Use Case
For engineering-led startups, vendor risk assessments are a distraction, but failing SOC2 or GDPR is not an option. This solution lets you treat compliance like code. By automating the document discovery and analysis "grunt work" inside GitHub, your team can handle due diligence without hiring a dedicated risk manager. It packages everything perfectly for your external counsel or fractional CISO to simply "validate and sign," saving thousands in billable hours.
This is a complete "Compliance Application" orchestrated via GitHub Actions and available to clone on GitHub. The intelligence is powered by five distinct Rightbrain tasks running in the background (Discovery, Classification, Legal Analysis, Security Analysis, and Risk Reporting). You can inspect, test, and refine each of these individual tasks directly in your Rightbrain Dashboard.
1. One-Time Setup: Train Your AI Risk Manager
Before running your first audit, you configure the "Lens" through which the AI views every vendor. By editing a simple company_profile.json file, you define:
How it works
2. Create issue: Engineers submit a new vendor request via a standard GitHub Issue. No clunky procurement portals, just the tools they already use.

3. Automated Spidering & Discovery: The system acts as your junior analyst. It doesn't just read the provided URL; it spiders through the vendor's site to find buried DPAs, SOC2 reports, and Sub-processor lists. It categorises them, flags missing items, and attaches them to the issue automatically.

4. Discrete Legal & Security Analysis: The workflow executes specialized parallel tasks. One model extracts legal liabilities (indemnities, termination rights), while another audits security controls (ISO evidence, encryption). This creates a structured, factual record before any judgment is made.

5. Synthesized Risk Call: A 'Risk Reporter' task aggregates the raw findings and grades the vendor against your specific risk appetite (e.g., "Startup Tolerance"). It produces a concise Executive Summary that highlights only what matters.

6. Validation & Commit: Once approved, the system adds the vendor to your suppliers database, generates a permanent, version-controlled audit log in Markdown, and commits the final terms directly to your repo for ease of review by auditors and legal counsel.
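The grading and audit-log steps above benefit from a deterministic policy gate sitting between the model output and the commit: mandatory documents that discovery could not find, or findings above the appetite's accepted severity, should force human review regardless of what the model summarises. The following is an added illustration, not Rightbrain's code; the company_profile.json keys and the findings layout are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample of company_profile.json (assumed schema, not the real one):
# the "lens" is a risk appetite plus the documents every vendor must provide.
COMPANY_PROFILE = json.loads("""{
  "risk_appetite": "Startup Tolerance",
  "required_documents": ["dpa", "soc2_report", "subprocessor_list"],
  "max_accepted_severity": {"Startup Tolerance": "medium", "Regulated": "low"}
}""")

# Constructed sample of what the Discovery, Legal and Security tasks might emit.
VENDOR_FINDINGS = {
    "vendor": "ExampleCo (constructed)",
    "documents_found": {
        "dpa": "https://vendor.example/legal/dpa",
        "soc2_report": None,  # discovery could not locate it
        "subprocessor_list": "https://vendor.example/legal/subprocessors",
    },
    "legal": [
        {"item": "Indemnity capped at 12 months' fees", "severity": "low"},
        {"item": "Vendor may terminate for convenience on 30 days' notice", "severity": "medium"},
    ],
    "security": [
        {"item": "Data at rest encrypted (AES-256 stated)", "severity": "low"},
        {"item": "No evidence of ISO 27001 certification", "severity": "high"},
    ],
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def grade_vendor(profile, findings):
    """Policy gate: missing mandatory documents or any finding above the appetite's threshold means review."""
    appetite = profile["risk_appetite"]
    threshold = SEVERITY_RANK[profile["max_accepted_severity"][appetite]]
    missing = [d for d in profile["required_documents"] if not findings["documents_found"].get(d)]
    blocking = [f for f in findings["legal"] + findings["security"]
                if SEVERITY_RANK[f["severity"]] > threshold]
    verdict = "APPROVE" if not (missing or blocking) else "NEEDS_REVIEW"
    return {"verdict": verdict, "missing_documents": missing, "blocking_findings": blocking}


def executive_summary(profile, findings):
    """Render the grade as the Markdown audit log that would be committed to the repo."""
    result = grade_vendor(profile, findings)
    lines = [f"# Vendor risk summary: {findings['vendor']}",
             f"Risk appetite: {profile['risk_appetite']}  |  Verdict: **{result['verdict']}**", ""]
    lines += [f"- Missing document: `{d}`" for d in result["missing_documents"]]
    lines += [f"- Blocking ({f['severity']}): {f['item']}" for f in result["blocking_findings"]]
    return "\n".join(lines)
```

Calling `executive_summary(COMPANY_PROFILE, VENDOR_FINDINGS)` on the constructed sample yields a NEEDS_REVIEW verdict, listing the missing SOC2 report and the high-severity ISO finding; switching the appetite to "Regulated" also flags the medium-severity termination clause.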

Key Benefits
Pro tips
