Workflows
A workflow is a staged assessment the gateway drives through your agent: scripted stages, required fields the agent can't skip, user-review gates, and a final cited report. The concept is covered in Tools vs workflows; this page is the catalogue and the lifecycle. Workflows are Team and Company tier.
The lifecycle — six tools
```
list_workflow_types()                     # what can I run?
start_workflow(workflow_type="dpia")      # returns workflow_id + first step
get_current_step(workflow_id)             # what the workflow needs next
submit_response(workflow_id, response)    # answer; repeat until stages pass
get_progress(workflow_id)                 # where am I?
generate_report(workflow_id)              # the final deliverable
```

State persists on every submit_response — resume_workflow(workflow_id) picks an active run back up days later, and list_workflows / cancel_workflow manage the set. A completed workflow is immutable; rerun it as a new one when circumstances change. Evidence documents attach via the document library (see Cite your documents) and bind to a run with register_document.
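The lifecycle above, modelled as an added example that is not the gateway's own code: an in-memory stand-in that enforces the properties this page states (required fields cannot be skipped, state persists on every submit, a completed run is immutable). The tool names come from this page; the `FakeGateway` class, the `drive` helper, the stage names and every dictionary key are assumptions made for illustration, not the product's response schema.

```python
# Added example: in-memory stand-in for the gateway. Tool names are from the
# page; FakeGateway, drive, stage names and all dict keys are assumptions.
STAGES = {"dpia": [("screening", ["activity", "lawful_basis"]),
                   ("necessity", ["purpose"])]}  # constructed stage set

class FakeGateway:
    def __init__(self):
        self.runs = {}

    def start_workflow(self, workflow_type):
        wid = f"wf-{len(self.runs) + 1}"
        self.runs[wid] = {"type": workflow_type, "stage": 0, "answers": {}, "status": "active"}
        return wid

    def get_current_step(self, wid):
        run = self.runs[wid]
        name, required = STAGES[run["type"]][run["stage"]]
        missing = [f for f in required if f not in run["answers"]]
        return {"stage": name, "missing": missing}

    def submit_response(self, wid, response):
        run = self.runs[wid]
        if run["status"] != "active":
            raise PermissionError("completed workflow is immutable")
        run["answers"].update(response)            # state persists on every submit
        if not self.get_current_step(wid)["missing"]:
            run["stage"] += 1                      # a stage passes only when complete
            if run["stage"] == len(STAGES[run["type"]]):
                run["status"] = "completed"
        return run["status"]

    def get_progress(self, wid):
        run = self.runs[wid]
        return {"status": run["status"], "stage_index": run["stage"], "total": len(STAGES[run["type"]])}

    def generate_report(self, wid):
        run = self.runs[wid]
        if run["status"] != "completed":
            raise RuntimeError("stages still open; required fields cannot be skipped")
        return dict(run["answers"])

def drive(gw, wid, facts):
    """Agent loop: answer only what the current step asks for, then report."""
    while gw.get_progress(wid)["status"] == "active":
        step = gw.get_current_step(wid)
        gw.submit_response(wid, {f: facts[f] for f in step["missing"]})
    return gw.generate_report(wid)
```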
The catalogue
Eleven base types. list_workflow_types returns the live list with required parameters and jurisdiction variants — the table below is the orientation copy, not the contract.
| workflow_type | Name | What it produces |
|---|---|---|
| gap_analysis | Regulatory gap analysis | Control-by-control compliance assessment against a framework (NIS2, GDPR, DORA, ISO 27001), ending in a findings matrix and remediation roadmap. |
| dpia | Data Protection Impact Assessment | GDPR Article 35, one processing activity: screening, necessity and proportionality, per-risk CNIL-grid analysis, Article 36 determination. |
| fria | Fundamental Rights Impact Assessment | EU AI Act Article 27, one AI system + deployer pair: high-risk determination, Charter rights mapping, per-risk severity by affected group. |
| threat_model | STRIDE threat model | Security threat model over a reviewed data-flow diagram — six STRIDE specialists, enrichment from the threat-framework corpora, mitigation map. |
| linddun | LINDDUN privacy threat model | Privacy threats on a DFD with personal-data tagging, harm-band scoring against EDPB factors, mitigations mapped to PETs and GDPR Art. 25. |
| risk_assessment | Enterprise risk assessment | ISO 31000/31010 + NIST SP 800-30 anchored: scope-context-criteria, per-risk analysis and treatment, evaluation gate. |
| tender_review | Public tender review (bidder-side) | Per-lot, per-requirement coverage assessment of a tender against your bid posture. Jurisdiction variants (SE, NL) overlay procurement regimes. |
| tender_audit | Public tender audit (buyer-side) | Lawfulness review of a tender's requirements: proportionality, non-discrimination, transparency — the buyer-side sibling of tender review. |
| review | Document review | Free-form review of one uploaded document where every finding carries a paragraph-level, tamper-evident doc:// citation. |
| adversary_tabletop | Adversary tabletop exercise | Multi-turn, scored crisis simulation from a scenario pack, graded on behavioral and regulatory objectives, ending in an after-action report. |
| sora_operational_authorisation | SORA operational authorisation | Drone operational-authorisation determination chain following the EASA SORA methodology. |
Variants
Base types take jurisdiction and domain overlays — a variant reuses the base machinery with a regime-specific stage set. Live examples: DPIA variants for Germany and Sweden, tender review/audit for Sweden and the Netherlands, a NIS2-scoped gap analysis, and a drone/UAS family (drone DPIA, drone threat model, operator compliance, product security conformity) plus OT/machinery equivalents. Ask your agent for list_workflow_types — variants appear under their base type.
Walkthroughs
- Your first gap analysis — the full tutorial, including the search-driven Premium alternative.
- DPIA — stages and the report you get back.
- Threat modeling — the STRIDE workflow, DFD-first.