# CRP Comply

AI Governance & EU AI Act Compliance Platform

## Product Identity
## How It Works

```text
             Your Application Code
                       │
                       │  Change base_url to comply.crprotocol.io/v1
                       ▼
┌─────────────────────────────────────────────────┐
│               CRP Comply (We Host)              │
│                                                 │
│ ┌─────────────┐  ┌──────────────────────────┐   │
│ │ Compliance  │  │ 13+ CRP Security         │   │
│ │ Proxy       │──│ Subsystems:              │   │
│ │ (OpenAI-    │  │ • PII Scanner            │   │
│ │ compatible) │  │ • Injection Detector     │   │
│ └──────┬──────┘  │ • Risk Classifier        │   │
│        │         │ • Audit Trail (HMAC)     │   │
│ ┌──────┴──────┐  │ • Consent Manager        │   │
│ │ Dashboard   │  │ • Retention Manager      │   │
│ │ • Audit logs│  │ • Data Lineage           │   │
│ │ • Reports   │  │ • Erasure Manager        │   │
│ │ • DPIA      │  │ • Provenance Engine      │   │
│ │ • Evidence  │  │ • Quality Grading        │   │
│ └─────────────┘  └──────────────────────────┘   │
│                                                 │
└──────────────────────┬──────────────────────────┘
                       │  Forwards to your LLM
                       ▼
               Your LLM Provider
     (OpenAI / Anthropic / Ollama / etc.)
```
## Why CRP Comply?

Most AI compliance tools generate static reports that go stale before they're signed. CRP Comply is different:

**Evidence from reality, not paperwork**
Every report CRP Comply generates is derived from real cryptographic audit trails, real risk assessments, and real data governance controls that CRP enforces at the protocol level. You don't describe what your system does — CRP Comply shows what it actually did.
| Traditional Compliance | CRP Comply |
|---|---|
| Hire consultants for 6 months | Generate reports in seconds |
| Static PDF documents | Live reports from real system data |
| Manual evidence gathering | One-click conformity evidence packs |
| Outdated by next quarter | Always reflects current system state |
| Disconnected from code | Built into your AI infrastructure |
| Costs $50K–$500K per system | Self-hosted or managed SaaS |
## What It Covers

### 7 Regulatory Frameworks
| Framework | Coverage | Status |
|---|---|---|
| EU AI Act (2024/1689) | Art. 5–17 — all high-risk requirements | ✅ 8/8 controls implemented |
| ISO/IEC 42001:2023 | A.6.2.3–A.6.2.8, §9.1, §10.1 | ✅ 8/8 controls implemented |
| GDPR | Art. 7, 17, 30, 35 | ✅ Consent, erasure, records, DPIA |
| SOC 2 | CC7.2, CC7.3 | ✅ Monitoring + anomaly detection |
| HIPAA | §164.312(b) | ✅ Tamper-resistant audit controls |
| ISO 27001 | A.12.4 | ✅ Logging and monitoring |
| NIST AI RMF | GOVERN, MAP, MEASURE, MANAGE | ✅ All core functions |
### EU AI Act — Article-by-Article
| Article | What Regulators Require | What CRP Comply Generates |
|---|---|---|
| Art. 6 | Risk classification | Multi-factor assessment across 12 AI system categories → MINIMAL / LIMITED / HIGH / UNACCEPTABLE |
| Art. 9 | Risk management system | Continuous monitoring via session-level audit trails with 8-layer defence-in-depth |
| Art. 10 | Data governance | 5-level data classification, PII detection, lineage tracking, retention policies, erasure support |
| Art. 11 | Technical documentation | Auto-generated structured documentation covering architecture, security, data governance, oversight |
| Art. 12 | Record-keeping | HMAC-SHA256 tamper-evident audit trail — 30+ event types, chain integrity verification |
| Art. 13 | Transparency | Machine-readable declaration: AI involvement, data processed, limitations, oversight provisions |
| Art. 14 | Human oversight | 4 configurable levels (NONE → INFORMED → APPROVAL → CONTROL) with halt-on-detection |
| Art. 15 | Accuracy, robustness, cybersecurity | AES-256-GCM, BLAKE3 integrity chains, 3-tier RBAC, injection detection, anti-poisoning |
| Art. 17 | Quality management | Tier grading (S/A/B/C/D), overhead tracking, resource metrics, envelope saturation |
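The Art. 12 row above describes an HMAC-SHA256 tamper-evident audit trail with chain integrity verification. The block below is an added illustration of how such a chain is typically built and checked; it is not CRP Comply's own code. It assumes a single shared HMAC key, a JSON record layout, event names and a genesis tag that are all constructed here, and it goes one step beyond the table by showing the case a chain alone cannot catch (tail truncation) and how an externally anchored head tag closes that gap.

```python
"""Hash-chained HMAC-SHA256 audit trail: an added illustration, not CRP Comply's code.

Each record carries the tag of the record before it and is authenticated with
HMAC-SHA256 over its canonical JSON form. Editing, deleting or reordering a record
breaks the chain at that point; truncating the tail does not, which is why the
verifier also accepts an externally anchored head tag.
"""
import hashlib
import hmac
import json
from typing import Any, Optional

GENESIS_TAG = "0" * 64  # assumed placeholder tag for "nothing before the first record"


def canonical(record: dict[str, Any]) -> bytes:
    """Stable serialisation so identical content always authenticates identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list[dict[str, Any]], key: bytes, event_type: str,
                 payload: dict[str, Any]) -> dict[str, Any]:
    """Append one event, binding it to the previous record's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {"seq": len(log), "event_type": event_type,
            "payload": payload, "prev_tag": prev_tag}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "tag": tag}
    log.append(entry)
    return entry


def verify_chain(log: list[dict[str, Any]], key: bytes,
                 expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Return (ok, first_bad_index).

    Checks sequence numbers, prev_tag linkage and each HMAC in order. If the
    caller stored the latest tag somewhere the log writer cannot reach, pass it
    as expected_head so a truncated but internally consistent log is also rejected.
    """
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "tag"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if (body.get("seq") != i or body.get("prev_tag") != prev_tag
                or not hmac.compare_digest(expected, str(entry.get("tag", "")))):
            return False, i
        prev_tag = entry["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return False, len(log)  # internally valid, but records are missing at the end
    return True, None


def demo() -> dict[str, tuple[bool, Optional[int]]]:
    """Build a small constructed log and show which manipulations the verifier catches."""
    key = b"example-audit-key-not-for-production"  # constructed for this example
    log: list[dict[str, Any]] = []
    append_event(log, key, "session.start", {"session_id": "sess-001"})
    append_event(log, key, "pii.detected", {"category": "email", "count": 1})
    append_event(log, key, "injection.blocked", {"pattern_id": 7})
    append_event(log, key, "session.end", {"session_id": "sess-001"})
    head = log[-1]["tag"]  # what an operator would anchor outside the log store

    edited = json.loads(json.dumps(log))
    edited[1]["payload"]["count"] = 0                # change a detection after the fact
    deleted = log[:2] + log[3:]                      # drop the injection event
    reordered = [log[0], log[1], log[3], log[2]]     # swap the last two events
    truncated = log[:3]                              # silently drop the tail

    return {
        "intact": verify_chain(log, key, head),
        "edited": verify_chain(edited, key, head),
        "deleted": verify_chain(deleted, key, head),
        "reordered": verify_chain(reordered, key, head),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The point of `truncated_no_anchor` is the caveat an auditor should ask about: a chain proves that nothing inside it was altered, not that nothing was removed from its end. Periodically exporting the head tag to a store the log writer cannot modify (or having a second party countersign it) is what turns a tamper-evident chain into one that also detects deletion of the most recent events.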
## Features

### 8 Compliance Generators

- **Risk Assessment**: EU AI Act Art. 6 classification. Evaluates system category, data sensitivity, decision automation, fundamental rights impact, and safety criticality.
- **Compliance Report**: Per-control implementation status across EU AI Act and ISO 42001. Compliance score with implementation evidence for every control.
- **DPIA Generator**: Full GDPR Art. 35 Data Protection Impact Assessment with risk categories, CRP-native mitigations, and residual risk analysis.
- **Transparency Declaration**: Art. 13 machine-readable document covering AI involvement, data practices, system limitations, and oversight provisions.
- **Technical Documentation**: Art. 11 structured documentation for national competent authorities — architecture, data governance, security, human oversight.
- **Session Audit**: Per-session compliance analysis: audit trail integrity, PII detections, injection attempts, quality scores, findings, recommendations.
- **Conformity Evidence Pack**: All compliance artifacts in a single export. Hand this to a regulator or auditor — risk assessment, compliance report, DPIA, technical docs, transparency declaration, and session audit.
- **Signed Certificate (Cloud)**: Digitally signed compliance certificate from AutoCyber AI. Verifiable online at crprotocol.io/verify/. Covers EU AI Act, ISO 42001, and GDPR Art. 35.
### Web Dashboard
A full-featured React + TypeScript dashboard with 9 pages:
- Dashboard — real-time compliance overview
- Risk Assessment — interactive risk classification wizard
- Compliance Report — control-by-control status with evidence
- DPIA — guided Data Protection Impact Assessment
- Transparency — auto-generated Art. 13 declarations
- Technical Docs — one-click Art. 11 documentation
- Session Audit — upload and analyse CRP session files
- Evidence Pack — generate regulator-ready bundles
- Settings — API key management, tier configuration
### REST API
14 endpoints at /api/v1/ with interactive OpenAPI docs at /api/docs:
| Method | Endpoint | Description |
|---|---|---|
| GET | /health | Service health and version |
| POST | /risk-assessment | EU AI Act risk classification |
| POST | /compliance-report | Multi-framework compliance status |
| POST | /compliance-report/markdown | Compliance report as Markdown |
| POST | /dpia | GDPR Art. 35 DPIA |
| POST | /transparency | Art. 13 transparency declaration |
| POST | /technical-docs | Art. 11 technical documentation |
| POST | /audit | Session file compliance audit |
| POST | /evidence-pack | Complete conformity evidence |
| POST | /full-report | Full Markdown compliance report |
| POST | /certificate | Digitally signed certificate (Cloud) |
| POST | /keys | Create API key |
| GET | /keys | List API keys |
| DELETE | /keys/{id} | Revoke API key |
## Pricing

- **Free**: $0/mo (Sign Up)
  - 100 proxy requests/mo
  - 2 frameworks (EU AI Act, GDPR)
  - Risk Assessment (Art. 6)
  - Basic Compliance Report
  - PII scanning (7 categories)
  - Injection detection (21 patterns)
  - 7-day audit retention
- **Pro**: $149/mo (Subscribe). Everything in Free, plus:
  - 10,000 proxy requests/mo
  - All 7 regulatory frameworks
  - DPIA Generator (GDPR Art. 35)
  - Transparency Declaration (Art. 13)
  - Technical Documentation (Art. 11)
  - Session Audit (Art. 12)
  - Conformity Evidence Pack
  - Right to Erasure (GDPR Art. 17)
  - Data classification
  - Chain verification
  - 90-day audit retention
  - Email support
- **Enterprise**: $699/mo (Subscribe). Everything in Pro, plus:
  - 100,000 proxy requests/mo
  - EU AI Act Art. 6 risk classification
  - DPIA generation
  - Human oversight controls
  - RBAC with rate limiting
  - Regulatory export
  - Custom compliance frameworks
  - SSO (SAML / OIDC)
  - 1-year audit retention
  - 99.9% uptime SLA
  - Priority support + Slack
- **Cloud**: $1,999/mo (Contact Sales). Everything in Enterprise, plus:
  - Unlimited proxy requests
  - Digitally signed certificates
  - ML-enhanced PII & injection scanning
  - Automated regulatory export
  - Dedicated infrastructure
  - 7-year audit retention
  - Data residency (AU / EU / US)
  - 99.95% uptime SLA
  - Dedicated Customer Success Manager
  - "CRP Certified" trust badge
## Cloud Tier — Official & Trusted
The Cloud tier is the officially hosted, AutoCyber AI-managed deployment. It delivers what self-hosted tiers cannot:
| Capability | Detail |
|---|---|
| Signed Certificates | HMAC-SHA256 digitally signed compliance certificates verifiable at crprotocol.io/verify/{id} |
| Always Current | Regulatory changes (delegated acts, technical standards) reflected automatically |
| Audit-Ready Infra | SOC 2 / ISO 27001 aligned infrastructure — your auditor doesn't need to assess your servers |
| Data Residency | Choose hosting region: Australia, EU, or US |
| SLA-Backed | 99.9% uptime guarantee with credit-backed remedies |
| CRP Certified Badge | Display trusted certification on your products and marketing |
| Priority Support | Direct access to the CRP compliance engineering team |
## Quick Start

### 1. Sign Up

Visit comply.crprotocol.io and create your account.

### 2. Connect Your LLM

In the dashboard, go to Setup and enter your LLM provider credentials:

- OpenAI — API key (`sk-...`)
- Anthropic — API key (`sk-ant-...`)
- Custom — Any OpenAI-compatible endpoint (Ollama, vLLM, LM Studio, etc.)
Your API key is encrypted at rest with AES-256-GCM and is only used to forward requests to your chosen provider.
### 3. Change One Line of Code
Point your existing OpenAI client at CRP Comply — that's it:
```python
# Before — direct to OpenAI
import openai

client = openai.OpenAI(api_key="sk-...")

# After — route through CRP Comply proxy
client = openai.OpenAI(
    api_key="sk-...",
    base_url="https://comply.crprotocol.io/v1",
    default_headers={"X-API-Key": "crc_your_comply_key"},
)

# Same API — now with full compliance coverage
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Analyse this contract..."}],
)
# Response includes X-CRP-Comply-Record-ID header for audit trail
```
Every request now flows through 13+ CRP security subsystems automatically.
### 4. Use the Dashboard
Access audit trails, compliance reports, DPIAs, evidence packs, and real-time compliance metrics — all from your browser at comply.crprotocol.io.
### 5. REST API
Access the full compliance API at https://comply.crprotocol.io/api/docs — interactive OpenAPI documentation included.
## CLI Tool

CRP Comply includes a command-line interface for offline compliance operations:

```bash
# Start the CRP Comply server locally
crp-comply serve --port 8400

# Generate EU AI Act + ISO 42001 compliance report
crp-comply report --format markdown

# Run EU AI Act Art. 6 risk assessment
crp-comply risk-assess --category healthcare --personal-data --json

# Generate GDPR Art. 35 DPIA
crp-comply dpia --system-name "Patient Triage AI" --format markdown

# Generate EU AI Act Art. 13 transparency declaration
crp-comply transparency

# Generate Art. 11 technical documentation
crp-comply technical-docs --category healthcare

# Audit a persisted CRP session file
crp-comply audit /path/to/session.json --format markdown

# Generate complete conformity evidence pack for regulators
crp-comply evidence-pack --system-name "My AI System" --output evidence.json
```
## Security
| Control | Implementation |
|---|---|
| Authentication | API keys (SHA-256 hashed) + JWT tokens |
| Encryption | AES-256-GCM at rest, HMAC-SHA256 binding |
| Path safety | Session file access restricted to allow-listed directories |
| Input validation | All requests validated via Pydantic schemas |
| Docker | Non-root comply user, health checks |
| Secrets | JWT secret via env variable, never committed |
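The Security table above states that API keys are stored SHA-256 hashed, and the REST API section lists create, list and revoke endpoints for them. The block below is an added illustration of that storage pattern, not CRP Comply's code: it assumes keys of the form `crc_<random>` (the prefix is taken from the Quick Start example; the rest of the format is hypothetical), persists only the digest, authenticates with a constant-time comparison, and refuses revoked keys. Because such keys are long random tokens rather than human-chosen passwords, a plain SHA-256 digest is the appropriate choice; salting and key stretching are needed for low-entropy secrets, not for these.

```python
"""API-key issuance and storage with SHA-256 digests: an added illustration,
not CRP Comply's code. The plaintext key is returned to the caller exactly once;
only its digest is kept, so a leaked key table cannot be replayed against the API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Any, Optional

KEY_PREFIX = "crc_"  # prefix seen in the Quick Start example; remaining format is assumed


def hash_key(api_key: str) -> str:
    """Digest used for storage and lookup. Keys are high-entropy, so no salt is needed."""
    return hashlib.sha256(api_key.encode()).hexdigest()


@dataclass
class KeyRecord:
    key_id: str
    digest: str
    label: str
    revoked: bool = False


@dataclass
class KeyStore:
    """In-memory stand-in for the key table; a real deployment would persist this."""
    records: dict[str, KeyRecord] = field(default_factory=dict)

    def create(self, label: str) -> tuple[str, str]:
        """Issue a key. Returns (key_id, plaintext); the plaintext is never stored."""
        api_key = KEY_PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(8)
        self.records[key_id] = KeyRecord(key_id, hash_key(api_key), label)
        return key_id, api_key

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the key_id of a valid, unrevoked key, or None.

        The digest comparison is constant-time so a wrong key cannot be
        distinguished from a revoked one by timing.
        """
        if not presented.startswith(KEY_PREFIX):
            return None
        digest = hash_key(presented)
        for rec in self.records.values():
            if hmac.compare_digest(rec.digest, digest) and not rec.revoked:
                return rec.key_id
        return None

    def revoke(self, key_id: str) -> bool:
        """Mark a key unusable without deleting its record, preserving the audit history."""
        rec = self.records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def list_keys(self) -> list[dict[str, Any]]:
        """What a GET /keys style listing would expose: never the digest, never the plaintext."""
        return [{"id": r.key_id, "label": r.label, "revoked": r.revoked}
                for r in self.records.values()]


if __name__ == "__main__":
    store = KeyStore()
    kid, key = store.create("ci-pipeline")
    print("issued", kid, "authenticates as", store.authenticate(key))
    store.revoke(kid)
    print("after revoke:", store.authenticate(key))
```

The listing deliberately omits the digest: even though a SHA-256 digest of a random key is not reversible, exposing it would let anyone holding a candidate key confirm it offline, which an API should never make easier than an authenticated request.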
## Who Is This For?
| Role | Problem | Solution |
|---|---|---|
| AI Engineer | Building LLM apps, no time for compliance | Drop-in compliance — every CRP session is already audit-ready |
| Compliance Officer | EU AI Act deadline approaching, need evidence | One-click evidence packs, live compliance scoring |
| CTO | Board wants AI governance, you want to ship | Compliance-as-code — zero manual processes |
| Auditor | Need to verify AI system compliance | Tamper-evident audit trails, session reconstruction |
| Regulator | Need standardised AI documentation | Art. 11 tech docs, Art. 13 transparency, Art. 6 risk classification |
## Contact

- General Enquiries
- Enterprise & Licensing
- Security
CRP Comply is a product of AutoCyber AI Pty Ltd (ABN 22 697 087 166). Built on the Context Relay Protocol. "Context Relay Protocol" is a trademark of Constantinos Vidiniotis (application pending, IP Australia Class 9).