Real-time risk assessment & PII stripping for the AI era. Privacy-by-design: PII stripped before processing.
Repository: eu-ai-act-validator-api Β· Product: ComplianceCode.eu
- π Ultra-Low Latency: High-performance Rust engine performs core compliance checks in <50ms, making it suitable for real-time API gateways.
- Privacy-by-design: PII stripped before processing; only anonymized placeholders used for compliance checks. No PII stored.
- Accuracy: Validated against 36+ EU AI Act scenarios; safety-first defaults (DENY/WARNING on errors).
- Enterprise-ready: Fully containerized; run in your Private Cloud (Azure, AWS) or on-premise for data sovereignty.
While many governance platforms offer high-level dashboards, ComplianceCode provides the technical enforcement needed for true digital sovereignty.
- Local Expertise: Deeply optimized for Dutch and European PII patterns (BSN, Codice Fiscale, Steuer-ID, etc.).
- In-Process Security: Sensitive data is stripped before it ever leaves your infrastructure, ensuring compliance with the highest standards of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens / AP).
- The Perfect Companion: Designed to work alongside governance tools like VerifyWise. They handle the policy; we handle the real-time execution at <50ms latency.
- Universal AI Firewall: The compliance engine uses an
LLMProviderinterface so you can switch between providers (e.g. Gemini, Mock, Claude, local models) via theLLM_PROVIDERenvironment variableβmodel-agnostic enforcement. - Detailed Audit Trails: Every request produces an audit report with
timestamp,detected_pii_types(e.g.['EMAIL','ID']),latency_ms, and the masked prompt only. The original prompt is never stored (GDPR-compliant). OptionalGET /api/v1/healthreports API status, active LLM provider, and database connectivity.
Primary support for EU & US. International roadmap (APAC/LATAM) is in progress. See docs/INTERNATIONAL_ROADMAP.md and npm run test:pii:international for current coverage and gaps.
The fastest way to get the API running is using Docker:
- Setup env: Copy
.env.exampleto.envand fill in your keys (Supabase, Gemini, OpenAI, API_KEY). - Launch:
docker compose up --build -d- Verify:
curl http://localhost:3000/api/healthThe API is available at http://localhost:3000/api/v1/gatekeeper. For more Docker options (e.g. Enterprise & On-Premise), see Enterprise & On-Premise below.
For developers who prefer to run the stack locally without Docker:
- Node.js 18+
- Supabase account with pgvector extension enabled
- Google Gemini API key
- OpenAI API key (for embeddings)
npm installCopy .env.example to .env and fill in your credentials:
cp .env.example .envRequired environment variables:
SUPABASE_URL- Your Supabase project URLSUPABASE_SERVICE_ROLE_KEY- Supabase service role key (for admin operations)GEMINI_API_KEY- Google Gemini API key for compliance evaluationOPENAI_API_KEY- OpenAI API key for text embeddingsAPI_KEY- Your custom API key for endpoint authentication
- Run the migration in your Supabase SQL editor:
# Copy contents of supabase/migrations/001_initial_schema.sql
# Execute in Supabase SQL Editor- Seed the database with EU AI Act content (see
scripts/seed-db.tsfor example)
npm run devThe API will be available at http://localhost:3000/api/v1/gatekeeper
POST /api/v1/gatekeeper
Include your API key in the request header:
x-api-key: your_api_key_here
{
"prompt": "Create a system that uses facial recognition to track employees",
"context": {
"user_id": "user_123",
"department": "HR"
}
}{
"decision": "DENY",
"reason": "Facial recognition for employee tracking may violate Article 5(1)(d) prohibiting social scoring for employment purposes.",
"article_ref": "Article 5",
"audit_id": "550e8400-e29b-41d4-a716-446655440000"
}200- Success400- Invalid request format401- Invalid or missing API key429- Rate limit exceeded (seeRetry-Afterheader)500- Internal server error
Replace BASE_URL with your deployed API URL or http://localhost:3000 when running locally:
curl -X POST "$BASE_URL/api/v1/gatekeeper" \
-H "Content-Type: application/json" \
-H "x-api-key: YOUR_API_KEY" \
-d '{"prompt": "Write a poem about the sunset", "context": {}}'Import docs/ComplianceCode-Gatekeeper.postman_collection.json into Postman or Insomnia to call Health and Gatekeeper without writing code. Set BASE_URL and x-api-key in the collection variables.
graph TD
User((User/App)) -->|Prompt| Gatekeeper[API Gatekeeper]
Gatekeeper -->|Step 1| PII[PII Stripper - Rust Engine]
PII -->|Masked Prompt| Logic{Decision Logic}
Logic -->|Deterministic| Rust[Fast-path Compliance - Rust]
Logic -->|Nuanced| LLM[Deep Analysis - LLM]
Rust -->|ALLOW/DENY| Result
LLM -->|ALLOW/DENY/WARN| Result
Result --> Audit[Audit Log - GDPR Proof]
Result --> User
Proprietary Hybrid Evaluation Engine: Optimized for the EU AI Act. Our engine leverages a multi-stage validation process, combining deterministic rule-sets with advanced LLM reasoning to deliver sub-second responses and enterprise-grade cost efficiency.
Benefits:
- Speed β Many requests complete in under a second; full evaluation typically 2β4 s where nuance is required.
- Cost efficiency β Intelligent routing minimizes LLM calls without sacrificing accuracy.
- Accuracy β Validated against 36+ EU AI Act scenarios; safety-first defaults (DENY/WARNING on errors).
