Workflows

A workflow is a staged assessment the gateway drives through your agent: scripted stages, required fields the agent can't skip, user-review gates, and a final cited report. The concept is covered in Tools vs workflows; this page is the catalogue and the lifecycle. Workflows are Team and Company tier.

The lifecycle — six tools

list_workflow_types()                    # what can I run?
start_workflow(workflow_type="dpia")     # returns workflow_id + first step
get_current_step(workflow_id)            # what the workflow needs next
submit_response(workflow_id, response)   # answer; repeat until stages pass
get_progress(workflow_id)                # where am I?
generate_report(workflow_id)             # the final deliverable

State persists on every submit_response; resume_workflow(workflow_id) picks an active run back up days later, and list_workflows / cancel_workflow manage the set. A completed workflow is immutable; rerun it as a new one when circumstances change. Evidence documents attach via the document library (see Cite your documents) and bind to a run with register_document.

The catalogue

Eleven base types. list_workflow_types returns the live list with required parameters and jurisdiction variants — the table below is the orientation copy, not the contract.

| workflow_type | What it produces |
| --- | --- |
| gap_analysis | Regulatory gap analysis. Control-by-control compliance assessment against a framework (NIS2, GDPR, DORA, ISO 27001), ending in a findings matrix and remediation roadmap. |
| dpia | Data Protection Impact Assessment. GDPR Article 35, one processing activity: screening, necessity and proportionality, per-risk CNIL-grid analysis, Article 36 determination. |
| fria | Fundamental Rights Impact Assessment. EU AI Act Article 27, one AI system + deployer pair: high-risk determination, Charter rights mapping, per-risk severity by affected group. |
| threat_model | STRIDE threat model. Security threat model over a reviewed data-flow diagram — six STRIDE specialists, enrichment from the threat-framework corpora, mitigation map. |
| linddun | LINDDUN privacy threat model. Privacy threats on a DFD with personal-data tagging, harm-band scoring against EDPB factors, mitigations mapped to PETs and GDPR Art. 25. |
| risk_assessment | Enterprise risk assessment. ISO 31000/31010 + NIST SP 800-30 anchored: scope-context-criteria, per-risk analysis and treatment, evaluation gate. |
| tender_review | Public tender review (bidder-side). Per-lot, per-requirement coverage assessment of a tender against your bid posture. Jurisdiction variants (SE, NL) overlay procurement regimes. |
| tender_audit | Public tender audit (buyer-side). Lawfulness review of a tender's requirements: proportionality, non-discrimination, transparency — the buyer-side sibling of tender review. |
| review | Document review. Free-form review of one uploaded document where every finding carries a paragraph-level, tamper-evident doc:// citation. |
| adversary_tabletop | Adversary tabletop exercise. Multi-turn, scored crisis simulation from a scenario pack, graded on behavioral and regulatory objectives, ending in an after-action report. |
| sora_operational_authorisation | SORA operational authorisation. Drone operational-authorisation determination chain following the EASA SORA methodology. |

Variants

Base types take jurisdiction and domain overlays — a variant reuses the base machinery with a regime-specific stage set. Live examples: DPIA variants for Germany and Sweden, tender review/audit for Sweden and the Netherlands, a NIS2-scoped gap analysis, and a drone/UAS family (drone DPIA, drone threat model, operator compliance, product security conformity) plus OT/machinery equivalents. Ask your agent for list_workflow_types — variants appear under their base type.

Walkthroughs