Ctrl+Alt+Comply — Unified Compliance Management | Mike Lombardo
In Production · Self-Hosted · Built with Claude Code

Ctrl+Alt+Comply

A self-hosted compliance management platform that unifies the regulatory frameworks a modern regulated business actually has to deal with — HIPAA, GDPR, ISO 9001, ISO 13485, ISO 27001, ISO 42001, NIST, 21 CFR Part 11, the EU AI Act, and more — into one workspace.

Frameworks: 42 · side-by-side coverage
Requirements: 2,452 · plain-language + evidence
AI Model: Sonnet 4.5 via AWS Bedrock
Built By: Mike L. with Claude Code
Confidential · Release 4ff0455
The Problem

Compliance work is a patchwork.

A modern healthcare-AI startup ends up touching HIPAA, GDPR, ISO 9001, ISO 13485, ISO 27001, ISO 42001, and the EU AI Act simultaneously. But every existing tool either covers one framework deeply or all of them shallowly.

Teams duplicate effort because they can't see that ISO 27001 A.5.1, ISO 9001 §7.5, NIST 800-53 AC-1, and HIPAA §164.308(a)(2) are all asking for the same controlled document. Auditors arrive and find the evidence scattered across SharePoint, Notion, and someone's email thread. The commercial GRC suites that solve this start at $50K/year — pricing most small-to-midsize regulated companies out of the conversation entirely.

Ctrl+Alt+Comply was built to close that gap: one workspace, every framework, audit-ready output — at a cost a single team can stomach.

The Approach

Topic-first, not framework-first.

Most compliance tools organize their requirement library by framework — a HIPAA section, an ISO section, a NIST section. Users navigate to the framework they're being audited against and work top-down through its requirements.

Ctrl+Alt+Comply inverts this. Requirements are grouped by what they actually ask for — access control, breach notification, training records, audit trails, change management — with the relevant framework controls stacked underneath each topic. Open the "Audit Trails & Logging" topic and you see the 21 CFR Part 11, ISO 27002, NIST 800-53, and HIPAA requirements side-by-side.

The practical result: one policy satisfies eight controls. Teams stop writing the same access control standard four different ways for four different audits.

How It Works

Eight modules, one workspace.

Each module addresses a specific point in the compliance lifecycle — discovery, mapping, planning, audit, evidence, and ongoing reference — without forcing teams to switch tools to switch tasks.

Compliance Explorer

Browse 40+ frameworks and ~2,000 requirements by topic or by framework. Every requirement carries a plain-language "What this means" explanation plus a numbered "Examples of acceptable evidence" checklist — so non-lawyers can actually use it.

Overlap Matrix

Visualize where requirements overlap across frameworks. See at a glance that one access-control policy can satisfy eight different controls — write the policy once, map it once, reuse forever.
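As an added example (not the project's own code) of the topic-first grouping described above and the overlap matrix built from it, the following JavaScript groups a handful of controls by the topic they ask for and counts, for each pair of frameworks, how many topics both address. The control identifiers are real ones, several of them quoted on this page, but the topic assignments are this example's own simplification and should be checked against the published texts.

```javascript
// Added example, not the project's code: topic-first grouping of framework
// controls and the cross-framework overlap matrix that falls out of it.
// Control IDs are real identifiers; the topic assignments are this example's
// own simplification, so verify them against the published texts.
const CONTROLS = [
  { framework: 'ISO 27001',   id: 'A.5.1',         topic: 'Controlled documentation' },
  { framework: 'ISO 9001',    id: '7.5',           topic: 'Controlled documentation' },
  { framework: 'NIST 800-53', id: 'AC-1',          topic: 'Controlled documentation' },
  { framework: 'HIPAA',       id: '164.308(a)(2)', topic: 'Controlled documentation' },
  { framework: '21 CFR 11',   id: '11.10(e)',      topic: 'Audit trails & logging' },
  { framework: 'NIST 800-53', id: 'AU-2',          topic: 'Audit trails & logging' },
  { framework: 'HIPAA',       id: '164.312(b)',    topic: 'Audit trails & logging' },
  { framework: 'ISO 27001',   id: 'A.8.15',        topic: 'Audit trails & logging' },
  { framework: 'NIST 800-53', id: 'AC-2',          topic: 'Access control' },
  { framework: 'HIPAA',       id: '164.312(a)(1)', topic: 'Access control' },
  { framework: '21 CFR 11',   id: '11.10(d)',      topic: 'Access control' },
];

// Topic-first view: Map of topic -> the controls (across all frameworks) that ask for it.
function groupByTopic(controls) {
  const byTopic = new Map();
  for (const c of controls) {
    if (!byTopic.has(c.topic)) byTopic.set(c.topic, []);
    byTopic.get(c.topic).push(c);
  }
  return byTopic;
}

// How many controls one artefact written for `topic` satisfies at once.
function controlsCovered(controls, topic) {
  return (groupByTopic(controls).get(topic) || []).length;
}

// Overlap matrix: matrix[a][b] = number of topics frameworks a and b both address.
function overlapMatrix(controls) {
  const topicsByFramework = new Map();
  for (const c of controls) {
    if (!topicsByFramework.has(c.framework)) topicsByFramework.set(c.framework, new Set());
    topicsByFramework.get(c.framework).add(c.topic);
  }
  const frameworks = [...topicsByFramework.keys()];
  const matrix = {};
  for (const a of frameworks) {
    matrix[a] = {};
    for (const b of frameworks) {
      let shared = 0;
      for (const t of topicsByFramework.get(a)) if (topicsByFramework.get(b).has(t)) shared += 1;
      matrix[a][b] = shared;
    }
  }
  return matrix;
}

// Plain-text rendering of the matrix for a terminal or a report.
function renderMatrix(matrix) {
  const names = Object.keys(matrix);
  const width = Math.max(...names.map((n) => n.length)) + 2;
  const header = ''.padEnd(width) + names.map((n) => n.padStart(width)).join('');
  const rows = names.map((a) => a.padEnd(width) + names.map((b) => String(matrix[a][b]).padStart(width)).join(''));
  return [header, ...rows].join('\n');
}

// Stand-alone demo.
for (const [topic, list] of groupByTopic(CONTROLS)) {
  console.log(`${topic}: ${list.map((c) => `${c.framework} ${c.id}`).join(', ')}`);
}
console.log(renderMatrix(overlapMatrix(CONTROLS)));
```

Each topic row is the list of controls that one document or policy covers; the matrix cells count shared topics per framework pair, which is the quantity an Overlap Matrix view visualises.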

Compliance Roadmap

Stage your adoption across five canonical phases — Strategic Foundation through Continuous Improvement — with topic-to-phase mapping built in. Visualize a realistic 12–24 month implementation timeline.

Audit Manager

Create scoped audits by framework or topic. Track per-requirement findings (Compliant / Partial / Non-Compliant / N/A), attach evidence references, manage CAPAs, and generate executive summaries.

Document Management System

Controlled lifecycle for SOPs, policies, work instructions, and forms — create, route for approval, assign required readers and training, capture electronic signatures (21 CFR Part 11), and audit every action. The Document Checker gap-analysis tool sits inside this module, letting you upload any document and assess it against any framework, offline or AI-powered via Claude.

DSAR Workbench

Intake, identity verification, and exemption handling for GDPR, CCPA, HIPAA, and DPDPA right-of-access flows. Built-in SLA tracking (including HIPAA's 30-day clock).

"Ask Lombardo"

Claude-powered chat assistant grounded in the platform's own requirement library — not the open internet. Answers cite the controls they reference. Knowledge base + FAQ live alongside.

Administration & Security

Role-based permissions, TOTP MFA, full audit log, AES-256-GCM encryption at rest, and AI usage cost tracking. Built on the same security primitives an auditor would expect to see.

The Signature Pattern

Regulation made scannable.

The visual centerpiece of the product: every requirement is rendered as a risk-coded header plus two stacked context boxes — one explaining the regulation in plain English, one listing what evidence actually satisfies it. The pattern below repeats across Explorer, Audit Manager, and Roadmap views.

Live preview of the requirement view
● Critical HIPAA § 164.308(a)(1)(ii)(A)
Conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
What This Means
You must formally identify, document, and analyze the threats that could compromise the ePHI your organization creates, receives, maintains, or transmits. The analysis must be repeatable, reviewable, and updated as your environment changes — not a one-time checkbox.
Examples of Acceptable Evidence
  1. A current risk assessment report dated within the last 12 months
  2. Asset inventory identifying all systems that process ePHI
  3. Threat & vulnerability catalog with severity ratings
  4. Risk register with named owners and treatment decisions
  5. Management review minutes documenting risk acceptance

Why this pattern matters.

Regulatory text is dense, lawyerly, and written for lawyers. Most compliance tools display it verbatim and leave interpretation to the user — which is fine if the user is general counsel, and useless if the user is the QA lead, the security engineer, or the founder doing their first audit.

Ctrl+Alt+Comply does the translation work upfront. Every one of the ~2,000 requirements in the library carries all three layers: the legal text, the plain-language explanation, and the evidence checklist. The same pattern shows up in Audit Manager during an actual audit, so the explanation a team learned from while preparing is the same one they reference when their auditor asks the question.

  • Risk badges as content, not chrome. CRITICAL / MAJOR / MINOR ratings sit inline with every requirement ID, persisting across every view in the app. Audit prioritization becomes a visual decision.
  • Color tokens with consistent semantics. Blue = explanation. Green = evidence. Red / orange / green = risk. Users learn the visual vocabulary once.
  • Inline expansion, not page navigation. Accordion rows let auditors scan, dive in, and collapse without losing context. Especially useful during walk-throughs.
  • Neomorphic design system. Hand-rolled CSS custom properties — no Tailwind, no shadcn, no Material. Closer to a premium desktop app than a typical SaaS dashboard.
In the Product

Selected screens.

A walkthrough of the live application — from the neomorphic sign-in screen through the dashboard, framework browsing, audit workflow, knowledge base, roadmap, document control, audit log, security administration, framework data ingestion, AI usage telemetry, and the DSAR privacy workflow. Captured directly from the running production deployment on AWS.

Sign In · The neomorphic doorway
Soft-UI login screen with a build release fingerprint — it sets the tone before users even reach the app.

Dashboard · Welcome back, Mike
Live counts on document control, audit status, DSARs, and compliance coverage across 42 frameworks / 2,452 requirements at a glance.

Framework Viewer · Every framework, navigable
Pick a framework — see every requirement in numerical order with plain-language explanations and evidence checklists inline.

Audit Manager · A requirement, in context
The signature pattern in action — risk badge, plain-language explanation, evidence checklist, four-state compliance status. Used during the audit itself, not just prep.

Knowledge Base · Search, FAQ, or Ask Lombardo
Sectioned FAQ across Education, Finance, GxP, Healthcare, ISO, International, Risk Classification. Search or chat — answers grounded in the platform's own library.

Compliance Roadmap · Phased implementation plan
1,200 requirements organized into 32 tasks across 5 canonical phases — Foundation through Continuous Improvement. Exportable to Excel for project planning.

Document Control · Controlled SOPs with native preview
Word and PDF documents render in-app with version history, electronic signatures, and a Manifest export for auditor handoff.

Document Workflows · Read, acknowledge, sign, audit
Required-reader assignment, threaded comments, version history with electronic signatures, and downloadable PDF (controlled), Word, or Manifest exports.

Audit Trail · Every action, immutable
Full action log with date/time, user, action, entity, and changes. A Verify Integrity action checks chain integrity. CSV and PDF export for evidence requests.

Administration · Built for auditors
MFA enforcement, trusted-device grace periods, session timeout, role-based permissions, AI usage cost tracking — the security primitives an auditor expects to find.

Framework Data Import · Authoritative text, pulled at the source.
Pulls regulatory text directly from official public sources — the eCFR Versioner API for 21 CFR Parts 11, 210, 211, 820 and 58, plus NIST OSCAL for SP 800-53 Rev 5 — so the framework library is always grounded in the as-published authority, not in a vendor's interpretation.
Runs once at first boot and refreshes weekly by default. Re-runs are idempotent: only changed text is updated, so the audit trail stays clean, and every refresh records a fingerprint of what changed and when.

AI Usage (Administration) · Cost & usage transparency for the AI layer.
Built-in observability for every LLM call — total calls, input/output tokens, estimated cost (AWS Bedrock on-demand pricing), trended over the last 30 days and broken down by feature and by user. Release fingerprint sits next to the header so the data is tied to a specific build.
This is the kind of cost-and-usage transparency a regulated environment expects before approving an AI tool for production use. It doubles as evidence for AI governance — ISO/IEC 42001 §6.1.3 (AI risk treatment) and NIST AI RMF MEASURE 2.1 (monitoring and metrics).

Privacy Requests (DSAR) · One workflow, multiple jurisdictions.
Each privacy request gets a stable identifier, an SLA countdown, assignee management with locking, intake metadata (channel, type, jurisdiction), and an immutable per-request audit log. Built to handle GDPR, CCPA/CPRA, and HIPAA right-of-restriction requests on the same rails.
Sub-tabs cover Scope & Verification, Discovery, Redactions, Third-party involvement, Communications, Comments, and a Checklist — the operational artifacts an auditor or DPO actually asks for when reviewing how a request was handled.

Under the Hood

Built on familiar primitives.

Deliberately boring stack choices — proven libraries, single-process simplicity, and one Docker image to deploy. The fancy part is in the regulatory content, not the framework gymnastics.

Server: Node.js · Express · SQLite (sql.js) · JWT Auth · TOTP MFA · Helmet · Rate Limiting
Client: React 18 · Vite · react-router · lucide-react · Custom Neomorphic CSS
AI & Inference: AWS Bedrock · Claude Sonnet 4.5 · Prompt Caching · Retrieval Grounding
Security: TLS 1.3 · AES-256-GCM Encryption at Rest · CSP Headers · No Third-Party Trackers
Deploy & Ops: Docker · docker-compose · AWS EC2 (Ubuntu 24.04) · Caddy · Let's Encrypt · Watchtower · GHCR · GitHub Actions (self-hosted runner)
Development: Claude Code · VS Code · GitHub
Built With Claude Code

One engineer plus Claude Code.

Ctrl+Alt+Comply was built in collaboration with Claude Code — Anthropic's CLI agent — not as a vibe-coded prototype, but as a real engineering partnership across the full stack.

Production Code

Wrote and refactored server routes, React pages, and the SQLite schema layer. Every diff was human-reviewed before merge. Architecture decisions stayed with the engineer.

Requirement Library

Plain-language explanations and evidence checklists for ~2,000 requirements across 40+ frameworks. Drafted by Claude, human-reviewed — months of legal writing that would have made this project unviable solo.

The Unglamorous Work

Idempotent database migrations. Encryption-at-rest plumbing. OCR-aware audit trail. Federated topic mappings. The infrastructure that ships products but never appears in demos.

Inside the Product, Too

"Ask Lombardo" and Document Checker call Claude Sonnet 4.5 via AWS Bedrock with prompt caching. The same model that helped build the platform is also the one users interact with at runtime.

Not "AI wrote my app." More like: AI compressed what would have been two years of solo work into months — without sacrificing the rigor the regulatory domain demands.
Status & Roadmap

Shipped, and what's next.

Today · In Production

Shipped

Live on AWS, deployed via Watchtower auto-rollouts, used in production.

  • 40+ regulatory frameworks; ~2,000 requirements with plain-language explanations + evidence examples
  • Audit workflow with CAPA tracking and executive-summary generation
  • "Ask Lombardo" AI chat, Document Checker, Overlap Matrix, Compliance Roadmap
  • DSAR workbench (HIPAA, GDPR, CCPA, India DPDPA, Australian APP)
  • MFA, encryption at rest, audit logging, role-based permissions
  • Deployed on AWS with auto-HTTPS and auto-deploy via Watchtower
Next · On the Roadmap

In Flight

What's currently being built or staged for the next release wave.

  • Multi-tenant SaaS mode (currently single-tenant self-hosted)
  • Evidence vault — direct upload + linkage of evidence artifacts to audit findings
  • Continuous control monitoring — connectors to AWS Config, Okta, GitHub for automated evidence collection
  • Customer-facing audit report export (branded PDF)
  • Additional frameworks: SOC 2, PCI-DSS 4.0, HITRUST, TISAX