Expert mode & framework references
Eleven compliance frameworks the copilot can cite article-by-article. What each module covers and when it triggers.
Last updated May 10, 2026
Expert mode loads a structured reference library covering eleven
frameworks. Each entry is anchored — the model cites it back to you as
a stable [ref:fw.<framework>.<reference>] token, which renders as a
chip with the article / criterion / control number it points at. The
model is forbidden from fabricating reference ids.
When expert mode engages
Three triggers, in order of precedence:
- Per-conversation toggle — the Expert button in the assistant header. Highest priority.
- Workspace default — Settings → Compliance copilot → Default new conversations to expert mode. Applies to every new thread.
- Auto-detection — your message mentions a framework keyword (e.g. "GDPR Art. 28", "AI Act Annex III", "SOC 2 TSC", "VCDPA"). Only the matched module loads, keeping the prompt small.
If none of the above match, the assistant runs in standard mode and grounds answers in workspace facts only.
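The precedence above, written out as a resolver. This is an added example, not Attestly's own code or the contents of src/lib/assistant/frameworks.ts: the module ids, the keyword table, the tristate toggle (never pressed / on / off) and the rule that the toggle or workspace default loads every module are all assumptions made here. Only the third trigger narrows the load to the matched modules, as the page states.

```typescript
// Added example (not Attestly's code): applies the three expert-mode triggers
// in order of precedence and returns which reference modules get loaded.
// Assumptions: module ids, keyword table, tristate toggle, and that the toggle
// or workspace default loads the whole library.

type FrameworkId =
  | "gdpr" | "ai-act" | "soc2" | "ccpa" | "hipaa" | "iso27001"
  | "nist-ai-rmf" | "us-state" | "dora" | "nis2" | "dsa";

const ALL_MODULES: FrameworkId[] = [
  "gdpr", "ai-act", "soc2", "ccpa", "hipaa", "iso27001",
  "nist-ai-rmf", "us-state", "dora", "nis2", "dsa",
];

// Constructed keyword table (assumption): one pattern per module. Word
// boundaries keep "CPA" from firing inside "CCPA" and similar substrings.
const KEYWORDS: Record<FrameworkId, RegExp> = {
  gdpr: /\bGDPR\b|\b2016\/679\b/i,
  "ai-act": /\bAI Act\b|\b2024\/1689\b/i,
  soc2: /\bSOC ?2\b|\bTSC\b/i,
  ccpa: /\bCCPA\b|\bCPRA\b/i,
  hipaa: /\bHIPAA\b|\bHITECH\b/i,
  iso27001: /\bISO(?:\/IEC)? ?27001\b/i,
  "nist-ai-rmf": /\bNIST AI\b|\bAI RMF\b/i,
  "us-state": /\bVCDPA\b|\bCTDPA\b|\bUCPA\b|\bCPA\b/,
  dora: /\bDORA\b|\b2022\/2554\b/,
  nis2: /\bNIS ?2\b|\b2022\/2555\b/i,
  dsa: /\bDSA\b|\bDigital Services Act\b|\b2022\/2065\b/,
};

interface ModeDecision {
  expert: boolean;
  trigger: "toggle" | "workspace-default" | "auto-detect" | "none";
  modules: FrameworkId[]; // reference modules placed into the prompt
}

// Returns the modules whose keywords appear in the message, in library order.
function detectFrameworks(message: string): FrameworkId[] {
  return ALL_MODULES.filter((id) => KEYWORDS[id].test(message));
}

function resolveMode(
  conversationToggle: boolean | null, // null = the Expert button was never pressed
  workspaceDefault: boolean,
  message: string,
): ModeDecision {
  // 1. The per-conversation toggle wins outright, whether it is on or off.
  if (conversationToggle !== null) {
    return {
      expert: conversationToggle,
      trigger: "toggle",
      modules: conversationToggle ? [...ALL_MODULES] : [],
    };
  }
  // 2. The workspace default applies to every new thread.
  if (workspaceDefault) {
    return { expert: true, trigger: "workspace-default", modules: [...ALL_MODULES] };
  }
  // 3. Auto-detection loads only the matched modules, keeping the prompt small.
  const matched = detectFrameworks(message);
  if (matched.length > 0) {
    return { expert: true, trigger: "auto-detect", modules: matched };
  }
  // Nothing matched: standard mode, grounded in workspace facts only.
  return { expert: false, trigger: "none", modules: [] };
}
```

A message such as "Does GDPR Art. 28 apply to our vendors?" resolves to expert mode with only the gdpr module loaded; the same message in a thread where the user switched the Expert button off stays in standard mode even if the workspace default is on.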
What each framework module covers
The references below are the exact [ref:…] ids the model is allowed
to cite. The summary you see in chat is short; expand a chip to read
our compact gloss of each article (and follow the link, where one is
provided, to the official source).
GDPR (EU 2016/679)
art-5 principles · art-6 lawful bases · art-9 special-category
data · art-13-14 privacy-notice contents · art-15-22 data-subject
rights · art-25 privacy by design · art-28 processor
obligations · art-30 records of processing · art-32 security ·
art-33-34 breach notification · art-35 DPIA · art-44-49 international
transfers · art-83 fines.
EU AI Act (Reg. 2024/1689)
art-3 definitions · art-5 prohibited practices · annex-iii
high-risk use cases · art-9 risk management (high-risk) · art-10
data and data governance · art-13 transparency to deployers ·
art-14 human oversight · art-26 deployer obligations · art-50
limited-risk transparency · art-51-55 general-purpose AI · art-99
penalties.
AICPA SOC 2 (TSP-100, 2017 / 2022)
common-criteria CC1–CC9 · tsc-availability · tsc-confidentiality
· tsc-processing-integrity · tsc-privacy · evidence audit
walkthroughs.
CCPA / CPRA
right-to-know · right-to-delete · right-to-correct · right-to-opt-out
of sale or sharing · right-to-limit-sensitive · service-provider-contracts
§ 1798.140(ag)/(ah) · privacy-policy § 1798.130 · enforcement
§ 1798.155 / 199.
HIPAA / HITECH (45 CFR 160, 162, 164)
privacy-rule · security-rule (administrative / physical / technical
safeguards) · breach-rule · baa business associate agreement ·
minimum-necessary · penalties.
ISO/IEC 27001:2022
clauses-4-10 ISMS requirements · annex-a-organisational (37
controls) · annex-a-people (8) · annex-a-physical (14) ·
annex-a-technological (34) · soa Statement of Applicability.
NIST AI Risk Management Framework 1.0
govern · map · measure · manage · gen-ai-profile (NIST AI
600-1, twelve gen-AI risks).
US comprehensive state privacy laws
vcdpa (Virginia) · cpa (Colorado) · ctdpa (Connecticut) ·
ucpa (Utah) · common-shape (TX, OR, MT, IA, TN, IN, DE, NJ, NH,
NE, MN, MD, RI, KY) · minor-protections.
EU DORA (Reg. 2022/2554)
art-5-15 ICT risk management · art-17-23 incident reporting ·
art-24-27 operational resilience testing · art-28-44 third-party
ICT risk · art-50-58 penalties.
EU NIS 2 Directive (Dir. 2022/2555)
art-20 governance · art-21 ten minimum risk-management measures
· art-23 incident reporting · art-24-25 supply-chain security ·
art-32-37 supervision and penalties.
EU Digital Services Act (Reg. 2022/2065)
art-9-10 orders · art-14 T&Cs · art-15 transparency reporting
· art-16-17 notice-and-action / statement of reasons · art-25-27
recommender systems & dark patterns · art-28 minor protection ·
art-34-35 VLOP/VLOSE systemic-risk obligations · art-52 fines.
How citations interact with workspace facts
The most useful expert-mode answers braid framework references with your workspace data. A typical reply looks like:
Yes — [ref:fw.gdpr.art-28] requires the controller-processor contract to set out (a)–(h); your published DPA covers all of them [ref:doc.dpa.v3]. Your subprocessor inventory currently has 12 active vendors with one in pending Art. 28(2) state [ref:count.subprocessors] [ref:fw.gdpr.art-28].
Click the GDPR chip → opens our gloss. Click the doc chip → jumps to your DPA at the relevant section.
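Because the model is forbidden from fabricating reference ids, a reply can be checked mechanically before its chips render: every [ref:fw.<framework>.<reference>] token must resolve to an id in the module list above. The following is an added example, not Attestly's code: the token grammar is inferred from the page, the allow-list is transcribed from only the GDPR and EU AI Act modules, and the sample replies (including the one with made-up ids) are constructed here. Workspace-fact namespaces (doc, count) are resolved against the workspace, so the check only confirms the namespace is a known one.

```typescript
// Added example (not Attestly's code): extracts [ref:...] tokens from a reply
// and rejects framework ids that are not in the reference library. Token
// grammar is inferred from the page; the allow-list covers two modules only.

// Exact ids the model may cite, per module, transcribed from the page.
const ALLOWED_FW_REFS: Record<string, Set<string>> = {
  gdpr: new Set([
    "art-5", "art-6", "art-9", "art-13-14", "art-15-22", "art-25", "art-28",
    "art-30", "art-32", "art-33-34", "art-35", "art-44-49", "art-83",
  ]),
  "ai-act": new Set([
    "art-3", "art-5", "annex-iii", "art-9", "art-10", "art-13", "art-14",
    "art-26", "art-50", "art-51-55", "art-99",
  ]),
};

// Workspace-fact namespaces seen on the page; their paths are checked against
// the workspace, not this library, so only the namespace is validated here.
const WORKSPACE_NAMESPACES = new Set(["doc", "count"]);

interface RefToken { raw: string; namespace: string; path: string }
interface CitationReport { valid: RefToken[]; invalid: RefToken[] }

// [ref:<namespace>.<path>] where path may itself contain dots and hyphens.
const REF_RE = /\[ref:([a-z]+)\.([a-z0-9._-]+)\]/;

function extractRefs(reply: string): RefToken[] {
  const out: RefToken[] = [];
  const re = new RegExp(REF_RE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(reply)) !== null) {
    out.push({ raw: m[0], namespace: m[1], path: m[2] });
  }
  return out;
}

function checkCitations(reply: string): CitationReport {
  const report: CitationReport = { valid: [], invalid: [] };
  for (const tok of extractRefs(reply)) {
    if (tok.namespace === "fw") {
      // fw.<framework>.<reference>: the framework is everything before the first dot.
      const dot = tok.path.indexOf(".");
      const framework = dot === -1 ? tok.path : tok.path.slice(0, dot);
      const reference = dot === -1 ? "" : tok.path.slice(dot + 1);
      const ok = ALLOWED_FW_REFS[framework]?.has(reference) ?? false;
      (ok ? report.valid : report.invalid).push(tok);
    } else if (WORKSPACE_NAMESPACES.has(tok.namespace)) {
      report.valid.push(tok);
    } else {
      report.invalid.push(tok);
    }
  }
  return report;
}

// Replaces unknown tokens so a fabricated id never renders as a confident chip.
function redactInvalid(reply: string): string {
  const bad = new Set(checkCitations(reply).invalid.map((t) => t.raw));
  return reply.replace(new RegExp(REF_RE.source, "g"), (raw) =>
    bad.has(raw) ? "[unverified reference]" : raw,
  );
}

// Constructed sample replies. The first mirrors the page's example; the second
// cites two ids that exist in no module (art-99 belongs to the AI Act, not GDPR).
const PAGE_STYLE_REPLY =
  "Yes, [ref:fw.gdpr.art-28] requires the controller-processor contract to set out (a)-(h); " +
  "your published DPA covers all of them [ref:doc.dpa.v3]. Your subprocessor inventory has " +
  "12 active vendors [ref:count.subprocessors] [ref:fw.gdpr.art-28].";
const FABRICATED_REPLY =
  "Under [ref:fw.gdpr.art-99] and [ref:fw.ai-act.annex-iv] a DPIA is mandatory; see also [ref:fw.gdpr.art-35].";
```

Running checkCitations over PAGE_STYLE_REPLY returns four valid tokens and none invalid; over FABRICATED_REPLY it keeps only [ref:fw.gdpr.art-35] and flags the other two, which redactInvalid turns into "[unverified reference]" so the reader sees a gap rather than a chip pointing at an article that does not exist.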
Disclosure and limits
The framework reference library is the assistant's map, not a legal opinion. The model is instructed to:
- Disclose uncertainty when application depends on facts it doesn't have.
- Use phrasing like "this typically requires" rather than definitive conclusions.
- Recommend counsel for application to specific facts.
- Prefer concrete next steps you can take inside Attestly today.
If you spot a stale reference (an article number changed, a directive
was superseded), open an issue at hello@attestly.dev. The library is
versioned — each module's last-reviewed date is captured in the source
under src/lib/assistant/frameworks.ts.