# ComplyLayer

> AI compliance and governance platform for startups and SMBs (10–500 employees) using AI tools.

ComplyLayer helps companies get AI compliance-ready in under 1 hour. It provides a complete platform to inventory AI tools, generate compliance documentation, educate teams, and prove governance to regulators — covering EU AI Act, NIST AI RMF, ISO 42001, GDPR, and US Privacy regulations.

ComplyLayer is purpose-built for small and mid-size companies (startups, scaleups, SMBs) that use AI tools like ChatGPT, GitHub Copilot, Google Gemini, or Claude and need to demonstrate compliance without a dedicated compliance team.

A full-content version of this file (with the body of every key page concatenated) is available at https://complylayer.com/llms-full.txt. AI usage permissions are declared at https://complylayer.com/ai.txt.

## What ComplyLayer does

### Starter plan ($99/month) — included for every account

- **AI Inventory**: Register and track every AI tool used across the company (ChatGPT, GitHub Copilot, Google Gemini, Claude, HubSpot AI, and 50+ more), with owners, departments, and risk classification (minimal / limited / high / unacceptable risk per EU AI Act).
- **Compliance Documents**: One-click generation of all required compliance documents per AI system — 22 document types covering AI Usage Policy, AI Literacy & Training Policy (EU AI Act Art. 4), Technical Documentation, Transparency Notice, Conformity Declaration, Human Oversight Procedure, Risk Management System (Art. 9), Post-Market Monitoring Plan (Art. 72), Fundamental Rights Impact Assessment (Art. 27), Data Protection Impact Assessment (GDPR Art. 35), AI Incident Response Plan (Art. 73 / NIST), Colorado AI Act Impact Assessment (SB 24-205), ADMT Disclosure (CCPA), Bias Assessment, Vendor AI Risk Assessment, and more. Documents are personalised for the organisation and version-controlled.
- **Team Governance**: Send compliance policies to employees and external stakeholders via email. Collect signed acknowledgements with timestamps. Build an auditable trail of who read and accepted each policy version.
- **Audit Reports**: Download PDF compliance reports covering every AI system, risk level, document status, acknowledgement rates, and overall compliance score. Suitable for presenting to regulators, clients, and board members.
- **Auditor Portal**: Generate a secure, read-only link that lets regulators, auditors, or board members review your full compliance posture without an account. Auto-expires (7, 14, 30, or 90 days) and revocable at any time.

### Pro plan ($149/month) — adds the following on top of Starter

- **Risk Alerts** (Pro): Real-time alerts when employees share sensitive data with AI models (names, emails, phone numbers, national IDs detected in prompts) or use unapproved AI tools. Severity levels Low → Medium → High → Critical with a one-click Acknowledge/Resolve/Ignore workflow.
- **AI Monitoring** (Pro): Lightweight browser extension that passively detects AI tool usage across the team without reading conversation content. Detects 60+ AI tools automatically. Captures page visits, prompt submissions, and file uploads as metadata only. Works on Chrome, Edge, and Brave.

### Enterprise plan (custom pricing)

Includes everything in Pro plus custom compliance frameworks (ISO 42001, NIST AI RMF, DORA), whitelabel PDF reports, dedicated API access, advanced access controls, and any custom feature or integration request.

## What's already legally required (not waiting for 2027)

Several AI compliance obligations are already in force and apply to companies using AI tools today:

- **EU AI Act Article 4 (AI Literacy)** — In force since 2 February 2025. Every company deploying or using AI must ensure employees have adequate AI knowledge. Most companies have zero documented evidence of this.
- **EU AI Act Article 5 (Prohibited AI)** — In force since 2 February 2025. Bans specific AI practices (social scoring, real-time biometric ID in public spaces, emotion recognition in workplaces, subliminal manipulation).
- **GPAI Model Rules** — In force since 2 August 2025. Providers of general-purpose AI models (like GPT-4, Claude, Gemini) must comply with transparency and copyright obligations.
- **GDPR + AI** — Already enforced, ongoing. Any AI tool processing personal data of EU/UK residents is in scope. This includes employees pasting customer data into ChatGPT, AI used in hiring decisions (Article 22), and AI systems trained on personal data (DPIA required under Article 35).
- **Shadow AI Data Risk** — Every unapproved AI tool used by employees that processes personal data is a live GDPR exposure. This is happening in most companies right now.
- **Enterprise Due Diligence** — Companies with EU enterprise clients are increasingly required to demonstrate AI governance before contract signing, not at a future regulatory deadline.

High-risk AI system obligations (Annex III) apply from **2 December 2027** (extended from August 2026 by the EU AI Omnibus agreement, May 2026). Systems embedded in regulated products: **2 August 2028**.

