Open‑Source Compliance Platform Comp AI Launches to Automate SOC 2, ISO 27001, HIPAA & GDPR for Start‑ups
What Happened — Comp AI, an AGPL‑v3‑licensed “open‑core” platform, was released on GitHub to automate evidence collection, policy authoring, and device‑level controls for SOC 2, ISO 27001, HIPAA and GDPR. It positions itself as a free alternative to commercial compliance SaaS such as Vanta and Drata.
Why It Matters for TPRM —
- Open‑source code can be inspected for hidden back‑doors, reducing supply‑chain risk.
- Automated evidence reduces manual audit effort, shortening the vendor onboarding timeline.
- The platform’s API and cloud integrations (AWS, GCP, Azure) enable seamless embedding into existing third‑party risk workflows.
Who Is Affected — SaaS vendors, fintech start‑ups, health‑tech firms, and any organization that must demonstrate SOC 2, ISO 27001, HIPAA or GDPR compliance.
Recommended Actions —
- Review Comp AI’s source code and licensing terms before adopting.
- Validate that the Device Agent’s control checks align with your security baselines.
- Map the platform’s evidence outputs to your existing audit evidence repository.
Technical Notes — The core (≈99 % of the code) is open source; a small commercial module adds enterprise features. The AI Policy Editor uses natural‑language prompts to draft policies, while the Automated Evidence engine builds scheduled data‑collection scripts. The Device Agent runs on macOS 14+, Windows 10+, and Ubuntu 20.04+, checking disk encryption, AV, password policy and screen‑lock timeout. No personal data, browsing history, or file contents are harvested. The platform exposes a RESTful API for custom integrations and supports cloud‑native environments (AWS, GCP, Azure).
Source: https://www.helpnetsecurity.com/2026/04/07/comp-ai-open-source-compliance-platform/