5.36",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Documented operating procedures",
+    "control_objective": "Operating procedures for information processing facilities shall be documented and made available to personnel who need them.",
+    "closure": "5.37",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "People Controls",
+    "control_objective": null,
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Screening",
+    "control_objective": "Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.",
+    "closure": "6.1",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Terms and conditions of employment",
+    "control_objective": "The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security.",
+    "closure": "6.2",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security awareness, education and training",
+    "control_objective": "Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.",
+    "closure": "6.3",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Disciplinary process",
+    "control_objective": "A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.",
+    "closure": "6.4",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Responsibilities after termination or change of employment",
+    "control_objective": "Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.",
+    "closure": "6.5",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Confidentiality or non-disclosure agreements",
+    "control_objective": "Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.",
+    "closure": "6.6",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Remote working",
+    "control_objective": "Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.",
+    "closure": "6.7",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information security event reporting",
+    "control_objective": "The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.",
+    "closure": "6.8",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Physical Controls",
+    "control_objective": null,
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Physical security perimeters",
+    "control_objective": "Security perimeters shall be defined and used to protect areas that contain information and other associated assets.",
+    "closure": "7.1",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Physical entry",
+    "control_objective": "Secure areas shall be protected by appropriate entry controls and access points.",
+    "closure": "7.2",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Securing offices, rooms and facilities",
+    "control_objective": "Physical security for offices, rooms and facilities shall be designed and implemented.",
+    "closure": "7.3",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Physical security monitoring",
+    "control_objective": "Premises shall be continuously monitored for unauthorized physical access.",
+    "closure": "7.4",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Protecting against physical and environmental threats",
+    "control_objective": "Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.",
+    "closure": "7.5",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Working in secure areas",
+    "control_objective": "Security measures for working in secure areas shall be designed and implemented.",
+    "closure": "7.6",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Clear desk and clear screen",
+    "control_objective": "Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.",
+    "closure": "7.7",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Equipment siting and protection",
+    "control_objective": "Equipment shall be sited securely and protected.",
+    "closure": "7.8",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Security of assets off-premises",
+    "control_objective": "Off-site assets shall be protected.",
+    "closure": "7.9",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Storage media",
+    "control_objective": "Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements.",
+    "closure": "7.10",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Supporting utilities",
+    "control_objective": "Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.",
+    "closure": "7.11",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Cabling security",
+    "control_objective": "Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.",
+    "closure": "7.12",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Equipment maintenance",
+    "control_objective": "Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.",
+    "closure": "7.13",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Secure disposal or re-use of equipment",
+    "control_objective": "Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.",
+    "closure": "7.14",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Technological Controls",
+    "control_objective": null,
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "User endpoint devices",
+    "control_objective": "Information stored on, processed by or accessible via user endpoint devices shall be protected.",
+    "closure": "8.1",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Privileged access rights",
+    "control_objective": "The allocation and use of privileged access rights shall be restricted and managed.",
+    "closure": "8.2",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information access restriction",
+    "control_objective": "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
+    "closure": "8.3",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Access to source code",
+    "control_objective": "Read and write access to source code, development tools and software libraries shall be appropriately managed.",
+    "closure": "8.4",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Secure authentication",
+    "control_objective": "Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.",
+    "closure": "8.5",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Capacity management",
+    "control_objective": "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
+    "closure": "8.6",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Protection against malware",
+    "control_objective": "Protection against malware shall be implemented and supported by appropriate user awareness.",
+    "closure": "8.7",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Management of technical vulnerabilities",
+    "control_objective": "Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
+    "closure": "8.8",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Configuration management",
+    "control_objective": "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
+    "closure": "8.9",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information deletion",
+    "control_objective": "Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.",
+    "closure": "8.10",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Data masking",
+    "control_objective": "Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.",
+    "closure": "8.11",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Data leakage prevention",
+    "control_objective": "Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.",
+    "closure": "8.12",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Information backup",
+    "control_objective": "Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.",
+    "closure": "8.13",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Redundancy of information processing facilities",
+    "control_objective": "Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.",
+    "closure": "8.14",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Logging",
+    "control_objective": "Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.",
+    "closure": "8.15",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Monitoring activities",
+    "control_objective": "Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.",
+    "closure": "8.16",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Clock synchronization",
+    "control_objective": "The clocks of information processing systems used by the organization shall be synchronized to approved time sources.",
+    "closure": "8.17",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Use of privileged utility programs",
+    "control_objective": "The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.",
+    "closure": "8.18",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Installation of software on operational systems",
+    "control_objective": "Procedures and measures shall be implemented to securely manage software installation on operational systems.",
+    "closure": "8.19",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Networks security",
+    "control_objective": "Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.",
+    "closure": "8.20",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Security of network services",
+    "control_objective": "Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.",
+    "closure": "8.21",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Segregation of networks",
+    "control_objective": "Groups of information services, users and information systems shall be segregated in the organization's networks.",
+    "closure": "8.22",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Web filtering",
+    "control_objective": "Access to external websites shall be managed to reduce exposure to malicious content.",
+    "closure": "8.23",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Use of cryptography",
+    "control_objective": "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.",
+    "closure": "8.24",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Secure development life cycle",
+    "control_objective": "Rules for the secure development of software and systems shall be established and applied.",
+    "closure": "8.25",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Application security requirements",
+    "control_objective": "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
+    "closure": "8.26",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Secure system architecture and engineering principles",
+    "control_objective": "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
+    "closure": "8.27",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Secure coding",
+    "control_objective": "Secure coding principles shall be applied to software development.",
+    "closure": "8.28",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Security testing in development and acceptance",
+    "control_objective": "Security testing processes shall be defined and implemented in the development life cycle.",
+    "closure": "8.29",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Outsourced development",
+    "control_objective": "The organization shall direct, monitor and review the activities related to outsourced system development.",
+    "closure": "8.30",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Separation of development, test and production environments",
+    "control_objective": "Development, testing and production environments shall be separated and secured.",
+    "closure": "8.31",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Change management",
+    "control_objective": "Changes to information processing facilities and information systems shall be subject to change management procedures.",
+    "closure": "8.32",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Test information",
+    "control_objective": "Test information shall be appropriately selected, protected and managed.",
+    "closure": "8.33",
+    "isApplicable": null,
+    "justification": null
+  },
+  {
+    "title": "Protection of information systems during audit testing",
+    "control_objective": "Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.",
+    "closure": "8.34",
+    "isApplicable": null,
+    "justification": null
+  }
+]
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/generate-soa-answer.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/generate-soa-answer.ts
new file mode 100644
index 000000000..affb3a9ce
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/generate-soa-answer.ts
@@ -0,0 +1,205 @@
+import { generateText } from 'ai';
+import { openai } from '@ai-sdk/openai';
+import { findSimilarContent } from '@/lib/vector';
+import { logger } from '@/utils/logger';
+import type { SimilarContentResult } from '@/lib/vector';
+import { deduplicateSources } from '@/app/(app)/[orgId]/questionnaire/utils/deduplicate-sources';
+
+export interface SOAAnswerWithSources {
+  answer: string | null;
+  sources: Array<{
+    sourceType: string;
+    sourceName?: string;
+    sourceId?: string;
+    policyName?: string;
+    documentName?: string;
+    score: number;
+  }>;
+}
+
+/**
+ * Generates an answer for SOA questions using RAG with ISO 27001 compliance analysis prompt
+ */
+export async function generateSOAAnswerWithRAG(
+  question: string,
+  organizationId: string,
+): Promise<SOAAnswerWithSources> {
+  try {
+    // Find similar content from vector database
+    const similarContent = await findSimilarContent(question, organizationId, 5) as SimilarContentResult[];
+
+    logger.info('Vector search results for SOA', {
+      question: question.substring(0, 100),
+      organizationId,
+      resultCount: similarContent.length,
+      results: similarContent.map((r) => ({
+        sourceType: r.sourceType,
+        score: r.score,
+        sourceId: r.sourceId.substring(0, 50),
+      })),
+    });
+
+    // If no relevant content found, return null
+    if (similarContent.length === 0) {
+      logger.warn('No similar content found in vector database for SOA', {
+        question: question.substring(0, 100),
+        organizationId,
+      });
+      return { answer: null, sources: [] };
+    }
+
+    // Extract sources information and deduplicate using universal utility
+    const sourcesBeforeDedup = similarContent.map((result) => {
+      const r = result as any as SimilarContentResult;
+      let sourceName: string | undefined;
+      if (r.policyName) {
+        sourceName = `Policy: ${r.policyName}`;
+      } else if (r.vendorName && r.questionnaireQuestion) {
+        sourceName = `Questionnaire: ${r.vendorName}`;
+      } else if (r.contextQuestion) {
+        sourceName = 'Context Q&A';
+      } else if ((r.sourceType as string) === 'manual_answer') {
+        sourceName = undefined;
+      }
+
+      return {
+        sourceType: r.sourceType,
+        sourceName,
+        sourceId: r.sourceId,
+        policyName: r.policyName,
+        documentName: r.documentName,
+        manualAnswerQuestion: r.manualAnswerQuestion,
+        score: r.score,
+      };
+    });
+
+    const sources = deduplicateSources(sourcesBeforeDedup);
+
+    // Build context from retrieved content
+    const contextParts = similarContent.map((result, index) => {
+      const r = result as any as SimilarContentResult;
+      let sourceInfo = '';
+      if (r.policyName) {
+        sourceInfo = `Source: Policy "${r.policyName}"`;
+      } else if (r.vendorName && r.questionnaireQuestion) {
+        sourceInfo = `Source: Questionnaire from "${r.vendorName}"`;
+      } else if (r.contextQuestion) {
+        sourceInfo = `Source: Context Q&A`;
+      } else if ((r.sourceType as string) === 'knowledge_base_document') {
+        const docName = r.documentName;
+        if (docName) {
+          sourceInfo = `Source: Knowledge Base Document "${docName}"`;
+        } else {
+          sourceInfo = `Source: Knowledge Base Document`;
+        }
+      } else if ((r.sourceType as string) === 'manual_answer') {
+        sourceInfo = `Source: Manual Answer`;
+      } else {
+        sourceInfo = `Source: ${r.sourceType}`;
+      }
+
+      return `[${index + 1}] ${sourceInfo}\n${r.content}`;
+    });
+
+    const context = contextParts.join('\n\n');
+
+    // Generate answer using LLM with ISO 27001 compliance analysis prompt
+    const { text } = await generateText({
+      model: openai('gpt-5-mini'),
+      system: `You are an expert organizational analyst conducting a comprehensive assessment of a company for ISO 27001 compliance.
+
+Your task is to analyze the provided context entries and create a structured organizational profile.
+
+ANALYSIS FRAMEWORK:
+
+Extract and categorize information about the organization across these dimensions:
+- Business type and industry
+- Operational scope and scale
+- Risk profile and risk management approach
+- Regulatory requirements and compliance posture
+- Technical infrastructure and security controls
+- Organizational policies and procedures
+- Governance structure
+
+CRITICAL RULES - YOU MUST FOLLOW THESE STRICTLY:
+1. Answer based EXCLUSIVELY on the provided context from the organization's policies and documentation.
+2. DO NOT use general knowledge, assumptions, or information not present in the context.
+3. DO NOT hallucinate or invent facts that are not explicitly stated in the context.
+4. If the context does not contain enough information to answer the question, respond with exactly: "INSUFFICIENT_DATA"
+5. For applicability questions, respond with ONLY "YES" or "NO" - no additional explanation.
+6. For justification questions, provide clear, professional explanations (2 sentences) based ONLY on the context provided.
+7. Use enterprise-ready language appropriate for ISO 27001 compliance documentation.
+8. Always write in first person plural (we, our, us) as if speaking on behalf of the organization.
+9. Be precise and factual - base conclusions strictly on the provided evidence.
+10. If you cannot find relevant information in the context to answer the question, you MUST respond with "INSUFFICIENT_DATA".`,
+      prompt: `Based EXCLUSIVELY on the following context from our organization's policies and documentation, answer this question:
+
+Question: ${question}
+
+Context:
+${context}
+
+IMPORTANT: Answer the question based ONLY on the provided context above. DO NOT use any general knowledge or assumptions. If the context does not contain enough information to answer the question, respond with exactly "INSUFFICIENT_DATA". Use first person plural (we, our, us) when answering.`,
+    });
+
+    const trimmedAnswer = text.trim();
+    
+    // Check if the answer indicates insufficient data (check both JSON and text formats)
+    const upperAnswer = trimmedAnswer.toUpperCase();
+    if (
+      upperAnswer.includes('INSUFFICIENT_DATA') ||
+      upperAnswer.includes('N/A') ||
+      upperAnswer.includes('NO EVIDENCE FOUND') ||
+      upperAnswer.includes('NOT ENOUGH INFORMATION') ||
+      upperAnswer.includes('INSUFFICIENT') ||
+      upperAnswer.includes('NOT FOUND IN THE CONTEXT') ||
+      upperAnswer.includes('NO INFORMATION AVAILABLE')
+    ) {
+      // Check if it's a JSON response with INSUFFICIENT_DATA
+      try {
+        const parsed = JSON.parse(trimmedAnswer);
+        const isApplicableUpper = parsed.isApplicable?.toUpperCase();
+        if (parsed.isApplicable === 'INSUFFICIENT_DATA' || (isApplicableUpper && isApplicableUpper.includes('INSUFFICIENT'))) {
+          logger.info('SOA answer indicates insufficient data (JSON format)', {
+            question: question.substring(0, 100),
+            answer: trimmedAnswer,
+            sourcesCount: sources.length,
+          });
+          return {
+            answer: null,
+            sources,
+          };
+        }
+      } catch {
+        // Not JSON, check as text
+        logger.info('SOA answer indicates insufficient data (text format)', {
+          question: question.substring(0, 100),
+          answer: trimmedAnswer,
+          sourcesCount: sources.length,
+        });
+        return {
+          answer: null,
+          sources,
+        };
+      }
+    }
+
+    // Return the answer as-is (preserve JSON format if present)
+    return {
+      answer: trimmedAnswer,
+      sources,
+    };
+  } catch (error) {
+    logger.error('Failed to generate SOA answer with RAG', {
+      question: question.substring(0, 100),
+      organizationId,
+      error: error instanceof Error ? error.message : 'Unknown error',
+    });
+
+    return {
+      answer: null,
+      sources: [],
+    };
+  }
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/transform-iso-config.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/transform-iso-config.ts
new file mode 100644
index 000000000..dcc61f0d9
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/utils/transform-iso-config.ts
@@ -0,0 +1,129 @@
+/**
+ * Transforms ISO control JSON into SOA configuration format
+ * 
+ * Input format:
+ * [
+ *   {
+ *     "title": "Control Title",
+ *     "control_objective": "Control objective text",
+ *     "isApplicable": null
+ *   },
+ *   ...
+ * ]
+ * 
+ * Output format:
+ * {
+ *   columns: [
+ *     { name: "title", type: "string" },
+ *     { name: "control_objective", type: "string" },
+ *     { name: "isApplicable", type: "boolean" }
+ *   ],
+ *   questions: [
+ *     {
+ *       id: "control-0",
+ *       text: "Control objective text", // This is the question text
+ *       columnMapping: {
+ *         title: "Control Title",
+ *         control_objective: "Control objective text",
+ *         isApplicable: null
+ *       }
+ *     },
+ *     ...
+ *   ]
+ * }
+ */
+
+type ISOControl = {
+  title: string;
+  control_objective: string | null;
+  closure: string;
+  isApplicable: boolean | null;
+};
+
+type SOAColumn = {
+  name: string;
+  type: 'string' | 'boolean' | 'text';
+};
+
+type SOAQuestion = {
+  id: string;
+  text: string; // Question text (from control_objective)
+  columnMapping: {
+    title: string;
+    closure: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification: string | null;
+  };
+};
+
+type SOAConfiguration = {
+  columns: SOAColumn[];
+  questions: SOAQuestion[];
+};
+
+export function transformISOConfigToSOA(controls: ISOControl[]): SOAConfiguration {
+  // Define columns based on the JSON structure
+  // Keys are columns, types: title (string), control_objective (string), isApplicable (boolean)
+  const columns: SOAColumn[] = [
+    { name: 'closure', type: 'string' },
+    { name: 'title', type: 'string' },
+    { name: 'control_objective', type: 'string' },
+    { name: 'isApplicable', type: 'boolean' },
+    { name: 'justification', type: 'string' },
+  ];
+
+  // Transform each control into a question
+  // Filter out entries that don't have a control_objective (category headers)
+  const questions: SOAQuestion[] = controls
+    .filter((control) => {
+      // Only include entries that have both title and control_objective
+      return control.title && control.control_objective !== null && control.control_objective.trim() !== '';
+    })
+    .map((control, index) => {
+      // Use a stable ID based on index and title slug
+      const id = `iso-control-${index}-${control.title.toLowerCase().replace(/\s+/g, '-').slice(0, 30)}`;
+      
+      return {
+        id,
+        text: control.control_objective || control.title, // Question text is the control_objective
+        columnMapping: {
+          closure: control.closure,
+          title: control.title,
+          control_objective: control.control_objective,
+          isApplicable: control.isApplicable ?? null,
+          justification: null,
+        },
+      };
+    });
+
+  return {
+    columns,
+    questions,
+  };
+}
+
+/**
+ * Loads and transforms ISO config JSON file
+ * This function reads the JSON file and transforms it into SOA configuration format
+ */
+export async function loadISOConfig(): Promise<SOAConfiguration> {
+  // Use dynamic import for JSON (works with resolveJsonModule: true in tsconfig)
+  const isoControls: ISOControl[] = await import(
+    '../seedJson/ISO/config.json'
+  ).then((module) => module.default as ISOControl[]);
+
+  return transformISOConfigToSOA(isoControls);
+}
+
+/**
+ * Alternative: Load ISO config synchronously (for server-side use)
+ * Use this if you need synchronous loading
+ */
+export function loadISOConfigSync(): SOAConfiguration {
+  // For synchronous loading, you'd use fs.readFileSync
+  // But since we're in Next.js, dynamic import is preferred
+  // This is a placeholder - implement with fs if needed
+  throw new Error('Use loadISOConfig() for async loading');
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/README.md b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/README.md
similarity index 66%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/README.md
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/README.md
index a5238a241..ff2d9d41f 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/README.md
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/README.md
@@ -15,14 +15,14 @@ start_page/
 
 ## Purpose
 
-The start page (`/security-questionnaire`) displays:
+The start page (`/questionnaire`) displays:
 - Header with navigation buttons (Questionnaires, Knowledge Base)
 - "New Questionnaire" card with button to create a new questionnaire
 - History of previously parsed questionnaires
 
 ## Flow
 
-1. **First Step (Start Page)**: `/security-questionnaire` - Shows overview and history
-2. **Second Step (Create)**: `/security-questionnaire/new_questionnaire` - File upload and parsing
-3. **View Details**: `/security-questionnaire/[questionnaireId]` - View individual questionnaire
+1. **First Step (Start Page)**: `/questionnaire` - Shows overview and history
+2. **Second Step (Create)**: `/questionnaire/new_questionnaire` - File upload and parsing
+3. **View Details**: `/questionnaire/[questionnaireId]` - View individual questionnaire
 
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/actions/delete-questionnaire.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/actions/delete-questionnaire.ts
similarity index 95%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/actions/delete-questionnaire.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/actions/delete-questionnaire.ts
index 88cf20f56..947530940 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/actions/delete-questionnaire.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/actions/delete-questionnaire.ts
@@ -49,7 +49,7 @@ export const deleteQuestionnaireAction = authActionClient
         where: { id: questionnaireId },
       });
 
-      revalidatePath(`/${activeOrganizationId}/security-questionnaire`);
+      revalidatePath(`/${activeOrganizationId}/questionnaire`);
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireHistory.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireHistory.tsx
similarity index 99%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireHistory.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireHistory.tsx
index 108e38e02..790fc2a00 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireHistory.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireHistory.tsx
@@ -199,7 +199,7 @@ function QuestionnaireHistoryItem({
 
   const handleItemClick = () => {
     if (!isParsing) {
-      router.push(`/${orgId}/security-questionnaire/${questionnaire.id}`);
+      router.push(`/${orgId}/questionnaire/${questionnaire.id}`);
     }
   };
 