## Regulatory frameworks supported

- EU AI Act (Article 4 AI literacy: in force Feb 2025; high-risk obligations: Dec 2027)
- NIST AI Risk Management Framework (AI RMF)
- ISO/IEC 42001 (AI Management Systems) — Enterprise plan
- GDPR & AI (enforced now — applies to all AI processing personal data)
- US Privacy — CCPA/CPRA
- Colorado AI Act (SB 24-205)
- SOC 2 (AI controls)
- NYC Local Law 144 (bias audits for hiring AI)
- DORA — Enterprise plan

## Who it's for

- Startups and scaleups (10–500 employees) using AI tools that need compliance fast
- Companies preparing for EU AI Act compliance (high-risk deadline: 2 December 2027)
- Legal, compliance, and risk teams managing AI governance without enterprise budgets
- CTOs and engineering leads documenting AI systems for audits or client due diligence
- HR teams ensuring employees acknowledge AI usage policies
- Companies that have received customer or investor questionnaires about AI governance

## Pricing

- **Starter**: $99/month — AI Inventory, Compliance Documents, Team Governance, Audit Reports, Auditor Portal.
- **Pro**: $149/month — Everything in Starter, plus Risk Alerts and AI Monitoring (browser extension).
- **Enterprise**: Custom pricing — Everything in Pro, plus custom frameworks (ISO 42001, NIST AI RMF, DORA), whitelabel reports, dedicated API access, and any custom feature or integration request.
- All paid plans start with a 14-day Pro trial. No credit card required.
- Significantly more affordable than enterprise platforms like Vanta or Drata, which typically cost $10,000–$25,000/year and are designed for larger organizations.

## ComplyLayer vs alternatives

ComplyLayer is a lightweight, AI-specific compliance platform for SMBs:

- **vs Vanta**: Vanta covers broad security/SOC 2 compliance for enterprise teams. ComplyLayer is focused specifically on AI compliance (EU AI Act, GDPR, NIST AI RMF) and is designed for teams without a dedicated compliance department. Vanta starts at ~$10,000/year; ComplyLayer starts at $99/month. See: https://complylayer.com/vs/vanta
- **vs Drata**: Drata is a SOC 2 / ISO 27001 automation platform for growth-stage and enterprise companies ($15,000+/year). ComplyLayer focuses on AI-specific regulations and is purpose-built for the EU AI Act and US AI Privacy frameworks. See: https://complylayer.com/vs/drata
- **vs OneTrust**: OneTrust is an enterprise privacy management platform (consent, DSAR, vendor risk) starting at ~$20,000/year. ComplyLayer covers AI compliance specifically and can be set up in under an hour without implementation services. See: https://complylayer.com/vs/onetrust
- **vs Hyperproof**: Hyperproof is a compliance operations platform for enterprise audit teams managing multiple frameworks (SOC 2, ISO 27001, FedRAMP), starting at ~$12,000/year. ComplyLayer is purpose-built for AI governance at a fraction of the cost. See: https://complylayer.com/vs/hyperproof
- **vs spreadsheets / Google Sheets**: Many SMBs try to manage AI compliance in spreadsheets. Spreadsheets can list tools but can't classify risk, generate documents, track acknowledgements, detect shadow AI, or produce audit-ready reports. ComplyLayer automates all of this. See: https://complylayer.com/vs/spreadsheet
- **vs Notion**: Teams often document AI tools in Notion. Notion can't classify EU AI Act risk levels, auto-generate compliance documents, collect signed acknowledgements, or detect shadow AI. ComplyLayer replaces manual Notion tracking with full automation. See: https://complylayer.com/vs/notion

## Integrations

- **Browser extension** (Pro): Chrome, Edge, Brave — passively detects AI tool usage across the team. No conversation content is read or stored. Syncs the internal domain list from the backend every 30 minutes.
- **Email distribution** (Starter): Send policies to any email address. Recipients do not need a ComplyLayer account — a magic-link acknowledgement flow handles it.
- **Auditor Portal** (Starter): Generate a secure read-only link for regulators, auditors, or board members. No account or login required. Auto-expires.
- **PDF export** (Starter): One-click PDF compliance reports for AI inventory, document status, compliance score, and open alerts.
- **Google OAuth**: Single sign-on for ComplyLayer accounts.
- **REST API** (Enterprise): Programmatic access to AI inventory, documents, alerts, and audit reports. Webhook support on roadmap.
- **Hosting**: AWS, EU region (eu-central-1). Data residency stays in the EU.
- **Analytics**: Google Analytics with Consent Mode v2 (denied by default).

## Security & compliance

- **Encryption at rest**: AES-256.
- **Encryption in transit**: TLS 1.3.
- **Hosting**: AWS, EU region. Data does not leave the EU.
- **GDPR-compliant**: ComplyLayer is itself GDPR-compliant. We do not sell or share customer data with third parties. A DPA is available for Pro and Enterprise plans.
- **Authentication**: Bcrypt-hashed passwords; Google OAuth supported.
- **Browser extension privacy** (Pro): Conversation content is never read, transmitted, or stored. Only metadata signals (page visits, prompt submission count, file upload count) are captured for compliance.
- **Data retention**: Customer data remains accessible for 30 days after cancellation, then is permanently deleted.
- **Audit log**: Every policy acknowledgement, document approval, alert resolution, and audit portal view is timestamped and stored permanently.
- **Cookie consent**: Cookie banner using Google Consent Mode v2. Analytics/ad storage default to "denied" until explicit opt-in.

