Open-source, self-hosted
Free software, AGPL. Runs on my infrastructure. During the engagement responses do not leave my perimeter; at closure the exported dataset stays with the client. No third-party SaaS in the middle.
Tools · Assessment and questionnaires
Open-source platform for structured questionnaires, around for fifteen years, used by universities, public bodies and organizations for complex surveys. I use it as the operational engine for compliance assessments.
The questionnaire guides. The platform tracks. Evidence remains.
In 30 seconds
LimeSurvey handles structured surveys with thousands of respondents. I configure it with proprietary questionnaires to conduct compliance assessments: each participant gets an individual access code, responses are anchored to evidence documents, sections activate based on the organization's profile, and at closure the exported dataset stays with the client.
Why this choice
Access code per respondent, with configurable expiration. Identity, timestamp and modification history for each response. Complete audit trail, exportable.
Conditional branching: the questionnaire adapts to the organization's profile. Sector, size and role determine which sections activate and which are skipped. No irrelevant questions for the respondent.
CSV, JSON, SPSS, R, Excel. No lock-in: the client can keep analyzing data with their own tools after closure. The platform is the container, the data is theirs.
When it makes sense
When it does NOT make sense
The value is not in the tool
LimeSurvey does one thing very well: collect structured responses in a tracked way. The value of a compliance assessment is not in the platform but in two things above it: the questionnaire design (which controls, organized in which areas, with which specific regulatory anchors), and the analysis of responses (cross-section correlation, gap analysis, drafting of deliverables). The tool is the container, the method is the content.
Installation
Single Docker container for test environments, or docker-compose stack with dedicated MariaDB or PostgreSQL for production. Plugin system for extensions (SSO via SAML/OIDC, custom export, application hooks). Backup via database dump. For assessment environments with sensitive data, the typical configuration includes TLS-only access, an admin IP allowlist, encrypted external backups and immutable logs.
The Compliance page describes in detail how the platform integrates into the process: questionnaires anchored to regulation, 0–5 maturity model, deliverables for the board.