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireOverview.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireOverview.tsx
similarity index 96%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireOverview.tsx
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireOverview.tsx
index e41c4d684..7079e2ed3 100644
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/QuestionnaireOverview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/QuestionnaireOverview.tsx
@@ -45,7 +45,7 @@ export function QuestionnaireOverview({ questionnaires }: QuestionnaireOverviewP
               </div>
             </div>
             <Button size="lg" asChild>
-              <Link href={`/${orgId}/security-questionnaire/new_questionnaire`}>
+              <Link href={`/${orgId}/questionnaire/new_questionnaire`}>
                 <Plus className="mr-2 h-4 w-4" />
                 New Questionnaire
               </Link>
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/index.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/index.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/components/index.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/components/index.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/data/queries.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/data/queries.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/data/queries.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/data/queries.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/hooks/useQuestionnaireHistory.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/start_page/hooks/useQuestionnaireHistory.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/start_page/hooks/useQuestionnaireHistory.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/start_page/hooks/useQuestionnaireHistory.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/utils/deduplicate-sources.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/utils/deduplicate-sources.ts
similarity index 100%
rename from apps/app/src/app/(app)/[orgId]/security-questionnaire/utils/deduplicate-sources.ts
rename to apps/app/src/app/(app)/[orgId]/questionnaire/utils/deduplicate-sources.ts
diff --git a/apps/app/src/app/(app)/[orgId]/security-questionnaire/layout.tsx b/apps/app/src/app/(app)/[orgId]/security-questionnaire/layout.tsx
deleted file mode 100644
index fe856c89d..000000000
--- a/apps/app/src/app/(app)/[orgId]/security-questionnaire/layout.tsx
+++ /dev/null
@@ -1,29 +0,0 @@
-import { SecondaryMenu } from '@comp/ui/secondary-menu';
-
-interface LayoutProps {
-  children: React.ReactNode;
-  params: Promise<{ orgId: string }>;
-}
-
-export default async function Layout({ children, params }: LayoutProps) {
-  const { orgId } = await params;
-
-  return (
-    <div className="m-auto flex max-w-[1200px] flex-col py-8">
-      <SecondaryMenu
-        items={[
-          {
-            path: `/${orgId}/security-questionnaire`,
-            label: 'Questionnaires',
-          },
-          {
-            path: `/${orgId}/security-questionnaire/knowledge-base`,
-            label: 'Knowledge Base',
-          },
-        ]}
-      />
-      <div className="pt-4">{children}</div>
-    </div>
-  );
-}
-
diff --git a/apps/app/src/app/api/security-questionnaire/answer-single/route.ts b/apps/app/src/app/api/questionnaire/answer-single/route.ts
similarity index 100%
rename from apps/app/src/app/api/security-questionnaire/answer-single/route.ts
rename to apps/app/src/app/api/questionnaire/answer-single/route.ts
diff --git a/apps/app/src/app/api/security-questionnaire/auto-answer/route.ts b/apps/app/src/app/api/questionnaire/auto-answer/route.ts
similarity index 100%
rename from apps/app/src/app/api/security-questionnaire/auto-answer/route.ts
rename to apps/app/src/app/api/questionnaire/auto-answer/route.ts
diff --git a/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/check-fully-remote.ts b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/check-fully-remote.ts
new file mode 100644
index 000000000..3db0e10c2
--- /dev/null
+++ b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/check-fully-remote.ts
@@ -0,0 +1,51 @@
+import { db } from '@db';
+import { logger } from '@/utils/logger';
+
+export async function checkIfFullyRemote(organizationId: string): Promise<boolean> {
+  try {
+    const teamWorkContext = await db.context.findFirst({
+      where: {
+        organizationId,
+        question: {
+          contains: 'How does your team work',
+          mode: 'insensitive',
+        },
+      },
+    });
+
+    logger.info('Team work context check for SOA auto-fill', {
+      organizationId,
+      found: !!teamWorkContext,
+      question: teamWorkContext?.question,
+      answer: teamWorkContext?.answer,
+    });
+
+    if (teamWorkContext?.answer) {
+      const answerLower = teamWorkContext.answer.toLowerCase();
+      const isFullyRemote = answerLower.includes('fully remote') || answerLower.includes('fully-remote');
+      
+      logger.info('Fully remote check result for SOA auto-fill', {
+        organizationId,
+        answer: teamWorkContext.answer,
+        answerLower,
+        isFullyRemote,
+        containsFullyRemote: answerLower.includes('fully remote'),
+        containsFullyRemoteHyphen: answerLower.includes('fully-remote'),
+      });
+      
+      return isFullyRemote;
+    } else {
+      logger.info('No team work context found for SOA auto-fill', {
+        organizationId,
+      });
+      return false;
+    }
+  } catch (error) {
+    logger.warn('Failed to check team work mode for SOA', {
+      organizationId,
+      error: error instanceof Error ? error.message : 'Unknown error',
+    });
+    return false;
+  }
+}
+
diff --git a/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/process-question.ts b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/process-question.ts
new file mode 100644
index 000000000..9ec0108a3
--- /dev/null
+++ b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/process-question.ts
@@ -0,0 +1,254 @@
+import { generateSOAAnswerWithRAG } from '@/app/(app)/[orgId]/questionnaire/soa/utils/generate-soa-answer';
+import { logger } from '@/utils/logger';
+
+type Question = {
+  id: string;
+  text: string;
+  columnMapping: {
+    closure: string;
+    title: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification: string | null;
+  };
+};
+
+type ProcessResult = {
+  questionId: string;
+  isApplicable: boolean | null;
+  justification: string | null;
+  success: boolean;
+  insufficientData: boolean;
+};
+
+type SendFunction = (data: {
+  type: string;
+  questionId?: string;
+  questionIndex?: number;
+  isApplicable?: boolean | null;
+  justification?: string | null;
+  success?: boolean;
+  insufficientData?: boolean;
+}) => void;
+
+export async function processQuestion(
+  question: Question,
+  index: number,
+  organizationId: string,
+  isFullyRemote: boolean,
+  send: SendFunction,
+): Promise<ProcessResult> {
+  const controlClosure = question.columnMapping.closure || '';
+  const isControl7 = controlClosure.startsWith('7.');
+
+  // If fully remote and control starts with "7.", skip generation and return NO
+  if (isFullyRemote && isControl7) {
+    send({
+      type: 'answer',
+      questionId: question.id,
+      questionIndex: index,
+      isApplicable: false,
+      justification: 'This control is not applicable as our organization operates fully remotely.',
+      success: true,
+      insufficientData: false,
+    });
+
+    return {
+      questionId: question.id,
+      isApplicable: false,
+      justification: 'This control is not applicable as our organization operates fully remotely.',
+      success: true,
+      insufficientData: false,
+    };
+  }
+
+  // Single generation request that returns both isApplicable and justification
+  const soaQuestion = `Analyze the control "${question.columnMapping.title}" (${question.text}) for our organization.
+
+Based EXCLUSIVELY on our organization's policies, documentation, business context, and operations, determine:
+
+1. Is this control applicable to our organization? Consider:
+   - Our business type and industry
+   - Our operational scope and scale
+   - Our risk profile
+   - Our regulatory requirements
+   - Our technical infrastructure
+   - Our existing policies and governance structure
+
+2. Provide a justification:
+   - If applicable: Explain how this control is currently implemented in our organization, including our policies, procedures, or technical measures that address this control.
+   - If not applicable: Explain why this control does not apply to our business context, our operational characteristics that make it irrelevant, and our risk profile considerations.
+
+Respond in the following JSON format:
+{
+  "isApplicable": "YES" or "NO",
+  "justification": "Your justification text here (2-3 sentences)"
+}
+
+If you cannot find sufficient information in the provided context to answer either question, respond with:
+{
+  "isApplicable": "INSUFFICIENT_DATA",
+  "justification": null
+}
+
+IMPORTANT: Base your answer ONLY on information found in our organization's documentation. Do NOT use general knowledge or make assumptions.`;
+
+  const soaResult = await generateSOAAnswerWithRAG(
+    soaQuestion,
+    organizationId,
+  );
+
+  // If no answer or insufficient data, default to YES (no justification needed)
+  if (!soaResult.answer) {
+    send({
+      type: 'answer',
+      questionId: question.id,
+      questionIndex: index,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    });
+
+    return {
+      questionId: question.id,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    };
+  }
+
+  return parseAndProcessAnswer(question.id, index, soaResult.answer, send);
+}
+
+function parseAndProcessAnswer(
+  questionId: string,
+  index: number,
+  answerText: string,
+  send: SendFunction,
+): ProcessResult {
+  // Parse JSON response
+  let parsedAnswer: { isApplicable?: string; justification?: string | null } | null = null;
+  try {
+    parsedAnswer = JSON.parse(answerText);
+  } catch {
+    const trimmedAnswer = answerText.trim();
+    
+    // Check for insufficient data indicators - if insufficient, default to YES
+    if (
+      trimmedAnswer.toUpperCase().includes('INSUFFICIENT_DATA') ||
+      trimmedAnswer.toUpperCase().includes('N/A') ||
+      trimmedAnswer.toUpperCase().includes('NO EVIDENCE FOUND') ||
+      trimmedAnswer.toUpperCase().includes('NOT ENOUGH INFORMATION')
+    ) {
+      send({
+        type: 'answer',
+        questionId,
+        questionIndex: index,
+        isApplicable: true,
+        justification: null,
+        success: true,
+        insufficientData: false,
+      });
+
+      return {
+        questionId,
+        isApplicable: true,
+        justification: null,
+        success: true,
+        insufficientData: false,
+      };
+    }
+
+    // Try to extract YES/NO and justification from text
+    const isApplicableMatch = trimmedAnswer.match(/(?:isApplicable|applicable)[:\s]*["']?(YES|NO|INSUFFICIENT_DATA)["']?/i);
+    const justificationMatch = trimmedAnswer.match(/(?:justification)[:\s]*["']?([^"']{20,})["']?/i);
+    
+    parsedAnswer = {
+      isApplicable: isApplicableMatch ? isApplicableMatch[1].toUpperCase() : undefined,
+      justification: justificationMatch ? justificationMatch[1].trim() : null,
+    };
+  }
+
+  // Check for insufficient data - if insufficient, default to YES
+  if (
+    !parsedAnswer ||
+    !parsedAnswer.isApplicable ||
+    parsedAnswer.isApplicable === 'INSUFFICIENT_DATA' ||
+    parsedAnswer.isApplicable.toUpperCase().includes('INSUFFICIENT')
+  ) {
+    send({
+      type: 'answer',
+      questionId,
+      questionIndex: index,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    });
+
+    return {
+      questionId,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    };
+  }
+
+  // Parse isApplicable
+  const isApplicableText = parsedAnswer.isApplicable.toUpperCase();
+  const isApplicable = isApplicableText.includes('YES') || isApplicableText.includes('APPLICABLE');
+  const isNotApplicable = isApplicableText.includes('NO') || isApplicableText.includes('NOT APPLICABLE');
+
+  let finalIsApplicable: boolean | null = null;
+  if (isApplicable && !isNotApplicable) {
+    finalIsApplicable = true;
+  } else if (isNotApplicable && !isApplicable) {
+    finalIsApplicable = false;
+  } else {
+    // Can't determine YES/NO - default to YES
+    send({
+      type: 'answer',
+      questionId,
+      questionIndex: index,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    });
+
+    return {
+      questionId,
+      isApplicable: true,
+      justification: null,
+      success: true,
+      insufficientData: false,
+    };
+  }
+
+  // Get justification (only if NO)
+  const justification = finalIsApplicable === false
+    ? (parsedAnswer.justification || null)
+    : null;
+
+  send({
+    type: 'answer',
+    questionId,
+    questionIndex: index,
+    isApplicable: finalIsApplicable,
+    justification,
+    success: true,
+    insufficientData: false,
+  });
+
+  return {
+    questionId,
+    isApplicable: finalIsApplicable,
+    justification,
+    success: true,
+    insufficientData: false,
+  };
+}
+
diff --git a/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/save-answers.ts b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/save-answers.ts
new file mode 100644
index 000000000..b0b9b2723
--- /dev/null
+++ b/apps/app/src/app/api/questionnaire/soa/auto-fill/helpers/save-answers.ts
@@ -0,0 +1,131 @@
+import { db } from '@db';
+import { logger } from '@/utils/logger';
+
+type ProcessResult = {
+  questionId: string;
+  isApplicable: boolean | null;
+  justification: string | null;
+  success: boolean;
+};
+
+type Question = {
+  id: string;
+  text: string;
+  columnMapping: {
+    closure: string;
+    title: string;
+    control_objective: string | null;
+    isApplicable: boolean | null;
+    justification: string | null;
+  };
+};
+
+export async function saveAnswersToDatabase(
+  documentId: string,
+  questions: Question[],
+  results: ProcessResult[],
+  userId: string,
+): Promise<void> {
+  const successfulResults = results.filter((r) => r.success && r.isApplicable !== null);
+
+  for (const result of successfulResults) {
+    const question = questions.find((q) => q.id === result.questionId);
+    if (!question) continue;
+
+    try {
+      // Get existing answer to determine version
+      const existingAnswer = await db.sOAAnswer.findFirst({
+        where: {
+          documentId,
+          questionId: question.id,
+          isLatestAnswer: true,
+        },
+        orderBy: {
+          answerVersion: 'desc',
+        },
+      });
+
+      const nextVersion = existingAnswer ? existingAnswer.answerVersion + 1 : 1;
+
+      // Mark existing answer as not latest if it exists
+      if (existingAnswer) {
+        await db.sOAAnswer.update({
+          where: { id: existingAnswer.id },
+          data: { isLatestAnswer: false },
+        });
+      }
+
+      // Store justification in answer field only if isApplicable is NO
+      const answerValue = result.isApplicable === false ? result.justification : null;
+
+      // Create new answer
+      await db.sOAAnswer.create({
+        data: {
+          documentId,
+          questionId: question.id,
+          answer: answerValue,
+          status: 'generated',
+          generatedAt: new Date(),
+          answerVersion: nextVersion,
+          isLatestAnswer: true,
+          createdBy: userId,
+        },
+      });
+    } catch (error) {
+      logger.error('Failed to save SOA answer', {
+        questionId: question.id,
+        error: error instanceof Error ? error.message : 'Unknown error',
+      });
+    }
+  }
+}
+
+export async function updateConfigurationWithResults(
+  configurationId: string,
+  configurationQuestions: Question[],
+  results: ProcessResult[],
+): Promise<void> {
+  const resultsMap = new Map(
+    results.filter((r) => r.success && r.isApplicable !== null).map((r) => [r.questionId, r])
+  );
+
+  const updatedQuestions = configurationQuestions.map((q) => {
+    const result = resultsMap.get(q.id);
+    if (result) {
+      return {
+        ...q,
+        columnMapping: {
+          ...q.columnMapping,
+          isApplicable: result.isApplicable,
+          justification: result.justification,
+        },
+      };
+    }
+    return q;
+  });
+
+  await db.sOAFrameworkConfiguration.update({
+    where: { id: configurationId },
+    data: {
+      questions: updatedQuestions,
+    },
+  });
+}
+
+export async function updateDocumentAfterAutoFill(
+  documentId: string,
+  totalQuestions: number,
+  answeredCount: number,
+): Promise<void> {
+  await db.sOADocument.update({
+    where: { id: documentId },
+    data: {
+      answeredQuestions: answeredCount,
+      status: answeredCount === totalQuestions ? 'completed' : 'in_progress',
+      completedAt: answeredCount === totalQuestions ? new Date() : null,
+      approverId: null, // Clear approver when answers are regenerated
+      approvedAt: null, // Clear approval date when answers are regenerated
+    },
+  });
+}
+
diff --git a/apps/app/src/app/api/questionnaire/soa/auto-fill/route.ts b/apps/app/src/app/api/questionnaire/soa/auto-fill/route.ts
new file mode 100644
index 000000000..ac4da09ff
--- /dev/null
+++ b/apps/app/src/app/api/questionnaire/soa/auto-fill/route.ts
@@ -0,0 +1,228 @@
+import { auth } from '@/utils/auth';
+import { syncOrganizationEmbeddings } from '@/lib/vector';
+import { logger } from '@/utils/logger';
+import { NextRequest } from 'next/server';
+import { headers } from 'next/headers';
+import { db } from '@db';
+import { checkIfFullyRemote } from './helpers/check-fully-remote';
+import { processQuestion } from './helpers/process-question';
+import {
+  saveAnswersToDatabase,
+  updateConfigurationWithResults,
+  updateDocumentAfterAutoFill,
+} from './helpers/save-answers';
+
+export async function POST(req: NextRequest) {
+  const sessionResponse = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!sessionResponse?.session?.activeOrganizationId) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+
+  const organizationId = sessionResponse.session.activeOrganizationId;
+  const userId = sessionResponse.user?.id;
+
+  if (!userId) {
+    return new Response('Unauthorized', { status: 401 });
+  }
+
+  // Set up SSE headers
+  const encoder = new TextEncoder();
+  const stream = new ReadableStream({
+    async start(controller) {
+      const send = (data: object) => {
+        controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
+      };
+
+      try {
+        const body = await req.json();
+        const { documentId } = body;
+
+        logger.info('Starting auto-fill SOA via SSE', {
+          organizationId,
+          documentId,
+        });
+
+        // Fetch SOA document with configuration
+        const document = await db.sOADocument.findFirst({
+          where: {
+            id: documentId,
+            organizationId,
+          },
+          include: {
+            framework: true,
+            configuration: true,
+            answers: {
+              where: {
+                isLatestAnswer: true,
+              },
+            },
+          },
+        });
+
+        if (!document) {
+          send({
+            type: 'error',
+            error: 'SOA document not found',
+          });
+          controller.close();
+          return;
+        }
+
+        const configuration = document.configuration;
+        const questions = configuration.questions as Array<{
+          id: string;
+          text: string;
+          columnMapping: {
+            closure: string;
+            title: string;
+            control_objective: string | null;
+            isApplicable: boolean | null;
+            justification: string | null;
+          };
+        }>;
+
+        // Sync organization embeddings before generating answers
+        try {
+          await syncOrganizationEmbeddings(organizationId);
+          logger.info('Organization embeddings synced successfully', {
+            organizationId,
+          });
+        } catch (error) {
+          logger.warn('Failed to sync organization embeddings', {
+            organizationId,
+            error: error instanceof Error ? error.message : 'Unknown error',
+          });
+        }
+
+        // Send initial progress
+        send({
+          type: 'progress',
+          total: questions.length,
+          completed: 0,
+          remaining: questions.length,
+        });
+
+        // Check if organization is fully remote
+        const isFullyRemote = await checkIfFullyRemote(organizationId);
+
+        // Send 'processing' status for all questions immediately for instant UI feedback
+        questions.forEach((question, index) => {
+          send({
+            type: 'processing',
+            questionId: question.id,
+            questionIndex: index,
+          });
+        });
+
+        // Process questions in parallel
+        const results: Array<{
+          questionId: string;
+          isApplicable: boolean | null;
+          justification: string | null;
+          success: boolean;
+          error?: string;
+          insufficientData?: boolean;
+        }> = [];
+
+        // Process all questions in parallel
+        const promises = questions.map(async (question, index) => {
+          try {
+            return await processQuestion(question, index, organizationId, isFullyRemote, send);
+          } catch (error) {
+            logger.error('Failed to process SOA question', {
+              questionId: question.id,
+              error: error instanceof Error ? error.message : 'Unknown error',
+            });
+
+            send({
+              type: 'answer',
+              questionId: question.id,
+              questionIndex: index,
+              isApplicable: null,
+              justification: null,
+              success: false,
+              error: 'Insufficient data',
+              insufficientData: true,
+            });
+
+            return {
+              questionId: question.id,
+              isApplicable: null,
+              justification: null,
+              success: false,
+              error: 'Insufficient data',
+              insufficientData: true,
+            };
+          }
+        });
+
+        // Wait for all questions to complete
+        const settledResults = await Promise.allSettled(promises);
+
+        // Collect all results
+        settledResults.forEach((result) => {
+          if (result.status === 'fulfilled') {
+            results.push(result.value);
+          }
+        });
+
+        // Save answers to database
+        const successfulResults = results.filter((r) => r.success && r.isApplicable !== null);
+        
+        await saveAnswersToDatabase(documentId, questions, successfulResults, userId);
+        
+        // Update configuration with results
+        await updateConfigurationWithResults(
+          configuration.id,
+          questions,
+          successfulResults,
+        );
+        
+        // Update document
+        const answeredCount = successfulResults.filter((r) => r.isApplicable !== null).length;
+        await updateDocumentAfterAutoFill(documentId, questions.length, answeredCount);
+
+        // Send completion
+        send({
+          type: 'complete',
+          total: questions.length,
+          answered: successfulResults.length,
+          results: successfulResults,
+        });
+
+        logger.info('Auto-fill SOA completed via SSE', {
+          organizationId,
+          documentId,
+          totalQuestions: questions.length,
+          answered: successfulResults.length,
+        });
+
+        controller.close();
+      } catch (error) {
+        logger.error('Error in auto-fill SOA SSE stream', {
+          organizationId,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        });
+
+        send({
+          type: 'error',
+          error: error instanceof Error ? error.message : 'Unknown error',
+        });
+
+        controller.close();
+      }
+    },
+  });
+
+  return new Response(stream, {
+    headers: {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      Connection: 'keep-alive',
+    },
+  });
+}
+
diff --git a/apps/app/src/components/main-menu.tsx b/apps/app/src/components/main-menu.tsx
index 9b66df0c0..8a751578d 100644
--- a/apps/app/src/components/main-menu.tsx
+++ b/apps/app/src/components/main-menu.tsx
@@ -127,7 +127,7 @@ export function MainMenu({
     },
     {
       id: 'questionnaire',
-      path: '/:organizationId/security-questionnaire',
+      path: '/:organizationId/questionnaire',
       name: 'Questionnaire',
       disabled: false,
       icon: FileTextIcon,
diff --git a/apps/app/src/jobs/tasks/vendors/answer-question-helpers.ts b/apps/app/src/jobs/tasks/vendors/answer-question-helpers.ts
index eee286faa..7fc62497c 100644
--- a/apps/app/src/jobs/tasks/vendors/answer-question-helpers.ts
+++ b/apps/app/src/jobs/tasks/vendors/answer-question-helpers.ts
@@ -3,7 +3,7 @@ import type { SimilarContentResult } from '@/lib/vector';
 import { openai } from '@ai-sdk/openai';
 import { logger } from '@trigger.dev/sdk';
 import { generateText } from 'ai';
-import { deduplicateSources } from '@/app/(app)/[orgId]/security-questionnaire/utils/deduplicate-sources';
+import { deduplicateSources } from '@/app/(app)/[orgId]/questionnaire/utils/deduplicate-sources';
 
 export interface AnswerWithSources {
   answer: string | null;
diff --git a/packages/db/prisma/migrations/20251125130730_add_soa_tables_with_versioning/migration.sql b/packages/db/prisma/migrations/20251125130730_add_soa_tables_with_versioning/migration.sql
new file mode 100644
index 000000000..659cac32b
--- /dev/null
+++ b/packages/db/prisma/migrations/20251125130730_add_soa_tables_with_versioning/migration.sql
@@ -0,0 +1,117 @@
+-- CreateEnum
+CREATE TYPE "SOADocumentStatus" AS ENUM ('draft', 'in_progress', 'completed');
+
+-- CreateEnum
+CREATE TYPE "SOAAnswerStatus" AS ENUM ('untouched', 'generated', 'manual');
+
+-- CreateTable
+CREATE TABLE "SOAFrameworkConfiguration" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('soa_cfg'::text),
+    "frameworkId" TEXT NOT NULL,
+    "version" INTEGER NOT NULL DEFAULT 1,
+    "isLatest" BOOLEAN NOT NULL DEFAULT true,
+    "columns" JSONB NOT NULL,
+    "questions" JSONB NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "SOAFrameworkConfiguration_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "SOADocument" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('soa_doc'::text),
+    "frameworkId" TEXT NOT NULL,
+    "organizationId" TEXT NOT NULL,
+    "configurationId" TEXT NOT NULL,
+    "version" INTEGER NOT NULL DEFAULT 1,
+    "isLatest" BOOLEAN NOT NULL DEFAULT true,
+    "status" "SOADocumentStatus" NOT NULL DEFAULT 'draft',
+    "totalQuestions" INTEGER NOT NULL DEFAULT 0,
+    "answeredQuestions" INTEGER NOT NULL DEFAULT 0,
+    "completedAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "SOADocument_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "SOAAnswer" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('soa_ans'::text),
+    "documentId" TEXT NOT NULL,
+    "questionId" TEXT NOT NULL,
+    "answer" TEXT,
+    "status" "SOAAnswerStatus" NOT NULL DEFAULT 'untouched',
+    "sources" JSONB,
+    "generatedAt" TIMESTAMP(3),
+    "answerVersion" INTEGER NOT NULL DEFAULT 1,
+    "isLatestAnswer" BOOLEAN NOT NULL DEFAULT true,
+    "createdBy" TEXT,
+    "updatedBy" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "SOAAnswer_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "SOAFrameworkConfiguration_frameworkId_idx" ON "SOAFrameworkConfiguration"("frameworkId");
+
+-- CreateIndex
+CREATE INDEX "SOAFrameworkConfiguration_frameworkId_version_idx" ON "SOAFrameworkConfiguration"("frameworkId", "version");
+
+-- CreateIndex
+CREATE INDEX "SOAFrameworkConfiguration_frameworkId_isLatest_idx" ON "SOAFrameworkConfiguration"("frameworkId", "isLatest");
+
+-- CreateIndex
+CREATE INDEX "SOADocument_frameworkId_organizationId_idx" ON "SOADocument"("frameworkId", "organizationId");
+
+-- CreateIndex
+CREATE INDEX "SOADocument_frameworkId_organizationId_version_idx" ON "SOADocument"("frameworkId", "organizationId", "version");
+
+-- CreateIndex
+CREATE INDEX "SOADocument_frameworkId_organizationId_isLatest_idx" ON "SOADocument"("frameworkId", "organizationId", "isLatest");
+
+-- CreateIndex
+CREATE INDEX "SOADocument_configurationId_idx" ON "SOADocument"("configurationId");
+
+-- CreateIndex
+CREATE INDEX "SOADocument_status_idx" ON "SOADocument"("status");
+
+-- CreateIndex
+CREATE INDEX "SOAAnswer_documentId_idx" ON "SOAAnswer"("documentId");
+
+-- CreateIndex
+CREATE INDEX "SOAAnswer_documentId_questionId_idx" ON "SOAAnswer"("documentId", "questionId");
+
+-- CreateIndex
+CREATE INDEX "SOAAnswer_documentId_questionId_isLatestAnswer_idx" ON "SOAAnswer"("documentId", "questionId", "isLatestAnswer");
+
+-- CreateIndex
+CREATE INDEX "SOAAnswer_status_idx" ON "SOAAnswer"("status");
+
+-- CreateUniqueConstraint
+CREATE UNIQUE INDEX "SOAFrameworkConfiguration_frameworkId_version_key" ON "SOAFrameworkConfiguration"("frameworkId", "version");
+
+-- CreateUniqueConstraint
+CREATE UNIQUE INDEX "SOADocument_frameworkId_organizationId_version_key" ON "SOADocument"("frameworkId", "organizationId", "version");
+
+-- CreateUniqueConstraint
+CREATE UNIQUE INDEX "SOAAnswer_documentId_questionId_answerVersion_key" ON "SOAAnswer"("documentId", "questionId", "answerVersion");
+
+-- AddForeignKey
+ALTER TABLE "SOAFrameworkConfiguration" ADD CONSTRAINT "SOAFrameworkConfiguration_frameworkId_fkey" FOREIGN KEY ("frameworkId") REFERENCES "FrameworkEditorFramework"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SOADocument" ADD CONSTRAINT "SOADocument_frameworkId_fkey" FOREIGN KEY ("frameworkId") REFERENCES "FrameworkEditorFramework"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SOADocument" ADD CONSTRAINT "SOADocument_organizationId_fkey" FOREIGN KEY ("organizationId") REFERENCES "Organization"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SOADocument" ADD CONSTRAINT "SOADocument_configurationId_fkey" FOREIGN KEY ("configurationId") REFERENCES "SOAFrameworkConfiguration"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "SOAAnswer" ADD CONSTRAINT "SOAAnswer_documentId_fkey" FOREIGN KEY ("documentId") REFERENCES "SOADocument"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
diff --git a/packages/db/prisma/migrations/20251125182239_add_prepared_by_approved_by_to_soa_document/migration.sql b/packages/db/prisma/migrations/20251125182239_add_prepared_by_approved_by_to_soa_document/migration.sql
new file mode 100644
index 000000000..693082306
--- /dev/null
+++ b/packages/db/prisma/migrations/20251125182239_add_prepared_by_approved_by_to_soa_document/migration.sql
@@ -0,0 +1,5 @@
+-- AlterTable
+ALTER TABLE "SOADocument" ADD COLUMN "preparedBy" TEXT NOT NULL DEFAULT 'Comp AI';
+ALTER TABLE "SOADocument" ADD COLUMN "approvedBy" TEXT;
+ALTER TABLE "SOADocument" ADD COLUMN "approvedAt" TIMESTAMP(3);
+
diff --git a/packages/db/prisma/migrations/20251125191143_change_approved_by_to_approver_id/migration.sql b/packages/db/prisma/migrations/20251125191143_change_approved_by_to_approver_id/migration.sql
new file mode 100644
index 000000000..5016bdc4f
--- /dev/null
+++ b/packages/db/prisma/migrations/20251125191143_change_approved_by_to_approver_id/migration.sql
@@ -0,0 +1,9 @@
+-- AlterEnum: Add needs_review status
+ALTER TYPE "SOADocumentStatus" ADD VALUE 'needs_review';
+
+-- AlterTable: Rename approvedBy to approverId and change to reference Member
+ALTER TABLE "SOADocument" RENAME COLUMN "approvedBy" TO "approverId";
+
+-- AddForeignKey: Add relation to Member
+ALTER TABLE "SOADocument" ADD CONSTRAINT "SOADocument_approverId_fkey" FOREIGN KEY ("approverId") REFERENCES "Member"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
diff --git a/packages/db/prisma/schema/auth.prisma b/packages/db/prisma/schema/auth.prisma
index f2e78befb..d1caee02a 100644
--- a/packages/db/prisma/schema/auth.prisma
+++ b/packages/db/prisma/schema/auth.prisma
@@ -101,6 +101,7 @@ model Member {
 
   assignedPolicies       Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
   approvedPolicies       Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
+  approvedSOADocuments   SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
   risks                  Risk[]
   tasks                  Task[]
   vendors                Vendor[]
diff --git a/packages/db/prisma/schema/framework-editor.prisma b/packages/db/prisma/schema/framework-editor.prisma
index 7321c4b45..9f37d1535 100644
--- a/packages/db/prisma/schema/framework-editor.prisma
+++ b/packages/db/prisma/schema/framework-editor.prisma
@@ -20,6 +20,8 @@ model FrameworkEditorFramework {
 
   requirements       FrameworkEditorRequirement[]
   frameworkInstances FrameworkInstance[]
+  soaConfigurations  SOAFrameworkConfiguration[] // Multiple SOA config versions per framework
+  soaDocuments       SOADocument[] // SOA documents from organizations
 
   // Dates
   createdAt DateTime @default(now())
diff --git a/packages/db/prisma/schema/knowledge-base-document.prisma b/packages/db/prisma/schema/knowledge-base-document.prisma
index 9c2aca6d2..5f87249de 100644
--- a/packages/db/prisma/schema/knowledge-base-document.prisma
+++ b/packages/db/prisma/schema/knowledge-base-document.prisma
@@ -1,13 +1,13 @@
 model KnowledgeBaseDocument {
-  id             String   @id @default(dbgenerated("generate_prefixed_cuid('kbd'::text)"))
-  name           String   // Original filename
-  description    String?  // Optional user description/notes
-  s3Key          String   // S3 storage key (e.g., "org123/knowledge-base-documents/timestamp-file.pdf")
-  fileType       String   // MIME type (e.g., "application/pdf")
-  fileSize       Int      // File size in bytes
+  id               String                                @id @default(dbgenerated("generate_prefixed_cuid('kbd'::text)"))
+  name             String // Original filename
+  description      String? // Optional user description/notes
+  s3Key            String // S3 storage key (e.g., "org123/knowledge-base-documents/timestamp-file.pdf")
+  fileType         String // MIME type (e.g., "application/pdf")
+  fileSize         Int // File size in bytes
   processingStatus KnowledgeBaseDocumentProcessingStatus @default(pending) // Track indexing status
-  processedAt    DateTime? // When indexing completed
-  triggerRunId   String?  // Trigger.dev run ID for tracking processing progress
+  processedAt      DateTime? // When indexing completed
+  triggerRunId     String? // Trigger.dev run ID for tracking processing progress
 
   // Dates
   createdAt DateTime @default(now())
@@ -24,9 +24,8 @@ model KnowledgeBaseDocument {
 }
 
 enum KnowledgeBaseDocumentProcessingStatus {
-  pending     // Uploaded but not yet processed/indexed
-  processing  // Currently being processed/indexed
-  completed   // Successfully indexed in vector database
-  failed      // Processing failed
+  pending // Uploaded but not yet processed/indexed
+  processing // Currently being processed/indexed
+  completed // Successfully indexed in vector database
+  failed // Processing failed
 }
-
diff --git a/packages/db/prisma/schema/organization.prisma b/packages/db/prisma/schema/organization.prisma
index a81ca74d8..66dd4a924 100644
--- a/packages/db/prisma/schema/organization.prisma
+++ b/packages/db/prisma/schema/organization.prisma
@@ -15,28 +15,29 @@ model Organization {
   fleetDmLabelId        Int?
   isFleetSetupCompleted Boolean @default(false)
 
