Skip to main content

Executive Summary

Conformly.ai is an AI-powered automotive compliance analysis platform that automates the review of engineering work products against industry standards (ISO 26262, ASPICE, ISO/SAE 21434). The platform leverages LLM-based workflows, multimodal document processing, and real-time collaboration to reduce manual review effort by up to 70%.

System Architecture Overview

The architecture is organized into seven logical layers, each with clear responsibilities:
LayerComponentsPurpose
PresentationReact Web App, Marketing SiteUser interface and experience
API GatewayFastAPI, Supabase AuthREST API, authentication, authorization
Subscription & PaymentsStripe, Profile sync, ProtectedRoutePlan management, checkout, access gating
Workflow OrchestrationCelery, Redis, Celery BeatAsync task execution, job queuing, scheduled tasks
AI/ML EngineLangGraph, OpenAI, Gemini, LandingAI, FAISSDocument understanding, compliance evaluation, recommendations
Analysis EnginesGap, Completeness, Traceability, ChecklistDomain-specific compliance analysis logic
Data LayerSupabase Postgres, Supabase Storage, RealtimePersistence, file storage, real-time updates

Component Details

1. Presentation Layer

ComponentTechnologyPurpose
Web Application (conformly-frontend)React 18 + TypeScript + ViteFull-featured compliance dashboard with V-Model workflow, analysis results, traceability matrix, and export capabilities. Runs on port 8080 locally, deployed at beta.conformly.ai
Marketing Site (conformly-web)React + Vite + Framer MotionProduct portfolio showcasing features, pricing, and trial signup. Runs on port 5173 locally, deployed at www.conformly.ai
Key Frontend Capabilities:
  • 4 Review Engines accessible via V-Model workflow selector
  • Real-time progress tracking via WebSocket
  • PDF/HTML/CSV export for audit-ready reports
  • Shadcn/ui + Radix components with dark/light theme support
  • ProtectedRoute component for auth + subscription gating
  • Cross-project URL linking via environment variables (VITE_APP_URL, VITE_WEB_URL)

2. API Gateway

ComponentTechnologyPurpose
FastAPI Backend (conformly-core)Python 3.11+High-performance async REST API with automatic OpenAPI documentation. Runs on port 8000, deployed at beta-api.conformly.ai
AuthenticationSupabase JWTSecure token-based auth with user profiles and subscription management
AuthorizationPostgreSQL RLSMulti-tenant row-level security ensuring workspace isolation
API Endpoint Groups:
  • /auth/* — User profile, sync, and JWT refresh
  • /payments/* — Stripe Checkout session creation, webhook handling
  • /analysis/* — Trigger and monitor compliance analyses
  • /compliance/* — Completeness checks, checklist validation
  • /standards/* — CRUD for compliance standards
  • /work-products/* — Document upload and management
  • /traceability/* — Artifact and link management
  • /export/* — HTML/CSV/JSON report generation
  • /reports/* — Persisted reports with download

2.5. Subscription & Payments

ComponentTechnologyPurpose
Stripe CheckoutStripe APIHosted payment flow for Pro/Consultant plans
Payment WebhookFastAPI + Stripe SDKProcesses checkout.session.completed and customer.subscription.deleted events
Profile SyncPOST /auth/syncAuto-activates free plan or migrates pending paid subscriptions on login
ProtectedRouteReact componentFrontend gate that checks subscription_status before rendering app content
Subscription Flow: Profile Fields:
  • subscription_statusactive or inactive
  • subscription_planfree, pro, consultant, or null
  • Stored in the profiles table alongside user data

3. Workflow Orchestration (Pub/Sub)

ComponentTechnologyPurpose
Celery WorkersCelery + RedisDistributed task execution for long-running AI analyses (25-30 min max)
Celery BeatScheduled TasksCleanup, maintenance, and periodic reporting
RedisMessage BrokerJob queue and result backend for task state management
Task Flow:
  1. Frontend dispatches analysis request → API creates job record
  2. API enqueues task to Redis → Celery worker picks up
  3. Worker executes LangGraph workflow with progress callbacks
  4. Results persisted to Supabase → Realtime pushes status to UI
Real-time Events:
  • Analysis progress (0-100%)
  • Status transitions (pending → processing → completed)
  • New gap/recommendation alerts via Supabase Realtime WebSocket

