Compliance

CyComply

DORA + securities-regulator RegTech for small investment firms and crypto-asset providers

Built by Rogue AI · DORA Register of Information + regulator obligation tracking · Self-hosted · Early-stage

Built solo as a scaffold-stage RegTech project in a self-hosted lab; the DORA Register of Information XBRL-CSV export is the first piece that validates clean, with the incident workflow still in progress.

The problem

Small investment firms and crypto-asset service providers fall under DORA but rarely have a compliance engineering team. They still owe a DORA Register of Information on their ICT third parties, ICT-incident reporting against fixed regulatory clocks, and a way to keep track of what their securities regulator publishes and what currently applies to them. The Register has to be filed as an EBA-format XBRL-CSV package — easy to get subtly wrong by hand, and a heavyweight enterprise GRC suite is overkill for a firm of this size.

What I built

A self-hosted compliance cockpit covering the parts of DORA and securities-regulator oversight a small firm actually touches: a Register of Information that exports to an EBA-validated XBRL-CSV package, an ICT-incident view with the DORA reporting clock, a regulator circular/obligation tracker, and an AI copilot that answers 'what applies to me' questions grounded in the indexed circulars rather than from the model's own memory.

Architecture

Data-driven XBRL-CSV generator
The DORA Register of Information export is generated from verified EBA code maps and validated column templates, not hand-assembled. It produces a zipped package that validates clean against the EBA reporting taxonomy and logs each run as a submission record.
Prisma 7 + PostgreSQL domain model
A typed schema for firms, ICT third-party providers and contracts, incidents, obligations, designations and submission history — the structured source the Register and the copilot both read from. Prisma 7 runs through its PostgreSQL adapter.
RAG copilot over regulator circulars
Circulars are ingested and indexed, then the copilot answers obligation questions by retrieving the relevant source passages first and generating a grounded answer — so responses stay anchored to the document text a firm can actually be held to.
Local-first LLM with a routing switch
Generation defaults to a local Ollama model so nothing leaves the box. A provider switch can route the same calls through a self-hosted Claude bridge when a stronger model is wanted; retrieval always goes through the bridge's RAG endpoints so collection naming and embeddings stay consistent.
Custom JWT auth with abuse controls
The session is a short-lived HS256 JWT carried in an httpOnly cookie; passwords are hashed with bcrypt; every mutating request must pass an Origin-header CSRF check; a Redis sliding-window rate limiter throttles requests; and each email address is locked out after repeated failed logins.
Hardened self-hosted Docker stack
Three containers — app, PostgreSQL, Redis — on an isolated network with all ports bound to loopback, all capabilities dropped, no-new-privileges, a read-only root filesystem with tmpfs scratch space, a least-privilege database role, and digest-pinned images.
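The container hardening listed above, as an added docker-compose example that is not CyComply's own file. Image digests are placeholders (`sha256:<digest>`), and the service names, volume paths, role name and the init-script location are hypothetical; the least-privilege database role itself is created by an init SQL script that is not shown here.

```yaml
# Added example, not CyComply's own compose file. Digests are placeholders and
# the names and paths are hypothetical; the pattern is the point.
services:
  app:
    image: ghcr.io/example/cycomply@sha256:<digest>   # digest-pinned, not a floating tag
    ports:
      - "127.0.0.1:3000:3000"        # loopback only; a local reverse proxy fronts it
    networks: [frontend, backend]    # frontend for loopback publish + egress to the LLM
    read_only: true                  # root filesystem immutable at runtime
    tmpfs:
      - /tmp                         # the only writable scratch space
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    environment:
      # the app connects as a least-privilege role, never as the superuser
      DATABASE_URL: postgresql://cycomply_app:${DB_APP_PASSWORD}@db:5432/cycomply
      REDIS_URL: redis://redis:6379
    depends_on: [db, redis]

  db:
    image: postgres@sha256:<digest>
    user: postgres                   # start unprivileged so cap_drop ALL is workable
    networks: [backend]              # no ports: key at all, reachable only from the app
    read_only: true
    tmpfs: [/tmp, /run/postgresql]
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    environment:
      POSTGRES_PASSWORD: ${DB_SUPERUSER_PASSWORD}
    volumes:
      - pgdata:/var/lib/postgresql/data
      # hypothetical init script: creates role cycomply_app with CONNECT on the
      # database and only the per-table grants the app's queries need
      - ./db/init:/docker-entrypoint-initdb.d:ro

  redis:
    image: redis@sha256:<digest>
    user: redis
    networks: [backend]
    read_only: true
    tmpfs: [/tmp]
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    volumes:
      - redisdata:/data

networks:
  frontend: {}
  backend:
    internal: true                   # no route from this network to the outside

volumes:
  pgdata:
  redisdata:
```

Two practical checks after bringing the stack up: `docker inspect` on each container should show an empty `CapAdd`, `CapDrop: [ALL]` and `ReadonlyRootfs: true`, and `ss -ltn` on the host should list only `127.0.0.1:3000`, never `0.0.0.0` or `[::]` for any of the three services.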

Tech stack

  • Next.js 16
  • Prisma 7
  • PostgreSQL
  • Ollama
  • Claude bridge

What broke first

  • The DORA Register of Information XBRL-CSV export follows the EBA reporting taxonomy, which is EU-wide and identical across every national competent authority. There is no jurisdiction-specific file format to own, so the file format is never the moat — the workflow that produces a clean package is.

  • Validating against a published taxonomy is unforgiving in a useful way: the export either passes the official validator or it does not. Building the generator data-driven from verified code maps and validated column templates made it deterministic to test, rather than a pile of hand-tuned strings.

  • Grounding an AI copilot in the actual regulator circulars via retrieval beats letting a general model answer obligation questions from memory. Retrieval keeps answers anchored to the source text a small firm can be held to, and makes a wrong answer traceable to a real document.

Outcome

A working scaffold that proves the hard part end to end: a DORA Register of Information that exports to an EBA-valid XBRL-CSV package, plus a retrieval-grounded copilot over the regulator's own circulars. It is honest about its stage — no users, incident automation still to come, and the deliberate position that the value is the workflow and local distribution, not a proprietary file format.

Honest limits

Early-stage and candid about it. This is a scaffold-stage RegTech project built solo and run self-hosted in a local lab (the old VPS has been retired). The DORA Register of Information XBRL-CSV export is built and validates clean against the EBA taxonomy; the read views, dashboard counts, copilot and obligation tracker work; the ICT incident-clock automation and full submission workflow are still v1 work. The XBRL-CSV format follows the EBA standard — it is shared EU-wide, not a unique advantage. No paying users, no production-since claims, no invented metrics.