-  apiKeys             ApiKey[]
-  auditLog            AuditLog[]
-  controls            Control[]
-  frameworkInstances  FrameworkInstance[]
-  integrations        Integration[]
-  invitations         Invitation[]
-  members             Member[]
-  policy              Policy[]
-  risk                Risk[]
-  vendors             Vendor[]
-  tasks               Task[]
-  comments            Comment[]
-  attachments         Attachment[]
-  trust               Trust[]
-  context             Context[]
-  secrets             Secret[]
-  trustAccessRequests TrustAccessRequest[]
-  trustNdaAgreements  TrustNDAAgreement[]
-  trustDocuments      TrustDocument[]
-  knowledgeBaseDocuments KnowledgeBaseDocument[]
-  questionnaires         Questionnaire[]
+  apiKeys                            ApiKey[]
+  auditLog                           AuditLog[]
+  controls                           Control[]
+  frameworkInstances                 FrameworkInstance[]
+  integrations                       Integration[]
+  invitations                        Invitation[]
+  members                            Member[]
+  policy                             Policy[]
+  risk                               Risk[]
+  vendors                            Vendor[]
+  tasks                              Task[]
+  comments                           Comment[]
+  attachments                        Attachment[]
+  trust                              Trust[]
+  context                            Context[]
+  secrets                            Secret[]
+  trustAccessRequests                TrustAccessRequest[]
+  trustNdaAgreements                 TrustNDAAgreement[]
+  trustDocuments                     TrustDocument[]
+  knowledgeBaseDocuments             KnowledgeBaseDocument[]
+  questionnaires                     Questionnaire[]
   securityQuestionnaireManualAnswers SecurityQuestionnaireManualAnswer[]
+  soaDocuments                       SOADocument[]
 
   @@index([slug])
 }
diff --git a/packages/db/prisma/schema/questionnaire.prisma b/packages/db/prisma/schema/questionnaire.prisma
index 2f0811334..c551a641a 100644
--- a/packages/db/prisma/schema/questionnaire.prisma
+++ b/packages/db/prisma/schema/questionnaire.prisma
@@ -1,13 +1,13 @@
 model Questionnaire {
-  id             String   @id @default(dbgenerated("generate_prefixed_cuid('qst'::text)"))
-  filename       String   // Original filename
-  s3Key          String   // S3 storage key for the uploaded file
-  fileType       String   // MIME type (e.g., "application/pdf")
-  fileSize       Int      // File size in bytes
-  status         QuestionnaireStatus @default(parsing) // Parsing status
-  parsedAt       DateTime? // When parsing completed
-  totalQuestions Int      @default(0) // Total number of questions parsed
-  answeredQuestions Int   @default(0) // Number of questions with answers
+  id                String              @id @default(dbgenerated("generate_prefixed_cuid('qst'::text)"))
+  filename          String // Original filename
+  s3Key             String // S3 storage key for the uploaded file
+  fileType          String // MIME type (e.g., "application/pdf")
+  fileSize          Int // File size in bytes
+  status            QuestionnaireStatus @default(parsing) // Parsing status
+  parsedAt          DateTime? // When parsing completed
+  totalQuestions    Int                 @default(0) // Total number of questions parsed
+  answeredQuestions Int                 @default(0) // Number of questions with answers
 
   // Dates
   createdAt DateTime @default(now())
@@ -15,7 +15,7 @@ model Questionnaire {
 
   // Relationships
   organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organization   Organization                        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   questions      QuestionnaireQuestionAnswer[]
   manualAnswers  SecurityQuestionnaireManualAnswer[] // Manual answers saved from this questionnaire
 
@@ -25,14 +25,14 @@ model Questionnaire {
 }
 
 model QuestionnaireQuestionAnswer {
-  id             String   @id @default(dbgenerated("generate_prefixed_cuid('qqa'::text)"))
-  question       String   // The question text
-  answer          String?  // The answer (nullable if not provided in file or not generated yet)
-  status          QuestionnaireAnswerStatus @default(untouched) // Answer status
-  questionIndex   Int      // Order/index of the question in the questionnaire
-  sources         Json?    // Sources used for generated answers (array of source objects)
-  generatedAt     DateTime? // When answer was generated (if status is generated)
-  updatedBy       String?  // User ID who last updated the answer (if manual)
+  id            String                    @id @default(dbgenerated("generate_prefixed_cuid('qqa'::text)"))
+  question      String // The question text
+  answer        String? // The answer (nullable if not provided in file or not generated yet)
+  status        QuestionnaireAnswerStatus @default(untouched) // Answer status
+  questionIndex Int // Order/index of the question in the questionnaire
+  sources       Json? // Sources used for generated answers (array of source objects)
+  generatedAt   DateTime? // When answer was generated (if status is generated)
+  updatedBy     String? // User ID who last updated the answer (if manual)
 
   // Dates
   createdAt DateTime @default(now())
@@ -48,14 +48,13 @@ model QuestionnaireQuestionAnswer {
 }
 
 enum QuestionnaireStatus {
-  parsing    // Currently being parsed
-  completed  // Successfully parsed
-  failed     // Parsing failed
+  parsing // Currently being parsed
+  completed // Successfully parsed
+  failed // Parsing failed
 }
 
 enum QuestionnaireAnswerStatus {
-  untouched  // No answer yet (empty or not generated)
-  generated  // AI generated answer
-  manual     // Manually written/edited by user
+  untouched // No answer yet (empty or not generated)
+  generated // AI generated answer
+  manual // Manually written/edited by user
 }
-
diff --git a/packages/db/prisma/schema/security-questionnaire-manual-answer.prisma b/packages/db/prisma/schema/security-questionnaire-manual-answer.prisma
index c41ad7394..aeabb3e04 100644
--- a/packages/db/prisma/schema/security-questionnaire-manual-answer.prisma
+++ b/packages/db/prisma/schema/security-questionnaire-manual-answer.prisma
@@ -1,29 +1,28 @@
 model SecurityQuestionnaireManualAnswer {
-  id             String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
-  question       String   // The question text
-  answer         String   // The answer text (required for saved answers)
-  tags           String[] @default([]) // Optional tags for categorization
-  
+  id       String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
+  question String // The question text
+  answer   String // The answer text (required for saved answers)
+  tags     String[] @default([]) // Optional tags for categorization
+
   // Optional reference to original questionnaire (for tracking)
   sourceQuestionnaireId String?
   sourceQuestionnaire   Questionnaire? @relation(fields: [sourceQuestionnaireId], references: [id], onDelete: SetNull)
-  
+
   // User who created/updated this answer
-  createdBy      String?  // User ID
-  updatedBy      String?  // User ID
-  
+  createdBy String? // User ID
+  updatedBy String? // User ID
+
   // Dates
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
-  
+
   // Relationships
   organizationId String
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  
+
+  @@unique([organizationId, question]) // Prevent duplicate questions per organization
   @@index([organizationId])
   @@index([organizationId, question])
   @@index([tags])
   @@index([createdAt])
-  @@unique([organizationId, question]) // Prevent duplicate questions per organization
 }
-
diff --git a/packages/db/prisma/schema/soa.prisma b/packages/db/prisma/schema/soa.prisma
new file mode 100644
index 000000000..d3f28d386
--- /dev/null
+++ b/packages/db/prisma/schema/soa.prisma
@@ -0,0 +1,134 @@
+// Statement of Applicability (SOA) Auto-complete Configuration and Answers
+
+model SOAFrameworkConfiguration {
+  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('soa_cfg'::text)"))
+  frameworkId String
+  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+
+  // Configuration versioning - allows multiple configurations per framework
+  version  Int     @default(1) // Version number for this configuration (increments when config changes)
+  isLatest Boolean @default(true) // Whether this is the latest configuration version
+
+  // Column definitions for SOA structure (template used when creating new documents)
+  columns Json // Array of { name: string, type: string } objects
+  // Example: [{ name: "Control ID", type: "string" }, { name: "Control Name", type: "string" }, { name: "Applicable", type: "boolean" }, { name: "Justification", type: "text" }]
+
+  // Predefined questions for this framework
+  // Documents reference a specific configuration version via SOADocument.configurationId
+  // Old documents keep their old config version, new documents use new config version
+  questions Json // Array of question objects with unique IDs
+  // Example: [{ id: "A.5.1.1", text: "Is this control applicable?", columnMapping: "Applicable", controlId: "A.5.1.1" }, ...]
+  // IMPORTANT: question.id must be unique and stable - this is what SOAAnswer.questionId references
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relationships
+  documents SOADocument[]
+
+  @@unique([frameworkId, version]) // Prevent duplicate configuration versions
+  @@index([frameworkId])
+  @@index([frameworkId, version])
+  @@index([frameworkId, isLatest])
+}
+
+model SOADocument {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_doc'::text)"))
+
+  // Framework and organization context
+  frameworkId    String
+  framework      FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+  organizationId String
+  organization   Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  // Configuration reference - references a specific SOAFrameworkConfiguration version
+  // Each document version can use a different configuration version
+  // Old documents keep their old config, new documents use new config
+  configurationId String
+  configuration   SOAFrameworkConfiguration @relation(fields: [configurationId], references: [id], onDelete: Cascade)
+
+  // Document versioning
+  version  Int     @default(1) // Version number for this document (increments yearly)
+  isLatest Boolean @default(true) // Whether this is the latest version
+
+  // Document status
+  status SOADocumentStatus @default(draft) // draft, in_progress, completed
+
+  // Document metadata
+  totalQuestions    Int @default(0) // Total number of questions in this document
+  answeredQuestions Int @default(0) // Number of questions with answers
+
+  // Approval tracking
+  preparedBy String  @default("Comp AI") // Always "Comp AI"
+  approverId String? // Member ID who will approve this document (set when submitted for approval)
+  approver   Member? @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
+  approvedAt DateTime? // When document was approved
+
+  // Dates
+  completedAt DateTime? // When document was completed
+  createdAt   DateTime  @default(now())
+  updatedAt   DateTime  @updatedAt
+
+  // Relationships
+  answers SOAAnswer[]
+
+  @@unique([frameworkId, organizationId, version]) // Prevent duplicate versions
+  @@index([frameworkId, organizationId])
+  @@index([frameworkId, organizationId, version])
+  @@index([frameworkId, organizationId, isLatest])
+  @@index([configurationId])
+  @@index([status])
+}
+
+model SOAAnswer {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_ans'::text)"))
+
+  // Document context (replaces direct framework/organization link)
+  documentId String
+  document   SOADocument @relation(fields: [documentId], references: [id], onDelete: Cascade)
+
+  // Question reference - references question.id from SOADocument.configuration.questions
+  // References the specific configuration version that the document uses
+  // If config changes, old documents still reference their old config version
+  questionId String // Must match a question.id from SOADocument.configuration.questions
+
+  // Answer data - simple text answer
+  answer String? // Text answer (nullable if not generated yet)
+
+  // Answer metadata
+  status      SOAAnswerStatus @default(untouched) // untouched, generated, manual
+  sources     Json? // Sources used for generated answers (similar to questionnaire)
+  generatedAt DateTime? // When answer was generated
+
+  // Answer versioning (within the document)
+  answerVersion  Int     @default(1) // Version number for this specific answer
+  isLatestAnswer Boolean @default(true) // Whether this is the latest version of this answer
+
+  // User tracking
+  createdBy String? // User ID who created this answer
+  updatedBy String? // User ID who last updated this answer
+
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@unique([documentId, questionId, answerVersion]) // Prevent duplicate answer versions
+  @@index([documentId])
+  @@index([documentId, questionId])
+  @@index([documentId, questionId, isLatestAnswer])
+  @@index([status])
+}
+
+enum SOADocumentStatus {
+  draft // Document is being created/edited
+  in_progress // Document is being generated
+  needs_review // Document is submitted for approval
+  completed // Document is complete and approved
+}
+
+enum SOAAnswerStatus {
+  untouched // No answer yet (not generated)
+  generated // AI generated answer
+  manual // Manually written/edited by user
+}
diff --git a/packages/ui/src/components/secondary-menu.tsx b/packages/ui/src/components/secondary-menu.tsx
index e2dbb4a4b..4350b3283 100644
--- a/packages/ui/src/components/secondary-menu.tsx
+++ b/packages/ui/src/components/secondary-menu.tsx
@@ -131,7 +131,7 @@ export function SecondaryMenu({
   }, [activeIndex]);
 
   return (
-    <nav className={'pb-4'} key={pathname}>
+    <nav className={'pb-4 relative z-5 bg-background'}>
       <div className="flex items-center gap-2 overflow-auto p-[1px]">
         {showBackButton && (
           <Button variant="ghost" size="sm" asChild>

From 8bdd1adca77bb695f94c5f453de5853d3eb01fa1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 11:07:28 -0500
Subject: [PATCH 3/7] fix(soa): enhance EditableSOAFields with justification
 dialog and save logic, change colors (#1840)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
---
 .../soa/components/EditableSOAFields.tsx      | 262 +++++++++++-------
 .../soa/components/SOADocumentInfo.tsx        |  35 ++-
 .../components/SOAPendingApprovalAlert.tsx    |  23 +-
 .../questionnaire/soa/components/SOATable.tsx |   9 +-
 .../soa/components/SOATableRow.tsx            |   2 +-
 5 files changed, 220 insertions(+), 111 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
index 2b302bbd8..f17f6eff4 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/EditableSOAFields.tsx
@@ -10,7 +10,15 @@ import {
   SelectTrigger,
   SelectValue,
 } from '@comp/ui/select';
-import { Check, X, Loader2, Edit2 } from 'lucide-react';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { X, Loader2, Edit2 } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
 import { saveSOAAnswer } from '../actions/save-soa-answer';
 import { toast } from 'sonner';
@@ -41,6 +49,16 @@ export function EditableSOAFields({
   const [justification, setJustification] = useState<string | null>(initialJustification);
   const [error, setError] = useState<string | null>(null);
   const justificationTextareaRef = useRef<HTMLTextAreaElement>(null);
+  const [isJustificationDialogOpen, setJustificationDialogOpen] = useState(false);
+  const dialogSavedRef = useRef(false);
+  const badgeBaseClasses =
+    'inline-flex items-center justify-center rounded-full border px-3 py-1 text-xs font-medium tracking-wide w-[3rem]';
+  const badgeClasses =
+    isApplicable === true
+      ? `${badgeBaseClasses} bg-primary text-primary-foreground border-primary/70 shadow-sm shadow-primary/40`
+      : isApplicable === false
+        ? `${badgeBaseClasses} bg-destructive text-destructive-foreground border-destructive/70 shadow-sm shadow-destructive/40`
+        : `${badgeBaseClasses} bg-muted text-muted-foreground border-transparent`;
 
   const saveAction = useAction(saveSOAAnswer, {
     onSuccess: () => {
@@ -53,94 +71,139 @@ export function EditableSOAFields({
       }
       onUpdate?.();
     },
-    onError: ({ error }) => {
-      setError(error.serverError || 'Failed to save answer');
-      toast.error(error.serverError || 'Failed to save answer');
+    onError: () => {
+      const message = 'Failed to save answer';
+      if (!isJustificationDialogOpen) {
+        setIsApplicable(initialIsApplicable);
+        setJustification(initialJustification);
+        setJustificationDialogOpen(false);
+      }
+      setError(message);
+      toast.error(message);
     },
   });
 
+  useEffect(() => {
+    setIsApplicable(initialIsApplicable);
+    setJustification(initialJustification);
+  }, [initialIsApplicable, initialJustification]);
+
   // If control 7.* and fully remote, disable editing
   const isDisabled = isPendingApproval || (isControl7 && isFullyRemote);
 
-  // Auto-focus justification field when NO is selected
+  // Auto-focus justification field when dialog opens
   useEffect(() => {
-    if (isEditing && isApplicable === false && justificationTextareaRef.current) {
-      // Small delay to ensure the textarea is rendered
+    if (isJustificationDialogOpen && justificationTextareaRef.current) {
       setTimeout(() => {
         justificationTextareaRef.current?.focus();
-      }, 100);
-    }
-  }, [isEditing, isApplicable]);
-
-  const handleSave = async () => {
-    // Validate: if NO, justification is required
-    if (isApplicable === false && (!justification || justification.trim().length === 0)) {
-      setError('Justification is required when Applicable is NO');
-      if (justificationTextareaRef.current) {
-        justificationTextareaRef.current.focus();
-      }
-      return;
+      }, 75);
     }
+  }, [isJustificationDialogOpen]);
 
-    const answerValue = isApplicable === false ? justification : null;
-
-    await saveAction.execute({
+  const executeSave = (
+    nextIsApplicable: boolean | null,
+    nextJustification: string | null,
+  ) => {
+    const answerValue = nextIsApplicable === false ? nextJustification : null;
+    return saveAction.execute({
       documentId,
       questionId,
       answer: answerValue,
-      isApplicable,
-      justification: isApplicable === false ? justification : null,
+      isApplicable: nextIsApplicable,
+      justification: nextIsApplicable === false ? nextJustification : null,
     });
   };
 
-  const handleCancel = () => {
+  const closeEditing = () => {
+    setIsEditing(false);
     setIsApplicable(initialIsApplicable);
     setJustification(initialJustification);
-    setIsEditing(false);
     setError(null);
+    setJustificationDialogOpen(false);
+  };
+
+  const handleEditClick = () => {
+    setIsEditing(true);
+    if (isApplicable === false) {
+      setJustificationDialogOpen(true);
+    } else {
+      setJustificationDialogOpen(false);
+    }
+  };
+
+  const handleSelectChange = (value: 'yes' | 'no' | 'null') => {
+    const newValue = value === 'yes' ? true : value === 'no' ? false : null;
+    setIsApplicable(newValue);
+    setError(null);
+
+    if (newValue === true) {
+      setJustification(null);
+      setJustificationDialogOpen(false);
+      void executeSave(true, null);
+      return;
+    }
+
+    if (newValue === false) {
+      setJustificationDialogOpen(true);
+      return;
+    }
+
+    setJustificationDialogOpen(false);
+    void executeSave(null, null);
+  };
+
+  const handleJustificationSave = async () => {
+    if (!justification || justification.trim().length === 0) {
+      setError('Justification is required when Applicable is NO');
+      justificationTextareaRef.current?.focus();
+      return;
+    }
+
+    await executeSave(false, justification);
+    dialogSavedRef.current = true;
+    setJustificationDialogOpen(false);
+  };
+
+  const handleDialogOpenChange = (open: boolean) => {
+    if (!open) {
+      if (dialogSavedRef.current) {
+        dialogSavedRef.current = false;
+      } else {
+        setIsApplicable(initialIsApplicable);
+        setJustification(initialJustification);
+      }
+      setError(null);
+    }
+
+    setJustificationDialogOpen(open);
   };
 
   if (isDisabled && !isEditing) {
     // Display mode
     return (
-      <div className="flex flex-col gap-2">
-        <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold w-fit ${
-          isApplicable === true
-            ? 'bg-emerald-500 text-white shadow-sm'
-            : isApplicable === false
-              ? 'bg-rose-500 text-white shadow-sm'
-              : 'bg-muted text-muted-foreground'
-        }`}>
+      <div className="flex w-full flex-col items-center gap-2 text-center">
+        <span className={`${badgeClasses} uppercase`}>
           {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
         </span>
-        {isApplicable === false && justification && (
-          <p className="text-sm leading-relaxed text-foreground whitespace-pre-wrap break-words">
-            {justification}
-          </p>
-        )}
       </div>
     );
   }
 
   if (!isEditing) {
     return (
-      <div className="flex items-center gap-2">
-        <span className={`inline-flex items-center justify-center px-3 py-1.5 rounded-md text-xs font-semibold w-fit ${
-          isApplicable === true
-            ? 'bg-emerald-500 text-white shadow-sm'
-            : isApplicable === false
-              ? 'bg-rose-500 text-white shadow-sm'
-              : 'bg-muted text-muted-foreground'
-        }`}>
+      <div className="group relative flex w-full items-center justify-center">
+        <span className={`${badgeClasses} uppercase`}>
           {isApplicable === true ? 'YES' : isApplicable === false ? 'NO' : '—'}
         </span>
         <Button
           variant="ghost"
-          size="sm"
-          onClick={() => setIsEditing(true)}
-          className="h-6 px-2 text-xs"
+          size="icon"
+          onClick={handleEditClick}
+          className="absolute right-0 h-6 w-6 text-muted-foreground opacity-0 transition-opacity group-hover:opacity-100 group-focus-within:opacity-100 focus-visible:opacity-100"
+          aria-label="Edit answer"
         >
           <Edit2 className="h-3 w-3" />
+          <span className="sr-only">Edit answer</span>
         </Button>
       </div>
     );
@@ -148,79 +211,80 @@ export function EditableSOAFields({
 
   return (
     <div className="flex flex-col gap-3">
-      <div className="flex items-center gap-2">
+      <div className="flex items-center justify-between gap-2">
         <Select
           value={isApplicable === null ? 'null' : isApplicable ? 'yes' : 'no'}
-          onValueChange={(value) => {
-            const newValue = value === 'yes' ? true : value === 'no' ? false : null;
-            setIsApplicable(newValue);
-            // Clear justification if switching to YES
-            if (newValue === true) {
-              setJustification(null);
-            }
-            // Clear error when changing selection
-            setError(null);
-          }}
+          onValueChange={handleSelectChange}
         >
-          <SelectTrigger className="w-32">
+          <SelectTrigger className="w-32" disabled={saveAction.status === 'executing'}>
             <SelectValue />
           </SelectTrigger>
           <SelectContent>
+            <SelectItem value="null" disabled>
+              —
+            </SelectItem>
             <SelectItem value="yes">YES</SelectItem>
             <SelectItem value="no">NO</SelectItem>
           </SelectContent>
         </Select>
+        <Button
+          variant="ghost"
+          size="icon"
+          onClick={closeEditing}
+          disabled={saveAction.status === 'executing'}
+          aria-label="Close editing"
+        >
+          <X className="h-3 w-3" />
+          <span className="sr-only">Close editing</span>
+        </Button>
       </div>
 
-      {isApplicable === false && (
-        <div className="flex flex-col gap-2">
+      <Dialog open={isJustificationDialogOpen} onOpenChange={handleDialogOpenChange}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>Justification Required</DialogTitle>
+            <DialogDescription>
+              Explain why this control is not applicable to your organization.
+            </DialogDescription>
+          </DialogHeader>
           <Textarea
             ref={justificationTextareaRef}
             value={justification || ''}
             onChange={(e) => {
               setJustification(e.target.value);
-              setError(null); // Clear error when typing
+              setError(null);
             }}
             placeholder="Enter justification (required)"
-            className="min-h-[80px]"
+            className="min-h-[120px]"
             required
           />
           {error && (
             <p className="text-xs text-destructive">{error}</p>
           )}
-        </div>
-      )}
-
-      <div className="flex items-center gap-2">
-        <Button
-          size="sm"
-          onClick={handleSave}
-          disabled={saveAction.status === 'executing'}
-          className="h-7"
-        >
-          {saveAction.status === 'executing' ? (
-            <>
-              <Loader2 className="mr-1 h-3 w-3 animate-spin" />
-              Saving...
-            </>
-          ) : (
-            <>
-              <Check className="mr-1 h-3 w-3" />
-              Save
-            </>
-          )}
-        </Button>
-        <Button
-          size="sm"
-          variant="ghost"
-          onClick={handleCancel}
-          disabled={saveAction.status === 'executing'}
-          className="h-7"
-        >
-          <X className="mr-1 h-3 w-3" />
-          Cancel
-        </Button>
-      </div>
+          <DialogFooter className="gap-2">
+            <Button
+              variant="ghost"
+              onClick={() => handleDialogOpenChange(false)}
+              disabled={saveAction.status === 'executing'}
+            >
+              Cancel
+            </Button>
+            <Button
+              onClick={handleJustificationSave}
+              disabled={saveAction.status === 'executing'}
+            >
+              {saveAction.status === 'executing' ? (
+                <>
+                  <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                  Saving...
+                </>
+              ) : (
+                'Save justification'
+              )}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
index e72b9b383..6c16d4f81 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOADocumentInfo.tsx
@@ -2,7 +2,7 @@
 
 import { Card } from '@comp/ui';
 import { Button } from '@comp/ui/button';
-import { Zap, Loader2, ShieldX } from 'lucide-react';
+import { Zap, Loader2, ShieldCheck } from 'lucide-react';
 import { Member, User } from '@db';
 
 type Document = {
@@ -14,6 +14,8 @@ type Document = {
   preparedBy: string | null;
   approverId?: string | null;
   approvedAt?: Date | null;
+  declinedAt?: Date | null;
+  declinedBy?: (Member & { user: User }) | null;
 };
 
 interface SOADocumentInfoProps {
@@ -64,13 +66,15 @@ export function SOADocumentInfo({
           </div>
           <div className="h-8 w-px bg-border" />
           <div className="flex flex-col gap-1">
-            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Approved</p>
+            <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Approval status</p>
             <p className="text-sm font-semibold text-foreground">
               {document.approvedAt
-                ? new Date(document.approvedAt).toLocaleDateString()
-                : approver
-                  ? 'Pending approval'
-                  : 'Not approved'}
+                ? `Approved on ${new Date(document.approvedAt).toLocaleDateString()}`
+                : document.status === 'needs_review' && document.declinedAt
+                  ? `Declined on ${new Date(document.declinedAt).toLocaleDateString()}`
+                  : approver
+                    ? 'Pending approval'
+                    : 'Not approved'}
             </p>
           </div>
           {approver && document.approvedAt && (
@@ -84,7 +88,7 @@ export function SOADocumentInfo({
               </div>
             </>
           )}
-          {approver && !document.approvedAt && (
+          {approver && !document.approvedAt && document.status !== 'needs_review' && (
             <>
               <div className="h-8 w-px bg-border" />
               <div className="flex flex-col gap-1">
@@ -95,6 +99,21 @@ export function SOADocumentInfo({
               </div>
             </>
           )}
+          {document.status === 'needs_review' && document.declinedAt && (
+            <>
+              <div className="h-8 w-px bg-border" />
+              <div className="flex flex-col gap-1">
+                <p className="text-xs font-medium text-muted-foreground uppercase tracking-wide">Declined by</p>
+                <p className="text-sm font-semibold text-foreground">
+                  {document.declinedBy?.user?.name ||
+                    document.declinedBy?.user?.email ||
+                    approver?.user.name ||
+                    approver?.user.email ||
+                    'Unknown'}
+                </p>
+              </div>
+            </>
+          )}
         </div>
         <div className="flex items-center gap-2">
           {!isPendingApproval && canApprove && document.status !== 'needs_review' && (
@@ -104,7 +123,7 @@ export function SOADocumentInfo({
               variant="outline"
               disabled={!!document.approvedAt}
             >
-              <ShieldX className="mr-2 h-4 w-4" />
+              <ShieldCheck className="mr-2 h-4 w-4" />
               Submit for Approval
             </Button>
           )}
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
index 4ead27f2e..f7397fc07 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
@@ -14,6 +14,8 @@ interface SOAPendingApprovalAlertProps {
   isDeclining: boolean;
   onApprove: () => void;
   onDecline: () => void;
+  lastDeclinedAt?: Date | null;
+  lastDeclinedBy?: (Member & { user: User }) | null;
 }
 
 export function SOAPendingApprovalAlert({
@@ -25,6 +27,8 @@ export function SOAPendingApprovalAlert({
   isDeclining,
   onApprove,
   onDecline,
+  lastDeclinedAt,
+  lastDeclinedBy,
 }: SOAPendingApprovalAlertProps) {
   return (
     <Alert variant="default">
@@ -33,8 +37,23 @@ export function SOAPendingApprovalAlert({
         {canCurrentUserApprove ? 'Action Required by You' : 'Pending Approval'}
       </AlertTitle>
       <AlertDescription className="flex flex-col gap-2">
+        {lastDeclinedAt && (
+          <div className="rounded-md border border-destructive/40 bg-destructive/5 p-3 text-sm text-destructive">
+            <div className="font-semibold flex items-center gap-2">
+              <XCircle className="h-4 w-4" />
+              Document was declined on{' '}
+              {new Date(lastDeclinedAt).toLocaleDateString()}
+              {lastDeclinedBy
+                ? ` by ${lastDeclinedBy.user.name || lastDeclinedBy.user.email || 'an approver'}`
+                : ''}
+            </div>
+            <p className="mt-1 text-xs text-destructive/80">
+              Review the comments and make necessary changes before resubmitting for approval.
+            </p>
+          </div>
+        )}
         <div>
-          This SOA document is awaiting approval from{' '}
+          This document is awaiting approval from{' '}
           <span className="font-semibold">
             {approverId === currentMemberId
               ? 'you'
@@ -45,7 +64,7 @@ export function SOAPendingApprovalAlert({
           .
         </div>
         {canCurrentUserApprove &&
-          ' Please review the details and approve the document.'}
+          ' Please review the details and approve or decline the document.'}
         {!canCurrentUserApprove && ' All fields are disabled until the document is approved.'}
         {canCurrentUserApprove && (
           <div className="flex items-center gap-2 mt-2">
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
index af713b1fc..c01b13b1d 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATable.tsx
@@ -42,6 +42,13 @@ interface SOATableProps {
   isPendingApproval: boolean;
 }
 