4. AI/ML Engine

ComponentTechnologyPurpose
LangGraphLangChain OrchestrationStateful multi-step AI workflows with conditional logic
OpenAI GPT-4oLLMRequirement extraction, compliance evaluation, recommendation generation
Google GeminiMultimodal LLMDocument understanding with vision capabilities
LandingAI ADEVision AIPDF parsing with visual grounding and bounding-box evidence
TavilyWeb AgentStandards research and reference lookup
FAISSVector StoreSemantic search for requirement matching and similarity
AI Workflow Stages:
  1. Document Parsing — LandingAI extracts structured content from PDFs
  2. Embedding Generation — FAISS indexes requirements for semantic search
  3. Standards Matching — LLM compares work products against standard clauses
  4. Gap Detection — Identifies missing, partial, or non-compliant content
  5. Recommendation Generation — Produces actionable remediation steps

5. Analysis Engines (4 Core Review Actions)

EnginePurposeKey Outputs
Gap AnalysisDetects missing content vs. standardsGaps by severity (critical/high/medium/low), recommendations
Completeness CheckVerifies required document sections existSection status (complete/partial/missing/placeholder), completeness score
Traceability CheckEnforces V-Model requirement flowOrphan detection, broken chain alerts, ASIL inconsistencies
Checklist ValidationApplies internal review checklists (ASPICE/FuSa/Cybersecurity)Pass/Fail/Missing/NA per item, pass rate
V-Model Traceability Chain: 
Safety Goals (SG) → Functional Safety Req (FSR) → Technical Safety Req (TSR) → Design → Test → Evidence
Gap Types Detected by Traceability Engine:
  • orphan_upstream — Artifact has no parent/source link
  • orphan_downstream — Artifact has no child/implementation link
  • missing_verification — Requirement has no test coverage
  • missing_evidence — Test has no evidence/documentation
  • broken_chain — Gap in the V-Model chain
  • asil_inconsistency — ASIL level mismatch in linked artifacts

6. Data Layer

ComponentTechnologyPurpose
Supabase PostgresManaged PostgreSQLWorkspaces, standards, work products, analyses, gaps, recommendations
Supabase StorageS3-compatiblePDF uploads, generated reports, visualization images
Supabase RealtimeWebSocketPushes analysis progress and status updates to UI without polling
FAISS Vector StoreLocal/ExternalRequirement embeddings for semantic similarity search
Core Data Model:
  • profiles — User profiles with subscription_status, subscription_plan, and role (created automatically by handle_new_user() trigger)
  • pending_subscriptions — Pre-signup Stripe payments awaiting user claim
  • workspaces — Multi-tenant project containers
  • standards — Uploaded compliance standards with parsed content
  • work_products — Engineering documents (SyRS, TSR, SSR, etc.)
  • compliance_analyses — Analysis runs with results JSON
  • compliance_gaps — Detected gaps with severity and status
  • recommendations — AI-generated remediation suggestions
  • traceability_artifacts — Extracted requirements, safety goals, tests
  • traceability_links — Relationships between artifacts

Supported Standards

StandardDomainTypical Work Products
ISO 26262Functional SafetySafety Plan, HARA, Safety Goals, FSC, TSC
ASPICEProcess ImprovementSyRS, SRS, SAD, SDD, Test Plans
ISO/SAE 21434CybersecurityTARA, Cybersecurity Goals, Threat Scenarios

Processing & Pub/Sub Summary

  • Job dispatch: Celery + Redis handles long‑running analysis tasks; backend creates jobs and enqueues processing
  • Realtime updates: Supabase Realtime publishes progress/status for compliance_analyses and engine result tables (e.g., completeness_results, checklist_results), enabling UI progress bars without polling
  • Evidence visualization: Analysis persists image overlays (bounding boxes) in Storage; served via streaming endpoints

Key Design Decisions

Backend

  • FastAPI: High performance, async support, automatic OpenAPI docs
  • Celery + Redis: Background task processing for long-running analyses (up to 30 min timeout)
  • Supabase: Managed PostgreSQL with RLS and built-in authentication
  • LangGraph: Stateful AI workflows with conditional logic for compliance analysis
  • Structured Exports: Engine outputs persisted to dedicated tables for deterministic HTML/CSV/JSON exports

Frontend

  • React + TypeScript: Type-safe, component-based UI
  • Vite: Fast build tooling with hot module replacement
  • TanStack Query: Server state management with caching
  • Shadcn/ui + Radix: Modern, accessible UI components
  • Recharts: Data visualization for compliance dashboards

AI/ML

  • LangGraph: Orchestrate multi-step AI workflows with state persistence
  • OpenAI GPT-4o: LLM evaluation for extraction, compliance checks, and recommendations
  • Google Gemini: Multimodal document understanding with vision capabilities
  • FAISS: Vector similarity search for requirement matching
  • Tavily: Web research agent for standards lookup
  • LandingAI ADE: Vision-based document parsing with visual grounding and bounding-box evidence

