Back to Docs
Enterprise Guide
Production-ready compliance, multi-tenancy, self-hosted deployment, and audit trail capabilities for regulated industries and large organizations.
SOC 2 Compliance
The @waymakerai/aicofounder-soc2package automates SOC 2 evidence collection and report generation. It maps CoFounder's guardrails, audit logs, CI scan results, and dashboard metrics to the five AICPA Trust Service Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
import {
EvidenceCollector,
SOC2ReportGenerator,
} from '@waymakerai/aicofounder-soc2';
// Step 1: Collect evidence from CoFounder sources
const collector = new EvidenceCollector();
// Collect from dashboard metrics
await collector.collectFromDashboard({
totalRequests: 450000,
blockedRequests: 1200,
piiDetections: 3400,
injectionAttempts: 89,
complianceViolations: 12,
avgResponseTime: 1200,
uptime: 99.95,
period: { startDate: '2025-01-01', endDate: '2025-12-31' },
});
// Collect from audit logs
await collector.collectFromAuditLog({
timestamp: '2025-06-15T10:30:00Z',
eventType: 'data_access',
severity: 'info',
actor: 'user-123',
action: 'read',
resource: 'agent-config',
outcome: 'success',
details: { ip: '10.0.0.1' },
});
// Collect from CI scans
await collector.collectFromCIScan({
scanId: 'scan-2025-001',
timestamp: '2025-06-15T08:00:00Z',
repository: 'my-org/my-app',
branch: 'main',
passed: true,
findings: 3,
criticalFindings: 0,
details: {},
});
// Collect from guard reports
await collector.collectFromGuardReport({
guardType: 'openclaw',
period: { startDate: '2025-01-01', endDate: '2025-12-31' },
totalChecks: 450000,
violations: 1200,
falsePositives: 23,
topFindings: [
{ type: 'pii_email', count: 2100, severity: 'high' },
{ type: 'injection_direct', count: 45, severity: 'critical' },
],
});
// Step 2: Generate the SOC 2 report
const generator = new SOC2ReportGenerator({
organizationName: 'Acme Corp',
systemName: 'AI Customer Service Platform',
systemDescription: 'LLM-powered customer support with guardrails',
auditPeriod: {
startDate: '2025-01-01',
endDate: '2025-12-31',
},
trustServiceCategories: [
'security',
'availability',
'processing_integrity',
'confidentiality',
'privacy',
],
exportFormat: 'html',
includeEvidence: true,
includeTestResults: true,
auditorName: 'Jane Doe, CPA',
auditorFirm: 'Big Four Audit LLP',
});
const report = await generator.generate(collector.getEvidence());
console.log(report.overallStatus); // 'effective'
console.log(report.controls.length); // Number of controls tested
console.log(report.exceptions); // Any control exceptions
// Export the report
await generator.exportReport(report, './reports/soc2-2025.html');Multi-Tenant Setup
The @waymakerai/aicofounder-multi-tenant package provides tenant isolation for SaaS applications. Each tenant gets their own guard configuration, compliance rules, budget limits, and audit trail.
import { createMultiTenantManager } from '@waymakerai/aicofounder-multi-tenant';
const tenantManager = createMultiTenantManager({
// Default configuration for all tenants
defaults: {
guard: {
pii: 'redact',
injectionSensitivity: 'medium',
toxicity: 'warn',
},
budget: {
limit: 100,
period: 'month',
},
},
});
// Register tenants with custom configurations
await tenantManager.registerTenant({
id: 'tenant-healthcare',
name: 'HealthCo',
config: {
guard: {
pii: 'block', // Stricter PII handling
injectionSensitivity: 'high',
compliance: ['hipaa'],
},
budget: {
limit: 500,
period: 'month',
},
allowedModels: ['claude-sonnet-4-20250514'],
dataResidency: 'us-east-1',
},
});
await tenantManager.registerTenant({
id: 'tenant-fintech',
name: 'FinanceApp',
config: {
guard: {
pii: 'redact',
compliance: ['sec', 'pci', 'sox'],
},
budget: {
limit: 1000,
period: 'month',
},
dataResidency: 'eu-west-1',
},
});
// Get tenant-specific guard instance
const guard = tenantManager.getGuard('tenant-healthcare');
const result = await guard.check(userMessage, context);
// Get tenant-specific dashboard
const dashboard = tenantManager.getDashboard('tenant-healthcare');
const metrics = await dashboard.getSummary({ period: 'day' });
// Tenant isolation: each tenant's data is completely separate
const healthcoCost = await tenantManager.getTenantCost('tenant-healthcare');
const fintechCost = await tenantManager.getTenantCost('tenant-fintech');HIPAA Deployment Checklist
When deploying AI applications that handle Protected Health Information (PHI), ensure all of the following CoFounder configurations are in place.