+const columnLabelMap: Record<string, string> = {
+  title: 'Control',
+  control_objective: 'Control Objective',
+  isApplicable: 'Applicable',
+  justification: 'Justification',
+};
+
 export function SOATable({
   columns,
   questions,
@@ -94,7 +101,7 @@ export function SOATable({
                       index === 0 ? 'pl-6 pr-6' : index === columns.length - 1 ? 'px-6 pr-6' : 'px-6'
                     }`}
                   >
-                    {column.name.replace(/_/g, ' ')}
+                    {columnLabelMap[column.name] ?? column.name.replace(/_/g, ' ')}
                   </th>
                 );
               })}
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
index efe0573ed..7baaf9fb9 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOATableRow.tsx
@@ -108,7 +108,7 @@ export function SOATableRow({
             key={column.name}
             className={`py-4 text-sm ${
               colIndex === 0 ? 'pl-6 pr-6' : colIndex === columns.length - 1 ? 'px-6 pr-6' : 'px-6'
-            } ${column.name === 'isApplicable' ? 'bg-muted/10' : ''}`}
+            } ${column.name === 'isApplicable' ? 'bg-muted/10 text-center' : ''}`}
           >
             {showSpinner ? (
               <div className="flex items-center gap-2">

From 02d191938347d457c6d441b66b08f29f3df9715b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 11:58:30 -0500
Subject: [PATCH 4/7] fix(soa): remove unrelevant text (#1841)

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
---
 .../questionnaire/soa/components/SOAPendingApprovalAlert.tsx     | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
index f7397fc07..e9dc0dff9 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/soa/components/SOAPendingApprovalAlert.tsx
@@ -65,7 +65,6 @@ export function SOAPendingApprovalAlert({
         </div>
         {canCurrentUserApprove &&
           ' Please review the details and approve or decline the document.'}
-        {!canCurrentUserApprove && ' All fields are disabled until the document is approved.'}
         {canCurrentUserApprove && (
           <div className="flex items-center gap-2 mt-2">
             <Button onClick={onApprove} disabled={isApproving || isDeclining}>

From fbbe6661f30815c880541167b23d9000ef55d3bf Mon Sep 17 00:00:00 2001
From: Lewis Carhart <lewis@trycomp.ai>
Date: Wed, 26 Nov 2025 17:32:30 +0000
Subject: [PATCH 5/7] feat(frameworks): add people score calculation and
 visualization (#1842)

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
---
 .../components/ComplianceOverview.tsx         |  67 ++++++--
 .../components/ComplianceProgressChart.tsx    |  18 +--
 .../components/FrameworksOverview.tsx         |   2 +-
 .../frameworks/components/Overview.tsx        |   9 ++
 .../frameworks/components/PeopleChart.tsx     | 143 ++++++++++++++++++
 .../frameworks/components/PoliciesChart.tsx   |  18 +--
 .../frameworks/components/TasksChart.tsx      |  20 +--
 .../(app)/[orgId]/frameworks/lib/getPeople.ts | 106 +++++++++++++
 .../src/app/(app)/[orgId]/frameworks/page.tsx |   3 +
 9 files changed, 341 insertions(+), 45 deletions(-)
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/components/PeopleChart.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/frameworks/lib/getPeople.ts

diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceOverview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceOverview.tsx
index f4c690b3f..c32dd7a78 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceOverview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceOverview.tsx
@@ -4,6 +4,7 @@ import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
 import { Progress } from '@comp/ui/progress';
 import { FrameworkInstance } from '@db';
 import { ComplianceProgressChart } from './ComplianceProgressChart';
+import { PeopleChart } from './PeopleChart';
 import { PoliciesChart } from './PoliciesChart';
 import { TasksChart } from './TasksChart';
 
@@ -13,22 +14,29 @@ export function ComplianceOverview({
   publishedPolicies,
   totalTasks,
   doneTasks,
+  totalMembers,
+  completedMembers,
 }: {
   frameworks: FrameworkInstance[];
   totalPolicies: number;
   publishedPolicies: number;
   totalTasks: number;
   doneTasks: number;
+  totalMembers: number;
+  completedMembers: number;
 }) {
   const compliancePercentage = complianceProgress(
     publishedPolicies,
     doneTasks,
     totalPolicies,
     totalTasks,
+    totalMembers,
+    completedMembers,
   );
 
   const policiesPercentage = Math.round((publishedPolicies / Math.max(totalPolicies, 1)) * 100);
   const tasksPercentage = Math.round((doneTasks / Math.max(totalTasks, 1)) * 100);
+  const peoplePercentage = Math.round((completedMembers / Math.max(totalMembers, 1)) * 100);
 
   return (
     <Card className="flex flex-col overflow-hidden border h-full">
@@ -46,7 +54,7 @@ export function ComplianceOverview({
           />
         </div>
       </CardHeader>
-      <CardContent className="flex flex-col gap-3">
+      <CardContent className="flex flex-col flex-1 justify-center">
         {/* Progress bars for smaller screens */}
         <div className="space-y-4 lg:hidden mt-4">
           {/* Overall Compliance Progress Bar */}
@@ -84,23 +92,39 @@ export function ComplianceOverview({
             </div>
             <Progress value={tasksPercentage} className="h-1" />
           </div>
+
+          {/* People Progress Bar */}
+          <div className="space-y-3">
+            <div className="flex items-center justify-between">
+              <div className="flex items-center gap-2">
+                <div className="h-2 w-2 rounded-full bg-green-500"></div>
+                <span className="text-sm">People Score</span>
+              </div>
+              <span className="font-medium text-sm tabular-nums">{peoplePercentage}%</span>
+            </div>
+            <Progress value={peoplePercentage} className="h-1" />
+          </div>
         </div>
 
         {/* Charts for larger screens */}
-        <div className="hidden lg:flex lg:flex-col lg:items-center lg:justify-center">
+        <div className="hidden lg:flex lg:flex-col lg:items-center lg:justify-center lg:gap-4">
           <ComplianceProgressChart
             data={{ score: compliancePercentage, remaining: 100 - compliancePercentage }}
           />
-        </div>
-
-        <div className="hidden lg:flex lg:flex-col lg:items-center lg:justify-center lg:gap-3 lg:flex-row lg:gap-6">
-          <div className="flex flex-col items-center justify-center">
-            <PoliciesChart
-              data={{ published: policiesPercentage, draft: 100 - policiesPercentage }}
-            />
-          </div>
-          <div className="flex flex-col items-center justify-center">
-            <TasksChart data={{ done: tasksPercentage, remaining: 100 - tasksPercentage }} />
+          <div className="flex flex-row items-center justify-center gap-3">
+            <div className="flex flex-col items-center justify-center">
+              <PoliciesChart
+                data={{ published: policiesPercentage, draft: 100 - policiesPercentage }}
+              />
+            </div>
+            <div className="flex flex-col items-center justify-center">
+              <TasksChart data={{ done: tasksPercentage, remaining: 100 - tasksPercentage }} />
+            </div>
+            <div className="flex flex-col items-center justify-center">
+              <PeopleChart
+                data={{ completed: peoplePercentage, remaining: 100 - peoplePercentage }}
+              />
+            </div>
           </div>
         </div>
       </CardContent>
@@ -113,13 +137,24 @@ function complianceProgress(
   doneTasks: number,
   totalPolicies: number,
   totalTasks: number,
+  totalMembers: number,
+  completedMembers: number,
 ) {
-  const totalItems = totalPolicies + totalTasks;
+  // Calculate individual percentages
+  const policiesPercentage = totalPolicies > 0 ? publishedPolicies / totalPolicies : 0;
+  const tasksPercentage = totalTasks > 0 ? doneTasks / totalTasks : 0;
+  const peoplePercentage = totalMembers > 0 ? completedMembers / totalMembers : 0;
+
+  // Calculate average of the three percentages
+  const totalCategories = [totalPolicies, totalTasks, totalMembers].filter(
+    (count) => count > 0,
+  ).length;
 
-  if (totalItems === 0) return 0;
+  if (totalCategories === 0) return 0;
 
-  const completedItems = publishedPolicies + doneTasks;
-  const complianceScore = Math.round((completedItems / totalItems) * 100);
+  const averagePercentage =
+    (policiesPercentage + tasksPercentage + peoplePercentage) / totalCategories;
+  const complianceScore = Math.round(averagePercentage * 100);
 
   return complianceScore;
 }
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceProgressChart.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceProgressChart.tsx
index 8a961b384..03acf2135 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceProgressChart.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/ComplianceProgressChart.tsx
@@ -73,10 +73,10 @@ export function ComplianceProgressChart({ data }: ComplianceProgressChartProps)
   } satisfies ChartConfig;
 
   return (
-    <ChartContainer config={chartConfig} className="mx-auto h-[160px] max-w-[200px]">
+    <ChartContainer config={chartConfig} className="mx-auto h-[120px] max-w-[150px]">
       <PieChart
-        width={200}
-        height={160}
+        width={120}
+        height={120}
         margin={{
           top: 0,
           right: 0,
@@ -89,8 +89,8 @@ export function ComplianceProgressChart({ data }: ComplianceProgressChartProps)
           data={chartData}
           dataKey="value"
           nameKey="name"
-          innerRadius={45}
-          outerRadius={62}
+          innerRadius={35}
+          outerRadius={50}
           paddingAngle={2}
           strokeWidth={2}
           cursor="pointer"
@@ -111,14 +111,14 @@ export function ComplianceProgressChart({ data }: ComplianceProgressChartProps)
                       <tspan
                         x={viewBox.cx}
                         y={viewBox.cy}
-                        className="fill-foreground text-lg font-medium select-none"
+                        className="fill-foreground text-base font-medium select-none"
                       >
                         {data.score}%
                       </tspan>
                       <tspan
                         x={viewBox.cx}
-                        y={(viewBox.cy || 0) + 22}
-                        className="fill-muted-foreground text-[10px] select-none"
+                        y={(viewBox.cy || 0) + 18}
+                        className="fill-muted-foreground text-[9px] select-none"
                       >
                         Overall
                       </tspan>
@@ -126,7 +126,7 @@ export function ComplianceProgressChart({ data }: ComplianceProgressChartProps)
                     <circle
                       cx={viewBox.cx}
                       cy={viewBox.cy}
-                      r={42}
+                      r={32}
                       fill="none"
                       stroke="hsl(var(--border))"
                       strokeWidth={1}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
index e7782c4c2..f706b764b 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/FrameworksOverview.tsx
@@ -81,7 +81,7 @@ export function FrameworksOverview({
   );
 
   return (
-    <Card className="flex flex-col h-full">
+    <Card className="flex flex-col overflow-hidden border h-full">
       <CardHeader className="pb-2">
         <div className="flex items-center justify-between">
           <CardTitle className="flex items-center gap-2">{'Frameworks'}</CardTitle>
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
index be88095ca..c8b57da44 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/Overview.tsx
@@ -22,6 +22,11 @@ export interface DoneTasksScore {
   incompleteTasks: Task[];
 }
 
+export interface PeopleScore {
+  totalMembers: number;
+  completedMembers: number;
+}
+
 export interface OverviewProps {
   frameworksWithControls: FrameworkInstanceWithControls[];
   frameworksWithCompliance: FrameworkInstanceWithComplianceScore[];
@@ -29,6 +34,7 @@ export interface OverviewProps {
   organizationId: string;
   publishedPoliciesScore: PublishedPoliciesScore;
   doneTasksScore: DoneTasksScore;
+  peopleScore: PeopleScore;
   currentMember: { id: string; role: string } | null;
 }
 
@@ -39,6 +45,7 @@ export const Overview = ({
   organizationId,
   publishedPoliciesScore,
   doneTasksScore,
+  peopleScore,
   currentMember,
 }: OverviewProps) => {
   return (
@@ -49,6 +56,8 @@ export const Overview = ({
         publishedPolicies={publishedPoliciesScore.publishedPolicies}
         totalTasks={doneTasksScore.totalTasks}
         doneTasks={doneTasksScore.doneTasks}
+        totalMembers={peopleScore.totalMembers}
+        completedMembers={peopleScore.completedMembers}
       />
       <FrameworksOverview
         frameworksWithControls={frameworksWithControls}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/PeopleChart.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/PeopleChart.tsx
new file mode 100644
index 000000000..d34afa091
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/PeopleChart.tsx
@@ -0,0 +1,143 @@
+'use client';
+
+import * as React from 'react';
+import { Label, Pie, PieChart } from 'recharts';
+
+import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
+import {
+  type ChartConfig,
+  ChartContainer,
+  ChartTooltip,
+  ChartTooltipContent,
+} from '@comp/ui/chart';
+import { Info } from 'lucide-react';
+
+interface PeopleChartData {
+  completed: number;
+  remaining: number;
+}
+
+interface PeopleChartProps {
+  data?: PeopleChartData | null;
+}
+
+const CHART_COLORS = {
+  completed: 'hsl(var(--chart-primary))',
+  remaining: 'hsl(var(--muted))',
+};
+
+export function PeopleChart({ data }: PeopleChartProps) {
+  const chartData = React.useMemo(() => {
+    if (!data) return [];
+    const items = [
+      {
+        name: 'Compliant',
+        value: data.completed,
+        fill: CHART_COLORS.completed,
+      },
+      {
+        name: 'Remaining',
+        value: data.remaining,
+        fill: CHART_COLORS.remaining,
+      },
+    ];
+    return items.filter((item) => item.value > 0);
+  }, [data]);
+
+  if (!data) {
+    return (
+      <Card className="flex flex-col overflow-hidden border">
+        <CardHeader className="pb-2">
+          <div className="flex items-center justify-between">
+            <CardTitle className="flex items-center gap-2">People</CardTitle>
+          </div>
+        </CardHeader>
+        <CardContent className="flex flex-1 items-center justify-center py-10">
+          <div className="space-y-2 text-center">
+            <div className="text-muted-foreground flex justify-center">
+              <Info className="h-10 w-10 opacity-30" />
+            </div>
+            <p className="text-muted-foreground text-center text-sm">No data available</p>
+          </div>
+        </CardContent>
+      </Card>
+    );
+  }
+
+  const chartConfig = {
+    value: {
+      label: 'People Status',
+    },
+  } satisfies ChartConfig;
+
+  return (
+    <ChartContainer config={chartConfig} className="mx-auto h-[120px] max-w-[150px]">
+      <PieChart
+        width={120}
+        height={120}
+        margin={{
+          top: 0,
+          right: 0,
+          bottom: 0,
+          left: 0,
+        }}
+      >
+        <ChartTooltip cursor={false} content={<ChartTooltipContent isPercentage={true} />} />
+        <Pie
+          data={chartData}
+          dataKey="value"
+          nameKey="name"
+          innerRadius={35}
+          outerRadius={50}
+          paddingAngle={2}
+          strokeWidth={2}
+          cursor="pointer"
+          animationDuration={500}
+          animationBegin={100}
+        >
+          <Label
+            content={({ viewBox }) => {
+              if (viewBox && 'cx' in viewBox && 'cy' in viewBox) {
+                return (
+                  <g>
+                    <text
+                      x={viewBox.cx}
+                      y={viewBox.cy}
+                      textAnchor="middle"
+                      dominantBaseline="middle"
+                    >
+                      <tspan
+                        x={viewBox.cx}
+                        y={viewBox.cy}
+                        className="fill-foreground text-base font-medium select-none"
+                      >
+                        {data.completed}%
+                      </tspan>
+                      <tspan
+                        x={viewBox.cx}
+                        y={(viewBox.cy || 0) + 18}
+                        className="fill-muted-foreground text-[9px] select-none"
+                      >
+                        People
+                      </tspan>
+                    </text>
+                    <circle
+                      cx={viewBox.cx}
+                      cy={viewBox.cy}
+                      r={32}
+                      fill="none"
+                      stroke="hsl(var(--border))"
+                      strokeWidth={1}
+                      strokeDasharray="2,2"
+                    />
+                  </g>
+                );
+              }
+              return null;
+            }}
+          />
+        </Pie>
+      </PieChart>
+    </ChartContainer>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/PoliciesChart.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/PoliciesChart.tsx
index 847a1c514..2272645ac 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/PoliciesChart.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/PoliciesChart.tsx
@@ -87,10 +87,10 @@ export function PoliciesChart({ data }: PoliciesChartProps) {
   } satisfies ChartConfig;
 
   return (
-    <ChartContainer config={chartConfig} className="mx-auto h-[160px] max-w-[200px]">
+    <ChartContainer config={chartConfig} className="mx-auto h-[120px] max-w-[150px]">
       <PieChart
-        width={200}
-        height={160}
+        width={120}
+        height={120}
         margin={{
           top: 0,
           right: 0,
@@ -103,8 +103,8 @@ export function PoliciesChart({ data }: PoliciesChartProps) {
           data={chartData}
           dataKey="value"
           nameKey="name"
-          innerRadius={45}
-          outerRadius={62}
+          innerRadius={35}
+          outerRadius={50}
           paddingAngle={2}
           strokeWidth={2}
           cursor="pointer"
@@ -125,14 +125,14 @@ export function PoliciesChart({ data }: PoliciesChartProps) {
                       <tspan
                         x={viewBox.cx}
                         y={viewBox.cy}
-                        className="fill-foreground text-lg font-medium select-none"
+                        className="fill-foreground text-base font-medium select-none"
                       >
                         {data.published}%
                       </tspan>
                       <tspan
                         x={viewBox.cx}
-                        y={(viewBox.cy || 0) + 22}
-                        className="fill-muted-foreground text-[10px] select-none"
+                        y={(viewBox.cy || 0) + 18}
+                        className="fill-muted-foreground text-[9px] select-none"
                       >
                         Policies
                       </tspan>
@@ -140,7 +140,7 @@ export function PoliciesChart({ data }: PoliciesChartProps) {
                     <circle
                       cx={viewBox.cx}
                       cy={viewBox.cy}
-                      r={42}
+                      r={32}
                       fill="none"
                       stroke="hsl(var(--border))"
                       strokeWidth={1}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/components/TasksChart.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/components/TasksChart.tsx
index 3c7337c29..f582c33ee 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/components/TasksChart.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/components/TasksChart.tsx
@@ -31,7 +31,7 @@ export function TasksChart({ data }: TasksChartProps) {
     if (!data) return [];
     const items = [
       {
-        name: 'Done',
+        name: 'Compliant',
         value: data.done,
         fill: CHART_COLORS.done,
       },
@@ -71,10 +71,10 @@ export function TasksChart({ data }: TasksChartProps) {
   } satisfies ChartConfig;
 
   return (
-    <ChartContainer config={chartConfig} className="mx-auto h-[160px] max-w-[200px]">
+    <ChartContainer config={chartConfig} className="mx-auto h-[120px] max-w-[150px]">
       <PieChart
-        width={200}
-        height={160}
+        width={120}
+        height={120}
         margin={{
           top: 0,
           right: 0,
@@ -87,8 +87,8 @@ export function TasksChart({ data }: TasksChartProps) {
           data={chartData}
           dataKey="value"
           nameKey="name"
-          innerRadius={45}
-          outerRadius={62}
+          innerRadius={35}
+          outerRadius={50}
           paddingAngle={2}
           strokeWidth={2}
           cursor="pointer"
@@ -109,14 +109,14 @@ export function TasksChart({ data }: TasksChartProps) {
                       <tspan
                         x={viewBox.cx}
                         y={viewBox.cy}
-                        className="fill-foreground text-lg font-medium select-none"
+                        className="fill-foreground text-base font-medium select-none"
                       >
                         {data.done}%
                       </tspan>
                       <tspan
                         x={viewBox.cx}
-                        y={(viewBox.cy || 0) + 22}
-                        className="fill-muted-foreground text-[10px] select-none"
+                        y={(viewBox.cy || 0) + 18}
+                        className="fill-muted-foreground text-[9px] select-none"
                       >
                         Tasks
                       </tspan>
@@ -124,7 +124,7 @@ export function TasksChart({ data }: TasksChartProps) {
                     <circle
                       cx={viewBox.cx}
                       cy={viewBox.cy}
-                      r={42}
+                      r={32}
                       fill="none"
                       stroke="hsl(var(--border))"
                       strokeWidth={1}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/lib/getPeople.ts b/apps/app/src/app/(app)/[orgId]/frameworks/lib/getPeople.ts
new file mode 100644
index 000000000..b653bccfb
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/lib/getPeople.ts
@@ -0,0 +1,106 @@
+import { trainingVideos } from '@/lib/data/training-videos';
+import { getFleetInstance } from '@/lib/fleet';
+import { db } from '@db';
+
+export async function getPeopleScore(organizationId: string) {
+  // Get all active members (employees and contractors)
+  const allMembers = await db.member.findMany({
+    where: {
+      organizationId,
+      deactivated: false,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  // Filter to only employees and contractors
+  const employees = allMembers.filter((member) => {
+    const roles = member.role.includes(',') ? member.role.split(',') : [member.role];
+    return roles.includes('employee') || roles.includes('contractor');
+  });
+
+  if (employees.length === 0) {
+    return {
+      totalMembers: 0,
+      completedMembers: 0,
+    };
+  }
+
+  // Get all required policies (published, required to sign, not archived)
+  const requiredPolicies = await db.policy.findMany({
+    where: {
+      organizationId,
+      isRequiredToSign: true,
+      status: 'published',
+      isArchived: false,
+    },
+  });
+
+  // Get all training video completions for these employees
+  const trainingVideoCompletions = await db.employeeTrainingVideoCompletion.findMany({
+    where: {
+      memberId: {
+        in: employees.map((e) => e.id),
+      },
+    },
+  });
+
+  // Get required training video IDs (sat-1 through sat-5)
+  const requiredTrainingVideoIds = trainingVideos.map((video) => video.id);
+
+  // Get fleet instance for device checks
+  const fleet = await getFleetInstance();
+
+  // Check each employee's completion status
+  let completedMembers = 0;
+
+  for (const employee of employees) {
+    // 1. Check if all policies are accepted
+    const hasAcceptedAllPolicies =
+      requiredPolicies.length === 0 ||
+      requiredPolicies.every((policy) => policy.signedBy.includes(employee.id));
+
+    // 2. Check if all training videos are completed
+    const employeeVideoCompletions = trainingVideoCompletions.filter(
+      (completion) => completion.memberId === employee.id,
+    );
+    const completedVideoIds = employeeVideoCompletions
+      .filter((completion) => completion.completedAt !== null)
+      .map((completion) => completion.videoId);
+    const hasCompletedAllTraining = requiredTrainingVideoIds.every((videoId) =>
+      completedVideoIds.includes(videoId),
+    );
+
+    // 3. Check if device is secure
+    let hasSecureDevice = true;
+
+    if (employee.fleetDmLabelId) {
+      try {
+        const deviceResponse = await fleet.get(`/labels/${employee.fleetDmLabelId}/hosts`);
+        const device = deviceResponse.data.hosts?.[0];
+
+        if (device) {
+          const deviceWithPolicies = await fleet.get(`/hosts/${device.id}`);
+          const fleetPolicies = deviceWithPolicies.data.host.policies || [];
+          hasSecureDevice = fleetPolicies.every(
+            (policy: { response: string }) => policy.response === 'pass',
+          );
+        }
+      } catch (error) {
+        // If there's an error fetching device, consider it not secure
+        hasSecureDevice = false;
+      }
+    }
+
+    // Employee is "done" if all three conditions are met
+    if (hasAcceptedAllPolicies && hasCompletedAllTraining && hasSecureDevice) {
+      completedMembers++;
+    }
+  }
+
+  return {
+    totalMembers: employees.length,
+    completedMembers,
+  };
+}
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
index 7c87b44eb..02f00747e 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/page.tsx
@@ -6,6 +6,7 @@ import { cache } from 'react';
 import { Overview } from './components/Overview';
 import { getAllFrameworkInstancesWithControls } from './data/getAllFrameworkInstancesWithControls';
 import { getFrameworkWithComplianceScores } from './data/getFrameworkWithComplianceScores';
+import { getPeopleScore } from './lib/getPeople';
 import { getPublishedPoliciesScore } from './lib/getPolicies';
 import { getDoneTasks } from './lib/getTasks';
 
@@ -61,6 +62,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ orgI
 
   const publishedPoliciesScore = await getPublishedPoliciesScore(organizationId);
   const doneTasksScore = await getDoneTasks(organizationId);
+  const peopleScore = await getPeopleScore(organizationId);
 
   return (
     <Overview
@@ -70,6 +72,7 @@ export default async function DashboardPage({ params }: { params: Promise<{ orgI
       organizationId={organizationId}
       publishedPoliciesScore={publishedPoliciesScore}
       doneTasksScore={doneTasksScore}
+      peopleScore={peopleScore}
       currentMember={member}
     />
   );

From cb198331f0da3218939bd711fc1f31c29deb8158 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 13:24:37 -0500
Subject: [PATCH 6/7] [dev] [Marfuen] feat/auditor-view (#1835)