Scalability

ComponentScaling Strategy
APIHorizontal scaling behind load balancer
Celery WorkersIndependent worker scaling for analysis throughput
RedisRedis Cluster for high availability
DatabaseConnection pooling and read replicas
Vector StoreExternalized FAISS index path for independent scaling
CachingRedis for frequently accessed data and session state

Security Architecture

LayerControl
AuthenticationSupabase JWT with refresh tokens
AuthorizationPostgreSQL Row-Level Security (RLS) per workspace
Subscription Gatingcheck_active_subscription FastAPI dependency; ProtectedRoute frontend guard
TransportTLS 1.3 encryption in transit
StorageEncryption at rest (Supabase managed)
API SecurityRate limiting, CORS (ALLOWED_ORIGINS), input validation (Pydantic)
PaymentsStripe webhook signature verification (STRIPE_WEBHOOK_SECRET)
Multi-tenancyWorkspace isolation via RLS policies

Infrastructure & Deployment

ComponentDev ConfigurationProduction Configuration
Backend (conformly-core)Docker Compose with --reload on port 8000EC2 Docker (no --reload) behind nginx at beta-api.conformly.ai
Platform App (conformly-frontend)Vite dev server on port 8080Vercel at beta.conformly.ai
Marketing Site (conformly-web)Vite dev server on port 5173Vercel at www.conformly.ai
Data LayerSupabase cloud (shared)Supabase cloud (production project)
PaymentsStripe test mode (sk_test_)Stripe live mode (sk_live_)
Vector IndexesFAISS on disk (configurable path via FAISS_INDEX_PATH)Same
External AIOpenAI and Google GenAI APIs; LandingAI ADE for multimodal parsingSame
Deployment Options:
  • Development: Docker Compose (backend) + Vite dev servers (frontends)
  • Production: Dockerized backend on EC2 + Vercel frontends + Supabase cloud
  • Enterprise: Kubernetes with horizontal worker scaling

Key Differentiators

  1. Multi-Standard Support — ISO 26262, ASPICE, ISO 21434 in one platform
  2. 4 Integrated Review Engines — Gap, Completeness, Traceability, Checklist
  3. V-Model Native — Traceability analysis follows automotive development lifecycle
  4. Visual Evidence — LandingAI provides bounding-box grounding for audit trails
  5. Real-time Collaboration — WebSocket-based progress and status updates
  6. Export-Ready — HTML/CSV/JSON reports for OEM/supplier audits

Implementation References

Backend Services (conformly-core/app/services/):
  • AI Services: ai_services.py
  • Completeness Analysis: completeness_analysis.py
  • Checklist Validation: checklist_validation.py
  • Traceability Analysis: traceability_analysis.py
  • Artifact Extraction: artifact_extraction.py
  • Job Service: job_service.py (Celery/Redis task management)
Backend API Endpoints (conformly-core/app/api/v1/):
  • Auth & Sync: auth.py/auth/me, /auth/sync, /auth/refresh
  • Payments: payments.py — Stripe Checkout, webhooks
  • Analysis: analysis.py — Gap analysis, evidence mapping
  • Compliance: compliance.py — Completeness, checklist
  • Traceability: traceability.py — V-Model chain, matrix
  • Export: export.py — HTML/CSV/JSON
Backend Core (conformly-core/app/core/):
  • Auth: auth.py — JWT verification, SupabaseAuth, UserProfile hydration
  • Config: config.py — Environment variable loading (CORS, Stripe, etc.)
Backend Models (conformly-core/app/models/):
  • User: user.pyUserProfile, UserProfileResponse (includes subscription_status, subscription_plan)
Platform Frontend (conformly-frontend/src/):
  • Protected Route: components/ProtectedRoute.tsx — Auth + subscription gating
  • Signup: pages/Signup.tsx — User registration
  • Subscribe: pages/Subscribe.tsx — Subscription required page
  • Compliance Workflow: pages/ComplianceWorkflow.tsx — V-Model workflow
  • Dashboard: pages/Dashboard.tsx
  • API Types: api/types.tsUserProfile interface
Marketing Site (conformly-web/src/):
  • Navigation: components/Navigation.tsx — Links to platform via VITE_APP_URL
  • Hero: components/Hero.tsx — CTA buttons linking to platform
Database (conformly-core/schema.sql):
  • profiles table with handle_new_user() trigger
  • Role CHECK constraint (admin, engineer, manager, viewer)
Email Templates (conformly-core/email-templates/):
  • confirm-email.html — Branded email confirmation
  • reset-password.html — Branded password reset

Backend Overview

Learn more about the backend API architecture

Review Actions

Deep dive into the 4 core analysis engines