Comp AI

Overview

Comp AI is an open-source compliance automation platform designed to help organizations achieve and maintain SOC 2, ISO 27001, HIPAA, and GDPR compliance. It automates evidence collection, manages policies, maps controls across frameworks, and streamlines audit preparation, reducing manual compliance work and improving security posture.

Installation & Setup

Prerequisites

Docker and Docker Compose (recommended for self-hosted)
Node.js 18+ (for local development)
PostgreSQL 14+ (for data persistence)
Git for cloning the repository

Self-Hosted Deployment via Docker

# Clone the Comp AI repository
git clone https://github.com/complianceai/compai.git
cd compai

# Copy environment configuration
cp .env.example .env

# Edit .env with your settings
nano .env

# Start services with Docker Compose
docker-compose up -d

# Run database migrations
docker-compose exec api npm run migrate

# Access the dashboard at http://localhost:3000

Local Development Setup

# Install dependencies
npm install

# Initialize database
npm run db:init

# Start development server
npm run dev

# Start in watch mode with hot reload
npm run dev:watch

Configuration Files

File	Purpose
`.env`	Environment variables (database, API keys, SMTP)
`config/frameworks.yaml`	Framework definitions and control mappings
`config/policies.yaml`	Organization policy templates
`config/integrations.yaml`	Cloud provider and tool credentials

Framework Configuration

SOC 2 Type II Setup

# Initialize SOC 2 framework
comp-ai framework init --type soc2 --scope service-organization

# Configure trust service criteria
comp-ai framework configure soc2 \
  --cc (security|availability|processing-integrity|confidentiality|privacy)

# Specify audit period
comp-ai framework set-period soc2 \
  --start-date 2024-01-01 \
  --end-date 2024-12-31

ISO 27001 Configuration

# Initialize ISO 27001 framework
comp-ai framework init --type iso27001

# Define asset inventory
comp-ai assets add --name "Database Servers" \
  --type infrastructure \
  --criticality high

# Map organizational scope
comp-ai scope define --departments IT,Security,HR \
  --locations "US-East,EU-West"

HIPAA Compliance Setup

# Initialize HIPAA framework
comp-ai framework init --type hipaa \
  --organization-type covered-entity

# Configure security rules
comp-ai hipaa configure \
  --require-encryption true \
  --audit-log-retention 90 \
  --access-control strict

# Define PHI data locations
comp-ai data-inventory add --classification PHI \
  --location "Cloud Database" \
  --access-restricted true

# Initialize GDPR framework
comp-ai framework init --type gdpr \
  --region EU

# Configure data processing agreements
comp-ai gdpr set-dpa \
  --processor "Cloud Provider Name" \
  --scc-version sccc2021

# Define data subjects and purposes
comp-ai gdpr add-purpose \
  --name "Marketing Communications" \
  --legal-basis legitimate-interest

Evidence Collection Automation

Automated Evidence Sources

Source	Framework	Collection Interval
AWS CloudTrail	SOC 2, ISO 27001	Real-time
GCP Audit Logs	SOC 2, ISO 27001	Real-time
Azure Activity Log	SOC 2, ISO 27001	Real-time
Git Commits	ISO 27001	Hourly
VPN Access Logs	HIPAA, ISO 27001	Continuous
Backup Reports	All	Daily
Vulnerability Scans	All	Weekly
Patch Management	All	Real-time

Enable Evidence Collectors

# Enable AWS evidence collection
comp-ai evidence enable aws \
  --access-key-id ${AWS_ACCESS_KEY} \
  --secret-access-key ${AWS_SECRET_KEY} \
  --regions us-east-1,eu-west-1

# Enable GCP evidence collection
comp-ai evidence enable gcp \
  --project-id my-gcp-project \
  --service-account-key /path/to/key.json

# Enable Azure evidence collection
comp-ai evidence enable azure \
  --tenant-id ${AZURE_TENANT_ID} \
  --subscription-id ${AZURE_SUBSCRIPTION_ID}

Evidence Mapping

# Map evidence to controls
comp-ai evidence map \
  --evidence-id "aws-cloudtrail-123" \
  --control-id "CC6.1" \
  --framework soc2

# Bulk map evidence by pattern
comp-ai evidence map-bulk \
  --pattern "vpc-*" \
  --control-id "CC9.2" \
  --framework iso27001

Evidence Validation

# Validate evidence for completeness
comp-ai evidence validate --framework soc2

# Generate evidence gap report
comp-ai evidence gaps --framework iso27001 --export pdf

Policy Management and Templates

Create and Manage Policies

# Create new policy from template
comp-ai policy create --template "access-control" \
  --name "Access Control Policy v2.0" \
  --framework iso27001

# List all policies
comp-ai policy list --framework all

# Update policy version
comp-ai policy update --policy-id "POL-001" \
  --version "2.1" \
  --change-log "Updated MFA requirements"

