The architectural compliance engine for GitHub. SOC 2, ISO 27001, PCI DSS, PSD2, GDPR, HIPAA, EU AI Act, NIST AI RMF, DORA, NIS2, CCPA — verified against your actual codebase, not your marketing deck.
Existing tools check what's in the code. Code Constitution checks whether your architecture delivers what your compliance framework requires.
Snyk: Vulnerabilities
SonarQube: Code quality
Dependabot: Dependency versions
CodeQL: Code security analysis
Sourcegraph: Code search + intelligence
Code Constitution: Compliance-to-architecture mapping
Framework coverage
Each framework is shipped as a Rule Pack + Dictionary + Manifest by the ReguNav engine, evaluated against your codebase deterministically.
SOC 2 Type II (64 Common Criteria + architectural checks). CC6.1: every data-mutation endpoint has auth middleware.
ISO/IEC 27001:2022 (Annex A.5 – A.18, 93 controls). A.9.4.2: admin routes carry MFA middleware.
ISO/IEC 42001:2023 (AI management system controls). AI systems registered with risk classification.
PCI DSS v4.0.1 (12 requirements + sub-controls). Req 4: payment endpoints enforce TLS 1.2+.
GDPR (EU 2016/679) (Arts. 5, 6, 9, 17, 25, 32, 35). Art. 5(1)(f): PII columns encrypted at rest.
UK GDPR + DPA 2018 (UK-specific carve-outs). ICO-aligned data-subject rights endpoint.
HIPAA (§§164.308 / 312 / 314). §164.312(a)(1): user model has unique-ID constraint.
EU AI Act (Reg. 2024/1689) (Arts. 9 – 15, high-risk systems). Art. 14: high-risk decisions have human-oversight gate.
NIST AI RMF (4 functions, 19 categories, 72 subcategories). MAP-3.1: AI system context documented.
NIST CSF 2.0 (6 functions, 23 categories, 108 subcategories). PR.AC-1: identities & credentials managed.
DORA (Reg. 2022/2554) (Arts. 8 – 30). Art. 9: dependency map present and consistent.
NIS2 Directive (21 articles, sectoral annexes). Art. 21: incident-notification chain documented.
EU Cyber Resilience Act (Annex I essential reqs). Vulnerability disclosure policy present.
CCPA / CPRA (13 controls + 13 questions). Data-subject rights endpoint exists.
How it works
1. Install the GitHub App
Grant read access to the repos you want covered. No write access required by default. Hosted at codeconstitution.com, powered by ReguNav's engine.
2. Pick your frameworks
Enable manifests for the compliance frameworks in your audit scope. 21 frameworks shipped (EU AI Act, ISO 42001/27001/27701, GDPR, HIPAA, SOC 1/2, PCI DSS, NIST AI RMF, NIST CSF, DORA, NIS2, EU CRA, CCPA, plus regional privacy laws).
3. Engine runs on every PR
Deterministic evaluation against your rule packs. Findings surface as PR check-runs and inline annotations. No LLM required.
A safe-fix whitelist opens automatic PRs for trivial violations (for example, qualifying SOC 2 claims or attributing PCI scope to the provider). Fixes outside the whitelist use your own LLM key; prompts never touch our infrastructure.
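To make the idea of a deterministic architecture check concrete, here is an added, self-contained example (not Code Constitution's or ReguNav's code, and not their rule-pack format) that evaluates two of the checks named in the coverage list above, CC6.1 (every data-mutation endpoint has auth middleware) and A.9.4.2 (admin routes carry MFA middleware), over a constructed Express-style route file, then shapes the findings as check-run annotations and hashes them so two runs over the same input can be shown to agree. The middleware names `requireAuth` and `requireMfa`, the file path `src/routes.js` and the sample source are assumptions made for the illustration.

```python
"""Deterministic architecture rule check over a constructed Express-style
route file.  Illustrative only: the rule-pack schema, middleware names
(requireAuth / requireMfa) and the sample source are assumptions, not
Code Constitution's own format."""
import hashlib
import json
import re
from dataclasses import dataclass, asdict

# Constructed sample of an Express app; line numbers matter for annotations.
SAMPLE_ROUTES_JS = """\
const app = express();
app.get('/health', healthHandler);
app.post('/users', requireAuth, createUser);
app.put('/orders/:id', updateOrder);
app.delete('/admin/users/:id', requireAuth, requireMfa, deleteUser);
app.post('/admin/flags', requireAuth, setFlag);
"""

# Matches app.<method>('<path>', <middleware..., handler>);
ROUTE_RE = re.compile(
    r"app\.(get|post|put|patch|delete)\(\s*'([^']+)'\s*,\s*(.*)\)\s*;?\s*$")
MUTATING = {"post", "put", "patch", "delete"}


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    middleware: tuple  # everything between the path and the final handler
    line: int


def parse_routes(source: str):
    """Extract one Route per app.<method>(...) declaration, with its line number."""
    routes = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        m = ROUTE_RE.match(text.strip())
        if not m:
            continue
        method, path, rest = m.groups()
        parts = [p.strip() for p in rest.split(",")]
        routes.append(Route(method, path, tuple(parts[:-1]), lineno))
    return routes


# Rule pack (assumed schema): a control reference, the routes it applies to,
# and the predicate a compliant route must satisfy.
RULE_PACK = [
    {"id": "SOC2-CC6.1",
     "title": "every data-mutation endpoint has auth middleware",
     "applies": lambda r: r.method in MUTATING,
     "satisfied": lambda r: "requireAuth" in r.middleware},
    {"id": "ISO27001-A.9.4.2",
     "title": "admin routes carry MFA middleware",
     "applies": lambda r: r.path.startswith("/admin"),
     "satisfied": lambda r: "requireMfa" in r.middleware},
]


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    message: str


def evaluate(source: str, file_path: str = "src/routes.js"):
    """Apply every rule to every route; return findings in a stable order."""
    findings = []
    for route in parse_routes(source):
        for rule in RULE_PACK:
            if rule["applies"](route) and not rule["satisfied"](route):
                findings.append(Finding(
                    rule["id"], file_path, route.line,
                    f"{route.method.upper()} {route.path}: {rule['title']}"))
    # Sorting makes the output independent of rule and route ordering.
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule_id))


def to_annotations(findings):
    """Shape findings as GitHub check-run annotations (path, start_line,
    end_line, annotation_level, title, message are Checks API field names)."""
    return [{"path": f.path, "start_line": f.line, "end_line": f.line,
             "annotation_level": "failure", "title": f.rule_id,
             "message": f.message} for f in findings]


def result_digest(findings):
    """Stable digest: identical source must yield an identical hash on re-run."""
    payload = json.dumps([asdict(f) for f in findings], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


if __name__ == "__main__":
    found = evaluate(SAMPLE_ROUTES_JS)
    for a in to_annotations(found):
        print(f"{a['path']}:{a['start_line']} [{a['title']}] {a['message']}")
    print("digest", result_digest(found))
```

On the constructed sample this flags `PUT /orders/:id` (mutating route with no auth middleware) and `POST /admin/flags` (admin route without MFA), while the authenticated, MFA-gated admin delete and the read-only health route pass. Because the rules are plain predicates over parsed structure, the same input always yields the same findings and digest, which is the property that lets a check fail a PR without an LLM in the loop.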
Bring your own LLM key
The engine is deterministic — no LLM required for any check. LLM is only used (optionally) for drafting fix PRs on non-whitelisted violations. Customers bring their own key (Anthropic, OpenAI, Gemini, Llama, or self-hosted). Prompts and completions never touch our infrastructure.