Compair uncovers key hidden connections instantly and weeds out conflicts before they become problems, whether your team runs in the cloud, on-prem, or locally.
Security policy bans raw content logs, but ops monitoring proposes storing full payloads.
Tags: Logging, Security, Ops
Files: security-logging.md, ops-monitoring.md
Requirements overview
Project Atlas is a release-alignment workspace for teams shipping a coordinated update. This overview is a working snapshot of the v1 scope.
Scope
Ingest markdown, docx, and PDF with passage anchors
Surface conflicts and drift across docs and meeting notes
Export evidence packs as CSV or JSON (no PDF in v1)
Non-goals
Real-time integrations
Automated approvals
PDF audit packages
Open questions
Default retention for uploaded documents (proposal: 30 days)
Who owns alert threshold changes?
Notification requirements
Goal: reviewers should see high-confidence conflicts quickly without losing context.
User stories
As a reviewer, I want priority alerts when score >= 0.85.
As a lead, I want a digest view for medium alerts (0.60 - 0.84) grouped by topic.
As a contributor, I want each alert to cite at least two sources with snippets.
Acceptance criteria
Priority list updates within 2 seconds after a sync.
Alerts without two sources remain in digest until confirmed.
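The user stories and acceptance criteria above fix three rules: priority at score >= 0.85, digest for 0.60 - 0.84 grouped by topic, and at least two cited sources before an alert leaves the digest. The following is an added example, not Project Atlas code, showing how those rules combine into one routing function. The `Alert` class, the field names, the `held` bucket for scores below the digest floor (the page does not say what happens to those) and the sample alerts are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

PRIORITY_MIN = 0.85  # reviewer story: priority alerts when score >= 0.85
DIGEST_MIN = 0.60    # lead story: medium alerts are 0.60 - 0.84
MIN_SOURCES = 2      # contributor story: each alert cites at least two sources


@dataclass
class Alert:
    title: str
    topic: str
    score: float
    sources: list            # (document, snippet) pairs, one per cited passage
    confirmed: bool = False  # a reviewer confirmed it despite fewer sources


def route_alert(alert):
    """Return the view an alert belongs in: 'priority', 'digest' or 'held'.

    The two-source rule is checked before the score, so a high-scoring alert
    with a single source stays in the digest until someone confirms it
    (acceptance criterion 2). Scores below the digest floor are 'held' and not
    surfaced; that bucket is an assumption, the page does not define it.
    """
    if alert.score < DIGEST_MIN:
        return "held"
    if len(alert.sources) < MIN_SOURCES and not alert.confirmed:
        return "digest"
    if alert.score >= PRIORITY_MIN:
        return "priority"
    return "digest"


def build_views(alerts):
    """Split alerts into a score-ordered priority list and a digest grouped by topic."""
    priority, held = [], []
    digest = defaultdict(list)
    for alert in alerts:
        view = route_alert(alert)
        if view == "priority":
            priority.append(alert)
        elif view == "digest":
            digest[alert.topic].append(alert)
        else:
            held.append(alert)
    priority.sort(key=lambda a: a.score, reverse=True)
    return {"priority": priority, "digest": dict(digest), "held": held}


# Constructed sample alerts, modelled on the conflicts in the demo documents.
SAMPLE_ALERTS = [
    Alert("Retention: policy 90 days vs addendum 24 months", "retention", 0.92,
          [("data-retention-policy", "retained for 90 days"),
           ("retention-addendum", "24-month retention of customer content")]),
    Alert("Logging: policy bans payloads, monitoring plan stores them", "logging", 0.90,
          [("logging-policy", "Do not store raw payloads"),
           ("monitoring-plan", "Store full request payloads for 7 days")]),
    Alert("EU residency policy vs MSA US hosting default", "residency", 0.88,
          [("msa-draft", "US-based infrastructure by default")]),  # one source only
    Alert("Backup retention 120 days vs policy 90 days", "retention", 0.72,
          [("backup-policy", "retain for 120 days"),
           ("data-retention-policy", "retained for 90 days")]),
    Alert("Possible drift in SLA wording", "sla", 0.41,
          [("service-level-targets", "99.9 percent")]),
]

if __name__ == "__main__":
    views = build_views(SAMPLE_ALERTS)
    for name, alerts in views.items():
        print(name, alerts if isinstance(alerts, list) else dict(alerts))
```

With the sample input, the two fully sourced high-score alerts land in the priority list, the single-source residency alert stays in the digest despite its 0.88 score, and the 0.72 backup alert joins the retention topic in the digest.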
Integrations
Phased plan for v1 and v1.1.
Phase 1 (beta): Gmail import for notification context, inbound only.
Phase 2: Outlook import after pilot validation.
Phase 3: Discord channels for decision logs.
Notes
No real-time webhook processing in v1.
Polling hourly is acceptable for beta.
OAuth scopes should be read-only.
Product roadmap
Planning snapshot for Project Atlas. Dates are illustrative.
Q2
Desktop sync and offline review
CLI for batch uploads
Priority alert workflow polish
Q3
Enterprise pilot with audit evidence pack
Outlook integration (beta)
Admin reporting
Q4
Unified reporting and compliance exports
Workspace analytics and trend views
Dependencies: retention policy, export format decisions, and pilot feedback.
Positioning
Project Atlas is positioned as a release-alignment layer for teams whose documentation drifts between meetings, specs, and policies.
Primary audience: engineering managers and compliance leads who own cross-team sign-off.
Messaging guidance
Do say: "surface conflicts across many docs" and "show evidence with sources"
Do not say: "automatically resolves conflicts" or "guarantees compliance"
Kickoff notes (2024-09-12)
Attendees: Rina, Paolo, Mei, Jordan
Agenda: scope, roles, and first pilot timeline.
Notes
Goal is to reduce release review time by half.
Start with a single workspace and 2-3 teams.
Decide on alert threshold after initial dry run.
Action items
Rina: draft requirements overview
Paolo: outline desktop sync flow
Mei: gather pilot docs
Enterprise call (2024-09-20)
Client feedback focused on auditability.
Key requirements
Audit package must be PDF for external auditors.
Retention must be 24 months for regulated teams.
SSO required before broad rollout.
Open items
Confirm if CSV/JSON exports are acceptable interim.
Determine whether PDF export can ship after pilot.
Weekly sync (2024-10-03)
Status
Desktop sync prototype running in staging
Alert scoring tuning in progress
Decisions
Enterprise pilot will assume 24-month retention.
Add a digest view to reduce noise.
Blockers
Export format for audit package still unresolved.
Need clarity on retention exceptions.
Architecture
System sketch for Project Atlas.
Flow
Local sync agent indexes documents and sends deltas.
Ingestion service extracts passages and metadata.
Scoring service compares passages and emits alerts.
Northwind Health is consolidating security and compliance policies for the new data platform. This overview describes scope and ownership.
Scope includes data retention, logging, access control, and residency.
Owners
Compliance: Maya R.
Security: Eliot P.
Legal: Nadia C.
Next milestone: draft review with leadership in November.
Data retention policy
Policy statement: production data is retained for 90 days unless a legal hold is approved.
Retention tiers
Standard workspaces: 90 days
Regulated workspaces: exception only with written approval
Logs: 180 days of metadata only
Rationale: minimize exposure while meeting core operational needs.
Logging policy
Do not store raw payloads or customer document text in logs.
Allowed
Request IDs, timestamps, and hashes
Error codes and latency metrics
Debug window
Metadata-only debug logging may be enabled for up to 24 hours with approval.
Access control policy
Requirements
SSO and MFA for all staff access
Role-based access with least privilege
Vendor access is time-bound and audited
Break-glass access must be approved by security and documented within 24 hours.
Data residency policy
EU tenant data must remain in EU regions end-to-end (storage, processing, backups).
US regions may process US data only. Cross-region replication is not permitted.
Exceptions require a signed DPA addendum and explicit customer consent.
Incident response policy
Severity definitions and response windows.
Critical incidents
Notify customers within 24 hours.
Retain incident records for 24 months.
Response checklist
Contain and preserve evidence.
Notify legal and compliance.
Run a post-incident review within 10 business days.
Master services agreement (draft)
Hosting location
Services are provided from US-based infrastructure by default.
EU hosting is available upon request and may affect pricing.
Audit rights: annual audit notice with 30-day scheduling window.
Data processing addendum
Processors may operate in US and EU regions with SCCs for EU transfers.
Subprocessors must notify Northwind Health 30 days before changes.
Data will be processed only for the purposes defined in the MSA.
Retention addendum
For regulated workspaces, Northwind Health requires 24-month retention of customer content and related evidence.
This addendum supersedes the standard retention policy for covered workspaces.
Subprocessor list
Current subprocessors
Log aggregation: US-West
Email delivery: US-East
Analytics: EU-Central
Change notice required at least 30 days before adding a new subprocessor.
Regulatory map
HIPAA: retain audit evidence for 6 years.
GDPR: EU data must remain in EU regions unless SCCs are in place.
Implications
Retention policy must support longer regulated windows.
Residency controls must be enforceable at ingest and backup layers.
Audit checklist
Required evidence
Retention configuration screenshots
Log redaction proof
Residency control verification
Operational checks
Access review completed quarterly
Incident response drills within the last 12 months
Security risk assessment
Top risks
Retention mismatch between policy and contracts.
Vendor logging of payloads beyond policy.
EU residency gaps in onboarding defaults.
Mitigation: update policy language and enforce configuration gates.
Security architecture notes
Data flow
Ingestion applies redaction before storage.
Region selection is enforced at workspace creation.
Backups stay within the selected region.
Reminder: logging should not include raw payloads.
Monitoring plan
Operational proposal for debugging.
Telemetry approach
Store full request payloads for 7 days to reproduce issues.
Retain performance metrics for 12 months.
Alert on spikes in failed requests.
This plan assumes payload logging is acceptable for short windows.
Backup policy
Backups run nightly and retain for 120 days.
EU workloads stay in EU storage buckets; US workloads remain in US regions.
Restore tests are scheduled quarterly with documented results.
Service level targets
Availability target: 99.9 percent monthly uptime.
Response targets
P1 incidents: acknowledge within 15 minutes
P2 incidents: acknowledge within 1 hour
Maintenance windows require 7-day notice.
Policy review meeting (2024-10-07)
Attendees: Compliance, Security, Legal.
Discussion
Retention policy vs contract addendum
Logging policy vs monitoring plan
Residency expectations for EU tenants
Action items
Legal to confirm MSA hosting language
Ops to revise monitoring scope
Legal review (2024-10-15)
Summary
MSA currently defaults to US hosting.
DPA needs explicit SCC language.
Retention addendum must reference regulated workspaces only.
Next step: revise legal drafts and circulate for sign-off.
Decision log (2024-10-18)
Decision: internal retention policy set to 90 days for standard workspaces.
Rationale
Reduce data exposure
Align with current storage costs
Follow-up: determine exceptions for regulated teams.
Open questions
Should EU hosting be the default for all EU customer trials?
Can we prohibit payload logging in vendor contracts?
What is the approval workflow for retention exceptions?
Owners: compliance and security.
Vendor onboarding notes
Default region: US-East. EU region requires a separate request and lead time.
Vendor stores full request payloads for debugging up to 7 days.
Requested follow-ups
Clarify log retention beyond 7 days
Provide EU data handling documentation
Vendor security questionnaire
Logging
Full payload logging enabled for troubleshooting (7 days).
Log retention for metadata is 180 days.
Data residency
Primary storage in US with optional EU region.
Encryption at rest and in transit: supported.
Customer requirements summary
Regulated teams require:
24-month retention of audit evidence
PDF audit exports for external review
EU-only hosting for EU locations
These requirements are contractually binding for pilot sites.
Data flow notes
Ingestion -> processing -> storage -> reporting.
Controls
Redact sensitive fields before storage.
Apply residency tags at ingest and enforce on backups.
Log metadata only (no content).
Open issue: verify vendor logging behavior in EU region.
Validation plan
Tests
Retention expiration behavior at 90 days
Residency enforcement for EU tenants
Logging redaction verification
Artifacts: screenshots, logs, and config exports are required for audits.
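The Logging policy allows only request IDs, timestamps, hashes, error codes and latency metrics; the Data flow notes repeat "log metadata only (no content)"; and the Validation plan and Audit checklist both ask for logging redaction verification as evidence. The following is an added example, not Northwind Health's or the vendor's code, showing one way to produce policy-conformant records and to check existing log lines for leaked payloads. The JSON field names, the `check_log_line` heuristics and the sample log lines are assumptions constructed for the example; the second sample line is written in the style of the monitoring plan's full-payload proposal to show what the check flags.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Field names for the categories the Logging policy allows (assumed names).
ALLOWED_FIELDS = {"request_id", "timestamp", "payload_sha256", "error_code", "latency_ms"}
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def policy_log_record(request_id, payload, error_code, latency_ms, when=None):
    """Build a log record that carries only policy-allowed metadata.

    The payload never enters the record; only its SHA-256 digest does, which is
    enough to correlate a later reproduction request with the original without
    storing customer document text (the policy's 'hashes' allowance).
    """
    when = when or datetime.now(timezone.utc)
    return {
        "request_id": request_id,
        "timestamp": when.isoformat(),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "error_code": error_code,
        "latency_ms": latency_ms,
    }


def check_log_line(line):
    """Return a list of policy findings for one JSON log line (empty means compliant)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON: cannot show that no payload is present"]
    if not isinstance(record, dict):
        return ["record is not a JSON object"]
    findings = []
    extra = sorted(set(record) - ALLOWED_FIELDS)
    if extra:
        findings.append("disallowed fields present: " + ", ".join(extra))
    digest = record.get("payload_sha256")
    if digest is not None and not HEX_SHA256.match(str(digest)):
        findings.append("payload_sha256 is not a hex SHA-256 digest (raw content stored instead?)")
    for key, value in record.items():
        # Nested objects or arrays under any key are treated as content, not metadata.
        if isinstance(value, (dict, list)):
            findings.append(f"structured value under '{key}' looks like a payload")
    return findings


def redaction_report(lines):
    """Map 1-based line numbers to findings for every non-compliant line."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = check_log_line(line)
        if findings:
            report[number] = findings
    return report


# Constructed sample log lines: one compliant, two that would fail an audit.
SAMPLE_LOG_LINES = [
    json.dumps(policy_log_record("req-001", b"constructed customer text", None, 42,
                                 datetime(2024, 10, 3, 12, 0, tzinfo=timezone.utc))),
    json.dumps({"request_id": "req-002", "timestamp": "2024-10-03T12:00:01+00:00",
                "body": "full request payload with customer document text (constructed)",
                "latency_ms": 80}),
    json.dumps({"request_id": "req-003", "timestamp": "2024-10-03T12:00:02+00:00",
                "payload_sha256": "not a digest", "latency_ms": 5}),
]

if __name__ == "__main__":
    for number, findings in redaction_report(SAMPLE_LOG_LINES).items():
        print(f"line {number}:", "; ".join(findings))
```

Running `redaction_report` over a sampled log export and attaching the (empty) output to the audit package is one concrete form the "log redaction proof" evidence item can take; a non-empty report is a finding against the vendor's 7-day full-payload logging described in the onboarding notes.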
Support FAQ
Q: Can we self-host?
A: Yes, for limited pilots with approved security review.
Q: How long is data retained?
A: Policy default is 90 days; regulated workspaces may be longer.
Q: Where is EU data stored?
A: EU region only, per policy.
Policy program roadmap
Phase 1: publish retention, logging, and access control policies.
Phase 2: finalize residency controls and vendor addendums.
Phase 3: run an external audit readiness review.
Target: complete Phase 1 by end of Q4.
Problem
Launch collateral, pricing docs, and security status statements are out of sync, creating mixed messages and risk.
Solution
Compair checks marketing, sales, and engineering artifacts together and flags claim mismatches before launch day.
Compair Notifications
High (score 0.90): Integration availability mismatch
Press release and landing page claim real-time integrations, but release notes and engineering docs say beta or coming soon.
Project Polaris launch targets mid-December for the first paid pilot.
Goals
Prove alert quality in real projects
Validate onboarding flow with 5 teams
Gather pricing feedback
Success signals: weekly active reviewers, low false-positive rate, and at least two enterprise leads.
GTM checklist
Pre-launch items
Finalize messaging and positioning
Approve pricing page content
Confirm support coverage and escalation path
Launch week
Publish release notes
Update website CTA
Notify pilot customers
Release notes
Project Polaris v0.9 highlights:
Desktop sync with offline review
Priority and digest notifications
Evidence snippets with source links
Limitations
Integrations are beta (Gmail only)
No real-time integrations in v0.9
PDF audit export not included
Feature matrix
Included
Passage-level alerts
Desktop sync agent
CLI batch upload
Planned
Outlook integration (beta)
Discord notifications
Audit exports
Not in this release
Real-time integrations
Advanced analytics dashboards
Press release draft
Draft headline: "Project Polaris launches with real-time integrations and instant conflict alerts."
Body draft mentions real-time Gmail and Outlook integrations at launch.
Needs review to ensure claims match release scope.
Landing page copy
Hero line draft: "Real-time integrations, SOC2-certified security, and instant alignment."
Supporting bullets mention Gmail, Outlook, and Discord live at launch.
This copy is a placeholder and has not been approved by security.
Email drip campaign
Sequence: welcome -> use case -> proof -> invite to demo.
Draft highlights "real-time integrations" and "audit-ready reports" in week two.
Check all claims against release notes before scheduling.
Sales one-pager
Value props
Reduce review time across large doc sets
Evidence-backed alerts for decision makers
Pricing note (draft)
Free tier for teams up to 10 users
Paid plans start after pilot
Pricing FAQ
Q: Is there a free tier?
A: No, there is a 14-day free trial only.
Q: What happens after the trial?
A: Per-seat pricing applies with annual or monthly options.
Q: Are integrations included?
A: Gmail beta included; others are planned.
Support FAQ
Top questions from onboarding calls:
How do I install the desktop agent?
Where do alerts show up?
What is the trial length?
Answer references: setup guide, release notes, and support email.
Onboarding guide
Step 1: create a workspace and invite a reviewer.
Step 2: install the desktop sync app and select a folder.
Step 3: run first sync and review priority alerts.
Step 4: publish a snapshot for the team.
If alerts look noisy, switch to the digest view first.
Release comms
Send to support on launch day.
Include
Release notes and limitations
Known issues and workaround steps
Escalation path for sync failures
Tone: transparent, clear on what is beta.
Security status
SOC2 readiness is in progress.
Gap assessment complete
External audit scheduled for next quarter
Do not claim certification until audit results are finalized.
Claims guidance
Do not state SOC2 certification or real-time integrations before GA.
Approved language
"SOC2 in progress"
"Integrations available in beta"
Marketing must route claims through legal review.
Integration roadmap
Phase 1: Gmail beta (read-only, inbound).
Phase 2: Outlook beta after reliability pass.
Phase 3: Discord summaries once alerts stabilize.
Real-time processing is not planned for v0.9.
Reliability notes
Targets
99.9 percent uptime for cloud alerts
Sync retry with exponential backoff
Alert fetch within 2 seconds
Open issue: batch size tuning for large workspaces.
Known limitations
Current release limits:
Gmail beta only; other integrations are not live.
No real-time integrations or webhooks.
PDF audit export not supported.
Document this in release notes and onboarding.
Launch sync (2024-11-01)
Decisions
Ship v0.9 to pilot customers only.
Keep pricing page in trial-only mode.
Action items
Update marketing copy with approved claims.
Support to prepare FAQs.
Sales sync (2024-11-08)
Discussion summary:
Sales wants a free tier to reduce friction.
Finance prefers a trial-only model.
Product wants a decision before launch.
Next step: schedule a pricing decision meeting.
Decision log (2024-11-10)
Decision: launch with a 14-day trial and no free tier.
Rationale
Simplify billing for the pilot
Avoid long-term free usage during beta
Launch risks
Marketing claims exceed release scope.
Pricing message inconsistency across docs.
Security status misrepresented.
Mitigation: update copy and enforce review gates before launch.
Beta feedback
Most requested items:
Outlook integration timeline
Clearer pricing explanation
Fewer noisy alerts in early runs
Positive note: evidence links were called "the best part".
API reference
Rate limits: 60 requests per minute.
Endpoints
POST /documents
POST /alerts
GET /alerts?view=priority|digest
Authentication uses API keys scoped to a workspace.
CLI guide
Example usage
polaris sync ./docs
polaris alerts --priority
polaris publish --workspace alpha
CLI output is JSON and can be piped to other tools.
Pricing page draft
Draft copy:
14-day free trial for all plans
Per-seat pricing after trial
Annual discount available
No free tier is listed in the current draft.
Usage limits
Starter plan
3 projects
1 integration (Gmail beta)
50k passages per month
Pro plan
Unlimited projects
Multiple integrations
Higher passage limits
Webinar outline
Agenda
Problem overview and demo workflow
Live review of a priority alert
Roadmap Q&A
Remind speakers to avoid SOC2 or real-time integration claims.
Objection handling
Q: Do you have a free tier?
A: No, we offer a 14-day trial.
Q: Are integrations real-time?
A: Not yet; Gmail is beta and others are planned.
Q: Are you SOC2 certified?
A: SOC2 is in progress.
Product suite
Choose the Compair that's right for your team.
Compair works as a hosted cloud app, a self-hosted core container, a desktop companion, and a developer CLI.
Available
Compair Cloud
Hosted workspace for teams and individuals alike. Bring your files and jump right in.