Sidecar service for PII scrubbing, DSR intake, consent ledger, retention scheduling, structured audit emission, and bias-math APIs.
v0 — pre-release; targets Phase 5, Q4 2026
DISCLAIMER
This toolkit is software. It identifies potential compliance gaps in code and provides runtime technical controls. It does not constitute legal advice and does not guarantee regulatory compliance. It does not appoint Data Protection Officers, execute Data Processing Agreements, conduct Privacy Impact Assessments, certify compliance with any law or standard, or replace organizational policy, legal counsel, staff training, or incident response processes.
Compliance with applicable laws — including but not limited to PIPEDA, Quebec Law 25, GDPR, CCPA/CPRA, CASL, and applicable AI regulations — is the responsibility of your organization and its qualified advisors. Outputs from this toolkit are technical findings, not legal determinations. Always engage qualified legal counsel for compliance decisions.
compliance-enforce is licensed under the GNU Affero General Public License v3.0.
The AGPL extends the GPL's copyleft to network use: if you modify this service and make it available over a network (including as a hosted SaaS product), you must make your modified source code available to users of that service (AGPL §13). This requirement is intentional. It ensures that operators who build on this enforcer contribute modifications back to the community, preventing proprietary forks of compliance-critical code.
Client SDKs (Python, TypeScript, Go, Java, .NET) that call the sidecar over HTTP/gRPC will be Apache-2.0 or MIT — only the sidecar service itself is AGPL. See compliance-catalog (CC-BY-4.0) and compliance-assess (Apache-2.0) for non-copyleft components.
compliance-enforce is a deployable HTTP/gRPC sidecar. Integrate it alongside your application to add technical compliance controls at runtime without modifying your core service logic.
| Endpoint group | Function |
|---|---|
/v1/scrub-pii |
PII detection and redaction via Microsoft Presidio |
/v1/audit/event |
Structured audit-event emission (structlog → your SIEM/log sink) |
/v1/dsr/* |
Data subject request intake, routing, and status tracking |
/v1/consent/* |
Consent receipt storage, lookup, and withdrawal recording |
/v1/retention/check |
Retention-window enforcement against configured schedules |
/v1/bias/four-fifths |
4/5ths rule bias quantification for NYC LL144 and similar |
/v1/policy/evaluate |
OPA/Rego policy evaluation for custom compliance rules |
- Does not transform consent receipts into legal sufficiency — consent legality is a legal determination.
- Does not certify or attest compliance with any regulation.
- Does not eliminate your organization's obligation to appoint a DPO, execute DPAs, or conduct PIAs.
- Does not perform the independent external bias audit required by NYC Local Law 144 (DCWP §5-300–304) — external auditors only.
compliance-enforce
├── HTTP/gRPC service boundary
├── Policy engine: OPA/Rego (policy rules as code)
├── PII engine: Microsoft Presidio (detection + redaction)
├── Fairness engine: Fairlearn (4/5ths rule math)
├── Audit emitter: structlog → OpenTelemetry collector
└── Storage adapters: pluggable (SQLite default; Postgres for production)
Language decision: Python or Go. This is locked in decisions/0005-enforcer-language.md (authored at the project root, not in this repo) at the start of Phase 5 (Week 1). When this repo is split out to github.com/arkoinc-ca/compliance-enforce, the canonical link will be https://github.com/arkoinc-ca/compliance-toolkit/blob/main/decisions/0005-enforcer-language.md. Do not begin implementation work before that decision record exists.
Client SDKs (Apache-2.0 / MIT) are planned for:
- Python
- TypeScript / JavaScript
- Go
- Java
- .NET (C#)
SDK repositories will be created under arkoinc-ca in Phase 5.
Language decision is now locked: Python 3.11+ asyncio + FastAPI (see decisions/0005-enforcer-language.md).
pip install -e ".[dev]"
compliance-enforce # starts HTTP server on 0.0.0.0:8888
# Or with uv:
uv sync && uv run compliance-enforce| Method | Path | Description |
|---|---|---|
| GET | /healthz |
Liveness probe |
| GET | /v1/info |
Service metadata + source URL |
| GET | /metrics |
Prometheus metrics |
| GET | /openapi.json |
OpenAPI 3.x spec |
| Env var | Default | Description |
|---|---|---|
COMPLIANCE_ENFORCE_SOURCE_URL |
GitHub URL | AGPL §13 source-link header |
COMPLIANCE_ENFORCE_STATE_BACKEND |
memory |
State backend: memory / postgres / redis |
COMPLIANCE_ENFORCE_HOST |
0.0.0.0 |
Bind host |
COMPLIANCE_ENFORCE_PORT |
8888 |
Bind port |
python scripts/export_openapi.py # writes openapi.json to repo rootpip install -e ".[dev]"
pytest -q
mypy src
ruff check src testsLicensed under AGPL-3.0. See the "Why AGPL-3.0?" section above. Client SDKs will carry permissive licenses (Apache-2.0 or MIT).