* feat(auditor): add auditor view page with AI-generated content

- Add new auditor page visible only to users with auditor role
- Implement role-based sidebar visibility (hide Settings/Integrations for auditor-only users)
- Add Trigger.dev task for generating auditor content sections
- Use Firecrawl for website scraping and GPT for content generation
- Add realtime progress tracking with useRealtimeRun hook
- Sections: Company Background, Services, Mission/Vision, System Description, Critical Vendors, Subservice Organizations

* chore(auditor): add layout and save content functionality for auditor view

- Create layout component for auditor view page
- Implement save action for auditor content with upsert functionality
- Enhance AuditorView component to handle content updates and display editable sections
- Integrate real-time content generation tracking and updates

* refactor(auditor): remove save-auditor-content action and update AuditorView

* refactor(auditor): simplify AuditorView component and remove orgId prop

* chore(organization): add actions for updating and removing organization logo

* refactor(onboarding): remove unnecessary blank line in backfill task

* feat(onboarding): add backfill queue for executive context task

* refactor(auditor): remove trigger-auditor-content action

* chore(onboarding): update message to reflect AI personalization

* chore(onboarding): update message to clarify AI personalization

* chore(env): add APP_AWS_ORG_ASSETS_BUCKET for organization static assets

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
---
 SELF_HOSTING.md                               |   2 +
 .../update-organization-logo-action.ts        | 112 +++++
 .../(overview)/components/AuditorView.tsx     | 179 ++++++++
 .../[orgId]/auditor/(overview)/layout.tsx     |   4 +
 .../(app)/[orgId]/auditor/(overview)/page.tsx | 140 ++++++
 apps/app/src/app/(app)/[orgId]/layout.tsx     |  17 +-
 apps/app/src/app/(app)/[orgId]/page.tsx       |  41 +-
 .../components/table/ContextColumns.tsx       | 342 +++++++++++++--
 .../src/app/(app)/[orgId]/settings/page.tsx   |  21 +
 .../src/app/(app)/onboarding/[orgId]/page.tsx |   8 +-
 .../onboarding/actions/complete-onboarding.ts |  11 +
 .../components/PostPaymentOnboarding.tsx      |  48 ++-
 .../hooks/usePostPaymentOnboarding.ts         |  51 ++-
 .../setup/components/OnboardingStepInput.tsx  | 276 ++++++++++--
 .../components/OrganizationSetupForm.tsx      |  48 ++-
 .../(app)/setup/hooks/useOnboardingForm.ts    |  13 +-
 apps/app/src/app/(app)/setup/lib/constants.ts |  33 +-
 apps/app/src/app/(app)/setup/lib/types.ts     |  14 +
 apps/app/src/app/s3.ts                        |   1 +
 .../organization/update-organization-logo.tsx | 173 ++++++++
 apps/app/src/components/main-menu.tsx         |  34 +-
 .../src/components/organization-switcher.tsx  |  35 +-
 apps/app/src/components/sidebar.tsx           |  56 ++-
 apps/app/src/env.mjs                          |   2 +
 .../tasks/auditor/generate-auditor-content.ts | 400 ++++++++++++++++++
 .../backfill-executive-context-all-orgs.ts    |  86 ++++
 .../backfill-executive-context-single-org.ts  |  83 ++++
 .../tasks/onboarding/onboard-organization.ts  |   7 +
 28 files changed, 2103 insertions(+), 134 deletions(-)
 create mode 100644 apps/app/src/actions/organization/update-organization-logo-action.ts
 create mode 100644 apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/auditor/(overview)/layout.tsx
 create mode 100644 apps/app/src/app/(app)/[orgId]/auditor/(overview)/page.tsx
 create mode 100644 apps/app/src/components/forms/organization/update-organization-logo.tsx
 create mode 100644 apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts
 create mode 100644 apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts
 create mode 100644 apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts

diff --git a/SELF_HOSTING.md b/SELF_HOSTING.md
index c33f1a28e..858cd7f43 100644
--- a/SELF_HOSTING.md
+++ b/SELF_HOSTING.md
@@ -46,6 +46,7 @@ App (`apps/app`):
 - **APP_AWS_REGION**, **APP_AWS_ACCESS_KEY_ID**, **APP_AWS_SECRET_ACCESS_KEY**, **APP_AWS_BUCKET_NAME**: AWS S3 credentials for file storage (attachments, general uploads).
 - **APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET**: AWS S3 bucket name specifically for questionnaire file uploads. Required for the Security Questionnaire feature. If not set, users will see an error when trying to parse questionnaires.
 - **APP_AWS_KNOWLEDGE_BASE_BUCKET**: AWS S3 bucket name specifically for knowledge base documents. Required for the Knowledge Base feature in Security Questionnaire. If not set, users will see an error when trying to upload knowledge base documents.
+- **APP_AWS_ORG_ASSETS_BUCKET**: AWS S3 bucket name for organization static assets (e.g., company logos). Required for logo uploads in organization settings. If not set, logo upload will fail.
 - **OPENAI_API_KEY**: Enables AI features that call OpenAI models.
 - **UPSTASH_REDIS_REST_URL**, **UPSTASH_REDIS_REST_TOKEN**: Optional Redis (Upstash) used for rate limiting/queues/caching.
 - **NEXT_PUBLIC_POSTHOG_KEY**, **NEXT_PUBLIC_POSTHOG_HOST**: Client analytics via PostHog; leave unset to disable.
@@ -153,6 +154,7 @@ NEXT_PUBLIC_BETTER_AUTH_URL_PORTAL=http://localhost:3002
 # APP_AWS_BUCKET_NAME=
 # APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET=
 # APP_AWS_KNOWLEDGE_BASE_BUCKET=
+# APP_AWS_ORG_ASSETS_BUCKET=
 # OPENAI_API_KEY=
 # UPSTASH_REDIS_REST_URL=
 # UPSTASH_REDIS_REST_TOKEN=
diff --git a/apps/app/src/actions/organization/update-organization-logo-action.ts b/apps/app/src/actions/organization/update-organization-logo-action.ts
new file mode 100644
index 000000000..dba929af9
--- /dev/null
+++ b/apps/app/src/actions/organization/update-organization-logo-action.ts
@@ -0,0 +1,112 @@
+'use server';
+
+import { authActionClient } from '@/actions/safe-action';
+import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
+import { GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { db } from '@db';
+import { revalidatePath } from 'next/cache';
+import { z } from 'zod';
+
+const updateLogoSchema = z.object({
+  fileName: z.string(),
+  fileType: z.string(),
+  fileData: z.string(), // base64 encoded
+});
+
+export const updateOrganizationLogoAction = authActionClient
+  .inputSchema(updateLogoSchema)
+  .metadata({
+    name: 'update-organization-logo',
+    track: {
+      event: 'update-organization-logo',
+      channel: 'server',
+    },
+  })
+  .action(async ({ parsedInput, ctx }) => {
+    const { fileName, fileType, fileData } = parsedInput;
+    const organizationId = ctx.session.activeOrganizationId;
+
+    if (!organizationId) {
+      throw new Error('No active organization');
+    }
+
+    // Validate file type
+    if (!fileType.startsWith('image/')) {
+      throw new Error('Only image files are allowed');
+    }
+
+    // Check S3 client
+    if (!s3Client || !APP_AWS_ORG_ASSETS_BUCKET) {
+      throw new Error('File upload service is not available');
+    }
+
+    // Convert base64 to buffer
+    const fileBuffer = Buffer.from(fileData, 'base64');
+
+    // Validate file size (2MB limit for logos)
+    const MAX_FILE_SIZE_BYTES = 2 * 1024 * 1024;
+    if (fileBuffer.length > MAX_FILE_SIZE_BYTES) {
+      throw new Error('Logo must be less than 2MB');
+    }
+
+    // Generate S3 key
+    const timestamp = Date.now();
+    const sanitizedFileName = fileName.replace(/[^a-zA-Z0-9.-]/g, '_');
+    const key = `${organizationId}/logo/${timestamp}-${sanitizedFileName}`;
+
+    // Upload to S3
+    const putCommand = new PutObjectCommand({
+      Bucket: APP_AWS_ORG_ASSETS_BUCKET,
+      Key: key,
+      Body: fileBuffer,
+      ContentType: fileType,
+    });
+    await s3Client.send(putCommand);
+
+    // Update organization with new logo key
+    await db.organization.update({
+      where: { id: organizationId },
+      data: { logo: key },
+    });
+
+    // Generate signed URL for immediate display
+    const getCommand = new GetObjectCommand({
+      Bucket: APP_AWS_ORG_ASSETS_BUCKET,
+      Key: key,
+    });
+    const signedUrl = await getSignedUrl(s3Client, getCommand, {
+      expiresIn: 3600,
+    });
+
+    revalidatePath(`/${organizationId}/settings`);
+
+    return { success: true, logoUrl: signedUrl };
+  });
+
+export const removeOrganizationLogoAction = authActionClient
+  .inputSchema(z.object({}))
+  .metadata({
+    name: 'remove-organization-logo',
+    track: {
+      event: 'remove-organization-logo',
+      channel: 'server',
+    },
+  })
+  .action(async ({ ctx }) => {
+    const organizationId = ctx.session.activeOrganizationId;
+
+    if (!organizationId) {
+      throw new Error('No active organization');
+    }
+
+    // Remove logo from organization
+    await db.organization.update({
+      where: { id: organizationId },
+      data: { logo: null },
+    });
+
+    revalidatePath(`/${organizationId}/settings`);
+
+    return { success: true };
+  });
diff --git a/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
new file mode 100644
index 000000000..f990ac7cf
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/components/AuditorView.tsx
@@ -0,0 +1,179 @@
+'use client';
+
+import { Download } from 'lucide-react';
+import Image from 'next/image';
+
+interface AuditorViewProps {
+  initialContent: Record<string, string>;
+  organizationName: string;
+  logoUrl: string | null;
+  employeeCount: string | null;
+  cSuite: { name: string; title: string }[];
+  reportSignatory: { fullName: string; jobTitle: string; email: string } | null;
+}
+
+export function AuditorView({
+  initialContent,
+  organizationName,
+  logoUrl,
+  employeeCount,
+  cSuite,
+  reportSignatory,
+}: AuditorViewProps) {
+  return (
+    <div className="flex flex-col gap-10">
+      {/* Header */}
+      <div className="flex items-center gap-4">
+        {logoUrl && (
+          <a
+            href={logoUrl}
+            download={`${organizationName.replace(/[^a-zA-Z0-9]/g, '_')}_logo`}
+            className="group relative h-14 w-14 shrink-0 overflow-hidden rounded-lg border bg-background transition-all hover:shadow-md"
+            title="Download logo"
+          >
+            <Image src={logoUrl} alt={`${organizationName} logo`} fill className="object-contain" />
+            <div className="absolute inset-0 flex items-center justify-center bg-black/50 opacity-0 transition-opacity group-hover:opacity-100">
+              <Download className="h-4 w-4 text-white" />
+            </div>
+          </a>
+        )}
+        <div>
+          <h1 className="text-foreground text-xl font-semibold tracking-tight">
+            {organizationName}
+          </h1>
+          <p className="text-muted-foreground text-sm">Company Overview</p>
+        </div>
+      </div>
+
+      {/* Company Information */}
+      <Section title="Company Information">
+        <div className="grid gap-6 sm:grid-cols-2 lg:grid-cols-3">
+          <InfoCell
+            label="Employees"
+            value={employeeCount || '—'}
+            className="lg:border-r lg:border-border lg:pr-6"
+          />
+          <InfoCell
+            label="Report Signatory"
+            className="lg:border-r lg:border-border lg:pr-6"
+            value={
+              reportSignatory ? (
+                <div>
+                  <div className="flex items-baseline gap-2">
+                    <span className="font-medium">{reportSignatory.fullName}</span>
+                    <span className="text-muted-foreground text-xs">
+                      {reportSignatory.jobTitle}
+                    </span>
+                  </div>
+                  <div className="text-muted-foreground text-xs mt-0.5">
+                    {reportSignatory.email}
+                  </div>
+                </div>
+              ) : (
+                '—'
+              )
+            }
+          />
+          <InfoCell
+            label="Executive Team"
+            className="sm:col-span-2 lg:col-span-1"
+            value={
+              cSuite.length > 0 ? (
+                <div className="space-y-1">
+                  {cSuite.map((exec, i) => (
+                    <div key={i} className="flex items-baseline gap-2 text-sm">
+                      <span className="font-medium">{exec.name}</span>
+                      <span className="text-muted-foreground text-xs">{exec.title}</span>
+                    </div>
+                  ))}
+                </div>
+              ) : (
+                '—'
+              )
+            }
+          />
+        </div>
+      </Section>
+
+      {/* Business Overview */}
+      <Section title="Business Overview">
+        <div className="space-y-6">
+          <ContentRow
+            title="Company Background & Overview of Operations"
+            content={initialContent['Company Background & Overview of Operations']}
+          />
+          <ContentRow
+            title="Types of Services Provided"
+            content={initialContent['Types of Services Provided']}
+          />
+          <ContentRow title="Mission & Vision" content={initialContent['Mission & Vision']} />
+        </div>
+      </Section>
+
+      {/* System Architecture */}
+      <Section title="System Architecture">
+        <ContentRow title="System Description" content={initialContent['System Description']} />
+      </Section>
+
+      {/* Third Party Dependencies */}
+      <Section title="Third Party Dependencies">
+        <div className="grid gap-6 lg:grid-cols-2">
+          <ContentRow title="Critical Vendors" content={initialContent['Critical Vendors']} />
+          <ContentRow
+            title="Subservice Organizations"
+            content={initialContent['Subservice Organizations']}
+          />
+        </div>
+      </Section>
+    </div>
+  );
+}
+
+function Section({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <div className="space-y-4">
+      <div className="flex items-center gap-3 border-b border-border pb-2">
+        <h2 className="text-xs font-medium uppercase tracking-wider text-muted-foreground">
+          {title}
+        </h2>
+      </div>
+      {children}
+    </div>
+  );
+}
+
+function InfoCell({
+  label,
+  value,
+  className,
+}: {
+  label: string;
+  value: React.ReactNode;
+  className?: string;
+}) {
+  return (
+    <div className={className || ''}>
+      <div className="text-[11px] font-medium uppercase tracking-wider text-muted-foreground mb-1.5">
+        {label}
+      </div>
+      <div className="text-sm text-foreground">{value}</div>
+    </div>
+  );
+}
+
+function ContentRow({ title, content }: { title: string; content?: string }) {
+  const hasContent = content?.trim().length;
+
+  return (
+    <div className="space-y-1.5">
+      <h3 className="text-sm font-medium text-foreground">{title}</h3>
+      {hasContent ? (
+        <p className="text-sm leading-relaxed text-muted-foreground whitespace-pre-wrap">
+          {content}
+        </p>
+      ) : (
+        <p className="text-xs text-muted-foreground/50">Not yet available</p>
+      )}
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/auditor/(overview)/layout.tsx b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/layout.tsx
new file mode 100644
index 000000000..b63d72119
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/layout.tsx
@@ -0,0 +1,4 @@
+export default function Layout({ children }: { children: React.ReactNode }) {
+  return <div className="m-auto max-w-[1200px] py-8">{children}</div>;
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/auditor/(overview)/page.tsx b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/page.tsx
new file mode 100644
index 000000000..73ea7608b
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/auditor/(overview)/page.tsx
@@ -0,0 +1,140 @@
+import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
+import PageWithBreadcrumb from '@/components/pages/PageWithBreadcrumb';
+import { auth } from '@/utils/auth';
+import { GetObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
+import { db, Role } from '@db';
+import type { Metadata } from 'next';
+import { headers } from 'next/headers';
+import { notFound, redirect } from 'next/navigation';
+import { AuditorView } from './components/AuditorView';
+
+// Helper to safely parse comma-separated roles string
+function parseRolesString(rolesStr: string | null | undefined): Role[] {
+  if (!rolesStr) return [];
+  return rolesStr
+    .split(',')
+    .map((r) => r.trim())
+    .filter((r) => r in Role) as Role[];
+}
+
+export async function generateMetadata(): Promise<Metadata> {
+  return {
+    title: 'Auditor View',
+  };
+}
+
+export default async function AuditorPage({ params }: { params: Promise<{ orgId: string }> }) {
+  const { orgId: organizationId } = await params;
+
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session) {
+    redirect('/auth');
+  }
+
+  const member = await db.member.findFirst({
+    where: {
+      userId: session.user.id,
+      organizationId,
+      deactivated: false,
+    },
+  });
+
+  if (!member) {
+    redirect('/auth/unauthorized');
+  }
+
+  const roles = parseRolesString(member.role);
+  if (!roles.includes(Role.auditor)) {
+    notFound();
+  }
+
+  // Fetch organization for name and logo
+  const organization = await db.organization.findUnique({
+    where: { id: organizationId },
+    select: { name: true, logo: true },
+  });
+
+  // Get signed URL for logo if it exists
+  let logoUrl: string | null = null;
+  if (organization?.logo && s3Client && APP_AWS_ORG_ASSETS_BUCKET) {
+    try {
+      const command = new GetObjectCommand({
+        Bucket: APP_AWS_ORG_ASSETS_BUCKET,
+        Key: organization.logo,
+      });
+      logoUrl = await getSignedUrl(s3Client, command, { expiresIn: 3600 });
+    } catch {
+      // Logo not available
+    }
+  }
+
+  // All context questions we need
+  const CONTEXT_QUESTIONS = [
+    // AI-generated sections
+    'Company Background & Overview of Operations',
+    'Types of Services Provided',
+    'Mission & Vision',
+    'System Description',
+    'Critical Vendors',
+    'Subservice Organizations',
+    // Onboarding data
+    'How many employees do you have?',
+    'Who are your C-Suite executives?',
+    'Who will sign off on the final report?',
+  ];
+
+  // Load existing content from Context
+  const existingContext = await db.context.findMany({
+    where: {
+      organizationId,
+      question: { in: CONTEXT_QUESTIONS },
+    },
+  });
+
+  // Map question -> answer for the frontend
+  const initialContent: Record<string, string> = {};
+  for (const item of existingContext) {
+    initialContent[item.question] = item.answer;
+  }
+
+  // Parse structured data
+  let cSuiteData: { name: string; title: string }[] = [];
+  let signatoryData: { fullName: string; jobTitle: string; email: string } | null = null;
+
+  try {
+    const cSuiteRaw = initialContent['Who are your C-Suite executives?'];
+    if (cSuiteRaw) {
+      cSuiteData = JSON.parse(cSuiteRaw);
+    }
+  } catch {
+    // Invalid JSON
+  }
+
+  try {
+    const signatoryRaw = initialContent['Who will sign off on the final report?'];
+    if (signatoryRaw) {
+      signatoryData = JSON.parse(signatoryRaw);
+    }
+  } catch {
+    // Invalid JSON
+  }
+
+  return (
+    <PageWithBreadcrumb
+      breadcrumbs={[{ label: 'Auditor View', href: `/${organizationId}/auditor`, current: true }]}
+    >
+      <AuditorView
+        initialContent={initialContent}
+        organizationName={organization?.name ?? 'Organization'}
+        logoUrl={logoUrl}
+        employeeCount={initialContent['How many employees do you have?'] || null}
+        cSuite={cSuiteData}
+        reportSignatory={signatoryData}
+      />
+    </PageWithBreadcrumb>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/layout.tsx b/apps/app/src/app/(app)/[orgId]/layout.tsx
index 50cc6268c..99d1b69ea 100644
--- a/apps/app/src/app/(app)/[orgId]/layout.tsx
+++ b/apps/app/src/app/(app)/[orgId]/layout.tsx
@@ -6,7 +6,7 @@ import { Sidebar } from '@/components/sidebar';
 import { TriggerTokenProvider } from '@/components/trigger-token-provider';
 import { SidebarProvider } from '@/context/sidebar-context';
 import { auth } from '@/utils/auth';
-import { db } from '@db';
+import { db, Role } from '@db';
 import dynamic from 'next/dynamic';
 import { cookies, headers } from 'next/headers';
 import { redirect } from 'next/navigation';
@@ -15,6 +15,15 @@ import { ConditionalOnboardingTracker } from './components/ConditionalOnboarding
 import { ConditionalPaddingWrapper } from './components/ConditionalPaddingWrapper';
 import { DynamicMinHeight } from './components/DynamicMinHeight';
 
+// Helper to safely parse comma-separated roles string
+function parseRolesString(rolesStr: string | null | undefined): Role[] {
+  if (!rolesStr) return [];
+  return rolesStr
+    .split(',')
+    .map((r) => r.trim())
+    .filter((r) => r in Role) as Role[];
+}
+
 const HotKeys = dynamic(() => import('@/components/hot-keys').then((mod) => mod.HotKeys), {
   ssr: true,
 });
@@ -65,7 +74,11 @@ export default async function Layout({
     return redirect('/auth/unauthorized');
   }
 
-  if (member.role === 'employee' || member.role === 'contractor') {
+  const roles = parseRolesString(member.role);
+  const hasAccess =
+    roles.includes(Role.owner) || roles.includes(Role.admin) || roles.includes(Role.auditor);
+
+  if (!hasAccess) {
     return redirect('/no-access');
   }
 
diff --git a/apps/app/src/app/(app)/[orgId]/page.tsx b/apps/app/src/app/(app)/[orgId]/page.tsx
index 19e28e12d..0d4d803ab 100644
--- a/apps/app/src/app/(app)/[orgId]/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/page.tsx
@@ -1,7 +1,46 @@
+import { auth } from '@/utils/auth';
+import { db, Role } from '@db';
+import { headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 
+// Helper to safely parse comma-separated roles string
+function parseRolesString(rolesStr: string | null | undefined): Role[] {
+  if (!rolesStr) return [];
+  return rolesStr
+    .split(',')
+    .map((r) => r.trim())
+    .filter((r) => r in Role) as Role[];
+}
+
 export default async function DashboardPage({ params }: { params: Promise<{ orgId: string }> }) {
-  const organizationId = (await params).orgId;
+  const { orgId: organizationId } = await params;
+
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (session?.user?.id) {
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId,
+        deactivated: false,
+      },
+      select: { role: true },
+    });
+
+    if (member?.role) {
+      const roles = parseRolesString(member.role);
+      // Redirect to auditor view if user has auditor role but not admin or owner
+      if (
+        roles.includes(Role.auditor) &&
+        !roles.includes(Role.admin) &&
+        !roles.includes(Role.owner)
+      ) {
+        return redirect(`/${organizationId}/auditor`);
+      }
+    }
+  }
 
