Intelligence Layer
Powered by Onyx AI Labs

Compass.
Regulatory intelligence,
citation-backed.

One API call. Dozens of regulatory frameworks. Citation-backed answers with a cryptographic audit trail. The regulatory reasoning layer your compliance platform has been missing.

73K+
Cited obligations — one API call away
Seconds
Regulatory Q&A — not hours of research
Ed25519
Signed audit receipts on every response
Any
Cloud · on-prem · air-gapped deployment

Why Not Just Use ChatGPT?

Citation-grounded answers.
Not hallucinated guesses.

Generic LLMs are trained on the internet — which means they "know" things that are outdated, incomplete, or simply wrong about your regulatory obligations. They hallucinate section numbers, invent requirements, and produce confident answers with no verifiable source.

Compass is different. It uses retrieval-augmented generation (RAG) over 73K+ cited obligations across 20+ frameworks — meaning every answer is grounded in the actual regulatory text, not generated from memory. Every response includes citations you can verify. Every API call produces an Ed25519 signed receipt for non-repudiation.

For regulated industries, the difference is not academic. A hallucinated compliance answer can mean a failed audit, a missed deadline, or enforcement action. Compass eliminates that risk by design.

🎯

RAG, Not Recall

Compass retrieves from a curated, validated corpus of 73K+ obligations — it doesn't generate from training data. The answer comes from the regulation, not the model's memory.

📖

Cited, Not Claimed

Every response includes specific citations — section, paragraph, source document. Click through to the original text and verify for yourself.

✍️

Signed, Not "Trust Us"

Every API call produces an Ed25519 signed receipt. Verify independently that the response came from Compass, unmodified, with no trust in Onyx AI Labs required.

🛡️

Defensible, Not "The AI Said So"

When your auditor asks for proof, Compass gives you a signed, cited, timestamped trail. Generic AI gives you a screenshot and a shrug.

Architecture

Three layers of
regulatory intelligence.

Compass combines a purpose-trained model, a structured knowledge base, and cryptographic verification — each layer independently verifiable.

LAYER 01

Compass Model

Purpose-trained regulatory reasoning engine.

  • Fine-tuned on regulatory corpora with citation-grounded output
  • Proprietary — no usage restrictions, no vendor lock-in
  • Deployable on-premises or air-gapped — zero telemetry option
  • GGUF quantized for local execution on consumer hardware

LAYER 02

Compass Knowledge

Structured regulatory corpus updated quarterly.

  • Tens of thousands of normalized regulatory records
  • Cross-framework relationships and conflict detection
  • Citation-level provenance for every obligation
  • Curated and validated — not scraped, not auto-generated

LAYER 03

Compass Intelligence

Cryptographic governance and audit infrastructure.

  • Ed25519-signed governance receipts for every API call
  • Merkle-batched — thousands verifiable from a single root hash
  • Independently verifiable — no trust in Onyx AI Labs required
  • Complete audit trail with non-repudiation for regulatory reporting

A beam of light through the fog. Every answer grounded in the real text.

Cryptographic Governance

Trust through
mathematics.

Every API response is cryptographically signed. You get a receipt you can store, share, and verify independently using our published public key. Non-repudiation, with no need to trust Onyx AI Labs.


Ed25519 Signed Receipts

Every API response is signed with Ed25519. Store, share, and verify independently using our published public key — no trust required, no reliance on Onyx AI Labs.

Merkle-Batched Audit Trail

Thousands of signed receipts batched into Merkle trees, producing a single root hash per batch. Verify any response with a compact proof — efficient at enterprise scale.

API

Four endpoints,
one compliance engine.

Standard REST API with OpenAPI spec. One API key unlocks all capabilities.

POST /query

Natural language compliance Q&A

Ask any regulatory question and receive a grounded answer with chapter-and-verse source citations.

POST /extract-obligations

Extract structured obligations

Parse dense regulatory documents into machine-readable requirement records with normalized formatting.

POST /generate-controls

Generate mapped controls

Compass proposes security and operational controls, each mapped to one or more regulatory mandates with traceability.

GET /governance/verify

Independent receipt verification

Upload any Compass API receipt and verify its Ed25519 signature against our public key — no trust required.

Coverage

Broad regulatory coverage.
Any environment.

From US federal regulations to EU governance directives. Compass works with the actual regulatory text, not summaries.

NIST 800-171v3 · NIST CSF 2.0 · NIST AI RMF · CMMC 2.0 · PCI DSS v4.0.1 · HIPAA · SOC 2 · GDPR · EU AI Act · DORA · NIS2 · CIS Controls v8.1 · UK Cyber Essentials · Essential Eight · 12 CFR (Banking) · SureStep AI Governance

☁️

Cloud

AWS, GCP, Azure

🔒

Dedicated Cloud

Single-tenant, isolated

🖥️

On-Premises

Your hardware, your control

🛡️

Air-Gapped

No internet. Ever.

Partial list. All frameworks shown are publicly available regulatory texts. Additional frameworks and proprietary mappings available upon request.

Who It's For

Built for regulated
industries.

Defence & Government

Defence contractors, federal agencies, and DoD suppliers navigating CMMC 2.0, NIST 800-171, and evolving compliance mandates. Air-gapped deployment ready.

Financial Services

Banking, capital markets, and insurance. Regulatory frameworks include PCI DSS, 12 CFR, FFIEC, and increasing AI governance requirements from OSFI E-23 and supervisory bodies.

Healthcare

Providers, payers, and health tech companies managing HIPAA compliance alongside emerging AI-specific regulatory frameworks for clinical decision support systems.

NVIDIA Inception Program Member

Built on the
NVIDIA stack.

Compass is built and deployed on the NVIDIA stack — DGX hardware, TensorRT-LLM inference acceleration, and NIM microservices for production deployment.

FAQ

Frequently asked
questions.

What regulatory frameworks does Compass cover?

Compass covers 20+ frameworks including NIST 800-171v3, NIST CSF 2.0, NIST AI RMF, CMMC 2.0, PCI DSS v4.0.1, HIPAA, SOC 2, GDPR, EU AI Act, DORA, NIS2, CIS Controls v8.1, UK Cyber Essentials, Essential Eight, 12 CFR (Banking), and the SureStep AI Governance Framework.

Can Compass run on-premises or in an air-gapped environment?

Yes. Compass is packaged as a Docker application you deploy on your own infrastructure — cloud, dedicated cloud, on-premises, or fully air-gapped. No data leaves your environment. Zero telemetry option available.

How does Compass's cryptographic verification work?

Every API response is signed with Ed25519. Responses are batched into Merkle trees, producing a single root hash that proves integrity across thousands of interactions. You can independently verify any response using our published public key — no trust required, no reliance on Onyx AI Labs.

What industries is Compass built for?

Compass is designed for regulated industries where compliance failures carry real consequences — financial services, healthcare, and defence/government. If 'the AI ate my homework' isn't an acceptable answer for your auditors, Compass is built for you.

Proof

Built on real
regulatory expertise.

Compass is grounded in 18 years of GRC advisory work. These engagements shaped the regulatory corpus and citation architecture behind the API.

Ready to see Compass
in action?

Schedule a demo. We'll walk through your compliance workflows with citation verification, cryptographic receipts, and audit trails against your actual regulatory requirements.
