CRP™ Product Ecosystem Design

Four Products.
One Dependency Chain.

The protocol is open and free. Revenue flows from the platform layer — exactly how HTTP drives Cloudflare, AWS, and Vercel. Here's how every CRP touchpoint converts to recurring revenue.

⚖️
CRP Comply
comply.crprotocol.io
The compliance platform. Transforms CRP protocol headers and audit trails into EU AI Act, ISO 42001, GDPR, and NIST evidence packs. The destination every other product funnels to.
● Live — needs upgrade
🔀
CRP Gateway
gateway.crprotocol.io
Managed hosted sidecar. The AI equivalent of Cloudflare — sits in front of every LLM call, emits all 58 headers, enforces safety policies, routes to providers. Zero SDK install required.
◐ Build next
🔭
CRP Visualise
visualise.crprotocol.io
Live visual tracing of AI calls, context windows, agent chains, risk nodes, and provenance DAGs. For developers, security teams, and auditors who need to see what's happening — not just read logs.
○ Plan & build
🔍
CRP Scan (GitHub)
GitHub Marketplace
GitHub Action and VS Code extension. Scans repos for ungoverned AI calls, generates SARIF findings with header gap analysis, links every finding back to CRP Comply for remediation.
◐ Build with Gateway

§2 · What Makes CRP Different

Competitors like Vanta, Regulativ, ISMS.online, and GDPR Register are fundamentally document-generation tools — you fill in a questionnaire, they produce a PDF. They have no connection to your actual AI system at runtime. CRP's entire architecture is inverted: it generates compliance evidence automatically from live protocol data.

| Competitors (Vanta, Regulativ, Kertos) | CRP Comply + Protocol |
|---|---|
| Document-generation compliance tools | Live, protocol-driven compliance infrastructure |
| You fill in questionnaires — manual, periodic work | Evidence generated automatically from every AI call — zero manual work |
| Disconnected from actual AI runtime — snapshots, not live | CRP headers carry real-time risk, provenance, and classification data |
| No provenance — evidence is assertions, not cryptographic proof | HMAC-SHA256 tamper-evident chain — cryptographically verifiable |
| No hallucination detection — can't detect what they don't measure | DPE 13-module hallucination detection is a core protocol feature |
| One-size frameworks — not built for the AI call as the unit of compliance | Per-call EU AI Act classification — each response knows its risk class |
| Compliance as a project — scheduled audits, not continuous | Continuous compliance — every call is an audit event, not a scheduled snapshot |
The moat: The dependency between CRP headers and CRP Comply evidence is architectural, not contractual. A Vanta customer can switch to Regulativ with a CSV export. A CRP Comply customer's evidence pack is generated from a live HMAC chain that only exists inside the CRP protocol. Switching means losing your entire continuous compliance history — and starting over with manual questionnaires.

§3 · The Dependency Architecture

The protocol is free and open. But every valuable feature that matters in production — managed hosting, compliance evidence, visual tracing, audit export, certified evidence packs — exists only in the platform layer. Here's how each touchpoint creates the next dependency.

Entry: crp-scan (GitHub). "3 ungoverned AI calls found" → links to CRP Comply to fix them.
Trigger: CRP Comply. "Connect your AI calls to generate evidence" → needs live data → Gateway.
Upgrade: CRP Gateway, or self-host the SDK (CRP Protocol). "Headers emitted, audit trail growing" → need to make sense of the data.
Visualise: CRP Visualise. "EU AI Act audit coming up" → need a certified evidence pack.
Certify: CRP Comply Pro/Ent.
Auditor: Third-party auditor. "Share Visualise session / evidence pack" → auditor needs CRP Visualise access.
Expand: CRP Visualise (Auditor). "Auditor uses CRP for their own clients" → auditor becomes a reseller.
Channel: Partner/Reseller.

§4 · CRP Comply — Redesigned

Currently CRP Comply generates FRIA, DPIA, transparency declarations, and audit evidence from LLM-powered form flows using BYOK. That's the foundation. Here's what it needs to become: a live, continuous compliance engine that ingests CRP protocol headers and converts them into regulatory evidence automatically — with the document generation as just one output layer.

What needs to be added

📡
Live Protocol Ingestion
Comply receives CRP-Compliance-Audit-Trail-URI headers from every CRP call and automatically imports the event into the evidence chain. No manual upload — the protocol feeds Comply continuously.
PRO+
🏛️
Per-Call EU AI Act Classification
Every imported call carries a classification header such as CRP-Compliance-EU-AI-Act: LIMITED. Comply aggregates these into a live risk register showing which AI systems fall into which risk category, updated in real time.
PRO+
🔐
HMAC Chain Verifier
Comply verifies the HMAC chain on import. A broken chain (CRP-Provenance-Chain-Integrity: BROKEN) raises an incident. Auditors can verify any evidence pack was not tampered with post-generation.
PRO+
📄
One-Click Evidence Pack
For any date range, system, or regulation: generate a downloadable, pre-filled FRIA, DPIA, Technical Documentation (Art. 11 EU AI Act), or ISO 42001 Annex B evidence pack — built from live protocol data, not questionnaires.
PRO+
⚠️
Continuous Compliance Alerts
Webhook-triggered alerts when CRP-Safety-Hallucination-Risk: CRITICAL, when EU AI Act risk class changes, when PII is detected in a call, or when a new AI system type is detected in the audit trail.
PRO+
🤝
Auditor Access & Sharing
Share a read-only, time-limited Comply session with an external auditor. They see the verified evidence chain, the risk register, the HMAC proofs. No PDF export — a live, verifiable session. They can't tamper with it.
ENTERPRISE
🌏
Multi-Regulation Dashboard
Single view of compliance posture across EU AI Act, GDPR, ISO 42001, NIST AI RMF, SOC 2, and Australian AI Ethics Framework simultaneously. Color-coded coverage: green = evidence exists, amber = gaps, red = violations.
PRO+
🔗
CRP Visualise Integration
Any compliance finding in Comply links directly to the CRP Visualise session that produced it — click from a FRIA document to the live trace of the specific AI calls that generated the evidence. Comply and Visualise are the same data, two views.
ENTERPRISE
The BYOK model needs a dual track: keep BYOK for developers who want to self-host, but add CRP Gateway as the premium track — you connect CRP Gateway, and Comply receives data automatically without any SDK work. The Gateway is the upgrade path that makes Comply hands-off. BYOK requires developer effort; Gateway requires a credit card. That's the tier.

§5 · CRP Gateway — Expanded

The Gateway is the most important product CRP doesn't have yet. It is the hosted, managed version of the CRP sidecar — a reverse proxy that sits between your application and any LLM provider. Think Cloudflare Workers, but for AI calls. One DNS/endpoint change, and every AI call is governed.

Architecture: what the Gateway does

Inbound Request Handler
ENTRY LAYER
Receives AI requests from the client. Reads CRP-Safety-Policy, CRP-Accept-Strategy and CRP-Session-Token from the request headers. Authenticates the API key (a Gateway key, not an LLM provider key). Starts the audit event.
Auth · Policy parse · Session restore · Audit start
Context Envelope Builder
CKF LAYER
Checks CRP-Context-If-Match and returns 304 if the ETag matches and the facts are unchanged. Otherwise runs 3-phase fact selection, builds the envelope, sets CRP-Context-ETag, and packs the context into the LLM request.
ETag check · 3-phase pack · CKF query · Quality tier
Provider Router
DISPATCH LAYER
Selects the dispatch strategy from CRP-Accept-Strategy or auto-detects it from TaskIntent. Routes to OpenAI, Anthropic, Gemini, Azure OpenAI, Ollama, or Bedrock. Strips all CRP headers before forwarding (Axiom 4). Manages provider credentials — clients never touch LLM keys.
Provider vault · Strategy select · Header strip · Failover
DPE Safety Engine
ANALYSIS LAYER
Runs the 13-module DPE on the LLM response. Scores hallucination risk. Applies regulatory amplifiers. Evaluates the result against CRP-Safety-Policy. If the risk is CRITICAL and the policy sets halt-on CRITICAL, returns HTTP 451 before the response reaches the client. Fires a webhook to the report-uri.
DPE 13-module · Policy enforce · 451 halt · Webhook fire
Header Injection
RESPONSE LAYER
Injects all 58 CRP headers onto the response. Signs the session token. Updates the HMAC chain. Emits CRP-Set-Session with the updated state. Sets CRP-Compliance-Audit-Trail-URI, deep-linking to CRP Comply for this call.
58 headers · Session sign · HMAC extend · Comply link
Comply Export
COMPLIANCE LAYER
Streams the audit event to CRP Comply in real time. Every call appears in the Comply evidence chain within seconds of completion. No batch uploads, no manual evidence collection. If Comply detects a new risk class or regulation trigger, it fires an alert back to the Gateway webhook.
Real-time stream · Comply push · Bidirectional
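The HMAC chain that the Gateway's response layer extends and that the §4 HMAC Chain Verifier checks on import, as an added example that is not CRP project code. Only the header names CRP-Provenance-HMAC and CRP-Provenance-Chain-Integrity come from the page; the canonical event encoding, the all-zero genesis value and the per-record layout are assumptions, and the truncation check shows a gap a plain chain walk does not cover.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed: the first link chains to an all-zero digest


def canonical(event: dict) -> bytes:
    """Stable encoding so Gateway and Comply hash identical bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def extend_chain(key: bytes, prev_link: str, event: dict) -> str:
    """Gateway response layer: link_n = HMAC-SHA256(key, link_{n-1} || event_n)."""
    return hmac.new(key, prev_link.encode() + canonical(event), hashlib.sha256).hexdigest()


def build_chain(key: bytes, events: list) -> list:
    """One audit record per call, each carrying its CRP-Provenance-HMAC link."""
    prev, records = GENESIS, []
    for event in events:
        prev = extend_chain(key, prev, event)
        records.append({"event": event, "CRP-Provenance-HMAC": prev})
    return records


def verify_chain(key: bytes, records: list, expected_head=None) -> dict:
    """Comply import: recompute every link from genesis with constant-time compares.
    expected_head is the newest link Comply already holds; without it, silently
    dropping trailing records would still verify, because truncation leaves every
    remaining link internally consistent."""
    prev = GENESIS
    for i, rec in enumerate(records):
        link = extend_chain(key, prev, rec["event"])
        if not hmac.compare_digest(link, rec["CRP-Provenance-HMAC"]):
            return {"CRP-Provenance-Chain-Integrity": "BROKEN", "first_bad_index": i}
        prev = link
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return {"CRP-Provenance-Chain-Integrity": "BROKEN", "reason": "truncated"}
    return {"CRP-Provenance-Chain-Integrity": "VALID", "length": len(records)}


# Constructed sample: three audit events from one session.
KEY = b"constructed-demo-key"
EVENTS = [
    {"session": "crp_sess_7f3a", "window": 1, "risk": "LOW", "score": 0.14},
    {"session": "crp_sess_7f3a", "window": 2, "risk": "HIGH", "score": 0.51},
    {"session": "crp_sess_7f3a", "window": 3, "risk": "LOW", "score": 0.18},
]


def demo() -> tuple:
    chain = build_chain(KEY, EVENTS)
    intact = verify_chain(KEY, chain)
    tampered = json.loads(json.dumps(chain))
    tampered[1]["event"]["risk"] = "LOW"  # post-hoc downgrade of the HIGH-risk call
    edited = verify_chain(KEY, tampered)
    truncated = verify_chain(KEY, chain[:2], expected_head=chain[-1]["CRP-Provenance-HMAC"])
    return intact, edited, truncated
```

Because the chain is keyed, an importer without the Gateway's key cannot verify or re-sign it, so Comply's verifier needs key access (or a signed head) rather than the headers alone.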

Why clients use Gateway over self-hosted SDK

🔑
LLM Key Vault
Gateway holds all LLM provider credentials. Your application has one key — the Gateway key. Rotate LLM providers without touching application code. Eliminate LLM key exposure in environment variables.
PRO+
🌐
One Endpoint, Any Provider
Point your app at gateway.crprotocol.io/v1/chat. Gateway routes to OpenAI, Anthropic, Gemini, Ollama — based on strategy, cost, or latency. Switch providers with a single config change, zero code change.
PRO+
📊
Automatic Comply Feed
Self-hosted SDK requires you to wire Comply integration manually. Gateway does it automatically — every call streams to your Comply account. No BYOK needed, no SDK config. Comply works out of the box.
PRO+
Zero-Install Safety
No Python, no npm, no Docker. Change your OpenAI base URL to Gateway. Every AI call in every language is now governed. Works with LangChain, LlamaIndex, raw fetch() — anything that calls an OpenAI-compatible endpoint.
FREE TIER
OpenAI SDK — one line change to use CRP Gateway (Python)
# Before: direct OpenAI
from openai import OpenAI
client = OpenAI(api_key="sk-...")

# After: CRP Gateway (one change, full governance)
from openai import OpenAI
client = OpenAI(
    api_key="crp_gw_key_...",  # Gateway key, not OpenAI key
    base_url="https://gateway.crprotocol.io/v1"
)
# That's it. Every response now carries all 58 CRP headers.
# Comply account gets the audit event. Safety policy enforced.
# Works with LangChain, LlamaIndex, AutoGen — anything OpenAI-compatible.

§6 · CRP Visualise — New Product

This is the highest-leverage new product in the ecosystem — and justifiably the most expensive. Every AI system is a black box to the people who need to govern it: CTOs, security teams, compliance officers, and auditors. CRP Visualise makes the black box transparent — as a live, interactive visual environment.

The insight: A compliance officer cannot read HMAC chains and JSON logs. An auditor cannot trace agent behaviour from a CSV export. But they can understand a node graph showing exactly which AI calls happened, what risk each produced, how context flowed between them, and where human oversight was triggered. Visualise is what offloads the auditor's entire investigative workload onto a screen.

What Visualise shows

[Mockup: CRP Visualise — Session crp_sess_7f3a · Live. Tabs: Trace · Risk · Provenance · Comply]
Nodes shown: Application (my-app, connected) · CRP Gateway (gateway, Quality: A) · Window 1 (dispatch_push, LOW · 0.14) · Window 2 (dispatch_reflexive, HIGH · 0.51 ↑) · Window 3 (dispatch_agentic, LOW · 0.18) · CRP Comply (evidence chain, 3 events) · Oversight Event (human-review, Art.14 triggered)
Legend: LOW risk call · HIGH risk call · Oversight triggered · Agentic dispatch
Status bar: Live · 3 windows · Safety budget: 0.63

Views available in Visualise

🕸️
Session Trace Graph
Live node graph of every AI call in a session. Nodes sized by token usage, coloured by risk level, connected by context continuation edges. Click any node to inspect its full header set and DPE report.
PRO+
📈
Risk Timeline
Time-series view of hallucination risk and safety budget across a session or organisation. Identify patterns: which prompt types produce HIGH risk, which users trigger oversight, which systems are risk hot-spots.
PRO+
🔗
Provenance DAG
The Window DAG rendered as a navigable graph. Trace exactly how context flowed from Window 1 through fan-out to N sub-agents and back via fan-in. Click any window to see which facts from the CKF were used.
ENTERPRISE
🏛️
Compliance Map View
Overlay regulatory classification on the session graph. Each node shows its EU AI Act risk class, which ISO 42001 controls it satisfies, and whether it triggered any GDPR obligations. Designed for auditors.
ENTERPRISE
🤖
Agent Loop Inspector
For agentic sessions: shows each agent's cognitive phase (ANALYZE → PLAN → EXECUTE), loop depth, safety budget at each hop, and which tool calls fired. See exactly where autonomous AI made decisions.
ENTERPRISE
🎬
Session Replay
Replay any past session frame-by-frame. Pause at any window. See exactly what context was in the envelope at that moment. Invaluable for incident investigation — reconstruct exactly what an AI system saw and said.
ENTERPRISE
Why Visualise justifies its price: A single compliance audit of an AI system costs an enterprise €20,000–€100,000 in consultant time. CRP Visualise reduces that to hours by giving the auditor a navigable, verifiable, live view of the entire system. At €500–€2,000/month, it pays for itself in the first audit. That's the pricing conversation — not "what does the software cost" but "what does the audit currently cost you."

§7 · GitHub Extension — The Top of the Funnel

The GitHub Action is the widest-reach product in the ecosystem. It touches every developer, in every repo, inside their existing workflow. Its job is one thing: create a CRP Comply account. Everything else flows from there.

The free/paid split

crp-scan Free
$0 /forever
Any developer · Any repo
Detects AI integration points (OpenAI, Anthropic, LangChain, etc.)
Identifies ungoverned calls (missing CRP wrapper)
SARIF output — renders in GitHub Security tab
PR annotations showing which lines need governance
Links every finding to CRP Comply signup
Not included in Free:
Header gap analysis (which specific headers are missing)
Auto-remediation PR generation
EU AI Act pre-classification of detected AI systems
CRP Comply evidence sync
crp-scan Pro
$29 /repo/mo
Teams with CRP Comply account
Everything in Free
Full header gap analysis — which of 58 headers each call is missing
Auto-remediation PR: generates the CRP wrapper code for each finding
EU AI Act pre-classification of every detected AI system
CRP Comply sync — findings appear in your Comply evidence dashboard
Block merge on configurable risk levels
Weekly governance report emailed to team
GitHub Action — free tier output linking to Comply (SARIF annotation)
src/api/chat.py:47  UNGOVERNED_AI_CALL [HIGH]
  Unwrapped OpenAI call. No CRP governance.

  What you're missing:
  · Hallucination risk monitoring (CRP-Safety-*)
  · Tamper-evident audit trail (CRP-Provenance-HMAC)
  · EU AI Act classification (CRP-Compliance-EU-AI-Act)
  · Continuous compliance evidence (CRP-Compliance-Audit-Trail-URI)

  Fix this in 2 minutes:
  → Connect CRP Gateway: gateway.crprotocol.io (free tier available)
  → Generate your evidence pack: comply.crprotocol.io

  Pro: get auto-remediation PR + Comply sync → crprotocol.io/github-pro
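How a scanner could produce the finding shown above as SARIF 2.1.0, the format the GitHub Security tab renders. This is an added example, not the crp-scan Action's own code: the rule id UNGOVERNED_AI_CALL, the Gateway host and the four-header gap list come from the page, while the detection heuristic (an OpenAI client whose base_url does not point at the Gateway) and the tool name are assumptions.

```python
import ast

GATEWAY_HOST = "gateway.crprotocol.io"  # from the page
RULE_ID = "UNGOVERNED_AI_CALL"           # from the page's sample output
# Header-gap list for the message; mirrors the four groups the sample output names.
MISSING = ["CRP-Safety-*", "CRP-Provenance-HMAC",
           "CRP-Compliance-EU-AI-Act", "CRP-Compliance-Audit-Trail-URI"]


def _callee_name(func: ast.expr) -> str:
    """Name of the called object, for both OpenAI(...) and openai.OpenAI(...)."""
    return getattr(func, "id", None) or getattr(func, "attr", "")


def find_ungoverned_calls(source: str) -> list:
    """Return (line, column) of every OpenAI(...) client whose base_url is absent
    or does not point at the Gateway. Assumed heuristic: a literal base_url only."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _callee_name(node.func) == "OpenAI"):
            continue
        base = next((kw.value for kw in node.keywords if kw.arg == "base_url"), None)
        governed = (isinstance(base, ast.Constant) and isinstance(base.value, str)
                    and GATEWAY_HOST in base.value)
        if not governed:
            hits.append((node.lineno, node.col_offset + 1))  # SARIF columns are 1-based
    return hits


def to_sarif(path: str, hits: list) -> dict:
    """Wrap hits as a SARIF 2.1.0 log; level 'error' carries the page's [HIGH]."""
    results = [{
        "ruleId": RULE_ID,
        "level": "error",
        "message": {"text": "Unwrapped OpenAI call. No CRP governance. Missing: "
                            + ", ".join(MISSING)},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": path},
            "region": {"startLine": line, "startColumn": col}}}],
    } for line, col in hits]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "crp-scan (added example)",
                                "rules": [{"id": RULE_ID, "shortDescription":
                                           {"text": "AI call not routed through CRP"}}]}},
            "results": results,
        }],
    }


# Constructed sample source: one direct OpenAI client and one Gateway-routed client.
SAMPLE = '''from openai import OpenAI
direct = OpenAI(api_key="sk-...")
governed = OpenAI(api_key="crp_gw_key_...", base_url="https://gateway.crprotocol.io/v1")
'''


def scan(path: str = "src/api/chat.py", source: str = SAMPLE) -> dict:
    return to_sarif(path, find_ungoverned_calls(source))
```

Only the Gateway-less client in line 2 of the sample is reported; the Gateway-routed client passes.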

§8 · The Conversion Funnel

1
Developer installs crp-scan
Free GitHub Action. Finds ungoverned AI calls. Every finding links to comply.crprotocol.io. Zero friction, no account required to install.
100% free
2
Developer signs up for CRP Comply free tier
Clicking a scan finding goes to Comply with the detected AI system pre-populated. Free tier: 1 AI system, 100 calls/day, 30-day audit history. BYOK LLM key for document generation. Real value, no cost.
Free tier
3
Comply free tier hits limits
Second AI system detected. Audit history exceeds 30 days. EU AI Act audit coming up. Team member needs access. Every limit is designed to hit at the moment compliance becomes real and urgent.
Natural upgrade
4
Comply Pro — live protocol data
$149/mo. Unlimited AI systems, 1-year audit history, full evidence pack generation (FRIA, DPIA, Technical Documentation), continuous alerts, 5 team seats. To get live data automatically — upgrade to Gateway.
$149/mo
5
CRP Gateway — zero-SDK governance
$0.002/call (100K calls/mo = $200). One endpoint change. All 58 headers. Automatic Comply feed. LLM key vault. Provider routing. For teams who want governance without SDK work — which is most teams.
$0.002/call
6
CRP Visualise — for audits and security teams
$499/mo per org. Live trace graphs, risk timelines, provenance DAG, compliance map. Triggered when: ISO 42001 audit starts, security team requests visibility, or CISO sees the demo. Auditor access is a separate line item.
$499/mo
7
Enterprise — CRP Comply + Gateway + Visualise bundle
Custom pricing from $2,000/mo. Dedicated Gateway instance, on-premises option, SSO, SIEM integration, quarterly compliance review call, certified evidence packs for EU AI Act authority submissions.
$2K+/mo

§9 · Pricing Architecture

Free
$0
Developers · Try it
crp-scan GitHub Action
CRP Comply: 1 AI system
100 calls/day audit trail
30-day history
BYOK document generation
Community support
Not included in Free:
Live protocol ingestion
Evidence pack download
CRP Gateway access
CRP Visualise
Pro
$149 /mo
Teams · Startups
Unlimited AI systems
Unlimited calls/day
1-year audit history
FRIA, DPIA, Tech Doc generation
Continuous compliance alerts
5 team seats
crp-scan Pro
Gateway access (pay/call)
Not included in Pro:
CRP Visualise
Auditor sharing
Business
$499 /mo
Scale-ups · Compliance teams
Everything in Pro
CRP Visualise included
Auditor sharing (5 auditor seats)
5-year audit history
20 team seats
ISO 42001 control mapping
SIEM webhook integration
Priority support (4hr SLA)
Not included in Business:
Dedicated Gateway instance
On-premises deployment
Enterprise
Custom
Enterprise · Government
Everything in Business
Dedicated Gateway instance
On-premises / private cloud
Unlimited auditor seats
Unlimited seats
Custom regulation mapping
EU AI Act authority submission support
Quarterly compliance review
CRP certification program
SLA 99.99% uptime

Gateway add-on pricing (all tiers)

| Volume | Price/call | Monthly cost | Typical user |
|---|---|---|---|
| 0 – 50K calls/mo | $0.003 | Up to $150 | Early-stage startup |
| 50K – 500K calls/mo | $0.002 | $100 – $1,000 | Growing SaaS / scale-up |
| 500K – 5M calls/mo | $0.001 | $500 – $5,000 | Enterprise AI platform |
| 5M+ calls/mo | Negotiated | Custom | Hyperscale / government |

§10 · Revenue Model Summary

| Stream | Product | Model | Target ARR potential | Margin |
|---|---|---|---|---|
| Comply SaaS | CRP Comply | Pro/Business/Enterprise, $149–$499/mo + custom | High | 85%+ |
| Gateway usage | CRP Gateway | Per-call metering, $0.001–0.003/call | Very high at scale | 70%+ |
| Visualise SaaS | CRP Visualise (included in Business+) | Bundled / add-on $299 | Medium · High ACV | 90%+ |
| GitHub Pro | crp-scan | Pro tier, $29/repo/mo | Medium · High volume | 90%+ |
| Enterprise contracts | Custom deployment + compliance support | $2K–$20K/mo | Very high ACV | 60%+ |
| Certification | "CRP-Compliant" cert for AI products | $5K–$25K per cert | Medium · grows with standard adoption | 75%+ |
The number that matters: 1,000 companies on Comply Pro ($149/mo) = $1.79M ARR. 100 companies on Business ($499/mo) = $599K ARR. 50 enterprise contracts at $3K/mo = $1.8M ARR. 500M Gateway calls/mo at $0.002 = $12M ARR. The Gateway becomes the dominant revenue stream at scale — the same way Stripe's transaction fee, not its SaaS, is the business. CRP Comply gets customers. CRP Gateway gets revenue.
CRP™ Product Ecosystem Design · © 2025–2026 AutoCyber AI Pty Ltd
crprotocol.io · comply.crprotocol.io · gateway.crprotocol.io · visualise.crprotocol.io