
CRP Comply

AI Governance & EU AI Act Compliance Platform


EU AI Act enforcement begins August 2, 2026

Fines up to €35 million or 7% of global turnover. CRP Comply generates the compliance evidence regulators require — from your actual AI system behaviour, not consultant PDFs.


Why CRP Comply?

Most AI compliance tools generate static reports that go stale before they're signed. CRP Comply is different:

Evidence from reality, not paperwork

Every report CRP Comply generates is derived from real cryptographic audit trails, real risk assessments, and real data governance controls that CRP enforces at the protocol level. You don't describe what your system does — CRP Comply shows what it actually did.

Traditional Compliance | CRP Comply
--- | ---
Hire consultants for 6 months | Generate reports in seconds
Static PDF documents | Live reports from real system data
Manual evidence gathering | One-click conformity evidence packs
Outdated by next quarter | Always reflects current system state
Disconnected from code | Built into your AI infrastructure
Costs $50K–$500K per system | Self-hosted or managed SaaS

What It Covers

7 Regulatory Frameworks

Framework | Coverage | Status
--- | --- | ---
EU AI Act (2024/1689) | Art. 5–17 — all high-risk requirements | ✅ 8/8 controls implemented
ISO/IEC 42001:2023 | A.6.2.3–A.6.2.8, §9.1, §10.1 | ✅ 8/8 controls implemented
GDPR | Art. 7, 17, 30, 35 | ✅ Consent, erasure, records, DPIA
SOC 2 | CC7.2, CC7.3 | ✅ Monitoring + anomaly detection
HIPAA | §164.312(b) | ✅ Tamper-resistant audit controls
ISO 27001 | A.12.4 | ✅ Logging and monitoring
NIST AI RMF | GOVERN, MAP, MEASURE, MANAGE | ✅ All core functions

EU AI Act — Article-by-Article

Article | What Regulators Require | What CRP Comply Generates
--- | --- | ---
Art. 6 | Risk classification | Multi-factor assessment across 12 AI system categories → MINIMAL / LIMITED / HIGH / UNACCEPTABLE
Art. 9 | Risk management system | Continuous monitoring via session-level audit trails with 8-layer defence-in-depth
Art. 10 | Data governance | 5-level data classification, PII detection, lineage tracking, retention policies, erasure support
Art. 11 | Technical documentation | Auto-generated structured documentation covering architecture, security, data governance, oversight
Art. 12 | Record-keeping | HMAC-SHA256 tamper-evident audit trail — 30+ event types, chain integrity verification
Art. 13 | Transparency | Machine-readable declaration: AI involvement, data processed, limitations, oversight provisions
Art. 14 | Human oversight | 4 configurable levels (NONE → INFORMED → APPROVAL → CONTROL) with halt-on-detection
Art. 15 | Accuracy, robustness, cybersecurity | AES-256-GCM, BLAKE3 integrity chains, 3-tier RBAC, injection detection, anti-poisoning
Art. 17 | Quality management | Tier grading (S/A/B/C/D), overhead tracking, resource metrics, envelope saturation
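The Art. 12 row above (and the HMAC-SHA256 binding in the Security table further down) refers to chain integrity verification of an HMAC-SHA256 audit trail. As an added illustration of what that check does, not CRP Comply's own code or record format, the following constructs a small chained trail and shows how verification pinpoints an edited, deleted or reordered record; the event schema, record layout and key are invented here.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed illustration of an HMAC-SHA256 chained audit trail. The event
# schema, key and record layout are invented here, not CRP Comply's own format.
GENESIS = "0" * 64  # value the first record chains to

def _mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the MAC does not depend on
    # key order; seq and the previous MAC bind each record to its position.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def append_event(trail: list, key: bytes, event: dict) -> dict:
    prev = trail[-1]["mac"] if trail else GENESIS
    rec = {"seq": len(trail), "prev": prev, "event": event}
    rec["mac"] = _mac(key, rec["seq"], prev, event)
    trail.append(rec)
    return rec

def verify_chain(trail: list, key: bytes) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first failing record) for a stored trail."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["seq"] != i or rec["prev"] != prev:  # gap, deletion or reorder
            return False, i
        if not hmac.compare_digest(_mac(key, i, prev, rec["event"]), rec["mac"]):
            return False, i  # record edited in place, or wrong key
        prev = rec["mac"]
    return True, None

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed; real keys come from a secret store
    trail: list = []
    for ev in ({"type": "session.start", "actor": "triage-bot"},
               {"type": "pii.detected", "field": "patient_name"},
               {"type": "human.approval", "actor": "clinician-42"}):
        append_event(trail, key, ev)
    edited = json.loads(json.dumps(trail))  # deep copy, then rewrite a past event
    edited[1]["event"]["field"] = "none"
    deleted = [trail[0], trail[2]]  # the PII detection record removed
    swapped = [trail[0], trail[2], trail[1]]  # two records reordered
    cases = {"intact": trail, "edited": edited, "deleted": deleted, "swapped": swapped}
    results = {name: verify_chain(t, key) for name, t in cases.items()}
    results["wrong_key"] = verify_chain(trail, b"other-key")
    return results
```

Because HMAC is symmetric, whoever holds the key can both verify and forge records, so the key must stay with the trusted logging or verification party rather than with every reader of the trail. That is also why HMAC-based certificates are checked through an issuer-operated verifier rather than by the recipient directly.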

Features

8 Compliance Generators

  • Risk Assessment: EU AI Act Art. 6 classification. Evaluates system category, data sensitivity, decision automation, fundamental rights impact, and safety criticality.
  • Compliance Report: per-control implementation status across EU AI Act and ISO 42001, with a compliance score and implementation evidence for every control.
  • DPIA Generator: full GDPR Art. 35 Data Protection Impact Assessment with risk categories, CRP-native mitigations, and residual risk analysis.
  • Transparency Declaration: Art. 13 machine-readable document covering AI involvement, data practices, system limitations, and oversight provisions.
  • Technical Documentation: Art. 11 structured documentation for national competent authorities, covering architecture, data governance, security, and human oversight.
  • Session Audit: per-session compliance analysis covering audit trail integrity, PII detections, injection attempts, quality scores, findings, and recommendations.
  • Conformity Evidence Pack: all compliance artifacts in a single export to hand to a regulator or auditor: risk assessment, compliance report, DPIA, technical docs, transparency declaration, and session audit.
  • Signed Certificate (Cloud): digitally signed compliance certificate from AutoCyber AI, verifiable online at crprotocol.io/verify/. Covers EU AI Act, ISO 42001, and GDPR Art. 35.

Web Dashboard

A full-featured React + TypeScript dashboard with 9 pages:

  • Dashboard — real-time compliance overview
  • Risk Assessment — interactive risk classification wizard
  • Compliance Report — control-by-control status with evidence
  • DPIA — guided Data Protection Impact Assessment
  • Transparency — auto-generated Art. 13 declarations
  • Technical Docs — one-click Art. 11 documentation
  • Session Audit — upload and analyse CRP session files
  • Evidence Pack — generate regulator-ready bundles
  • Settings — API key management, tier configuration

REST API

14 endpoints at /api/v1/ with interactive OpenAPI docs at /api/docs:

Method | Endpoint | Description
--- | --- | ---
GET | /health | Service health and version
POST | /risk-assessment | EU AI Act risk classification
POST | /compliance-report | Multi-framework compliance status
POST | /compliance-report/markdown | Compliance report as Markdown
POST | /dpia | GDPR Art. 35 DPIA
POST | /transparency | Art. 13 transparency declaration
POST | /technical-docs | Art. 11 technical documentation
POST | /audit | Session file compliance audit
POST | /evidence-pack | Complete conformity evidence
POST | /full-report | Full Markdown compliance report
POST | /certificate | Digitally signed certificate (Cloud)
POST | /keys | Create API key
GET | /keys | List API keys
DELETE | /keys/{id} | Revoke API key

Licensing Tiers

  • Free (Self-hosted)
    • Risk Assessment (Art. 6)
    • Basic Compliance Report
    Price: $0

  • Pro (Self-hosted)
    Everything in Free, plus:
    • DPIA Generator (GDPR Art. 35)
    • Transparency Declaration (Art. 13)
    • Technical Documentation (Art. 11)
    • Session Audit (Art. 12)
    • Conformity Evidence Pack
    • PDF Export
    • Full Compliance Report
    Price: contact for pricing

  • Enterprise (Self-hosted)
    Everything in Pro, plus:
    • Multi-user access
    • SSO (SAML / OIDC)
    • Webhooks & notifications
    • SIEM integration
    • Custom compliance frameworks
    Price: contact for pricing

  • Cloud (Managed SaaS)
    Everything in Enterprise, plus:
    • Digitally signed certificates
    • Managed hosting by AutoCyber AI
    • Automatic regulatory updates
    • 99.9% uptime SLA
    • Priority support
    • Data residency (AU / EU / US)
    • "CRP Certified" trust badge
    • Audit-ready infrastructure
    Price: contact for pricing

Cloud Tier — Official & Trusted

The Cloud tier is the officially hosted, AutoCyber AI-managed deployment. It delivers what self-hosted tiers cannot:

Capability | Detail
--- | ---
Signed Certificates | HMAC-SHA256 digitally signed compliance certificates verifiable at crprotocol.io/verify/{id}
Always Current | Regulatory changes (delegated acts, technical standards) reflected automatically
Audit-Ready Infra | SOC 2 / ISO 27001 aligned infrastructure — your auditor doesn't need to assess your servers
Data Residency | Choose hosting region: Australia, EU, or US
SLA-Backed | 99.9% uptime guarantee with credit-backed remedies
CRP Certified Badge | Display trusted certification on your products and marketing
Priority Support | Direct access to the CRP compliance engineering team

Quick Start

Install

pip install crp-comply

Python API

from crp_comply import CRPComply

comply = CRPComply()

# Risk assessment (EU AI Act Art. 6)
assessment = comply.assess_risk(
    category="healthcare",
    processes_personal_data=True,
    makes_automated_decisions=True,
)
print(f"Risk: {assessment.risk_level.value}")  # → "high"

# Compliance report (EU AI Act + ISO 42001)
report = comply.compliance_report(risk_assessment=assessment)
print(f"Score: {report['summary']['compliance_score']}%")  # → "100.0%"

# DPIA (GDPR Art. 35)
dpia = comply.generate_dpia(
    system_name="Patient Triage AI",
    data_subjects="patients",
)
print(dpia.to_markdown())

# Evidence pack — hand this to a regulator
pack = comply.conformity_evidence_pack(
    system_name="Patient Triage AI",
    category="healthcare",
)

CLI

# Start the web dashboard + API server
crp-comply serve

# Risk assessment
crp-comply risk-assess --category financial --personal-data --automated-decisions

# Full Markdown report
crp-comply report --category healthcare

# DPIA
crp-comply dpia --system-name "Claims AI" --data-subjects "policyholders"

# Evidence pack
crp-comply evidence-pack --system-name "My AI" --output ./evidence.json

Docker

docker run -p 8400:8400 \
  -e CRP_COMPLY_JWT_SECRET=$(openssl rand -hex 32) \
  -v comply-data:/app/data \
  ghcr.io/constantinos-uni/crp-comply:latest

Visit http://localhost:8400 for the dashboard or http://localhost:8400/api/docs for the API.


Security

Control | Implementation
--- | ---
Authentication | API keys (SHA-256 hashed) + JWT tokens
Encryption | AES-256-GCM at rest, HMAC-SHA256 binding
Path safety | Session file access restricted to allow-listed directories
Input validation | All requests validated via Pydantic schemas
Docker | Non-root comply user, health checks
Secrets | JWT secret via env variable, never committed

Who Is This For?

Role | Problem | Solution
--- | --- | ---
AI Engineer | Building LLM apps, no time for compliance | Drop-in compliance — every CRP session is already audit-ready
Compliance Officer | EU AI Act deadline approaching, need evidence | One-click evidence packs, live compliance scoring
CTO | Board wants AI governance, you want to ship | Compliance-as-code — zero manual processes
Auditor | Need to verify AI system compliance | Tamper-evident audit trails, session reconstruction
Regulator | Need standardised AI documentation | Art. 11 tech docs, Art. 13 transparency, Art. 6 risk classification

Contact


CRP Comply is a product of AutoCyber AI Pty Ltd (ABN 22 697 087 166). Built on the Context Relay Protocol. "Context Relay Protocol" is a trademark of Constantinos Vidiniotis (application pending, IP Australia Class 9).