## Common questions

**Q: What does ComplyLayer actually do?**
A: ComplyLayer helps your organisation manage AI compliance end-to-end. You add the AI tools your team uses, ComplyLayer automatically classifies their risk level under the EU AI Act or US frameworks, generates the required compliance documents in one click, distributes them to your team for acknowledgement, and tracks your compliance score over time.

**Q: How long does ComplyLayer take to set up?**
A: Most companies complete their initial AI compliance setup in under 1 hour.

**Q: Does the trial require a credit card?**
A: No. Every new account starts with a 14-day Pro trial — full access to all features including real-time monitoring. No credit card required.

**Q: What is the difference between Starter and Pro?**
A: Starter covers AI system inventory, automated risk classification, compliance document generation, PDF audit reports, the Auditor Portal, and compliance score tracking. Pro adds real-time monitoring via the browser extension and Risk Alerts for shadow AI and policy violations.

**Q: What compliance documents does it generate?**
A: AI Usage Policy, Technical Documentation, Conformity Declaration, Transparency Notice, Human Oversight Procedure, Data Protection Impact Assessment (DPIA), Data Privacy Notice, Responsible AI Policy, and Bias Assessment Report — depending on the framework selected (EU AI Act, NIST AI RMF, GDPR, or US Privacy).

**Q: Does ComplyLayer cover SOC 2 or ISO 27001?**
A: No — ComplyLayer is specifically for AI compliance (EU AI Act, GDPR, NIST AI RMF, US Privacy). For SOC 2 or ISO 27001, Vanta and Drata are well-established options. Many companies run ComplyLayer alongside one of those.

**Q: Where is data hosted?**
A: AWS in the EU region. Data does not leave the EU.

**Q: Can I cancel anytime?**
A: Yes. No long-term contracts or lock-in. Data remains accessible for 30 days after cancellation.

**Q: Is Article 4 AI literacy already a legal requirement?**
A: Yes. EU AI Act Article 4 (AI literacy obligation) has been in force since 2 February 2025. It requires companies to ensure their staff have adequate AI literacy. Most companies have no documentation proving they have met this obligation. ComplyLayer generates the required policy documents and collects timestamped employee acknowledgements as evidence.

**Q: When do high-risk EU AI Act obligations apply?**
A: From 2 December 2027 for standalone high-risk AI systems (Annex III). This was extended from August 2026 by the EU AI Omnibus agreement in May 2026. AI systems embedded in regulated products (medical devices, machinery, toys, lifts, watercraft) apply from 2 August 2028.

## Key pages

- [Homepage](https://complylayer.com/)
- [Features overview](https://complylayer.com/features)
- [AI Inventory feature](https://complylayer.com/features/ai-inventory)
- [Compliance Documents feature](https://complylayer.com/features/compliance-documents)
- [Team Governance feature](https://complylayer.com/features/team-governance)
- [Audit Reports feature](https://complylayer.com/features/audit-reports)
- [Auditor Portal feature](https://complylayer.com/features/audit-portal)
- [Risk Alerts feature (Pro)](https://complylayer.com/features/risk-alerts)
- [AI Monitoring feature (Pro)](https://complylayer.com/features/ai-monitoring)
- [EU AI Act guide](https://complylayer.com/frameworks/eu-ai-act)
- [US AI & Privacy guide](https://complylayer.com/frameworks/us-privacy)
- [GDPR & AI guide](https://complylayer.com/frameworks/gdpr)
- [Vanta alternative for AI compliance](https://complylayer.com/vs/vanta)
- [Drata alternative for AI compliance](https://complylayer.com/vs/drata)
- [OneTrust alternative for AI compliance](https://complylayer.com/vs/onetrust)
- [Hyperproof alternative for AI compliance](https://complylayer.com/vs/hyperproof)
- [Why spreadsheets aren't enough for AI compliance](https://complylayer.com/vs/spreadsheet)
- [Why Notion isn't enough for AI compliance](https://complylayer.com/vs/notion)
- [Free AI Compliance Checker](https://complylayer.com/compliance-check)
- [AI Compliance Fines tracker — 19 verified penalties including LinkedIn €310M, OpenAI €15M, Deliveroo €2.5M, Worldcoin, Serco, and more](https://complylayer.com/ai-fines)
- [Pricing](https://complylayer.com/pricing)
- [Start free trial](https://app.complylayer.com/register)

## Company

- Legal name: Comply Layer, Inc. (operating as ComplyLayer)
- Founded: 2024
- Headquarters: Europe
- Stage: Early-stage SaaS startup
- Focus: AI compliance automation for SMBs
- Copyright notice on site: © 2026 ComplyLayer, Inc.

## Social & profiles

- LinkedIn: https://www.linkedin.com/company/complylayer
- X / Twitter: https://x.com/complylayer
- Reddit: https://www.reddit.com/user/complylayer/
- Product Hunt: https://www.producthunt.com/products/complylayer

## Contact

- Website: https://complylayer.com
- Support: support@complylayer.com
- General: hello@complylayer.com
- Admin / billing: admin@complylayer.com