SOC-2 Type 2 · Security + Confidentiality

Compliance work is deterministic work hiding in an AI costume.

A four-agent CrewAI stack that inventories your tech, drafts your policies, pulls your evidence, and answers your vendor questionnaires — so we can prove it's decoupleable and give it away.

01 · The crew

Four seats. Each one does compliance work an LLM is currently doing at $30k / year at Vanta.
Assessor

Tech Stack Assessor

Maps your stack to applicable Trust Services Criteria. Produces the gap report — what applies, what's met, what's missing.

Author

Policy Writer

Drafts the 15 required SOC-2 policies tailored to your actual stack — Access Control, Incident Response, Change Management, and the rest.

Collector

Evidence Collector

Pulls automated evidence from AWS, GitHub, Okta, PagerDuty, Datadog. Timestamps, source attribution, cryptographic hashes.

Responder

Questionnaire Responder

Answers SIG-Core, CAIQ, and bespoke vendor questionnaires — using your policies + evidence + live posture.

Advisor · optional

Remediation Advisor

Prioritizes gap fixes by control criticality × severity. Handoff-ready remediation plan.

Note

Baseline is the point

These four agents run today with real LLM calls. The metrics they produce become the D-Coupler pass/fail checkpoints.

02 · Run an assessment

Give us a customer profile. The crew kicks off, real API calls, output streams back.
Real Anthropic API calls · 1–3 minutes typical
03 · Then the D-Coupler runs

The output above is the AI-version baseline. The decoupled Python version has to match or beat every metric — or it doesn't ship.

The whole point of building this AI version is so we can decouple it. Every LLM call above maps to code:

Policy Writer → Jinja templates + regex
Evidence Collector → raw API pulls, strip the LLM analysis layer
Questionnaire Responder → RAG over a structured Q&A corpus + rule-based composition, LLM only for genuinely novel questions
Assessor → decision tree on tech-stack signals

Est. 80–90% of runtime LLM calls decouple to code. What's left is the paid product. What we give away is the tool that produced it.
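What the "Assessor → decision tree" seat looks like once decoupled, as an added illustration that is not the crew's own code: tech-stack signals go in, a reproducible gap report (applicable / met / missing) comes out, and because the output is deterministic it can be hashed the way the Evidence Collector hashes its pulls. The criterion numbers are real SOC 2 Trust Services Criteria, but the signal-to-criterion mapping and the sample profile are constructed assumptions.

```python
# Added example, not from the page: a deterministic stand-in for the
# Tech Stack Assessor. Criterion IDs are real TSC references; the
# signal->criterion rules below are a constructed, simplified mapping.
import hashlib
import json

# Each rule: (criterion, description, applies?, met?). Predicates take the
# stack dict; a tool that is absent makes its rules not applicable.
RULES = [
    ("CC6.1", "MFA enforced on identity provider",
     lambda s: "okta" in s, lambda s: s["okta"].get("mfa_enforced", False)),
    ("CC8.1", "Branch protection on default branch",
     lambda s: "github" in s, lambda s: s["github"].get("branch_protection", False)),
    ("CC7.2", "CloudTrail enabled in all regions",
     lambda s: "aws" in s, lambda s: s["aws"].get("cloudtrail_all_regions", False)),
    ("CC7.4", "On-call escalation policy defined",
     lambda s: "pagerduty" in s, lambda s: s["pagerduty"].get("escalation_policy", False)),
    ("C1.1", "Storage buckets block public access",
     lambda s: "aws" in s, lambda s: s["aws"].get("s3_block_public_access", False)),
]


def assess(stack: dict) -> dict:
    """Walk the rule table (the decision tree) and build the gap report."""
    report = {"applicable": [], "met": [], "missing": []}
    for crit, desc, applies, met in RULES:
        if not applies(stack):
            continue
        entry = f"{crit}: {desc}"
        report["applicable"].append(entry)
        report["met" if met(stack) else "missing"].append(entry)
    return report


def fingerprint(report: dict) -> str:
    """SHA-256 over canonical JSON: same signals always give the same digest,
    which is the property an LLM-generated report cannot promise."""
    canonical = json.dumps(report, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed sample customer profile (no real data). PagerDuty is absent,
# so CC7.4 is correctly reported as not applicable rather than as a gap.
SAMPLE_STACK = {
    "okta": {"mfa_enforced": True},
    "github": {"branch_protection": False},
    "aws": {"cloudtrail_all_regions": True, "s3_block_public_access": False},
}

if __name__ == "__main__":
    report = assess(SAMPLE_STACK)
    print(json.dumps(report, indent=2))
    print("fingerprint:", fingerprint(report))
```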