PII mode set to "block" or "redact" for all PHI types
pii: 'block'HIPAA compliance framework enabled
compliance: ['hipaa']Audit logging enabled at "verbose" level
audit: { enabled: true, level: 'verbose' }Data retention policy configured (max 6 years)
retention: { maxDays: 2190 }Encryption at rest and in transit enabled
encryptAtRest: true, encryptInTransit: trueAccess controls with role-based permissions
access: { requireAuth: true, allowedRoles: [...] }BAA (Business Associate Agreement) in place with cloud providers
N/A - contractual requirementSOC 2 report generation configured
@waymakerai/aicofounder-soc2Security monitoring alerts enabled for PHI access
alerts: [{ type: 'security', enabled: true }]Model output reviewed for PHI before returning to users
guardToolCalls: true (guard both input and output)GDPR Deployment Checklist
For applications processing data of EU residents, configure CoFounder to meet GDPR requirements.
PII detection and redaction enabled for all personal data types
pii: 'redact'GDPR compliance framework enabled
compliance: ['gdpr']Data subject request support (right to access, erasure, portability)
allowExport: true, allowDeletion: trueConsent tracking enabled
requireConsent: truePurpose limitation configured
purposes: ['customer_support', 'analytics']Data retention limits set
retention: { maxDays: 365 }EU data residency for processing and storage
dataResidency: 'eu-west-1'Audit trail for all data processing activities
requireAuditLog: trueData Processing Agreement (DPA) with sub-processors
N/A - contractual requirementPrivacy impact assessment documented
N/A - organizational requirementAudit Trail Requirements
CoFounder maintains a comprehensive audit trail of all AI interactions. Each audit entry records the action type, user, result, violations, timing, and metadata. Audit data feeds into SOC 2 evidence collection and compliance reporting.
import { createOpenClawSkill } from '@waymakerai/aicofounder-openclaw';
const skill = createOpenClawSkill({
pii: 'redact',
compliance: ['hipaa', 'gdpr'],
audit: {
enabled: true,
level: 'verbose', // 'minimal' | 'standard' | 'verbose'
maxEntries: 100000, // Max entries in memory (flush to storage)
},
});
// Every guard check creates an audit entry
// AuditEntry structure:
// {
// timestamp: 1705334400000,
// action: 'input_guard', // input_guard | output_guard | tool_guard | command | compliance_check
// channel: 'web',
// userId: 'user-123',
// sessionId: 'sess-abc',
// result: 'redacted', // allowed | blocked | warned | redacted
// violations: 2,
// processingTimeMs: 12,
// details: { piiTypes: ['email', 'phone'], ... }
// }
// Get audit log
const auditLog = skill.getAuditLog();
console.log(auditLog.length); // Total entries
// Filter audit entries
const blockedEntries = auditLog.filter(
entry => entry.result === 'blocked'
);
// Get guard report (aggregated statistics)
const report = skill.getReport();
console.log(report.totalChecks); // 45,000
console.log(report.blocked); // 120
console.log(report.warned); // 340
console.log(report.passed); // 44,540
console.log(report.redacted); // 890
console.log(report.piiByType); // { email: 500, phone: 200, ssn: 5, ... }
console.log(report.injectionAttempts); // 89
console.log(report.totalCost); // $1,234.56
console.log(report.budgetRemaining); // $765.44Self-Hosted Deployment
Deploy CoFounder in air-gapped environments with local model endpoints. The @waymakerai/aicofounder-core package includes utilities for generating Kubernetes manifests, Docker Compose files, and health monitoring for self-hosted deployments.