   return redirect(`/${organizationId}/frameworks`);
 }
diff --git a/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx b/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
index 05e6c2eed..7f3d74605 100644
--- a/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
+++ b/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
@@ -1,4 +1,7 @@
+'use client';
+
 import { deleteContextEntryAction } from '@/actions/context-hub/delete-context-entry-action';
+import { updateContextEntryAction } from '@/actions/context-hub/update-context-entry-action';
 import { DataTableColumnHeader } from '@/components/data-table/data-table-column-header';
 import { isJSON } from '@/lib/utils';
 import {
@@ -13,29 +16,309 @@ import {
   AlertDialogTrigger,
 } from '@comp/ui/alert-dialog';
 import { Button } from '@comp/ui/button';
+import { Textarea } from '@comp/ui/textarea';
 import type { Context } from '@db';
 import type { ColumnDef } from '@tanstack/react-table';
-import { Trash2 } from 'lucide-react';
+import { Check, Loader2, Pencil, Trash2 } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
-import { useState } from 'react';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { toast } from 'sonner';
+
+// Question cell (read-only display)
+function QuestionCell({ context }: { context: Context }) {
+  return <span>{context.question}</span>;
+}
+
+// Editable answer cell - click to edit
+function EditableAnswerCell({ context }: { context: Context }) {
+  const [isEditing, setIsEditing] = useState(false);
+  const [value, setValue] = useState(context.answer);
+  const [structuredValue, setStructuredValue] = useState<Record<string, string> | null>(null);
+  const [arrayValue, setArrayValue] = useState<Record<string, string>[] | null>(null);
+  const textareaRef = useRef<HTMLTextAreaElement>(null);
+
+  const { execute, status } = useAction(updateContextEntryAction, {
+    onSuccess: () => {
+      setIsEditing(false);
+      toast.success('Answer updated');
+    },
+    onError: () => {
+      setValue(context.answer);
+      toast.error('Failed to update answer');
+    },
+  });
+
+  // Parse structured data when entering edit mode
+  useEffect(() => {
+    if (isEditing && isJSON(context.answer)) {
+      const parsed = JSON.parse(context.answer);
+      if (Array.isArray(parsed)) {
+        setArrayValue(parsed);
+        setStructuredValue(null);
+      } else if (typeof parsed === 'object') {
+        setStructuredValue(parsed);
+        setArrayValue(null);
+      }
+    }
+  }, [isEditing, context.answer]);
+
+  useEffect(() => {
+    if (isEditing && textareaRef.current && !structuredValue && !arrayValue) {
+      textareaRef.current.focus();
+      textareaRef.current.select();
+    }
+  }, [isEditing, structuredValue, arrayValue]);
+
+  // Reset value when context changes
+  useEffect(() => {
+    setValue(context.answer);
+  }, [context.answer]);
+
+  const handleSave = useCallback(() => {
+    let finalValue = value;
+
+    // Convert structured data back to JSON
+    if (arrayValue) {
+      finalValue = JSON.stringify(arrayValue);
+    } else if (structuredValue) {
+      finalValue = JSON.stringify(structuredValue);
+    }
+
+    if (finalValue.trim() && finalValue !== context.answer) {
+      execute({ id: context.id, question: context.question, answer: finalValue });
+    } else {
+      setIsEditing(false);
+      setValue(context.answer);
+    }
+  }, [value, arrayValue, structuredValue, context.answer, context.id, context.question, execute]);
+
+  const handleCancel = useCallback(() => {
+    setValue(context.answer);
+    setStructuredValue(null);
+    setArrayValue(null);
+    setIsEditing(false);
+  }, [context.answer]);
+
+  // Update a field in structured object
+  const updateStructuredField = (key: string, newValue: string) => {
+    if (structuredValue) {
+      setStructuredValue({ ...structuredValue, [key]: newValue });
+    }
+  };
+
+  // Update a field in array item
+  const updateArrayItem = (index: number, key: string, newValue: string) => {
+    if (arrayValue) {
+      const newArray = [...arrayValue];
+      newArray[index] = { ...newArray[index], [key]: newValue };
+      setArrayValue(newArray);
+    }
+  };
+
+  // Add new item to array
+  const addArrayItem = () => {
+    if (arrayValue && arrayValue.length > 0) {
+      // Clone the structure of the first item with empty values
+      const template = Object.keys(arrayValue[0]).reduce(
+        (acc, key) => ({ ...acc, [key]: '' }),
+        {},
+      );
+      setArrayValue([...arrayValue, template]);
+    }
+  };
+
+  // Remove item from array
+  const removeArrayItem = (index: number) => {
+    if (arrayValue && arrayValue.length > 1) {
+      setArrayValue(arrayValue.filter((_, i) => i !== index));
+    }
+  };
+
+  if (isEditing) {
+    // Render array editor (like cSuite)
+    if (arrayValue) {
+      const keys = arrayValue.length > 0 ? Object.keys(arrayValue[0]) : [];
+      return (
+        <div className="flex flex-col gap-3">
+          <div className="space-y-2">
+            {arrayValue.map((item, index) => (
+              <div key={index} className="flex items-center gap-2 p-2 rounded-md bg-muted/30">
+                {keys.map((key) => (
+                  <input
+                    key={key}
+                    type="text"
+                    value={item[key] || ''}
+                    onChange={(e) => updateArrayItem(index, key, e.target.value)}
+                    placeholder={key}
+                    className="flex-1 px-2 py-1 text-sm rounded border border-input bg-background"
+                    disabled={status === 'executing'}
+                  />
+                ))}
+                {arrayValue.length > 1 && (
+                  <Button
+                    type="button"
+                    variant="ghost"
+                    size="icon"
+                    className="h-7 w-7 text-muted-foreground hover:text-destructive"
+                    onClick={() => removeArrayItem(index)}
+                    disabled={status === 'executing'}
+                  >
+                    <Trash2 className="h-3.5 w-3.5" />
+                  </Button>
+                )}
+              </div>
+            ))}
+          </div>
+          <Button
+            type="button"
+            variant="outline"
+            size="sm"
+            onClick={addArrayItem}
+            disabled={status === 'executing'}
+            className="w-fit"
+          >
+            + Add Item
+          </Button>
+          <div className="flex items-center gap-2">
+            <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+              Cancel
+            </Button>
+            <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
+              {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+              Save
+            </Button>
+          </div>
+        </div>
+      );
+    }
+
+    // Render object editor (like reportSignatory)
+    if (structuredValue) {
+      return (
+        <div className="flex flex-col gap-3">
+          <div className="space-y-2">
+            {Object.entries(structuredValue).map(([key, val]) => (
+              <div key={key} className="flex items-center gap-2">
+                <label className="text-xs font-medium text-muted-foreground capitalize w-20 shrink-0">
+                  {key}
+                </label>
+                <input
+                  type="text"
+                  value={val || ''}
+                  onChange={(e) => updateStructuredField(key, e.target.value)}
+                  className="flex-1 px-2 py-1 text-sm rounded border border-input bg-background"
+                  disabled={status === 'executing'}
+                />
+              </div>
+            ))}
+          </div>
+          <div className="flex items-center gap-2">
+            <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+              Cancel
+            </Button>
+            <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
+              {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+              Save
+            </Button>
+          </div>
+        </div>
+      );
+    }
+
+    // Render plain text editor
+    return (
+      <div className="flex flex-col gap-2">
+        <Textarea
+          ref={textareaRef}
+          value={value}
+          onChange={(e) => setValue(e.target.value)}
+          className="min-h-[100px] text-sm"
+          disabled={status === 'executing'}
+        />
+        <div className="flex items-center gap-2">
+          <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+            Cancel
+          </Button>
+          <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
+            {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+            Save
+          </Button>
+        </div>
+      </div>
+    );
+  }
+
+  // Render clickable content with hover state
+  const renderContent = () => {
+    if (isJSON(context.answer)) {
+      const parsed = JSON.parse(context.answer);
+
+      // Handle arrays (like cSuite)
+      if (Array.isArray(parsed)) {
+        if (parsed.length === 0) {
+          return <span className="text-muted-foreground/60 italic">Empty list</span>;
+        }
+        return (
+          <div className="space-y-1">
+            {parsed.map((item, index) => (
+              <div key={index} className="text-sm">
+                {typeof item === 'object'
+                  ? Object.entries(item)
+                      .filter(([, v]) => !!v)
+                      .map(([, v]) => `${v}`)
+                      .join(' — ')
+                  : String(item)}
+              </div>
+            ))}
+          </div>
+        );
+      }
+
+      // Handle objects (like reportSignatory, shipping)
+      return (
+        <div className="space-y-0.5">
+          {Object.entries(parsed)
+            .filter(([, val]) => !!val)
+            .map(([key, val]) => (
+              <div key={key} className="text-sm">
+                <span className="font-medium capitalize">{key}: </span>
+                <span>{typeof val === 'object' ? JSON.stringify(val) : String(val)}</span>
+              </div>
+            ))}
+        </div>
+      );
+    }
+    return <span className="line-clamp-3">{context.answer}</span>;
+  };
+
+  return (
+    <div
+      className="group relative cursor-pointer rounded-xs px-2 py-1.5 -mx-2 -my-1.5 hover:bg-muted/50 transition-colors"
+      onClick={() => setIsEditing(true)}
+    >
+      <div className="pr-6">{renderContent()}</div>
+      <Pencil className="absolute right-2 top-1/2 -translate-y-1/2 h-3.5 w-3.5 text-muted-foreground opacity-0 group-hover:opacity-100 transition-opacity" />
+    </div>
+  );
+}
+
+// Delete button cell
+function DeleteCell({ context }: { context: Context }) {
+  const [deleteOpen, setDeleteOpen] = useState(false);
 
-// Extract the cell content into a separate component
-function ContextDeleteCell({ context }: { context: Context }) {
-  const [open, setOpen] = useState(false);
   const { execute, status } = useAction(deleteContextEntryAction, {
     onSuccess: () => {
-      setOpen(false);
+      setDeleteOpen(false);
     },
   });
 
   return (
-    <AlertDialog open={open} onOpenChange={setOpen}>
+    <AlertDialog open={deleteOpen} onOpenChange={setDeleteOpen}>
       <AlertDialogTrigger asChild>
         <Button
           variant="ghost"
           size="icon"
           className="text-destructive hover:bg-destructive/10"
-          onClick={() => setOpen(true)}
         >
           <Trash2 className="h-4 w-4" />
         </Button>
@@ -67,11 +350,11 @@ export const columns = (): ColumnDef<Context>[] => [
     id: 'question',
     accessorKey: 'question',
     header: ({ column }) => <DataTableColumnHeader column={column} title="Question" />,
-    cell: ({ row }) => <span>{row.original.question}</span>,
+    cell: ({ row }) => <QuestionCell context={row.original} />,
     meta: { label: 'Question', variant: 'text' },
-    size: 200,
+    size: 250,
     minSize: 200,
-    maxSize: 200,
+    maxSize: 300,
     enableColumnFilter: true,
     enableSorting: true,
   },
@@ -79,39 +362,22 @@ export const columns = (): ColumnDef<Context>[] => [
     id: 'answer',
     accessorKey: 'answer',
     header: ({ column }) => <DataTableColumnHeader column={column} title="Answer" />,
-    cell: ({ row }) => {
-      if (isJSON(row.original.answer)) {
-        return (
-          <span>
-            {Object.entries(JSON.parse(row.original.answer))
-              .filter(([key, value]) => !!value)
-              .map(([key, value]) => (
-                <div key={key}>
-                  <span className="font-medium capitalize">{key}:</span>
-                  <span>{value as string}</span>
-                </div>
-              ))}
-          </span>
-        );
-      }
-
-      return <span>{row.original.answer}</span>;
-    },
+    cell: ({ row }) => <EditableAnswerCell context={row.original} />,
     meta: { label: 'Answer' },
     enableColumnFilter: true,
     enableSorting: false,
-    size: 300,
-    minSize: 200,
-    maxSize: 400,
+    size: 400,
+    minSize: 300,
+    maxSize: 500,
   },
   {
-    id: 'delete',
-    header: () => <span>Delete</span>,
-    cell: ({ row }) => <ContextDeleteCell context={row.original} />,
-    meta: { label: 'Delete' },
+    id: 'actions',
+    header: () => <span className="sr-only">Actions</span>,
+    cell: ({ row }) => <DeleteCell context={row.original} />,
+    meta: { label: 'Actions' },
     enableColumnFilter: false,
     enableSorting: false,
-    size: 20,
-    minSize: 20,
+    size: 50,
+    minSize: 50,
   },
 ];
diff --git a/apps/app/src/app/(app)/[orgId]/settings/page.tsx b/apps/app/src/app/(app)/[orgId]/settings/page.tsx
index 4e4a00f92..05d76f58b 100644
--- a/apps/app/src/app/(app)/[orgId]/settings/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/settings/page.tsx
@@ -1,8 +1,12 @@
+import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
 import { DeleteOrganization } from '@/components/forms/organization/delete-organization';
 import { UpdateOrganizationAdvancedMode } from '@/components/forms/organization/update-organization-advanced-mode';
+import { UpdateOrganizationLogo } from '@/components/forms/organization/update-organization-logo';
 import { UpdateOrganizationName } from '@/components/forms/organization/update-organization-name';
 import { UpdateOrganizationWebsite } from '@/components/forms/organization/update-organization-website';
 import { auth } from '@/utils/auth';
+import { GetObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { db } from '@db';
 import type { Metadata } from 'next';
 import { headers } from 'next/headers';
@@ -10,11 +14,13 @@ import { cache } from 'react';
 
 export default async function OrganizationSettings() {
   const organization = await organizationDetails();
+  const logoUrl = await getLogoUrl(organization?.logo);
 
   return (
     <div className="space-y-4">
       <UpdateOrganizationName organizationName={organization?.name ?? ''} />
       <UpdateOrganizationWebsite organizationWebsite={organization?.website ?? ''} />
+      <UpdateOrganizationLogo currentLogoUrl={logoUrl} />
       <UpdateOrganizationAdvancedMode
         advancedModeEnabled={organization?.advancedModeEnabled ?? false}
       />
@@ -23,6 +29,20 @@ export default async function OrganizationSettings() {
   );
 }
 
+async function getLogoUrl(logoKey: string | null | undefined): Promise<string | null> {
+  if (!logoKey || !s3Client || !APP_AWS_ORG_ASSETS_BUCKET) return null;
+
+  try {
+    const command = new GetObjectCommand({
+      Bucket: APP_AWS_ORG_ASSETS_BUCKET,
+      Key: logoKey,
+    });
+    return await getSignedUrl(s3Client, command, { expiresIn: 3600 });
+  } catch {
+    return null;
+  }
+}
+
 export async function generateMetadata(): Promise<Metadata> {
   return {
     title: 'Settings',
@@ -45,6 +65,7 @@ const organizationDetails = cache(async () => {
       id: true,
       website: true,
       advancedModeEnabled: true,
+      logo: true,
     },
   });
 
diff --git a/apps/app/src/app/(app)/onboarding/[orgId]/page.tsx b/apps/app/src/app/(app)/onboarding/[orgId]/page.tsx
index a8a5e59ce..effe7ca65 100644
--- a/apps/app/src/app/(app)/onboarding/[orgId]/page.tsx
+++ b/apps/app/src/app/(app)/onboarding/[orgId]/page.tsx
@@ -92,5 +92,11 @@ export default async function OnboardingPage({ params }: OnboardingPageProps) {
   }
 
   // We'll use a modified version that starts at step 3
-  return <PostPaymentOnboarding organization={organization} initialData={initialData} />;
+  return (
+    <PostPaymentOnboarding
+      organization={organization}
+      initialData={initialData}
+      userEmail={session.user.email}
+    />
+  );
 }
diff --git a/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts b/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
index 42dd4b20d..7419445f6 100644
--- a/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
+++ b/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
@@ -16,6 +16,17 @@ const onboardingCompletionSchema = z.object({
   describe: z.string().min(1).max(300),
   industry: z.string().min(1),
   teamSize: z.string().min(1),
+  cSuite: z.array(
+    z.object({
+      name: z.string(),
+      title: z.string(),
+    }),
+  ),
+  reportSignatory: z.object({
+    fullName: z.string(),
+    jobTitle: z.string(),
+    email: z.string(),
+  }),
   devices: z.string().min(1),
   authentication: z.string().min(1),
   software: z.string().min(1),
diff --git a/apps/app/src/app/(app)/onboarding/components/PostPaymentOnboarding.tsx b/apps/app/src/app/(app)/onboarding/components/PostPaymentOnboarding.tsx
index 9af1b2431..9808ada47 100644
--- a/apps/app/src/app/(app)/onboarding/components/PostPaymentOnboarding.tsx
+++ b/apps/app/src/app/(app)/onboarding/components/PostPaymentOnboarding.tsx
@@ -15,11 +15,13 @@ import { usePostPaymentOnboarding } from '../hooks/usePostPaymentOnboarding';
 interface PostPaymentOnboardingProps {
   organization: Organization;
   initialData?: Record<string, any>;
+  userEmail?: string;
 }
 
 export function PostPaymentOnboarding({
   organization,
   initialData = {},
+  userEmail,
 }: PostPaymentOnboardingProps) {
   const {
     stepIndex,
@@ -40,6 +42,7 @@ export function PostPaymentOnboarding({
     organizationId: organization.id,
     organizationName: organization.name,
     initialData,
+    userEmail,
   });
 
   const isLocal = useMemo(() => {
@@ -133,23 +136,34 @@ export function PostPaymentOnboarding({
                   className="w-full"
                   autoComplete="off"
                 >
-                  <FormField
-                    name={step.key}
-                    render={({ field }) => (
-                      <FormItem>
-                        <FormControl>
-                          <OnboardingStepInput
-                            currentStep={step}
-                            form={form}
-                            savedAnswers={savedAnswers}
-                          />
-                        </FormControl>
-                        <div className="min-h-[20px]">
-                          <FormMessage />
-                        </div>
-                      </FormItem>
-                    )}
-                  />
+                  {/* Complex fields handle their own validation UI */}
+                  {step.key === 'reportSignatory' ||
+                  step.key === 'shipping' ||
+                  step.key === 'cSuite' ? (
+                    <OnboardingStepInput
+                      currentStep={step}
+                      form={form}
+                      savedAnswers={savedAnswers}
+                    />
+                  ) : (
+                    <FormField
+                      name={step.key}
+                      render={({ field }) => (
+                        <FormItem>
+                          <FormControl>
+                            <OnboardingStepInput
+                              currentStep={step}
+                              form={form}
+                              savedAnswers={savedAnswers}
+                            />
+                          </FormControl>
+                          <div className="min-h-[20px]">
+                            <FormMessage />
+                          </div>
+                        </FormItem>
+                      )}
+                    />
+                  )}
                 </form>
               </Form>
             </AnimatedWrapper>
diff --git a/apps/app/src/app/(app)/onboarding/hooks/usePostPaymentOnboarding.ts b/apps/app/src/app/(app)/onboarding/hooks/usePostPaymentOnboarding.ts
index e9677d8e2..f0ae7f142 100644
--- a/apps/app/src/app/(app)/onboarding/hooks/usePostPaymentOnboarding.ts
+++ b/apps/app/src/app/(app)/onboarding/hooks/usePostPaymentOnboarding.ts
@@ -8,7 +8,7 @@ import { trackEvent, trackOnboardingEvent } from '@/utils/tracking';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useAction } from 'next-safe-action/hooks';
 import { useRouter } from 'next/navigation';
-import { useEffect, useState } from 'react';
+import { useEffect, useMemo, useState } from 'react';
 import { useForm } from 'react-hook-form';
 import { toast } from 'sonner';
 import { z } from 'zod';
@@ -18,21 +18,41 @@ interface UsePostPaymentOnboardingProps {
   organizationId: string;
   organizationName: string;
   initialData?: Record<string, any>;
+  userEmail?: string;
 }
 
 const showShippingStep = process.env.NEXT_PUBLIC_APP_ENV !== 'staging';
-// Use steps 4-12 (post-payment steps)
-const postPaymentSteps = showShippingStep
-  ? steps.slice(3)
-  : steps.slice(3).filter((step) => step.key !== 'shipping');
+
+// Filter steps based on environment and user
+function getPostPaymentSteps(userEmail?: string) {
+  let filteredSteps = steps.slice(3);
+
+  // Hide shipping step in staging
+  if (!showShippingStep) {
+    filteredSteps = filteredSteps.filter((step) => step.key !== 'shipping');
+  }
+
+  // Hide cSuite and reportSignatory for @trycomp.ai users
+  if (userEmail?.includes('@trycomp.ai')) {
+    filteredSteps = filteredSteps.filter(
+      (step) => step.key !== 'cSuite' && step.key !== 'reportSignatory',
+    );
+  }
+
+  return filteredSteps;
+}
 
 export function usePostPaymentOnboarding({
   organizationId,
   organizationName,
   initialData = {},
+  userEmail,
 }: UsePostPaymentOnboardingProps) {
   const router = useRouter();
 
+  // Get filtered steps based on user
+  const postPaymentSteps = useMemo(() => getPostPaymentSteps(userEmail), [userEmail]);
+
   // Create storage keys specific to this organization
   const storageKey = `onboarding-progress-${organizationId}`;
   const stepStorageKey = `onboarding-step-${organizationId}`;
@@ -67,7 +87,7 @@ export function usePostPaymentOnboarding({
 
     setStepIndex(initialStep);
     setIsLoading(false);
-  }, [savedAnswers, savedStepIndex]);
+  }, [savedAnswers, savedStepIndex, postPaymentSteps]);
 
   const step = postPaymentSteps[stepIndex];
   const stepSchema = z.object({
@@ -130,6 +150,12 @@ export function usePostPaymentOnboarding({
       describe: allAnswers.describe || '',
       industry: allAnswers.industry || '',
       teamSize: allAnswers.teamSize || '',
+      cSuite: allAnswers.cSuite || [],
+      reportSignatory: allAnswers.reportSignatory || {
+        fullName: '',
+        jobTitle: '',
+        email: '',
+      },
       devices: allAnswers.devices || '',
       authentication: allAnswers.authentication || '',
       software: allAnswers.software || '',
@@ -161,9 +187,18 @@ export function usePostPaymentOnboarding({
 
     // Handle multi-select fields with "Other" option
     for (const key of Object.keys(newAnswers)) {
-      if (step.options && step.key === key && key !== 'frameworkIds' && key !== 'shipping') {
+      // Only process multi-select string fields (exclude objects/arrays)
+      if (
+        step.options &&
+        step.key === key &&
+        key !== 'frameworkIds' &&
+        key !== 'shipping' &&
+        key !== 'cSuite' &&
+        key !== 'reportSignatory'
+      ) {
         const customValue = newAnswers[`${key}Other`] || '';
-        const values = (newAnswers[key] || '').split(',').filter(Boolean);
+        const rawValue = newAnswers[key];
+        const values = (typeof rawValue === 'string' ? rawValue : '').split(',').filter(Boolean);
 
         if (customValue) {
           values.push(customValue);
diff --git a/apps/app/src/app/(app)/setup/components/OnboardingStepInput.tsx b/apps/app/src/app/(app)/setup/components/OnboardingStepInput.tsx
index 4d3505048..48dad46db 100644
--- a/apps/app/src/app/(app)/setup/components/OnboardingStepInput.tsx
+++ b/apps/app/src/app/(app)/setup/components/OnboardingStepInput.tsx
@@ -1,13 +1,15 @@
 import { AnimatedWrapper } from '@/components/animated-wrapper';
 import { SelectablePill } from '@/components/selectable-pill';
+import { Button } from '@comp/ui/button';
 import { FormLabel } from '@comp/ui/form';
 import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
 import { Textarea } from '@comp/ui/textarea';
-import { X } from 'lucide-react';
+import { ChevronDown, ChevronUp, Plus, Trash2, X } from 'lucide-react';
 import { useRef, useState } from 'react';
 import type { UseFormReturn } from 'react-hook-form';
-import { Controller } from 'react-hook-form';
-import type { CompanyDetails, Step } from '../lib/types';
+import { Controller, useFieldArray } from 'react-hook-form';
+import type { CompanyDetails, CSuiteEntry, Step } from '../lib/types';
 import { FrameworkSelection } from './FrameworkSelection';
 import { WebsiteInput } from './WebsiteInput';
 
@@ -48,39 +50,44 @@ export function OnboardingStepInput({
   }
 
   if (currentStep.key === 'shipping') {
+    const { errors, isSubmitted } = form.formState;
+
     return (
       <div className="space-y-4" data-testid={`onboarding-input-${currentStep.key}`}>
         <AnimatedWrapper delay={100}>
           <div className="flex flex-col gap-4 sm:flex-row">
-            <div className="flex-1">
-              <FormLabel>Full Name</FormLabel>
+            <div className="flex-1 space-y-1.5">
+              <Label>Full Name</Label>
               <Input
                 {...form.register('shipping.fullName')}
                 placeholder="John Doe"
                 autoFocus
                 data-testid={`onboarding-input-${currentStep.key}-fullName`}
               />
-              <p className="text-destructive text-[0.8rem] font-medium">
-                {form.formState.errors.shipping?.fullName?.message}
-              </p>
+              {isSubmitted && errors.shipping?.fullName?.message && (
+                <p className="text-destructive text-[0.8rem] font-medium">
+                  {errors.shipping.fullName.message}
+                </p>
+              )}
             </div>
-            <div className="flex-1">
-              <FormLabel>Phone</FormLabel>
+            <div className="flex-1 space-y-1.5">
+              <Label>Phone</Label>
               <Input
                 {...form.register('shipping.phone')}
                 placeholder="+1 (555) 123-4567"
-                autoFocus
                 data-testid={`onboarding-input-${currentStep.key}-phone`}
               />
-              <p className="text-destructive text-[0.8rem] font-medium">
-                {form.formState.errors.shipping?.phone?.message}
-              </p>
+              {isSubmitted && errors.shipping?.phone?.message && (
+                <p className="text-destructive text-[0.8rem] font-medium">
+                  {errors.shipping.phone.message}
+                </p>
+              )}
             </div>
           </div>
         </AnimatedWrapper>
         <AnimatedWrapper delay={200}>
-          <div>
-            <FormLabel>Address</FormLabel>
+          <div className="space-y-1.5">
+            <Label>Address</Label>
             <Textarea
               {...form.register('shipping.address')}
               placeholder="123 Main St, Apt 4B, Springfield, IL, USA"
@@ -88,9 +95,11 @@ export function OnboardingStepInput({
               maxLength={300}
               data-testid={`onboarding-input-${currentStep.key}-address`}
             />
-            <p className="text-destructive text-[0.8rem] font-medium">
-              {form.formState.errors.shipping?.address?.message}
-            </p>
+            {isSubmitted && errors.shipping?.address?.message && (
+              <p className="text-destructive text-[0.8rem] font-medium">
+                {errors.shipping.address.message}
+              </p>
+            )}
           </div>
         </AnimatedWrapper>
         <AnimatedWrapper delay={300}>
@@ -136,13 +145,83 @@ export function OnboardingStepInput({
     );
   }
 
+  if (currentStep.key === 'teamSize') {
+    return (
+      <AnimatedWrapper delay={100} animationKey={`teamSize-${currentStep.key}`}>
+        <div className="space-y-2" data-testid={`onboarding-input-${currentStep.key}`}>
+          <NumberInput
+            value={form.watch(currentStep.key) || ''}
+            onChange={(val) => form.setValue(currentStep.key, val)}
+            placeholder={currentStep.placeholder}
+          />
+          {currentStep.description && (
+            <p className="text-xs text-muted-foreground">{currentStep.description}</p>
+          )}
+        </div>
+      </AnimatedWrapper>
+    );
+  }
+
+  if (currentStep.key === 'cSuite') {
+    return <CSuiteInput form={form} description={currentStep.description} />;
+  }
+
+  if (currentStep.key === 'reportSignatory') {
+    const { errors, isSubmitted } = form.formState;
+
+    return (
+      <div className="space-y-4" data-testid={`onboarding-input-${currentStep.key}`}>
+        <AnimatedWrapper delay={100}>
+          <div className="flex flex-col gap-4">
+            <div className="space-y-1.5">
+              <Label>Full Name</Label>
+              <Input
+                {...form.register('reportSignatory.fullName')}
+                placeholder="John Doe"
+                autoFocus
+              />
+              {isSubmitted && errors.reportSignatory?.fullName?.message && (
+                <p className="text-destructive text-[0.8rem] font-medium">
+                  {errors.reportSignatory.fullName.message}
+                </p>
+              )}
+            </div>
+            <div className="space-y-1.5">
+              <Label>Job Title</Label>
+              <Input {...form.register('reportSignatory.jobTitle')} placeholder="CEO" />
+              {isSubmitted && errors.reportSignatory?.jobTitle?.message && (
+                <p className="text-destructive text-[0.8rem] font-medium">
+                  {errors.reportSignatory.jobTitle.message}
+                </p>
+              )}
+            </div>
+            <div className="space-y-1.5">
+              <Label>Email</Label>
+              <Input
+                {...form.register('reportSignatory.email')}
+                type="email"
+                placeholder="john@company.com"
+              />
+              {isSubmitted && errors.reportSignatory?.email?.message && (
+                <p className="text-destructive text-[0.8rem] font-medium">
+                  {errors.reportSignatory.email.message}
+                </p>
+              )}
+            </div>
+          </div>
+        </AnimatedWrapper>
+        {currentStep.description && (
+          <AnimatedWrapper delay={200}>
+            <p className="text-xs text-muted-foreground">{currentStep.description}</p>
+          </AnimatedWrapper>
+        )}
+      </div>
+    );
+  }
+
   if (currentStep.options) {
     // Single-select fields
-    if (
-      currentStep.key === 'industry' ||
-      currentStep.key === 'teamSize' ||
-      currentStep.key === 'workLocation'
-    ) {
+    if (currentStep.key === 'industry' || currentStep.key === 'workLocation') {
       const selectedValue = form.watch(currentStep.key);
 
       return (
@@ -166,14 +245,16 @@ export function OnboardingStepInput({
     }
 
     // Multi-select fields with custom value support
-    const selectedValues = (form.watch(currentStep.key) || '').split(',').filter(Boolean);
+    // At this point we know the field is a comma-separated string
+    const rawValue = form.watch(currentStep.key) as string | undefined;
+    const selectedValues = (rawValue || '').split(',').filter(Boolean);
 
     const handlePillToggle = (option: string) => {
       const isSelected = selectedValues.includes(option);
-      let newValues;
+      let newValues: string[];
 