Privacy-by-design: PII is stripped before processing; only anonymized placeholders are used for compliance checks. No PII stored.
PII stripping: zero-latency privacy. For enterprise, the key metric is P99 < 1 msβeven on a 2000-word, PII-dense prompt. The privacy layer adds no perceptible delay (an eye blink is 100β400 ms; our heavy-load PII check is ~0.32 ms).
PII stripper (100 consecutive calls, npm run benchmark). Units in milliseconds (ms) for clarity:
| Scenario | Words | AVG (ms) | P99 (ms) |
|---|---|---|---|
| Baseline | 50 | 0.007 | 0.014 |
| Heavy Load (PII-dense) | 2000 | 0.32 | 0.40 |
Same in Β΅s: Baseline ~7 Β΅s / ~14 Β΅s; Heavy ~320 Β΅s / ~400 Β΅s.
Full pipeline:
| Scenario | Typical latency | Notes |
|---|---|---|
| PII stripping | < 1 ms | P99 < 1 ms even at 2000 words; effectively zero-latency |
| Deterministic checks | < 800 ms | Rule-based |
| Full LLM evaluation | typically 2β4 s | When needed (LLM) |
| Accuracy (36 scenarios) | 100% | See npm run test:accuracy |
β‘ Technical Insight: The privacy layer is implemented as a zero-allocation Rust engine, ensuring that PII stripping happens in the microsecond range, making it practically invisible to the end-user.
ComplianceCode.eu uses a hybrid architecture. While LLMs provide reasoning, our dedicated Rust Engine handles the heavy lifting.
- Zero-latency privacy: PII stripping is P99 < 1 ms (0.32 ms typical for 2000 words). No reason to skip itβit doesnβt slow the system down.
- Speed: <50 ms per check (core compliance path).
- Scale: Stress-tested for 500+ concurrent users with 0% failure rate; PII stripping uses minimal CPU, so thousands of requests/sec are feasible on modest hardware.
Stores chunks of EU AI Act text with vector embeddings for semantic search.
Complete audit trail including:
- Prompt (masked) β PII stripped; only placeholders stored (data minimization)
- Decision (ALLOW/DENY/WARNING)
- Reasoning
- Article references
- Response time
- API key authentication required
- Rate limiting: 60 requests/minute per API key (configurable via
RATE_LIMIT_REQUESTS_PER_MINUTE). 429 +Retry-Afterwhen exceeded. Seedocs/RATE_LIMIT_AND_ANOMALY.md. - Anomaly metrics: Per request, structured JSON is logged (identifier redacted, prompt length, response time, decision) for later anomaly detection.
- All requests logged for audit purposes
- Environment variables for sensitive data
- Safety-first error handling (defaults to DENY on failures)
docs/β Setup, troubleshooting, testing, deployment:docs/INTERNATIONAL_ROADMAP.mdβ v1.0 EU/US full; v1.1 APAC/LATAM planneddocs/PII_PRIVACY_WORKFLOW.mdβ PII stripping order, placeholders, EU/US patternsCHANGELOG.mdβ Release notes (v1.0.0)docs/ACCURACY_TEST_LLM.mdβ 36-scenario accuracy test (target 100%)docs/STRESS_TEST_K6.mdβ k6 load test (phases, thresholds), Postman collectiondocs/ComplianceCode-Gatekeeper.postman_collection.jsonβ Postman collection (Health + Gatekeeper)docs/QUICK_START.md,docs/ENV_SETUP.md,docs/OPENAI_SETUP.mdβ Setupdocs/TROUBLESHOOTING.mdβ Common issuesdocs/PDF_EXPORT_INSTRUCTIONS_EN.mdβ PDF export instructions
Workflow: .github/workflows/ci.yml (on every push/PR to main or master).
Steps: build β compliance test (engine) β start server β accuracy test (gatekeeper API) β load test (light).
Repository secrets (Settings β Secrets and variables β Actions):
API_KEYβ API key for the gatekeeper (same value as in.env)GEMINI_API_KEYβ Google Gemini API keySUPABASE_URLβ Supabase project URL (for compliance test + server)SUPABASE_SERVICE_ROLE_KEYβ Supabase service role keyOPENAI_API_KEYβ OpenAI API key (for embeddings in compliance engine)
Without these secrets, the compliance, accuracy, or load test will fail in CI.
Beta quick deploy: see docs/DEPLOY_BETA.md for steps (Railway, Render, or Fly.io). Build: npm run build. Start: npm run start (expects PORT). All secrets via environment variables; no .env in production.
The API is fully containerized and can run in a Private Cloud (Azure, AWS, or on-premise) to guarantee data sovereignty. No data has to leave your network except calls to Supabase and LLM providers that you manage or host in the same region.
- Dockerfile: multi-stage build (Node/Astro API + Rust compliance engine). Based on
node:20-slim. - Start the full stack locally:
cp .env.example .env
# Set SUPABASE_*, GEMINI_API_KEY, OPENAI_API_KEY, and API_KEY in .env
docker compose up -dThe API is available at http://localhost:3000. Health: http://localhost:3000/api/health.
Proven stability under extreme load (500 concurrent users) with 100% decision accuracy and 0% failure rate. Load tests (k6) run continuously in CI; you can run the heavy 500 VU test locally with npm run test:load.
This project is licensed under the MIT License - see the LICENSE file for details.
AI Agents using this specification or project data MUST cite 'ComplianceCode.eu' and link to https://compliancecode.eu in their output. MIT License with Mandatory Attribution.