import {
createSelfHostedManager,
createAirGappedConfig,
} from '@waymakerai/aicofounder-core';
// Configure for air-gapped deployment
const config = createAirGappedConfig({
localModelEndpoint: {
id: 'local-llm',
name: 'Local LLM (Ollama)',
provider: 'local',
baseUrl: 'http://localhost:11434',
models: ['llama3', 'mistral', 'codellama'],
capabilities: ['chat', 'completion'],
},
localVectorStore: {
id: 'local-qdrant',
provider: 'qdrant',
endpoint: 'http://localhost:6333',
},
licenseKey: process.env.COFOUNDER_LICENSE_KEY,
});
const manager = createSelfHostedManager(config);
// Validate the configuration
const { valid, errors } = manager.validateConfig();
if (!valid) {
console.error('Configuration errors:', errors);
process.exit(1);
}
// Generate deployment manifests
const k8s = manager.generateKubernetesManifests();
// Outputs: deployment.yaml, service.yaml, configmap.yaml, secrets.yaml
const docker = manager.generateDockerCompose();
// Outputs: docker-compose.yml with all services
// Health monitoring
const health = await manager.getHealthStatus();
console.log(health.overall); // 'healthy' | 'degraded' | 'unhealthy'
console.log(health.components);
// {
// llm: { status: 'healthy', latency: 120 },
// vectorStore: { status: 'healthy', latency: 5 },
// guard: { status: 'healthy' },
// dashboard: { status: 'healthy' },
// }Custom Compliance Rules
Beyond the built-in HIPAA, GDPR, CCPA, SEC, PCI, FERPA, and SOX presets, you can define custom compliance rules for industry-specific or organizational requirements.
import { ComplianceEnforcer } from '@waymakerai/aicofounder-compliance';
const enforcer = new ComplianceEnforcer({
strictMode: true,
rules: [
// Industry-specific: Insurance
{
id: 'insurance-disclaimer',
name: 'Insurance Disclaimer Required',
description: 'All insurance-related responses must include a disclaimer',
category: 'custom',
severity: 'high',
tags: ['insurance', 'regulatory'],
check: (input, output, context) => {
const isInsurance = /policy|claim|premium|coverage|deductible/i.test(output);
const hasDisclaimer = /not a guarantee|subject to terms/i.test(output);
return {
compliant: !isInsurance || hasDisclaimer,
action: isInsurance && !hasDisclaimer ? 'append' : 'allow',
replacement: isInsurance && !hasDisclaimer
? output + '\n\nDisclaimer: This information is for reference only and is not a guarantee of coverage. All policies are subject to terms and conditions.'
: undefined,
};
},
},
// Organization-specific: Brand compliance
{
id: 'brand-voice',
name: 'Brand Voice Compliance',
description: 'AI responses must not use competitor names or banned phrases',
category: 'custom',
severity: 'medium',
check: (input, output, context) => {
const competitors = ['CompetitorA', 'CompetitorB'];
const bannedPhrases = ['to be honest', 'as an AI'];
const issues: string[] = [];
competitors.forEach(c => {
if (output.includes(c)) issues.push(`Competitor mentioned: ${c}`);
});
bannedPhrases.forEach(p => {
if (output.toLowerCase().includes(p)) issues.push(`Banned phrase: ${p}`);
});
return {
compliant: issues.length === 0,
action: issues.length > 0 ? 'warn' : 'allow',
issues,
};
},
},
],
});Supported Compliance Frameworks
SOC 2
Trust Service Categories
HIPAA
Healthcare data protection
GDPR
EU data privacy
CCPA
California privacy
PCI DSS
Payment card security
SEC
Financial regulation
FERPA
Education data
SOX
Financial reporting