       if (isSelected) {
-        newValues = selectedValues.filter((v) => v !== option);
+        newValues = selectedValues.filter((v: string) => v !== option);
       } else {
         newValues = [...selectedValues, option];
       }
@@ -276,3 +357,144 @@ export function OnboardingStepInput({
     </AnimatedWrapper>
   );
 }
+
+// C-Suite input component with dynamic list
+function CSuiteInput({
+  form,
+  description,
+}: {
+  form: UseFormReturn<OnboardingFormFields>;
+  description?: string;
+}) {
+  const { fields, append, remove } = useFieldArray({
+    control: form.control,
+    name: 'cSuite',
+  });
+
+  // Initialize with one empty entry if none exist
+  if (fields.length === 0) {
+    append({ name: '', title: '' });
+  }
+
+  const commonTitles = ['CEO', 'CTO', 'CFO', 'COO', 'CMO', 'CISO', 'CPO', 'CRO'];
+
+  return (
+    <div className="space-y-4" data-testid="onboarding-input-cSuite">
+      <AnimatedWrapper delay={100}>
+        <div className="space-y-3">
+          {fields.map((field, index) => (
+            <div key={field.id} className="flex gap-2 items-start">
+              <div className="flex-1 space-y-2">
+                <div className="flex gap-2">
+                  <Input
+                    {...form.register(`cSuite.${index}.name`)}
+                    placeholder="Full name"
+                    autoFocus={index === 0}
+                  />
+                  <Input
+                    {...form.register(`cSuite.${index}.title`)}
+                    placeholder="Title (e.g., CEO)"
+                    list={`titles-${index}`}
+                  />
+                  <datalist id={`titles-${index}`}>
+                    {commonTitles.map((title) => (
+                      <option key={title} value={title} />
+                    ))}
+                  </datalist>
+                </div>
+              </div>
+              {fields.length > 1 && (
+                <Button
+                  type="button"
+                  variant="ghost"
+                  size="icon"
+                  onClick={() => remove(index)}
+                  className="text-muted-foreground hover:text-destructive shrink-0"
+                >
+                  <Trash2 className="h-4 w-4" />
+                </Button>
+              )}
+            </div>
+          ))}
+        </div>
+      </AnimatedWrapper>
+
+      <AnimatedWrapper delay={200}>
+        <Button
+          type="button"
+          variant="outline"
+          size="sm"
+          onClick={() => append({ name: '', title: '' })}
+          className="gap-1"
+        >
+          <Plus className="h-4 w-4" />
+          Add Executive
+        </Button>
+      </AnimatedWrapper>
+
+      {description && (
+        <AnimatedWrapper delay={300}>
+          <p className="text-xs text-muted-foreground">{description}</p>
+        </AnimatedWrapper>
+      )}
+    </div>
+  );
+}
+
+// Custom number input with styled increment/decrement buttons
+function NumberInput({
+  value,
+  onChange,
+  placeholder,
+}: {
+  value: string;
+  onChange: (val: string) => void;
+  placeholder?: string;
+}) {
+  const increment = () => {
+    const num = Number.parseInt(value, 10) || 0;
+    onChange(String(num + 1));
+  };
+
+  const decrement = () => {
+    const num = Number.parseInt(value, 10) || 0;
+    if (num > 1) {
+      onChange(String(num - 1));
+    }
+  };
+
+  const handleChange = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const val = e.target.value.replace(/\D/g, '');
+    onChange(val);
+  };
+
+  return (
+    <div className="relative max-w-[200px]">
+      <input
+        type="text"
+        inputMode="numeric"
+        value={value}
+        onChange={handleChange}
+        placeholder={placeholder}
+        autoFocus
+        className="border-input bg-background placeholder:text-muted-foreground focus-visible:ring-ring h-9 w-full rounded-sm border py-1 pl-3 pr-10 text-sm transition-colors focus-visible:ring-1 focus-visible:ring-offset-0 focus-visible:outline-hidden"
+      />
+      <div className="absolute right-0 top-0 flex h-full flex-col border-l border-input">
+        <button
+          type="button"
+          onClick={increment}
+          className="flex h-1/2 w-7 items-center justify-center text-muted-foreground transition-colors hover:bg-muted hover:text-foreground rounded-tr-sm"
+        >
+          <ChevronUp className="h-3 w-3" />
+        </button>
+        <button
+          type="button"
+          onClick={decrement}
+          className="flex h-1/2 w-7 items-center justify-center border-t border-input text-muted-foreground transition-colors hover:bg-muted hover:text-foreground rounded-br-sm"
+        >
+          <ChevronDown className="h-3 w-3" />
+        </button>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/setup/components/OrganizationSetupForm.tsx b/apps/app/src/app/(app)/setup/components/OrganizationSetupForm.tsx
index 44600f11b..ed7ce227a 100644
--- a/apps/app/src/app/(app)/setup/components/OrganizationSetupForm.tsx
+++ b/apps/app/src/app/(app)/setup/components/OrganizationSetupForm.tsx
@@ -120,24 +120,36 @@ export function OrganizationSetupForm({
                 className="w-full"
                 autoComplete="off"
               >
-                <FormField
-                  name={step.key}
-                  render={({ field }) => (
-                    <FormItem>
-                      <FormControl>
-                        <OnboardingStepInput
-                          currentStep={step}
-                          form={form}
-                          savedAnswers={savedAnswers}
-                          onLoadingChange={setIsLoadingFrameworks}
-                        />
-                      </FormControl>
-                      <div className="min-h-[20px]">
-                        <FormMessage />
-                      </div>
-                    </FormItem>
-                  )}
-                />
+                {/* Complex fields handle their own validation UI */}
+                {step.key === 'reportSignatory' ||
+                step.key === 'shipping' ||
+                step.key === 'cSuite' ? (
+                  <OnboardingStepInput
+                    currentStep={step}
+                    form={form}
+                    savedAnswers={savedAnswers}
+                    onLoadingChange={setIsLoadingFrameworks}
+                  />
+                ) : (
+                  <FormField
+                    name={step.key}
+                    render={({ field }) => (
+                      <FormItem>
+                        <FormControl>
+                          <OnboardingStepInput
+                            currentStep={step}
+                            form={form}
+                            savedAnswers={savedAnswers}
+                            onLoadingChange={setIsLoadingFrameworks}
+                          />
+                        </FormControl>
+                        <div className="min-h-[20px]">
+                          <FormMessage />
+                        </div>
+                      </FormItem>
+                    )}
+                  />
+                )}
               </form>
             </Form>
           </AnimatedWrapper>
diff --git a/apps/app/src/app/(app)/setup/hooks/useOnboardingForm.ts b/apps/app/src/app/(app)/setup/hooks/useOnboardingForm.ts
index 3d5b4f990..adf92858e 100644
--- a/apps/app/src/app/(app)/setup/hooks/useOnboardingForm.ts
+++ b/apps/app/src/app/(app)/setup/hooks/useOnboardingForm.ts
@@ -155,9 +155,18 @@ export function useOnboardingForm({
     const newAnswers: OnboardingFormFields = { ...savedAnswers, ...data };
 
     for (const key of Object.keys(newAnswers)) {
-      if (step.options && step.key === key && key !== 'frameworkIds' && key !== 'shipping') {
+      // Only process multi-select string fields (exclude objects/arrays)
+      if (
+        step.options &&
+        step.key === key &&
+        key !== 'frameworkIds' &&
+        key !== 'shipping' &&
+        key !== 'cSuite' &&
+        key !== 'reportSignatory'
+      ) {
         const customValue = newAnswers[`${key}Other`] || '';
-        const values = (newAnswers[key] || '').split(',').filter(Boolean);
+        const rawValue = newAnswers[key];
+        const values = (typeof rawValue === 'string' ? rawValue : '').split(',').filter(Boolean);
 
         if (customValue) {
           values.push(customValue);
diff --git a/apps/app/src/app/(app)/setup/lib/constants.ts b/apps/app/src/app/(app)/setup/lib/constants.ts
index e02922df1..8274a5c6d 100644
--- a/apps/app/src/app/(app)/setup/lib/constants.ts
+++ b/apps/app/src/app/(app)/setup/lib/constants.ts
@@ -12,7 +12,20 @@ export const companyDetailsSchema = z.object({
     .min(1, 'Please provide a brief overview and description of what your company does')
     .max(300, 'Description must be less than 300 characters'),
   industry: z.string().min(1, 'Please select your industry'),
-  teamSize: z.string().min(1, 'Please select your team size'),
+  teamSize: z.string().min(1, 'Please enter your team size'),
+  cSuite: z
+    .array(
+      z.object({
+        name: z.string().min(1, 'Name is required'),
+        title: z.string().min(1, 'Title is required'),
+      }),
+    )
+    .min(1, 'Please add at least one executive'),
+  reportSignatory: z.object({
+    fullName: z.string().min(1, 'Full name is required'),
+    jobTitle: z.string().min(1, 'Job title is required'),
+    email: z.string().email('Please enter a valid email'),
+  }),
   software: z.string().min(1, 'Please select software you use'),
   infrastructure: z.string().min(1, 'Please select your infrastructure'),
   dataTypes: z.string().min(1, 'Please select types of data you handle'),
@@ -58,8 +71,22 @@ export const steps: Step[] = [
   {
     key: 'teamSize',
     question: 'How many employees do you have?',
-    placeholder: 'e.g., 11-50',
-    options: ['1-10', '11-50', '51-200', '201-500', '500+'],
+    placeholder: 'e.g., 25',
+    description:
+      'We need an approximate count for your compliance reports. You can update this in settings if it changes.',
+  },
+  {
+    key: 'cSuite',
+    question: 'Who are your C-Suite executives?',
+    placeholder: '',
+    description:
+      'These names and titles will appear in your compliance reports. You can update this in settings if it changes.',
+  },
+  {
+    key: 'reportSignatory',
+    question: 'Who will sign off on the final report?',
+    placeholder: '',
+    description: 'This person will be listed as the authorizing signatory on compliance reports.',
   },
   {
     key: 'devices',
diff --git a/apps/app/src/app/(app)/setup/lib/types.ts b/apps/app/src/app/(app)/setup/lib/types.ts
index fcd1f051b..3dd9712ff 100644
--- a/apps/app/src/app/(app)/setup/lib/types.ts
+++ b/apps/app/src/app/(app)/setup/lib/types.ts
@@ -1,3 +1,14 @@
+export type CSuiteEntry = {
+  name: string;
+  title: string;
+};
+
+export type ReportSignatory = {
+  fullName: string;
+  jobTitle: string;
+  email: string;
+};
+
 export type CompanyDetails = {
   frameworkIds: string[];
   organizationName: string;
@@ -5,6 +16,8 @@ export type CompanyDetails = {
   describe: string;
   industry: string;
   teamSize: string;
+  cSuite: CSuiteEntry[];
+  reportSignatory: ReportSignatory;
   devices: string;
   authentication: string;
   workLocation: string;
@@ -31,4 +44,5 @@ export type Step = {
   question: string;
   placeholder: string;
   options?: string[];
+  description?: string;
 };
diff --git a/apps/app/src/app/s3.ts b/apps/app/src/app/s3.ts
index f9907505f..1c4d38544 100644
--- a/apps/app/src/app/s3.ts
+++ b/apps/app/src/app/s3.ts
@@ -7,6 +7,7 @@ const APP_AWS_SECRET_ACCESS_KEY = process.env.APP_AWS_SECRET_ACCESS_KEY;
 export const BUCKET_NAME = process.env.APP_AWS_BUCKET_NAME;
 export const APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET = process.env.APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET;
 export const APP_AWS_KNOWLEDGE_BASE_BUCKET = process.env.APP_AWS_KNOWLEDGE_BASE_BUCKET;
+export const APP_AWS_ORG_ASSETS_BUCKET = process.env.APP_AWS_ORG_ASSETS_BUCKET;
 
 let s3ClientInstance: S3Client;
 
diff --git a/apps/app/src/components/forms/organization/update-organization-logo.tsx b/apps/app/src/components/forms/organization/update-organization-logo.tsx
new file mode 100644
index 000000000..87c437c04
--- /dev/null
+++ b/apps/app/src/components/forms/organization/update-organization-logo.tsx
@@ -0,0 +1,173 @@
+'use client';
+
+import {
+  removeOrganizationLogoAction,
+  updateOrganizationLogoAction,
+} from '@/actions/organization/update-organization-logo-action';
+import { Button } from '@comp/ui/button';
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from '@comp/ui/card';
+import { ImagePlus, Loader2, Trash2 } from 'lucide-react';
+import { useAction } from 'next-safe-action/hooks';
+import Image from 'next/image';
+import { useRef, useState } from 'react';
+import { toast } from 'sonner';
+
+interface UpdateOrganizationLogoProps {
+  currentLogoUrl: string | null;
+}
+
+export function UpdateOrganizationLogo({ currentLogoUrl }: UpdateOrganizationLogoProps) {
+  const [previewUrl, setPreviewUrl] = useState<string | null>(currentLogoUrl);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+
+  const uploadLogo = useAction(updateOrganizationLogoAction, {
+    onSuccess: (result) => {
+      if (result.data?.logoUrl) {
+        setPreviewUrl(result.data.logoUrl);
+      }
+      toast.success('Logo updated');
+    },
+    onError: (error) => {
+      toast.error(error.error.serverError || 'Failed to upload logo');
+    },
+  });
+
+  const removeLogo = useAction(removeOrganizationLogoAction, {
+    onSuccess: () => {
+      setPreviewUrl(null);
+      toast.success('Logo removed');
+    },
+    onError: () => {
+      toast.error('Failed to remove logo');
+    },
+  });
+
+  const handleFileChange = async (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    if (!file) return;
+
+    // Validate file type
+    if (!file.type.startsWith('image/')) {
+      toast.error('Please select an image file');
+      return;
+    }
+
+    // Validate file size (2MB)
+    if (file.size > 2 * 1024 * 1024) {
+      toast.error('Logo must be less than 2MB');
+      return;
+    }
+
+    // Convert to base64
+    const reader = new FileReader();
+    reader.onload = () => {
+      const base64 = (reader.result as string).split(',')[1];
+      uploadLogo.execute({
+        fileName: file.name,
+        fileType: file.type,
+        fileData: base64,
+      });
+    };
+    reader.readAsDataURL(file);
+
+    // Reset input
+    if (fileInputRef.current) {
+      fileInputRef.current.value = '';
+    }
+  };
+
+  const isLoading = uploadLogo.status === 'executing' || removeLogo.status === 'executing';
+
+  return (
+    <Card>
+      <CardHeader>
+        <CardTitle>Organization Logo</CardTitle>
+        <CardDescription>
+          <div className="max-w-[600px]">
+            Upload your organization's logo. This will be displayed in reports and the trust portal.
+          </div>
+        </CardDescription>
+      </CardHeader>
+      <CardContent>
+        <div className="flex items-center gap-4">
+          {/* Logo preview */}
+          <div className="relative flex h-20 w-20 shrink-0 items-center justify-center overflow-hidden rounded-md border bg-muted">
+            {previewUrl ? (
+              <Image
+                src={previewUrl}
+                alt="Organization logo"
+                fill
+                className="object-contain p-2"
+              />
+            ) : (
+              <ImagePlus className="h-8 w-8 text-muted-foreground/50" />
+            )}
+          </div>
+
+          {/* Upload controls */}
+          <div className="flex flex-col gap-2">
+            <input
+              ref={fileInputRef}
+              type="file"
+              accept="image/*"
+              onChange={handleFileChange}
+              className="hidden"
+              disabled={isLoading}
+            />
+            <Button
+              type="button"
+              variant="outline"
+              size="sm"
+              onClick={() => fileInputRef.current?.click()}
+              disabled={isLoading}
+            >
+              {uploadLogo.status === 'executing' ? (
+                <>
+                  <Loader2 className="h-4 w-4 animate-spin" />
+                  Uploading...
+                </>
+              ) : (
+                'Upload logo'
+              )}
+            </Button>
+            {previewUrl && (
+              <Button
+                type="button"
+                variant="ghost"
+                size="sm"
+                onClick={() => removeLogo.execute({})}
+                disabled={isLoading}
+                className="text-destructive hover:text-destructive"
+              >
+                {removeLogo.status === 'executing' ? (
+                  <>
+                    <Loader2 className="h-4 w-4 animate-spin" />
+                    Removing...
+                  </>
+                ) : (
+                  <>
+                    <Trash2 className="h-4 w-4" />
+                    Remove
+                  </>
+                )}
+              </Button>
+            )}
+          </div>
+        </div>
+      </CardContent>
+      <CardFooter>
+        <div className="text-muted-foreground text-xs">
+          Recommended: Square image, at least 200x200px. Max 2MB.
+        </div>
+      </CardFooter>
+    </Card>
+  );
+}
+
diff --git a/apps/app/src/components/main-menu.tsx b/apps/app/src/components/main-menu.tsx
index 8a751578d..32c3f37d6 100644
--- a/apps/app/src/components/main-menu.tsx
+++ b/apps/app/src/components/main-menu.tsx
@@ -6,6 +6,7 @@ import { cn } from '@comp/ui/cn';
 import { Icons } from '@comp/ui/icons';
 import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from '@comp/ui/tooltip';
 import {
+  ClipboardCheck,
   FileTextIcon,
   FlaskConical,
   Gauge,
@@ -46,6 +47,17 @@ interface ItemProps {
   itemRef: (el: HTMLDivElement | null) => void;
 }
 
+export type Props = {
+  organizationId?: string;
+  organization?: { advancedModeEnabled?: boolean } | null;
+  isCollapsed?: boolean;
+  onItemClick?: () => void;
+  isQuestionnaireEnabled?: boolean;
+  isTrustNdaEnabled?: boolean;
+  hasAuditorRole?: boolean;
+  isOnlyAuditor?: boolean;
+};
+
 export function MainMenu({
   organizationId,
   organization,
@@ -53,6 +65,8 @@ export function MainMenu({
   onItemClick,
   isQuestionnaireEnabled = false,
   isTrustNdaEnabled = false,
+  hasAuditorRole = false,
+  isOnlyAuditor = false,
 }: Props) {
   const pathname = usePathname();
   const [activeStyle, setActiveStyle] = useState({ top: '0px', height: '0px' });
@@ -67,6 +81,15 @@ export function MainMenu({
       icon: Gauge,
       protected: false,
     },
+    {
+      id: 'auditor',
+      path: '/:organizationId/auditor',
+      name: 'Auditor View',
+      disabled: false,
+      icon: ClipboardCheck,
+      protected: false,
+      hidden: !hasAuditorRole,
+    },
     {
       id: 'controls',
       path: '/:organizationId/controls',
@@ -141,6 +164,7 @@ export function MainMenu({
       disabled: false,
       icon: Zap,
       protected: false,
+      hidden: isOnlyAuditor,
     },
     {
       id: 'tests',
@@ -157,6 +181,7 @@ export function MainMenu({
       disabled: false,
       icon: Icons.Settings,
       protected: true,
+      hidden: isOnlyAuditor,
     },
   ];
 
@@ -335,12 +360,3 @@ const Item = ({
     </div>
   );
 };
-
-type Props = {
-  organizationId?: string;
-  organization?: { advancedModeEnabled?: boolean } | null;
-  isCollapsed?: boolean;
-  onItemClick?: () => void;
-  isQuestionnaireEnabled?: boolean;
-  isTrustNdaEnabled?: boolean;
-};
diff --git a/apps/app/src/components/organization-switcher.tsx b/apps/app/src/components/organization-switcher.tsx
index b5bea0042..2758cf613 100644
--- a/apps/app/src/components/organization-switcher.tsx
+++ b/apps/app/src/components/organization-switcher.tsx
@@ -17,6 +17,7 @@ import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@
 import type { Organization } from '@db';
 import { Check, ChevronsUpDown, Loader2, Plus, Search } from 'lucide-react';
 import { useAction } from 'next-safe-action/hooks';
+import Image from 'next/image';
 import { useRouter } from 'next/navigation';
 import { useQueryState } from 'nuqs';
 import { useEffect, useState } from 'react';
@@ -25,10 +26,12 @@ interface OrganizationSwitcherProps {
   organizations: Organization[];
   organization: Organization | null;
   isCollapsed?: boolean;
+  logoUrls?: Record<string, string>;
 }
 
-interface OrganizationInitialsAvatarProps {
+interface OrganizationAvatarProps {
   name: string | null | undefined;
+  logoUrl?: string | null;
   size?: 'sm' | 'default';
   className?: string;
 }
@@ -52,11 +55,24 @@ const COLOR_PAIRS = [
   'bg-cyan-100 text-cyan-700 dark:bg-cyan-900/70 dark:text-cyan-200',
 ];
 
-function OrganizationInitialsAvatar({
+function OrganizationAvatar({
   name,
+  logoUrl,
   size = 'default',
   className,
-}: OrganizationInitialsAvatarProps) {
+}: OrganizationAvatarProps) {
+  const sizeClass = size === 'sm' ? 'h-6 w-6' : 'h-8 w-8';
+
+  // If logo URL exists, show the image
+  if (logoUrl) {
+    return (
+      <div className={cn('relative overflow-hidden rounded-sm border', sizeClass, className)}>
+        <Image src={logoUrl} alt={name || 'Organization'} fill className="object-contain" />
+      </div>
+    );
+  }
+
+  // Fallback to initials
   const initials = name?.slice(0, 2).toUpperCase() || '';
 
   let colorIndex = 0;
@@ -71,7 +87,8 @@ function OrganizationInitialsAvatar({
     <div
       className={cn(
         'flex items-center justify-center rounded-sm font-medium',
-        size === 'sm' ? 'h-6 w-6 text-xs' : 'h-8 w-8 text-sm',
+        sizeClass,
+        size === 'sm' ? 'text-xs' : 'text-sm',
         selectedColorClass,
         className,
       )}
@@ -85,6 +102,7 @@ export function OrganizationSwitcher({
   organizations,
   organization,
   isCollapsed = false,
+  logoUrls = {},
 }: OrganizationSwitcherProps) {
   const router = useRouter();
   const [isDialogOpen, setIsDialogOpen] = useState(false);
@@ -104,7 +122,7 @@ export function OrganizationSwitcher({
 
   const sortedOrganizations = [...organizations].sort((a, b) => {
     if (sortOrder === 'alphabetical') {
-      return (a.name).localeCompare(b.name);
+      return a.name.localeCompare(b.name);
     } else if (sortOrder === 'recent') {
       return new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime();
     }
@@ -180,7 +198,10 @@ export function OrganizationSwitcher({
             )}
             disabled={status === 'executing'}
           >
-            <OrganizationInitialsAvatar name={currentOrganization?.name} />
+            <OrganizationAvatar
+              name={currentOrganization?.name}
+              logoUrl={currentOrganization?.id ? logoUrls[currentOrganization.id] : undefined}
+            />
             {!isCollapsed && (
               <>
                 <span className="ml-2 flex-1 truncate text-left">{currentOrganization?.name}</span>
@@ -235,7 +256,7 @@ export function OrganizationSwitcher({
                     ) : (
                       <div className="h-4 w-4" />
                     )}
-                    <OrganizationInitialsAvatar name={org.name} size="sm" />
+                    <OrganizationAvatar name={org.name} logoUrl={logoUrls[org.id]} size="sm" />
                     <span className="truncate">{getDisplayName(org)}</span>
                   </CommandItem>
                 ))}
diff --git a/apps/app/src/components/sidebar.tsx b/apps/app/src/components/sidebar.tsx
index a5c9292f4..878f16183 100644
--- a/apps/app/src/components/sidebar.tsx
+++ b/apps/app/src/components/sidebar.tsx
@@ -1,14 +1,26 @@
 import { getFeatureFlags } from '@/app/posthog';
+import { APP_AWS_ORG_ASSETS_BUCKET, s3Client } from '@/app/s3';
 import { getOrganizations } from '@/data/getOrganizations';
 import { auth } from '@/utils/auth';
+import { GetObjectCommand } from '@aws-sdk/client-s3';
+import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { cn } from '@comp/ui/cn';
-import type { Organization } from '@db';
+import { db, type Organization, Role } from '@db';
 import { cookies, headers } from 'next/headers';
 import { MainMenu } from './main-menu';
 import { OrganizationSwitcher } from './organization-switcher';
 import { SidebarCollapseButton } from './sidebar-collapse-button';
 import { SidebarLogo } from './sidebar-logo';
 
+// Helper to safely parse comma-separated roles string
+function parseRolesString(rolesStr: string | null | undefined): Role[] {
+  if (!rolesStr) return [];
+  return rolesStr
+    .split(',')
+    .map((r) => r.trim())
+    .filter((r) => r in Role) as Role[];
+}
+
 export async function Sidebar({
   organization,
   collapsed = false,
@@ -20,6 +32,26 @@ export async function Sidebar({
   const isCollapsed = collapsed || cookieStore.get('sidebar-collapsed')?.value === 'true';
   const { organizations } = await getOrganizations();
 
+  // Generate logo URLs for all organizations
+  const logoUrls: Record<string, string> = {};
+  if (s3Client && APP_AWS_ORG_ASSETS_BUCKET) {
+    await Promise.all(
+      organizations.map(async (org) => {
+        if (org.logo) {
+          try {
+            const command = new GetObjectCommand({
+              Bucket: APP_AWS_ORG_ASSETS_BUCKET,
+              Key: org.logo,
+            });
+            logoUrls[org.id] = await getSignedUrl(s3Client, command, { expiresIn: 3600 });
+          } catch {
+            // Logo not available
+          }
+        }
+      }),
+    );
+  }
+
   // Check feature flags for menu items
   const session = await auth.api.getSession({
     headers: await headers(),
@@ -33,6 +65,25 @@ export async function Sidebar({
       flags['is-trust-nda-enabled'] === true || flags['is-trust-nda-enabled'] === 'true';
   }
 
