Comp AI is an open-source (AGPLv3) compliance automation platform and self-hostable alternative to Vanta and Drata. It provides AI-native workflows for SOC 2, ISO 27001, HIPAA, GDPR, and 25+ other frameworks with automated evidence collection across 500+ integrations.
GitHub: https://github.com/trycompai/comp
Website: https://trycomp.ai
License: AGPLv3 (open-core model)
Stack: Next.js, TypeScript, Prisma, PostgreSQL
Self-Hosted Deployment
Docker Setup
# Clone the repository
git clone https://github.com/trycompai/comp.git
cd comp
# Copy environment template
cp .env.example .env
# Configure required environment variables
# Edit .env with database URL, auth secrets, etc.
# Start with Docker Compose
docker compose up -d
# Verify services are running
docker compose ps
# View logs
docker compose logs -f
Local Development Setup
# Clone and install dependencies
git clone https://github.com/trycompai/comp.git
cd comp
pnpm install
# Set up PostgreSQL database
# Run PostgreSQL locally or via Docker; bind the port to localhost only and replace the placeholder password
docker run -d --name comp-db -e POSTGRES_PASSWORD=secret -p 127.0.0.1:5432:5432 postgres:16
# Configure environment
cp .env.example .env
# Edit .env: DATABASE_URL, NEXTAUTH_SECRET, etc.
# Run database migrations
pnpm db:migrate
# Seed initial data (frameworks, controls)
pnpm db:seed
# Start development server
pnpm dev
Environment Configuration
| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL connection string |
| NEXTAUTH_SECRET | Secret used to sign and encrypt session tokens |
| NEXTAUTH_URL | Application base URL |
| SMTP_HOST | Email server for notifications |
| SMTP_PORT | Email server port |
| SMTP_USER | Email authentication user |
| SMTP_PASSWORD | Email authentication password |
| ENCRYPTION_KEY | Key for encrypting sensitive data stored by the platform |
| OPENAI_API_KEY | API key for AI-powered features |
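The two secret variables in the table (NEXTAUTH_SECRET and ENCRYPTION_KEY) must be long random values, and a self-hosted instance should refuse to start while .env still carries placeholders. The script below is an added example, not part of the Comp AI project: it generates the secrets from the OS CSPRNG and runs a preflight check on a .env file before `docker compose up`. The function names (gen_secret, env_value, check_env) and the demo file are this example's own; the variable names are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not Comp AI project code): generate secrets for .env and
# run a preflight check before starting the stack.

# gen_secret: 32 bytes from the OS CSPRNG, hex-encoded (64 characters)
gen_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# env_value FILE NAME: print the (last) value assigned to NAME, without quotes
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_env FILE: non-zero exit if a required variable is unset, a secret is
# shorter than 32 characters or looks like a placeholder, or NEXTAUTH_URL is
# plain http:// on a non-localhost host (session cookies would travel in clear).
check_env() {
  f="$1"; rc=0
  for name in DATABASE_URL NEXTAUTH_URL NEXTAUTH_SECRET ENCRYPTION_KEY; do
    v="$(env_value "$f" "$name")"
    if [ -z "$v" ]; then
      echo "ERROR: $name is not set in $f"; rc=1; continue
    fi
    case "$name" in
      NEXTAUTH_SECRET|ENCRYPTION_KEY)
        if [ "${#v}" -lt 32 ] || echo "$v" | grep -qiE 'change|example|todo|placeholder'; then
          echo "ERROR: $name is too short or still a placeholder"; rc=1
        fi ;;
      NEXTAUTH_URL)
        case "$v" in
          https://*|http://localhost*|http://127.0.0.1*) ;;
          *) echo "ERROR: $name must use https:// outside local development"; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}

# Constructed demo file (not a real deployment); secrets are freshly generated.
DEMO_ENV="${TMPDIR:-/tmp}/comp-demo.env"
umask 077   # the file holds secrets: readable by this user only
cat > "$DEMO_ENV" <<EOF
DATABASE_URL=postgresql://comp_user:db-password@127.0.0.1:5432/comp_db
NEXTAUTH_URL=https://comp.example.internal
NEXTAUTH_SECRET=$(gen_secret)
ENCRYPTION_KEY=$(gen_secret)
EOF
check_env "$DEMO_ENV" && echo "preflight passed for $DEMO_ENV"
```

Run `check_env .env` as the first step of your deployment script so a copied-over `.env.example` never reaches production; the hex encoding keeps the values free of shell and YAML metacharacters, which matters when the same file is consumed by Docker Compose.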
Supported Compliance Frameworks
| Framework | Type | Description |
|---|---|---|
| SOC 2 Type I | Security audit | Point-in-time security controls assessment |
| SOC 2 Type II | Security audit | Ongoing security controls over a period |
| ISO 27001 | Information security | Information security management system |
| HIPAA | Healthcare | Health data privacy and security |
| GDPR | Data privacy | EU General Data Protection Regulation |
| SOX | Financial | Sarbanes-Oxley financial controls |
| PCI DSS | Payment security | Payment card industry data security |
| NIST CSF | Cybersecurity | Cybersecurity framework controls |
| NIST 800-53 | Federal security | Federal information systems security |
| CIS Controls | Security benchmarks | Center for Internet Security controls |
| CCPA | Data privacy | California Consumer Privacy Act |
| ISO 42001 | AI governance | AI management system standard |
| EU AI Act | AI regulation | European Union AI regulation |
Evidence Collection
Integration Categories
| Category | Examples |
|---|---|
| Cloud Providers | AWS, Azure, GCP, DigitalOcean |
| Identity Providers | Okta, Auth0, Azure AD, Google Workspace |
| Version Control | GitHub, GitLab, Bitbucket |
| HR Platforms | BambooHR, Gusto, Rippling, Deel |
| Ticketing Systems | Jira, Linear, Asana, Monday.com |
| Monitoring | Datadog, PagerDuty, Grafana |
| MDM / Endpoint | Jamf, Kandji, Microsoft Intune |
| Communication | Slack, Microsoft Teams |
Connecting Integrations
# Integrations are configured through the web UI
# Navigate to: Settings > Integrations
# For cloud providers, provide:
# - API credentials or IAM role ARN
# - Region/account identifiers
# - Scopes for data access
# AWS integration example setup:
# 1. Create IAM role with read-only policy
# 2. Configure trust relationship for Comp AI
# 3. Enter Role ARN in Comp AI integration settings
# GitHub integration:
# 1. Install Comp AI GitHub App on your org
# 2. Select repositories to monitor
# 3. Authorize requested permissions
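For the AWS steps above, the trust relationship is the part that deserves care: a role that trusts another account's root principal without an ExternalId condition can be assumed by anyone who can talk that account into calling AssumeRole on your behalf (the confused-deputy problem). The script below is an added example and not Comp AI's own tooling; it writes a trust policy that requires the external ID, validates it, and shows the aws CLI calls that create the role with AWS's managed read-only SecurityAudit policy. COMP_AWS_ACCOUNT_ID and COMP_EXTERNAL_ID are placeholders: take the real values from Settings > Integrations in your instance.

```shell
#!/bin/sh
# Added example (not Comp AI project code): least-privilege IAM role for the
# AWS integration, with an ExternalId condition on the trust policy.
# COMP_AWS_ACCOUNT_ID and COMP_EXTERNAL_ID below are placeholders.

# trust_policy PRINCIPAL_ACCOUNT_ID EXTERNAL_ID: print the role's trust policy
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
    }
  ]
}
EOF
}

# validate_trust_policy FILE: 0 only if the policy requires an ExternalId and
# does not trust a wildcard principal.
validate_trust_policy() {
  grep -q '"sts:ExternalId"' "$1" || return 1
  if grep -q '"AWS": "\*"' "$1"; then return 1; fi
  return 0
}

# create_role ROLE_NAME POLICY_FILE: create the role, attach AWS's managed
# read-only SecurityAudit policy and print the role ARN to paste into Comp AI.
# Not called below, so the script runs offline; needs aws CLI credentials.
create_role() {
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document "file://$2" >/dev/null
  aws iam attach-role-policy --role-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/SecurityAudit
  aws iam get-role --role-name "$1" --query Role.Arn --output text
}

COMP_AWS_ACCOUNT_ID="${COMP_AWS_ACCOUNT_ID:-123456789012}"              # placeholder
COMP_EXTERNAL_ID="${COMP_EXTERNAL_ID:-paste-external-id-from-comp-ai}"  # placeholder
POLICY_FILE="${TMPDIR:-/tmp}/comp-ai-trust.json"
trust_policy "$COMP_AWS_ACCOUNT_ID" "$COMP_EXTERNAL_ID" > "$POLICY_FILE"
validate_trust_policy "$POLICY_FILE" && echo "trust policy written to $POLICY_FILE"
# create_role CompAIReadOnly "$POLICY_FILE"   # uncomment to create the role
```

If Comp AI's integration page only offers static access keys for a given account, prefer the role path anyway: a role ARN plus external ID can be revoked by editing one trust policy, while a leaked key has to be rotated everywhere it was copied.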
Evidence Collection Tasks
| Task | Description |
|---|---|
| Auto-collect | Scheduled automatic evidence gathering from integrations |
| Manual upload | Upload screenshots, documents, or exports as evidence |
| API pull | Pull data via integration APIs on demand |
| Webhook listener | Receive real-time evidence via incoming webhooks |
| Agent-based | Deploy lightweight agents for endpoint evidence |
Policy Management
Policy Generation
# AI-assisted policy generation via the dashboard:
# 1. Navigate to Policies section
# 2. Select framework (e.g., SOC 2)
# 3. Choose policy template category
# 4. AI generates draft based on your organization profile
# 5. Review, customize, and approve
# Common policy categories:
# - Information Security Policy
# - Access Control Policy
# - Data Classification Policy
# - Incident Response Plan
# - Business Continuity Plan
# - Acceptable Use Policy
# - Change Management Policy
# - Vendor Management Policy
# - Data Retention Policy
# - Password Policy
Policy Lifecycle
| Status | Description |
|---|---|
| Draft | Initial AI-generated or manually created policy |
| In Review | Sent to stakeholders for feedback |
| Approved | Accepted by policy owner and management |
| Published | Active and distributed to employees |
| Needs Update | Flagged for periodic review or change |
| Archived | Superseded or no longer applicable |
Control Implementation
Control Mapping
| Action | Description |
|---|---|
| Map controls to frameworks | Link organizational controls to framework requirements |
| Assign control owners | Designate responsible individuals per control |
| Set control frequency | Define testing cadence (daily, weekly, monthly, annual) |
| Link evidence | Associate evidence artifacts with controls |
| Cross-map controls | Map one control to multiple framework requirements |
Control Status Tracking
| Status | Meaning |
|---|---|
| Not Started | Control not yet implemented |
| In Progress | Implementation underway |
| Implemented | Control deployed, pending evidence |
| Effective | Control tested and operating effectively |
| Failing | Control not meeting requirements |
| Not Applicable | Control scoped out with justification |
Risk Assessment
Risk Register Workflow
# Risk assessment workflow in Comp AI:
# 1. Identify risks (manual entry or AI-suggested)
# 2. Categorize by domain (operational, technical, compliance)
# 3. Assess likelihood (1-5 scale)
# 4. Assess impact (1-5 scale)
# 5. Calculate inherent risk score
# 6. Define mitigating controls
# 7. Calculate residual risk score
# 8. Assign risk owner and review date
# 9. Monitor and update periodically
Risk Matrix
| Likelihood / Impact | Negligible | Minor | Moderate | Major | Critical |
|---|---|---|---|---|---|
| Almost Certain | Medium | High | High | Critical | Critical |
| Likely | Medium | Medium | High | High | Critical |
| Possible | Low | Medium | Medium | High | High |
| Unlikely | Low | Low | Medium | Medium | High |
| Rare | Low | Low | Low | Medium | Medium |
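Steps 3 to 7 of the workflow above, carried through against this matrix, as an added example that is not Comp AI's own code. Likelihood and impact are the 1-5 scales from the workflow (1 = Rare / Negligible, 5 = Almost Certain / Critical) and the matrix is encoded exactly as printed; note that it is a lookup, not a product (a 4x1 is Medium while a 2x2 is Low). The page does not say how residual risk is derived from mitigating controls, so the model here is an assumption: each control lowers the likelihood and/or impact level by a number of steps. The risk register entries are constructed.

```shell
#!/bin/sh
# Added example (not Comp AI project code): inherent and residual risk scoring
# against the page's 5x5 matrix. The residual model (controls subtract levels)
# is an assumption, not something the page specifies.

# risk_level LIKELIHOOD IMPACT (each 1-5): print the matrix cell
risk_level() {
  l="$1"; i="$2"
  if [ "$l" -lt 1 ] || [ "$l" -gt 5 ] || [ "$i" -lt 1 ] || [ "$i" -gt 5 ]; then
    echo "invalid"; return 2
  fi
  case "$l" in
    5) set -- Medium High High Critical Critical ;;   # Almost Certain
    4) set -- Medium Medium High High Critical ;;     # Likely
    3) set -- Low Medium Medium High High ;;          # Possible
    2) set -- Low Low Medium Medium High ;;           # Unlikely
    1) set -- Low Low Low Medium Medium ;;            # Rare
  esac
  eval "echo \"\${$i}\""
}

# clamp N: keep a level inside 1..5
clamp() {
  n="$1"
  if [ "$n" -lt 1 ]; then n=1; fi
  if [ "$n" -gt 5 ]; then n=5; fi
  echo "$n"
}

# residual LIKELIHOOD IMPACT LIKELIHOOD_REDUCTION IMPACT_REDUCTION:
# apply the mitigating controls' reductions and print "l i level"
residual() {
  rl=$(clamp $(( $1 - $3 )))
  ri=$(clamp $(( $2 - $4 )))
  echo "$rl $ri $(risk_level "$rl" "$ri")"
}

# rank LEVEL: numeric order so a level can be compared with a risk appetite
rank() {
  case "$1" in Low) echo 1 ;; Medium) echo 2 ;; High) echo 3 ;; Critical) echo 4 ;; *) echo 0 ;; esac
}

# exceeds_appetite LEVEL APPETITE: true (0) if LEVEL is above APPETITE
exceeds_appetite() { [ "$(rank "$1")" -gt "$(rank "$2")" ]; }

# Constructed register: "id|likelihood|impact|likelihood_reduction|impact_reduction"
RISKS="R-1|5|5|2|1
R-2|3|4|0|2
R-3|2|2|0|0"
APPETITE=Medium
echo "$RISKS" | while IFS='|' read -r id l i dl di; do
  inh=$(risk_level "$l" "$i")
  set -- $(residual "$l" "$i" "$dl" "$di")
  flag=""
  if exceeds_appetite "$3" "$APPETITE"; then flag=" -> needs further treatment"; fi
  echo "$id inherent=$inh($l,$i) residual=$3($1,$2)$flag"
done
```

The appetite comparison is where the register becomes actionable: a residual level above the organization's stated appetite is what should generate the remediation task and review date in steps 8 and 9, rather than the inherent score.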
Audit Preparation
Readiness Checklist
| Step | Description |
|---|---|
| Gap analysis | Run framework gap analysis to find missing controls |
| Evidence review | Verify all required evidence is collected and current |
| Policy review | Ensure all policies are approved and published |
| Control testing | Validate controls are operating effectively |
| Personnel training | Confirm security awareness training completion |
| Vendor assessment | Review third-party vendor compliance status |
| Remediation | Address identified gaps before audit window |
| Auditor access | Configure read-only auditor portal access |
Auditor Portal
# Set up auditor access:
# 1. Navigate to Settings > Auditor Access
# 2. Create auditor user with read-only permissions
# 3. Select frameworks and scope for the audit
# 4. Share secure portal link with audit firm
# 5. Auditors can view evidence, controls, and policies
# 6. Track auditor requests and comments in-platform
Dashboard and Reporting
Key Metrics
| Metric | Description |
|---|---|
| Compliance score | Overall percentage of controls met per framework |
| Evidence freshness | Age of most recent evidence per control |
| Policy coverage | Percentage of required policies in place |
| Risk posture | Aggregate risk score across all categories |
| Task completion | Progress on remediation and implementation tasks |
| Integration health | Status of connected integration data feeds |
Report Generation
# Available report types:
# - Compliance posture summary (executive view)
# - Framework-specific readiness report
# - Evidence collection status report
# - Risk register export
# - Control effectiveness report
# - Vendor compliance summary
# - Audit trail / activity log
# Reports can be exported as PDF or CSV
# Scheduled reports can be emailed to stakeholders
Team and Role Management
Role-Based Access
| Role | Permissions |
|---|---|
| Owner | Full platform access, billing, user management |
| Admin | Manage frameworks, controls, integrations, users |
| Compliance Manager | Edit policies, controls, evidence, risk register |
| Control Owner | Manage assigned controls and evidence |
| Viewer | Read-only access to dashboards and reports |
| Auditor | Read-only access scoped to audit engagement |
Team Management
# User and team operations via dashboard:
# Settings > Team Members
# Invite team members by email
# Assign roles per user
# Set framework-specific access scopes
# Enable SSO via SAML or OIDC
# Configure MFA requirements
# Review access audit logs
API Usage
REST API Patterns
# API base URL (self-hosted)
BASE_URL="https://your-comp-instance.com/api/v1"
# Authentication: the API key is sent as a bearer token in the Authorization header
# (shown here listing compliance frameworks; keep the key in an environment variable, not in scripts)
curl -H "Authorization: Bearer YOUR_API_KEY" \
"$BASE_URL/frameworks"
# Get controls for a framework
curl -H "Authorization: Bearer YOUR_API_KEY" \
"$BASE_URL/frameworks/soc2/controls"
# Upload evidence artifact
curl -X POST \
-H "Authorization: Bearer YOUR_API_KEY" \
-F "file=@evidence-screenshot.png" \
-F "controlId=CC-1.1" \
-F "description=Access review Q1 2026" \
"$BASE_URL/evidence"
# Get compliance posture summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
"$BASE_URL/reports/posture?framework=soc2"
# List tasks and remediation items
curl -H "Authorization: Bearer YOUR_API_KEY" \
"$BASE_URL/tasks?status=open"
Configuration and Customization
Organization Settings
| Setting | Description |
|---|---|
| Organization profile | Company name, industry, size, locations |
| Framework selection | Enable/disable applicable frameworks |
| Evidence retention | Set retention periods for collected evidence |
| Notification preferences | Email, Slack, or webhook alert configuration |
| Custom fields | Add organization-specific metadata to controls |
| Branding | Custom logo and colors for auditor portal |
| Data residency | Configure storage region for compliance data |
Notification Configuration
# Notification channels:
# - Email digests (daily/weekly compliance summary)
# - Slack integration (real-time alerts)
# - Webhook endpoints (custom integrations)
# Alert triggers:
# - Evidence expiring soon
# - Control status changes
# - New risks identified
# - Policy review due dates
# - Integration connection failures
# - Audit requests received
Database Management
# Database operations (self-hosted)
# Run pending migrations
pnpm db:migrate
# Reset database (caution: destroys data)
pnpm db:reset
# Generate Prisma client after schema changes
pnpm db:generate
# Open Prisma Studio for data inspection
pnpm db:studio
# Create a database backup (the dump holds evidence, policies and integration metadata:
# restrict its file permissions and encrypt it before it leaves the host)
pg_dump -h localhost -U comp_user comp_db > backup.sql
# Restore from backup
psql -h localhost -U comp_user comp_db < backup.sql
Troubleshooting
| Issue | Solution |
|---|---|
| Integration sync failing | Check API credentials and rate limits in Settings |
| Evidence not collecting | Verify integration permissions and connectivity |
| Database migration errors | Run pnpm db:migrate and check PostgreSQL logs |
| Authentication issues | Verify NEXTAUTH_SECRET and NEXTAUTH_URL config |
| AI features not working | Confirm OPENAI_API_KEY is set and valid |
| Slow dashboard loading | Check PostgreSQL performance and indexing |
| Email notifications failing | Verify SMTP configuration and credentials |
| Docker container crashes | Check memory limits and review docker compose logs |