🛡️ archetype: regulated

Ship in regulated industries without the Big-4 retainer.

Building under HIPAA, SOX, GDPR, DORA, or NIS2? GreatCTO auto-detects the regulated archetype and ships SOC2, HIPAA PHI handling + BAA, SOX ITGC, DORA Article 16, and NIS2 Article 21 gates from day one.

$ npx great-cto init Back to home ↗
What you avoid

The 5 regulated-industry bugs that cost audits.

Without GreatCTO

  • PHI in application logs — HIPAA breach notification
  • SOX SoD violated — same engineer codes + deploys
  • DORA Article 16 ICT incident process missing
  • NIS2 Article 21 controls absent — €10M fine risk
  • ISO27001 SoA stale 18 months — re-certification denied
  • $500k+ fine · auditor leaves · re-cert delay.

With GreatCTO

  • regulated-reviewer covers HIPAA PHI + BAA at gate
  • SoD enforced via CI: separate review + deploy roles
  • DORA Article 16 incident playbook + drill schedule
  • NIS2 Article 21 controls auto-mapped to PRs
  • ISO27001 SoA re-validated at every dependency bump
  • Audit-ready continuously · no Big-4 retainer.
Auto-applied gates

Detected: PROJECT.md flag archetype: regulated or compliance: [hipaa, sox]
regulated archetype.

Compliance auto-suggested: soc2 · hipaa · sox · dora · nis2 · iso27001. Specialist agents activated:

01 · regulated-reviewer

DORA + NIS2 + ISO27001

DORA ICT risk (Articles 5 & 16) · NIS2 Article 21 controls · ISO27001 SoA gap analysis · SOX ITGC (access control, change management, SoD) · HIPAA PHI handling + BAA requirements.

02 · security-officer

Continuous compliance

Every commit checked against active framework. SBOM generated. Vulnerability disclosure process. Breach notification readiness.

03 · db-migration-reviewer

Audit-safe migrations

PII column handling · access logs · retention enforcement · rollback path mandatory · change ticket linked.

04 · senior-dev

Audit trail

Every gate approval written to ~/.great_cto/decisions.md — append-only ADR log, queryable across projects, auditor-ready.

Domain pack overlays

Likely to overlay on regulated.

Packs auto-attach when CLI detects pack-specific signals (e.g. twilio in deps → voice-pack). Each pack adds its own reviewer agents + human gates on top of the base archetype pipeline.

+ Clinical AI
FDA GMLP + SaMD classification + EU AI Act medical
+ Climate MRV
GHG Protocol, Verra, SBTi, CSRD, CBAM + biosecurity (DURC, IGSC HSP v2)
+ Drug Discovery
ChEMBL versioning, applicability domain, ALCOA+, SiLA2, IQ/OQ/PQ
Real-world examples

Companies operating as regulated.

20 startups in this space. Click for full pack mapping.

Ginkgo Bioworks
Programming cells at scale
publicUS
ICON plc
Global CRO for clinical trials
publicIE
Climeworks
Direct air capture pioneer
growthCH
GOOD Meat (Eat Just)
Cultivated meat
growthUS
Medable
Decentralized clinical-trial platform
series-dUS
Perfect Day
Precision-fermentation dairy proteins
series-dUS
Charm Industrial
Bio-oil carbon removal
series-bUS
Curebase
End-to-end clinical-trial execution via software
series-bUS
Heirloom Carbon
Mineralization-based direct air capture
series-bUS
Planet A Foods
Next-generation food ingredients
series-bDE
Kingdom Supercultures
Foods enhanced with microbes
series-aUS
Abalone Bio
Antibody drugs others cannot develop
seedUS
Alga Biosciences
Reduces methane emissions from cattle
seedUS
Anthrogen
Fuels + plastics from atmospheric carbon
seedUS
Birch Biosciences
Plastic recycling via engineered enzymes
seedUS
Future Fields
Recombinant proteins via insect bioreactors
seedCA
Olio Labs
Combination therapeutics for difficult diseases
seedUS
om therapeutics
AI-driven manufacturing of medicines at scale
seedUS
ParcelBio
Next-generation mRNA medicines
seedUS
Persist AI
Long-lasting drug formulations 50% faster
seedUS

Listed companies operate in this space. Inclusion is based on publicly available product descriptions and does not imply endorsement of or by GreatCTO.

30 seconds

Drop into any regulated-industry repo.

$ npx great-cto init
no signup·runs locally·pay your own API