+  let hasAuditorRole = false;
+  let isOnlyAuditor = false;
+  if (session?.user?.id && organization?.id) {
+    const member = await db.member.findFirst({
+      where: {
+        userId: session.user.id,
+        organizationId: organization.id,
+        deactivated: false,
+      },
+    });
+    if (member?.role) {
+      const roles = parseRolesString(member.role);
+      hasAuditorRole = roles.includes(Role.auditor);
+      // Only hide tabs if auditor is their ONLY role
+      // If they have multiple roles (e.g., "owner, auditor" or "admin, auditor"), show tabs
+      isOnlyAuditor = hasAuditorRole && roles.length === 1;
+    }
+  }
+
   return (
     <div className="bg-card flex h-full flex-col gap-0 overflow-x-clip">
       <div className="flex flex-col gap-2 p-4">
@@ -44,6 +95,7 @@ export async function Sidebar({
             organizations={organizations}
             organization={organization}
             isCollapsed={isCollapsed}
+            logoUrls={logoUrls}
           />
           <MainMenu
             organizationId={organization?.id ?? ''}
@@ -51,6 +103,8 @@ export async function Sidebar({
             isCollapsed={isCollapsed}
             isQuestionnaireEnabled={isQuestionnaireEnabled}
             isTrustNdaEnabled={isTrustNdaEnabled}
+            hasAuditorRole={hasAuditorRole}
+            isOnlyAuditor={isOnlyAuditor}
           />
         </div>
       </div>
diff --git a/apps/app/src/env.mjs b/apps/app/src/env.mjs
index 423f6315f..99ed5aa49 100644
--- a/apps/app/src/env.mjs
+++ b/apps/app/src/env.mjs
@@ -31,6 +31,7 @@ export const env = createEnv({
     APP_AWS_BUCKET_NAME: z.string().optional(),
     APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET: z.string().optional(),
     APP_AWS_KNOWLEDGE_BASE_BUCKET: z.string().optional(),
+    APP_AWS_ORG_ASSETS_BUCKET: z.string().optional(),
     NEXT_PUBLIC_PORTAL_URL: z.string(),
     FIRECRAWL_API_KEY: z.string().optional(),
     FLEET_URL: z.string().optional(),
@@ -87,6 +88,7 @@ export const env = createEnv({
     APP_AWS_BUCKET_NAME: process.env.APP_AWS_BUCKET_NAME,
     APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET: process.env.APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET,
     APP_AWS_KNOWLEDGE_BASE_BUCKET: process.env.APP_AWS_KNOWLEDGE_BASE_BUCKET,
+    APP_AWS_ORG_ASSETS_BUCKET: process.env.APP_AWS_ORG_ASSETS_BUCKET,
     NEXT_PUBLIC_PORTAL_URL: process.env.NEXT_PUBLIC_PORTAL_URL,
     FIRECRAWL_API_KEY: process.env.FIRECRAWL_API_KEY,
     FLEET_URL: process.env.FLEET_URL,
diff --git a/apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts b/apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts
new file mode 100644
index 000000000..2f1e5f0d4
--- /dev/null
+++ b/apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts
@@ -0,0 +1,400 @@
+import { getOrganizationContext } from '@/jobs/tasks/onboarding/onboard-organization-helpers';
+import { openai } from '@ai-sdk/openai';
+import { db } from '@db';
+import { logger, metadata, schemaTask } from '@trigger.dev/sdk';
+import { generateText } from 'ai';
+import { z } from 'zod';
+
+const SECTIONS = [
+  'company-background',
+  'services',
+  'mission-vision',
+  'system-description',
+  'critical-vendors',
+  'subservice-organizations',
+] as const;
+
+type Section = (typeof SECTIONS)[number];
+
+// Map from section keys to Context question strings
+const SECTION_QUESTIONS: Record<Section, string> = {
+  'company-background': 'Company Background & Overview of Operations',
+  services: 'Types of Services Provided',
+  'mission-vision': 'Mission & Vision',
+  'system-description': 'System Description',
+  'critical-vendors': 'Critical Vendors',
+  'subservice-organizations': 'Subservice Organizations',
+};
+
+// Shared tone rules
+const TONE_RULES = `
+TONE:
+- Direct, declarative voice. State facts without attribution.
+- No hedging ("may", "might", "likely", "appears").
+- No meta phrases ("the website says", "according to", "it appears").
+- Third person, simple present tense.
+- NEVER mention missing information - only write about what IS available.
+`;
+
+const sectionPrompts: Record<Section, string> = {
+  'company-background': `Write ONE paragraph (~80 words) describing the company background and operations.
+
+INCLUDE (where available): company name, what they do, headquarters location, certifications, workforce characteristics, strategic positioning, operational scope.
+
+EXAMPLE:
+"[Company] is a [type of business] headquartered in [location], with operations serving [markets/regions]. It holds [certifications] and describes itself as [self-description]. It supports [workforce details] and [strategic advantages]. Its services are structured to [delivery approach]."
+
+RULES:
+- Do NOT include the section title.
+- ONE paragraph only, ~80 words.
+- No bullet points.
+${TONE_RULES}`,
+
+  services: `Write ONE paragraph (~60 words) describing the services/products provided.
+
+INCLUDE (where available): service categories, specific service types, technology approach, target markets, business model aspects.
+
+EXAMPLE:
+"The company provides [service categories] including [specific services]. It also emphasises [technology/methodology approach]. Its service model includes [business model details]."
+
+RULES:
+- Do NOT include the section title.
+- ONE paragraph only, ~60 words.
+- No bullet points.
+${TONE_RULES}`,
+
+  'mission-vision': `Write ONE paragraph (~60 words) describing mission and vision.
+
+USE THIS STRUCTURE:
+"[Company] positions its mission around [mission focus], with an emphasis on [key values]. It envisions [vision/strategy for the future]."
+
+RULES:
+- Do NOT include the section title.
+- ONE paragraph only, ~60 words.
+- Use "positions its mission around" and "envisions" phrasing.
+- No bullet points.
+${TONE_RULES}`,
+
+  'system-description': `Write ONE paragraph (~80 words) describing the technical infrastructure.
+
+USE THIS STRUCTURE:
+"[Company] operates a [type of architecture] where [what flows] from [sources] through [network components], via [security/routing], to [destinations/segments]. External connectivity includes [integrations/platforms], and hosting includes [cloud/on-prem infrastructure]."
+
+Use parentheticals for specifics: "(including X, Y, Z)".
+
+RULES:
+- Do NOT include the section title.
+- ONE paragraph only, ~80 words.
+- Describe the FLOW of data/operations through infrastructure.
+- No bullet points.
+${TONE_RULES}`,
+
+  'critical-vendors': `List vendors in this EXACT format, one per line:
+
+[Vendor Name] – [Type: SaaS/IaaS/PaaS] – ([Brief description of service])
+
+EXAMPLE:
+Zoom – SaaS – (Video conferencing / collaboration)
+AWS – IaaS / PaaS – (Cloud infrastructure and hosting)
+Microsoft 365 – SaaS – (Office productivity and identity)
+
+RULES:
+- Do NOT include the section title.
+- Each vendor on its own line.
+- Follow the exact format: Name – Type – (Description)
+- Only include vendors explicitly mentioned in sources.
+${TONE_RULES}`,
+
+  'subservice-organizations': `List subservice organizations in this EXACT format:
+
+Subservice organisations: [Name1], [Name2], ...
+
+If only one: "Subservice organisations: [Name]"
+
+EXAMPLE:
+Subservice organisations: AWS
+
+RULES:
+- Do NOT include the section title.
+- Use "Subservice organisations:" prefix.
+- Just list the names, comma-separated if multiple.
+- Only include organizations explicitly mentioned as subservice providers in sources.
+${TONE_RULES}`,
+};
+
+const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms));
+
+const MAX_POLL_DURATION_MS = 1000 * 60 * 5; // 5 minutes
+const POLL_INTERVAL_MS = 5000; // 5 seconds
+
+async function scrapeWebsite(website: string): Promise<string> {
+  const apiKey = process.env.FIRECRAWL_API_KEY;
+
+  if (!apiKey) {
+    throw new Error('Firecrawl API key is not configured');
+  }
+
+  const initialResponse = await fetch('https://api.firecrawl.dev/v1/extract', {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${apiKey}`,
+    },
+    body: JSON.stringify({
+      urls: [website],
+      prompt:
+        'Extract all text content from this website, including company information, services, mission, vision, and any other relevant business information.',
+      scrapeOptions: {
+        onlyMainContent: true,
+        removeBase64Images: true,
+      },
+    }),
+  });
+
+  const initialData = await initialResponse.json();
+
+  if (!initialData.success || !initialData.id) {
+    throw new Error('Failed to start Firecrawl extraction');
+  }
+
+  const jobId = initialData.id;
+  const startTime = Date.now();
+
+  while (Date.now() - startTime < MAX_POLL_DURATION_MS) {
+    await sleep(POLL_INTERVAL_MS);
+
+    const statusResponse = await fetch(`https://api.firecrawl.dev/v1/extract/${jobId}`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        Authorization: `Bearer ${apiKey}`,
+      },
+    });
+
+    const statusData = await statusResponse.json();
+
+    if (statusData.status === 'completed' && statusData.data) {
+      const extractedData = statusData.data;
+      if (typeof extractedData === 'string') {
+        return extractedData;
+      }
+      if (typeof extractedData === 'object' && extractedData.content) {
+        return typeof extractedData.content === 'string'
+          ? extractedData.content
+          : JSON.stringify(extractedData.content);
+      }
+      return JSON.stringify(extractedData);
+    }
+
+    if (statusData.status === 'failed') {
+      throw new Error('Firecrawl extraction failed');
+    }
+
+    if (statusData.status === 'cancelled') {
+      throw new Error('Firecrawl extraction was cancelled');
+    }
+  }
+
+  throw new Error('Firecrawl extraction timed out');
+}
+
+async function generateSectionContent(
+  section: Section,
+  organization: { name: string; website: string },
+  websiteContent: string,
+  contextHubText: string,
+): Promise<string> {
+  const { text } = await generateText({
+    model: openai('gpt-4.1'),
+    system: `You are an expert at extracting and organizing company information for audit purposes.
+
+CRITICAL RULES:
+1. ONLY use information EXPLICITLY stated in the provided sources.
+2. DO NOT make up, infer, or hallucinate ANY information.
+3. DO NOT add generic industry information not explicitly mentioned.
+4. Write in third person and simple present tense.
+5. Be concise and factual.
+
+ABSOLUTELY FORBIDDEN:
+- NEVER say "information not found", "not available", "no data provided", "could not be determined", or ANY similar phrases.
+- NEVER use hedging words: "may", "might", "likely", "appears", "seems".
+- NEVER use attribution phrases: "according to", "the website states", "documentation notes".
+- If information is not available, simply OMIT that topic and write about what IS available.
+- Always produce substantive content based on what you CAN find.`,
+    prompt: `${sectionPrompts[section]}
+
+Company: ${organization.name}
+Website: ${organization.website}
+
+=== WEBSITE CONTENT ===
+${websiteContent}
+
+=== ORGANIZATION CONTEXT ===
+${contextHubText || 'No additional context.'}
+
+=== END OF SOURCES ===
+
+Generate the content based on the sources above. Write substantively about what you find - never mention missing information:`,
+  });
+
+  return text;
+}
+
+export const generateAuditorContentTask = schemaTask({
+  id: 'generate-auditor-content',
+  schema: z.object({
+    organizationId: z.string(),
+  }),
+  maxDuration: 1000 * 60 * 15, // 15 minutes
+  retry: {
+    maxAttempts: 3,
+  },
+  run: async (payload) => {
+    const { organizationId } = payload;
+
+    logger.info(`Starting auditor content generation for org ${organizationId}`);
+
+    // Initialize metadata for tracking
+    metadata.set('status', 'initializing');
+    metadata.set('currentSection', null);
+    metadata.set('completedSections', 0);
+    metadata.set('totalSections', SECTIONS.length);
+
+    // Initialize all sections as pending
+    const results: Record<Section, string | null> = {
+      'company-background': null,
+      services: null,
+      'mission-vision': null,
+      'system-description': null,
+      'critical-vendors': null,
+      'subservice-organizations': null,
+    };
+
+    for (const section of SECTIONS) {
+      metadata.set(`section_${section}_status`, 'pending');
+      metadata.set(`section_${section}_content`, null);
+    }
+
+    try {
+      // Get organization context
+      metadata.set('status', 'fetching-context');
+      const { organization, questionsAndAnswers } = await getOrganizationContext(organizationId);
+
+      if (!organization.website) {
+        metadata.set('status', 'error');
+        metadata.set('error', 'Organization website is not set');
+        return {
+          success: false,
+          error: 'Organization website is not set',
+          results: null,
+        };
+      }
+
+      // Scrape website
+      metadata.set('status', 'scraping-website');
+      logger.info(`Scraping website: ${organization.website}`);
+
+      let websiteContent: string;
+      try {
+        websiteContent = await scrapeWebsite(organization.website);
+      } catch (error) {
+        metadata.set('status', 'error');
+        metadata.set('error', 'Failed to scrape website');
+        logger.error('Failed to scrape website', { error });
+        return {
+          success: false,
+          error: 'Failed to scrape website',
+          results: null,
+        };
+      }
+
+      // Build context from organization data (excluding auditor sections to avoid circular reference)
+      const auditorQuestions = new Set(Object.values(SECTION_QUESTIONS));
+      const contextHubText = questionsAndAnswers
+        .filter((qa) => !auditorQuestions.has(qa.question))
+        .map((qa) => `Q: ${qa.question}\nA: ${qa.answer}`)
+        .join('\n\n');
+
+      metadata.set('status', 'generating');
+
+      // Generate content for each section
+      for (const section of SECTIONS) {
+        logger.info(`Generating content for section: ${section}`);
+        metadata.set('currentSection', section);
+        metadata.set(`section_${section}_status`, 'generating');
+
+        try {
+          const content = await generateSectionContent(
+            section,
+            { name: organization.name, website: organization.website },
+            websiteContent,
+            contextHubText,
+          );
+
+          const question = SECTION_QUESTIONS[section];
+
+          // Save to Context table (upsert based on question)
+          const existingContext = await db.context.findFirst({
+            where: {
+              organizationId,
+              question,
+            },
+          });
+
+          if (existingContext) {
+            await db.context.update({
+              where: { id: existingContext.id },
+              data: {
+                answer: content,
+                tags: ['auditor'],
+              },
+            });
+          } else {
+            await db.context.create({
+              data: {
+                organizationId,
+                question,
+                answer: content,
+                tags: ['auditor'],
+              },
+            });
+          }
+
+          results[section] = content;
+          metadata.set(`section_${section}_status`, 'completed');
+          metadata.set(`section_${section}_content`, content);
+          metadata.increment('completedSections', 1);
+
+          logger.info(`Completed section: ${section} and saved to Context`);
+        } catch (error) {
+          logger.error(`Failed to generate content for section: ${section}`, { error });
+          metadata.set(`section_${section}_status`, 'error');
+          metadata.set(
+            `section_${section}_error`,
+            error instanceof Error ? error.message : 'Unknown error',
+          );
+        }
+      }
+
+      metadata.set('status', 'completed');
+      metadata.set('currentSection', null);
+
+      logger.info(`Completed auditor content generation for org ${organizationId}`);
+
+      return {
+        success: true,
+        results,
+      };
+    } catch (error) {
+      logger.error('Failed to generate auditor content', { error });
+      metadata.set('status', 'error');
+      metadata.set('error', error instanceof Error ? error.message : 'Unknown error');
+
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : 'Failed to generate content',
+        results: null,
+      };
+    }
+  },
+});
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts b/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts
new file mode 100644
index 000000000..791fbc8bd
--- /dev/null
+++ b/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts
@@ -0,0 +1,86 @@
+import { db } from '@db';
+import { logger, task } from '@trigger.dev/sdk';
+import { backfillExecutiveContextSingleOrg } from './backfill-executive-context-single-org';
+
+export const backfillExecutiveContextAllOrgs = task({
+  id: 'backfill-executive-context-all-orgs',
+  run: async () => {
+    logger.info('Starting executive context backfill for all organizations');
+
+    try {
+      // Get all organizations that have completed onboarding
+      const organizations = await db.organization.findMany({
+        where: {
+          onboardingCompleted: true,
+        },
+        select: {
+          id: true,
+          name: true,
+        },
+        orderBy: {
+          createdAt: 'asc',
+        },
+      });
+
+      logger.info(`Found ${organizations.length} organizations to process`);
+
+      if (organizations.length === 0) {
+        logger.info('No organizations found, nothing to backfill');
+        return {
+          success: true,
+          organizationsProcessed: 0,
+        };
+      }
+
+      // Create batch items for processing
+      const allBatchItems = organizations.map((org) => ({
+        payload: {
+          organizationId: org.id,
+        },
+      }));
+
+      // Split into chunks of 500 (Trigger.dev batch size limit)
+      const BATCH_SIZE = 500;
+      const batches: (typeof allBatchItems)[] = [];
+
+      for (let i = 0; i < allBatchItems.length; i += BATCH_SIZE) {
+        batches.push(allBatchItems.slice(i, i + BATCH_SIZE));
+      }
+
+      logger.info(
+        `Splitting ${allBatchItems.length} organizations into ${batches.length} batches of max ${BATCH_SIZE} each`,
+      );
+
+      // Process each batch
+      let totalTriggered = 0;
+      for (let i = 0; i < batches.length; i++) {
+        const batch = batches[i];
+        logger.info(
+          `Triggering batch ${i + 1}/${batches.length} with ${batch.length} organizations`,
+        );
+
+        try {
+          await backfillExecutiveContextSingleOrg.batchTrigger(batch);
+          totalTriggered += batch.length;
+          logger.info(`Successfully triggered batch ${i + 1}/${batches.length}`);
+        } catch (error) {
+          logger.error(`Failed to trigger batch ${i + 1}/${batches.length}: ${error}`);
+          throw error;
+        }
+      }
+
+      logger.info(
+        `Successfully triggered executive context backfill jobs for ${totalTriggered} organizations across ${batches.length} batches`,
+      );
+
+      return {
+        success: true,
+        organizationsProcessed: totalTriggered,
+        totalBatches: batches.length,
+      };
+    } catch (error) {
+      logger.error(`Error during executive context backfill batch trigger: ${error}`);
+      throw error;
+    }
+  },
+});
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts b/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts
new file mode 100644
index 000000000..442a5c604
--- /dev/null
+++ b/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts
@@ -0,0 +1,83 @@
+import { db } from '@db';
+import { logger, queue, schemaTask } from '@trigger.dev/sdk';
+import { z } from 'zod';
+
+const CSUITE_QUESTION = 'Who are your C-Suite executives?';
+const SIGNATORY_QUESTION = 'Who will sign off on the final report?';
+
+const backfillQueue = queue({
+  name: 'backfill-executive-context-single-org',
+  concurrencyLimit: 10,
+});
+
+export const backfillExecutiveContextSingleOrg = schemaTask({
+  id: 'backfill-executive-context-single-org',
+  queue: backfillQueue,
+  schema: z.object({
+    organizationId: z.string(),
+  }),
+  run: async ({ organizationId }) => {
+    logger.info(`Backfilling executive context for organization ${organizationId}`);
+
+    // Check if the org already has these context entries
+    const existingContext = await db.context.findMany({
+      where: {
+        organizationId,
+        question: {
+          in: [CSUITE_QUESTION, SIGNATORY_QUESTION],
+        },
+      },
+      select: {
+        question: true,
+      },
+    });
+
+    const existingQuestions = new Set(existingContext.map((c) => c.question));
+
+    const toCreate: {
+      question: string;
+      answer: string;
+      organizationId: string;
+      tags: string[];
+    }[] = [];
+
+    // Check if cSuite is missing
+    if (!existingQuestions.has(CSUITE_QUESTION)) {
+      toCreate.push({
+        question: CSUITE_QUESTION,
+        answer: JSON.stringify([{ name: 'TBD', title: 'CEO' }]),
+        organizationId,
+        tags: ['onboarding'],
+      });
+    }
+
+    // Check if signatory is missing
+    if (!existingQuestions.has(SIGNATORY_QUESTION)) {
+      toCreate.push({
+        question: SIGNATORY_QUESTION,
+        answer: JSON.stringify({
+          fullName: 'TBD',
+          jobTitle: 'CEO',
+          email: 'tbd@company.com',
+        }),
+        organizationId,
+        tags: ['onboarding'],
+      });
+    }
+
+    if (toCreate.length > 0) {
+      await db.context.createMany({ data: toCreate });
+      logger.info(`Created ${toCreate.length} context entries for org ${organizationId}`);
+      return {
+        success: true,
+        entriesCreated: toCreate.length,
+      };
+    }
+
+    logger.info(`Organization ${organizationId} already has all executive context entries`);
+    return {
+      success: true,
+      entriesCreated: 0,
+    };
+  },
+});
diff --git a/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts b/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts
index f03ee3a71..47d696342 100644
--- a/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts
+++ b/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts
@@ -1,6 +1,7 @@
 import { db } from '@db';
 import { logger, metadata, queue, task, tasks } from '@trigger.dev/sdk';
 import axios from 'axios';
+import { generateAuditorContentTask } from '../auditor/generate-auditor-content';
 import { generateRiskMitigationsForOrg } from './generate-risk-mitigation';
 import { generateVendorMitigationsForOrg } from './generate-vendor-mitigation';
 import {
@@ -247,5 +248,11 @@ export const onboardOrganization = task({
     } catch (err) {
       logger.error('Error revalidating path', { err });
     }
+
+    // Generate auditor content in the background
+    await tasks.trigger<typeof generateAuditorContentTask>('generate-auditor-content', {
+      organizationId,
+    });
+    logger.info(`Triggered auditor content generation for organization ${organizationId}`);
   },
 });

From 3a4e9ee0b9c263b38865cedf254415ccd280237f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 26 Nov 2025 13:54:44 -0500
Subject: [PATCH 7/7] chore(context-hub): enhance array item addition logic and
 UI feedback (#1843)

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
---
 .../components/table/ContextColumns.tsx       | 151 ++++++++++++------
 apps/portal/tsconfig.json                     |   2 +-
 2 files changed, 104 insertions(+), 49 deletions(-)

diff --git a/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx b/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
index 7f3d74605..8168e1922 100644
--- a/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
+++ b/apps/app/src/app/(app)/[orgId]/settings/context-hub/components/table/ContextColumns.tsx
@@ -117,12 +117,22 @@ function EditableAnswerCell({ context }: { context: Context }) {
 
   // Add new item to array
   const addArrayItem = () => {
-    if (arrayValue && arrayValue.length > 0) {
-      // Clone the structure of the first item with empty values
-      const template = Object.keys(arrayValue[0]).reduce(
-        (acc, key) => ({ ...acc, [key]: '' }),
-        {},
-      );
+    if (arrayValue) {
+      let template: Record<string, string>;
+      if (arrayValue.length > 0) {
+        // Clone the structure of the first item with empty values
+        template = Object.keys(arrayValue[0]).reduce((acc, key) => ({ ...acc, [key]: '' }), {});
+      } else {
+        // For empty arrays, infer structure from question or use default
+        if (
+          context.question.toLowerCase().includes('c-suite') ||
+          context.question.toLowerCase().includes('executive')
+        ) {
+          template = { name: '', title: '' };
+        } else {
+          template = { name: '', value: '' };
+        }
+      }
       setArrayValue([...arrayValue, template]);
     }
   };
@@ -137,37 +147,44 @@ function EditableAnswerCell({ context }: { context: Context }) {
   if (isEditing) {
     // Render array editor (like cSuite)
     if (arrayValue) {
-      const keys = arrayValue.length > 0 ? Object.keys(arrayValue[0]) : [];
       return (
         <div className="flex flex-col gap-3">
           <div className="space-y-2">
-            {arrayValue.map((item, index) => (
-              <div key={index} className="flex items-center gap-2 p-2 rounded-md bg-muted/30">
-                {keys.map((key) => (
-                  <input
-                    key={key}
-                    type="text"
-                    value={item[key] || ''}
-                    onChange={(e) => updateArrayItem(index, key, e.target.value)}
-                    placeholder={key}
-                    className="flex-1 px-2 py-1 text-sm rounded border border-input bg-background"
-                    disabled={status === 'executing'}
-                  />
-                ))}
-                {arrayValue.length > 1 && (
-                  <Button
-                    type="button"
-                    variant="ghost"
-                    size="icon"
-                    className="h-7 w-7 text-muted-foreground hover:text-destructive"
-                    onClick={() => removeArrayItem(index)}
-                    disabled={status === 'executing'}
-                  >
-                    <Trash2 className="h-3.5 w-3.5" />
-                  </Button>
-                )}
-              </div>
-            ))}
+            {arrayValue.length === 0 && (
+              <p className="text-sm text-muted-foreground italic">
+                No items. Click "Add Item" to start.
+              </p>
+            )}
+            {arrayValue.map((item, index) => {
+              const keys = Object.keys(item);
+              return (
+                <div key={index} className="flex items-center gap-2 p-2 rounded-md bg-muted/30">
+                  {keys.map((key) => (
+                    <input
+                      key={key}
+                      type="text"
+                      value={item[key] || ''}
+                      onChange={(e) => updateArrayItem(index, key, e.target.value)}
+                      placeholder={key}
+                      className="flex-1 px-2 py-1 text-sm rounded border border-input bg-background"
+                      disabled={status === 'executing'}
+                    />
+                  ))}
+                  {arrayValue.length > 1 && (
+                    <Button
+                      type="button"
+                      variant="ghost"
+                      size="icon"
+                      className="h-7 w-7 text-muted-foreground hover:text-destructive"
+                      onClick={() => removeArrayItem(index)}
+                      disabled={status === 'executing'}
+                    >
+                      <Trash2 className="h-3.5 w-3.5" />
+                    </Button>
+                  )}
+                </div>
+              );
+            })}
           </div>
           <Button
             type="button"
@@ -180,11 +197,25 @@ function EditableAnswerCell({ context }: { context: Context }) {
             + Add Item
           </Button>
           <div className="flex items-center gap-2">
-            <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+            <Button
+              size="sm"
+              variant="outline"
+              onClick={handleCancel}
+              disabled={status === 'executing'}
+            >
               Cancel
             </Button>
-            <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
-              {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+            <Button
+              size="sm"
+              variant="default"
+              onClick={handleSave}
+              disabled={status === 'executing'}
+            >
+              {status === 'executing' ? (
+                <Loader2 className="h-4 w-4 animate-spin mr-1" />
+              ) : (
+                <Check className="h-4 w-4 mr-1" />
+              )}
               Save
             </Button>
           </div>
@@ -213,11 +244,25 @@ function EditableAnswerCell({ context }: { context: Context }) {
             ))}
           </div>
           <div className="flex items-center gap-2">
-            <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+            <Button
+              size="sm"
+              variant="outline"
+              onClick={handleCancel}
+              disabled={status === 'executing'}
+            >
               Cancel
             </Button>
-            <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
-              {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+            <Button
+              size="sm"
+              variant="default"
+              onClick={handleSave}
+              disabled={status === 'executing'}
+            >
+              {status === 'executing' ? (
+                <Loader2 className="h-4 w-4 animate-spin mr-1" />
+              ) : (
+                <Check className="h-4 w-4 mr-1" />
+              )}
               Save
             </Button>
           </div>
@@ -236,11 +281,25 @@ function EditableAnswerCell({ context }: { context: Context }) {
           disabled={status === 'executing'}
         />
         <div className="flex items-center gap-2">
-          <Button size="sm" variant="outline" onClick={handleCancel} disabled={status === 'executing'}>
+          <Button
+            size="sm"
+            variant="outline"
+            onClick={handleCancel}
+            disabled={status === 'executing'}
+          >
             Cancel
           </Button>
-          <Button size="sm" variant="default" onClick={handleSave} disabled={status === 'executing'}>
-            {status === 'executing' ? <Loader2 className="h-4 w-4 animate-spin mr-1" /> : <Check className="h-4 w-4 mr-1" />}
+          <Button
+            size="sm"
+            variant="default"
+            onClick={handleSave}
+            disabled={status === 'executing'}
+          >
+            {status === 'executing' ? (
+              <Loader2 className="h-4 w-4 animate-spin mr-1" />
+            ) : (
+              <Check className="h-4 w-4 mr-1" />
+            )}
             Save
           </Button>
         </div>
@@ -315,11 +374,7 @@ function DeleteCell({ context }: { context: Context }) {
   return (
     <AlertDialog open={deleteOpen} onOpenChange={setDeleteOpen}>
       <AlertDialogTrigger asChild>
-        <Button
-          variant="ghost"
-          size="icon"
-          className="text-destructive hover:bg-destructive/10"
-        >
+        <Button variant="ghost" size="icon" className="text-destructive hover:bg-destructive/10">
           <Trash2 className="h-4 w-4" />
         </Button>
       </AlertDialogTrigger>
diff --git a/apps/portal/tsconfig.json b/apps/portal/tsconfig.json
index e3283a6b7..babcc8908 100644
--- a/apps/portal/tsconfig.json
+++ b/apps/portal/tsconfig.json
@@ -15,7 +15,7 @@
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "react-jsx",
+    "jsx": "preserve",
     "incremental": true,
     "plugins": [
       {