# Assign policy to departments
comp-ai policy assign --policy-id "POL-001" \
  --departments IT,Security

Policy Template Library

Template	Framework	Purpose
`access-control`	All	User and system access management
`incident-response`	All	Security incident procedures
`asset-management`	ISO 27001, SOC 2	Asset inventory and lifecycle
`encryption`	All	Data encryption standards
`vulnerability-management`	All	Vulnerability assessment and remediation
`change-management`	SOC 2, ISO 27001	Change approval and tracking
`business-continuity`	ISO 27001, SOC 2	Disaster recovery planning
`dpia`	GDPR	Data Protection Impact Assessment
`consent-management`	GDPR	Consent collection and proof
`data-retention`	GDPR, HIPAA	Data lifecycle and deletion

Policy Evidence Linkage

# Link policy to control
comp-ai policy link --policy-id "POL-001" \
  --control-id "A.9.2.1" \
  --framework iso27001

# Track policy acknowledgments
comp-ai policy ack list --policy-id "POL-001"

# Generate policy effectiveness report
comp-ai policy report --policy-id "POL-001" \
  --include-violations true

Control Mapping Across Frameworks

Framework Comparison

# Show control crosswalk
comp-ai controls crosswalk \
  --source-framework soc2 \
  --target-framework iso27001

# Map specific control
comp-ai controls map --control-id "CC6.1" \
  --from soc2 --to iso27001

# Export crosswalk matrix
comp-ai controls export-matrix \
  --frameworks soc2,iso27001,hipaa \
  --output csv

Control Coverage Analysis

SOC 2 CC	ISO 27001 A.	HIPAA §	GDPR Article
CC1.1	A.15.2.1	164.308(a)(1)	5(1)(a)
CC2.1	A.5.1.1	164.308(a)(2)	5(1)(b)
CC6.1	A.9.2.1	164.312(a)(2)	32(1)(b)
CC6.2	A.9.4.1	164.312(d)	32(1)(c)
CC9.2	A.12.6.1	164.312(b)	32(1)(d)

Control Implementation Status

# Check control implementation status
comp-ai controls status --framework soc2

# Mark control as implemented
comp-ai controls implement --control-id "CC6.1" \
  --evidence-id "POL-001,PROC-002" \
  --implementation-date 2024-03-15

# Track control maturity
comp-ai controls maturity --framework iso27001

Integration with Cloud Providers

AWS Integration

# Connect AWS account
comp-ai integrate aws \
  --access-key-id ${AWS_KEY} \
  --secret-access-key ${AWS_SECRET} \
  --external-id compliance-audit

# Enable specific AWS services
comp-ai integrate aws-enable \
  --services s3,ec2,rds,iam,cloudtrail \
  --auto-remediate false

# Sync AWS Config findings
comp-ai integrate aws-sync \
  --service config \
  --frequency hourly

GCP Integration

# Connect GCP project
comp-ai integrate gcp \
  --project-id my-project \
  --service-account-key /path/to/key.json

# Enable GCP logging
comp-ai integrate gcp-enable \
  --services logging,cloudaudit,compute,iam \
  --sink-dataset compliance_logs

Azure Integration

# Connect Azure subscription
comp-ai integrate azure \
  --tenant-id ${TENANT_ID} \
  --subscription-id ${SUB_ID} \
  --client-id ${CLIENT_ID} \
  --client-secret ${CLIENT_SECRET}

# Configure Azure Policy
comp-ai integrate azure-policies \
  --initiative "SOC2 Compliance" \
  --auto-remediate true

SaaS Tool Integrations

# Connect Okta for access logs
comp-ai integrate okta \
  --org-url https://org.okta.com \
  --api-token ${OKTA_TOKEN}

# Connect GitHub for code evidence
comp-ai integrate github \
  --org myorganization \
  --token ${GITHUB_TOKEN}

# Connect Slack for incident notifications
comp-ai integrate slack \
  --webhook-url ${SLACK_WEBHOOK}

Audit Preparation and Reporting

Generate Audit Reports

# Generate SOC 2 audit report
comp-ai audit report --framework soc2 \
  --period "2024-01-01:2024-12-31" \
  --format pdf \
  --output soc2-report.pdf

# Generate ISO 27001 audit readiness
comp-ai audit readiness --framework iso27001 \
  --include-gaps true \
  --format html

# Create executive summary
comp-ai audit summary --framework hipaa \
  --audience executive

Audit Evidence Collection

# Prepare evidence package for auditor
comp-ai audit evidence-package \
  --framework soc2 \
  --auditor-email auditor@firmname.com \
  --access-duration 30 \
  --output audit-package.zip

# Grant auditor portal access
comp-ai audit grant-access \
  --auditor "John Auditor" \
  --email auditor@firm.com \
  --frameworks soc2,iso27001 \
  --expires 2025-01-31

# Track auditor activity
comp-ai audit auditor-activity --auditor-id AUD-001

Compliance Dashboard

# Generate compliance score
comp-ai dashboard compliance-score \
  --frameworks soc2,iso27001,hipaa,gdpr

# Export dashboard data
comp-ai dashboard export \
  --metrics all \
  --format json \
  --output dashboard-data.json

Continuous Monitoring and Alerting

Configure Monitoring

# Enable real-time monitoring
comp-ai monitor enable \
  --frameworks soc2,iso27001 \
  --alert-threshold critical

# Set up alert rules
comp-ai alerts create \
  --name "Unauthorized Access Attempt" \
  --condition "failed_login_count > 5 in 15m" \
  --severity critical \
  --action slack

