A TypeScript library for AI governance and compliance tracking. Answers the question: what regulations apply to my AI system, and can I prove we've met them?
ComplyTrail takes a questionnaire about your AI system and maps it to the compliance requirements that actually apply — EU AI Act, GDPR, HIPAA, NIST AI RMF, ISO 42001, CCPA, and more. It then tracks evidence collection, deadlines, and generates audit-ready export packets.
Core workflow:
- Wizard — Answer questions about your AI system (does it handle PII? is it high-risk under the EU AI Act? does it make automated decisions?). The wizard maps your answers to applicable requirements using confidence-scored rules.
- Evidence — Upload or link artifacts to each requirement. Evidence is versioned and immutable. Reviews require a second actor (separation of duties).
- Deadlines — Track due dates per requirement. Get reminder events at T-30/T-14/T-7/T-1/overdue windows. Escalate overdue items to managers.
- Audit packet — Export a structured packet containing the requirement summary, evidence index, and project-scoped activity log. Ready to hand to an auditor.
19 templates across the major frameworks:
| Framework | Templates |
|---|---|
| EU AI Act | Conformity assessment, Annex IV technical docs, post-market monitoring, transparency disclosure, model card, AI literacy training, GPAI transparency report |
| GDPR | Data inventory, DPIA, automated decision-making rights notice |
| HIPAA | Business Associate Agreement, incident response plan |
| NIST AI RMF | Organizational profile, adversarial robustness testing |
| ISO 42001 | Data inventory, vendor assurance |
| CCPA/CPRA | Automated decision-making opt-out |
| General | Human review checkpoint, bias/fairness testing, data lineage & provenance |
```sh
npm install complytrail
```

```typescript
import { ComplyTrailApi } from "complytrail";

const api = new ComplyTrailApi();

// Run the wizard — answers drive requirement mapping
const result = api.runWizard(
  "project-id",
  {
    // Required
    handlesPii: true,
    highRiskDecisioning: false,
    modelProvider: "third_party",
    hasHumanOversight: true,
    markets: ["eu", "us"],
    // Optional — unlock more specific framework routing
    euAiActRiskTier: "limited",
    makesAutomatedDecisions: true,
    deploymentSector: ["healthcare"],
    hasGpaiComponent: false,
    trainingDataContainsPii: true,
  },
  "actor-id",
  "owner",
  new Date().toISOString(),
);
console.log(result.requirements); // ProjectRequirement[]
console.log(result.warnings); // compliance warnings (not errors)

// Upload evidence
api.evidence.upload({
  artifactKey: "privacy-policy-v3",
  uploaderId: "editor-1",
  mimeType: "application/pdf",
  sizeBytes: 48_000,
  content: "...",
  at: new Date().toISOString(),
});

// Link evidence to a requirement
const link = api.evidence.linkToRequirement({
  requirementId: result.requirements[0].id,
  artifactKey: "privacy-policy-v3",
  linkedBy: "editor-1",
  at: new Date().toISOString(),
});

// Review it (reviewer must be a different actor)
api.evidence.reviewLink(
  link.id,
  "accepted",
  "Meets GDPR Art. 13 requirements",
  "reviewer-2",
  "owner",
  new Date().toISOString(),
);

// Transition requirement status (state machine enforced)
api.updateRequirementStatus(result.requirements[0].id, "in_progress", "owner-1", new Date().toISOString());

// Export audit packet
const packet = api.packet.exportPacket({
  projectId: "project-id",
  requirements: api.wizard.listBoard("project-id"),
  links: api.evidence.listAllLinks(),
  at: new Date().toISOString(),
});
```

Required at publish:
| Field | Type | Description |
|---|---|---|
| `handlesPii` | `boolean` | System processes personal data at inference time |
| `highRiskDecisioning` | `boolean` | System makes or substantially influences high-stakes decisions |
| `modelProvider` | `"internal"` \| `"third_party"` | Who provides the model |
| `hasHumanOversight` | `boolean` | Human review exists for outputs |
| `markets` | `string[]` | Deployment markets (`"eu"`, `"us"`, `"us-ca"`, etc.) |
Optional (unlock additional framework routing):
euAiActRiskTier, deploymentSector, affectedPopulation, makesAutomatedDecisions, trainingDataContainsPii, sensitiveDataCategories, dataResidencyRegions, aiSystemPurpose, modelType, hasGpaiComponent, operatesInRealtime, modelUpdateFrequency, humanOversightType, modelExplainabilityLevel, adversarialTestingPerformed, hasIncidentResponsePlan, existingCertifications, procuresAiFromMarketplace
Requirements follow a defined state machine — no skipping steps:

```
not_started → in_progress → ready_for_review → accepted
                  ↕                ↕
               blocked ←───────────┘
```

Use `api.updateRequirementStatus(requirementId, newStatus, actorId, at)` for all transitions. Invalid transitions throw.
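As an added example (not ComplyTrail's own code), here is a minimal enforcement of such a state machine together with an auditor-side replay check over the activity log that an audit packet would carry. The transition table is an assumption read from the diagram above: the happy path is linear, `blocked` is reachable from `in_progress` and `ready_for_review` and returns to either, and `accepted` is terminal. The names `updateRequirementStatus`, `replayHistory`, `StatusEvent` and `InvalidTransitionError` are illustrative, not the library's API.

```typescript
// Added example: not ComplyTrail's own code. The transition table is an assumption
// read from the README diagram; adjust it if the library's real table differs.

export type RequirementStatus =
  | "not_started" | "in_progress" | "ready_for_review" | "accepted" | "blocked";

// Assumed table: linear happy path, "blocked" parks a working item and returns
// to either working state, "accepted" has no outgoing transitions.
const TRANSITIONS: Readonly<Record<RequirementStatus, readonly RequirementStatus[]>> = {
  not_started: ["in_progress"],
  in_progress: ["ready_for_review", "blocked"],
  ready_for_review: ["accepted", "blocked"],
  blocked: ["in_progress", "ready_for_review"],
  accepted: [],
};

export interface Requirement { readonly id: string; readonly status: RequirementStatus; }

// One row of the project-scoped activity log that an audit packet exports.
export interface StatusEvent {
  readonly requirementId: string;
  readonly from: RequirementStatus;
  readonly to: RequirementStatus;
  readonly actorId: string;
  readonly at: string;
}

export class InvalidTransitionError extends Error {
  constructor(id: string, from: RequirementStatus, to: RequirementStatus) {
    super(`requirement ${id}: ${from} -> ${to} is not a permitted transition`);
    this.name = "InvalidTransitionError";
  }
}

export function canTransition(from: RequirementStatus, to: RequirementStatus): boolean {
  return TRANSITIONS[from].includes(to);
}

// Applies one transition, throwing on anything the table does not allow, and
// records it. Requirements are treated as immutable values; a new one is returned.
export function updateRequirementStatus(
  req: Requirement, to: RequirementStatus, actorId: string, at: string, log: StatusEvent[],
): Requirement {
  if (!canTransition(req.status, to)) throw new InvalidTransitionError(req.id, req.status, to);
  log.push({ requirementId: req.id, from: req.status, to, actorId, at });
  return { ...req, status: to };
}

// Auditor-side check: replay one requirement's status events from not_started and
// confirm every step was legal and contiguous. Returns the final status, or null
// if the history contains a skipped, forged or out-of-order step.
export function replayHistory(
  requirementId: string, events: readonly StatusEvent[],
): RequirementStatus | null {
  let current: RequirementStatus = "not_started";
  for (const e of events) {
    if (e.requirementId !== requirementId) continue;
    if (e.from !== current || !canTransition(e.from, e.to)) return null;
    current = e.to;
  }
  return current;
}
```

The replay check is the part worth keeping even if you never reimplement the state machine: when an auditor receives the packet, replaying the activity log is how they confirm that nothing went from `not_started` straight to `accepted`.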
In-memory by default. All state lives in process memory and is gone when the process exits. ComplyTrail is a library, not a database. Wrap the services with your own repository layer (SQLite, Postgres, etc.) and inject it. The service constructors accept the audit and telemetry services as dependencies.
Authentication is the caller's responsibility. `actorId` and `role` are trusted inputs: derive them from a verified session or token, never from request data, before calling.
Audit log is append-only. Events are never mutated. Evidence reviews are immutable once accepted or rejected. These properties are enforced by the services, not by the storage, so they hold only as long as consumers don't bypass the services; anything that writes to the underlying store directly can still rewrite history.
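As an added example (not ComplyTrail's own code) of the guarantees the last three points and the "Reviews require a second actor" rule describe, the block below keeps an append-only audit log whose events are frozen and hash-chained, so a log rehydrated from your own repository layer can be verified rather than trusted, and records an evidence review only when the reviewer is an actor other than the uploader and linker. The names `AuditLog`, `reviewLink`, `Actor`, the role set (`owner`, `editor`, `reviewer`) and the event shape are illustrative assumptions, not the library's API; `node:crypto` is used for SHA-256.

```typescript
// Added example: not ComplyTrail's own code. Names, role set and event shape are
// illustrative assumptions. Requires Node's crypto module.
import { createHash } from "node:crypto";

// Assumed role set; the README only shows "owner" being passed.
export type Role = "owner" | "editor" | "reviewer";

// Populate this from a verified session, never from request input
// (the README says actorId and role are trusted inputs).
export interface Actor { readonly id: string; readonly role: Role; }

export interface AuditEvent {
  readonly seq: number;
  readonly type: string;
  readonly actorId: string;
  readonly at: string;
  readonly payload: Readonly<Record<string, unknown>>;
  readonly prevHash: string; // hash of the previous event, "" for the first
  readonly hash: string;     // SHA-256 over every field above, including prevHash
}

function hashEvent(body: Omit<AuditEvent, "hash">): string {
  return createHash("sha256").update(JSON.stringify(body)).digest("hex");
}

export class AuditLog {
  private readonly events: AuditEvent[] = [];

  // The only write path: every event is frozen and chained to its predecessor.
  append(type: string, actorId: string, at: string, payload: Record<string, unknown>): AuditEvent {
    const prev = this.events[this.events.length - 1];
    const body = {
      seq: this.events.length, type, actorId, at,
      payload: Object.freeze({ ...payload }), prevHash: prev ? prev.hash : "",
    };
    const event: AuditEvent = Object.freeze({ ...body, hash: hashEvent(body) });
    this.events.push(event);
    return event;
  }

  // Rehydrate from a repository layer (rows read back from Postgres, say) without trusting them.
  static load(events: readonly AuditEvent[]): AuditLog {
    const log = new AuditLog();
    log.events.push(...events);
    return log;
  }

  list(): readonly AuditEvent[] { return this.events.slice(); }

  // Recompute the chain. Returns the seq of the first event that fails, or -1 if intact.
  verify(): number {
    let prevHash = "";
    for (let i = 0; i < this.events.length; i++) {
      const e = this.events[i];
      const { hash, ...body } = e;
      if (e.seq !== i || e.prevHash !== prevHash || hashEvent(body) !== hash) return e.seq;
      prevHash = hash;
    }
    return -1;
  }
}

export interface EvidenceLink {
  readonly id: string; readonly artifactKey: string;
  readonly uploaderId: string; readonly linkedBy: string;
}
export type Decision = "accepted" | "rejected";
export interface Review {
  readonly linkId: string; readonly decision: Decision; readonly note: string;
  readonly reviewerId: string; readonly at: string;
}

export class SeparationOfDutiesError extends Error {
  constructor(message: string) { super(message); this.name = "SeparationOfDutiesError"; }
}

// Records a review exactly once, by someone other than the submitter, and logs it.
// Assumed policy: editors submit evidence; owners and reviewers decide on it.
export function reviewLink(
  log: AuditLog, reviews: Map<string, Review>, link: EvidenceLink,
  decision: Decision, note: string, reviewer: Actor, at: string,
): Review {
  if (reviewer.role === "editor") throw new Error(`role ${reviewer.role} may not review`);
  if (reviewer.id === link.uploaderId || reviewer.id === link.linkedBy) {
    throw new SeparationOfDutiesError(`${reviewer.id} cannot review evidence they submitted`);
  }
  if (reviews.has(link.id)) throw new Error(`link ${link.id} already reviewed; reviews are immutable`);
  const review: Review = Object.freeze({ linkId: link.id, decision, note, reviewerId: reviewer.id, at });
  reviews.set(link.id, review);
  log.append("evidence.reviewed", reviewer.id, at, { linkId: link.id, artifactKey: link.artifactKey, decision });
  return review;
}
```

Freezing alone only stops accidental in-process mutation; the hash chain is what lets an exporter or auditor detect that a persisted log was edited outside the services, which is the bypass the README warns about.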
Rules are function-based. MappingRule.when is a (answers: WizardAnswers) => boolean — expressive but not serializable. A declarative rule DSL is planned.
```sh
npm install
npm test        # vitest — 87 tests
npm run build   # tsc
```