# Configure SLA monitoring
comp-ai monitor sla \
  --metric "control-effectiveness" \
  --target 95 \
  --measurement-period monthly

Alert Configuration

Alert Type	Trigger	Default Action
Unimplemented Controls	Control has no evidence	Email security team
Stale Evidence	Evidence older than 30 days	Slack notification
Policy Violations	Non-compliance detected	Escalate to manager
Access Anomalies	Unusual access patterns	Block + alert
Certification Expiry	< 90 days to expiration	Email team lead

Compliance Metrics

# View compliance metrics dashboard
comp-ai metrics dashboard --frameworks all

# Export metrics for analytics
comp-ai metrics export \
  --start-date 2024-01-01 \
  --end-date 2024-12-31 \
  --output metrics.csv

# Generate trend analysis
comp-ai metrics trends \
  --metric "control-coverage" \
  --period quarterly

CLI Commands Reference

Framework Commands

Command	Purpose
`comp-ai framework init --type [soc2\|iso27001\|hipaa\|gdpr]`	Initialize a compliance framework
`comp-ai framework status`	Show framework status and completeness
`comp-ai framework export`	Export framework configuration
`comp-ai framework import --file config.yaml`	Import framework configuration

Evidence Commands

Command	Purpose
`comp-ai evidence list`	List all collected evidence
`comp-ai evidence enable [provider]`	Enable evidence source
`comp-ai evidence validate`	Validate evidence completeness
`comp-ai evidence gaps`	Show evidence gaps by control

Policy Commands

Command	Purpose
`comp-ai policy create --template [name]`	Create policy from template
`comp-ai policy list`	List all policies
`comp-ai policy assign`	Assign policy to teams
`comp-ai policy acknowledge`	Track policy acceptance

Control Commands

Command	Purpose
`comp-ai controls list`	List all controls
`comp-ai controls map`	Map controls across frameworks
`comp-ai controls implement`	Mark control as implemented
`comp-ai controls evidence`	Link control to evidence

Audit Commands

Command	Purpose
`comp-ai audit report`	Generate audit report
`comp-ai audit readiness`	Check audit readiness
`comp-ai audit evidence-package`	Prepare auditor package
`comp-ai audit grant-access`	Grant auditor portal access

API Usage

Authentication

# Get API token
comp-ai api get-token --expires-in 3600

# Use token in requests
curl -H "Authorization: Bearer ${API_TOKEN}" \
  https://api.compai.local/v1/frameworks

API Endpoints

Endpoint	Method	Purpose
`/v1/frameworks`	GET	List frameworks
`/v1/controls`	GET	List all controls
`/v1/evidence`	GET, POST	Manage evidence
`/v1/policies`	GET, POST, PUT	Manage policies
`/v1/audit/report`	POST	Generate report
`/v1/integrations`	GET, POST	Manage integrations

Example API Calls

# Get control details
curl -H "Authorization: Bearer ${TOKEN}" \
  https://api.compai.local/v1/controls/CC6.1

# Submit evidence
curl -X POST -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"control_id":"CC6.1","evidence_type":"screenshot","value":"..."}' \
  https://api.compai.local/v1/evidence

# Get compliance status
curl -H "Authorization: Bearer ${TOKEN}" \
  https://api.compai.local/v1/compliance/status?framework=soc2

Multi-Framework Crosswalking

Unified Control View

# Show all controls across all frameworks
comp-ai crosswalk view --mode unified

# Compare framework requirements
comp-ai crosswalk compare \
  --framework1 soc2 \
  --framework2 iso27001 \
  --output comparison.html

# Identify overlapping controls
comp-ai crosswalk overlap --frameworks soc2,iso27001,hipaa

Control Mapping Matrix

# Generate control equivalency matrix
comp-ai crosswalk matrix \
  --frameworks soc2,iso27001,hipaa,gdpr \
  --format xlsx \
  --output control-matrix.xlsx

# Map custom controls
comp-ai crosswalk map-custom \
  --control-id "CUSTOM-001" \
  --maps-to "CC6.1,A.9.2.1,164.312(a)(2)"

Best Practices

Compliance Strategy

Start with risk assessment: Identify high-impact controls first
Integrate early: Connect cloud providers before evidence collection
Automate evidence: Minimize manual evidence gathering
Regular review: Run compliance checks monthly, not quarterly
Documentation: Maintain clear audit trails for all changes
Team training: Ensure staff understand their policy responsibilities

Maintenance and Updates

# Update framework definitions
comp-ai framework update --type soc2 --version latest

# Refresh all evidence sources
comp-ai evidence refresh --all

# Run compliance health check
comp-ai health check --frameworks all

Security Best Practices

Use OAuth2 for all integrations
Enable audit logging for all platform activities
Rotate API tokens quarterly
Encrypt evidence at rest and in transit
Restrict auditor access by framework and duration
Use network policies to limit database access