Overview
Most compliance automation tools blur boundaries: extraction → interpretation → judgment, often inside a single opaque step.
DDRP is designed to stop that collapse. It produces a deterministic artifact trail that answers: “What obligation-creating language is present, and is it structurally complete?” It does not decide adequacy, compliance, intent, or risk acceptance.
The Workflow (5 Steps)
Step 1 — Treat the document as immutable evidence
Input: statute, regulation, policy, contract (PDF / DOCX / MD).
Rule: no edits, no annotations, no interpretation.
The goal is to preserve the document as evidence and make processing reproducible across messy formatting.
Step 2 — Canonicalize (normalize) deterministically
The document is transformed into a canonical text representation so formatting quirks don’t change results. Same input → same canonical text → same downstream outputs. :contentReference[oaicite:0]{index=0}
- Normalize whitespace and line breaks
- Stabilize extraction across page/layout artifacts
- Produce a canonical text hash
Step 3 — Run lexical obligation/operator detection
DDRP scans the canonical text for explicit obligation-creating operators (lexical-only). No probability. No semantic model. No “intent” guessing. :contentReference[oaicite:1]{index=1}
- Examples: “must”, “shall”, “may not”, definitional language, conditional triggers
- Each match records: operator type, matched string, pattern ID, and exact character offsets
Step 4 — Structural obligation resolution (not interpretation)
Each detected obligation is checked for structural completeness using a bounded, rule-based scan near the match. The question is not “is this good?” but “is this structurally complete in the text?” :contentReference[oaicite:2]{index=2}
Checklist:
- Who is responsible?
- What must be done?
- When?
- Where?
- How?
- Why (only if stated)?
If any element is missing, status = OPEN. If all are present, status = SATISFIED.
Step 5 — Cryptographic sealing (tamper-evident output)
Outputs are bundled into deterministic JSON artifacts with cryptographic hashing. Any post-hoc modification is detectable; reruns can be byte-identical under the same inputs and rules. :contentReference[oaicite:3]{index=3}
- Canonical input hash
- Operator matches with offsets
- Obligation resolution statuses
- Environment metadata
- Optional hash chaining across runs
Where human judgment begins
DDRP stops once the deterministic artifact exists. Only after that do humans:
- assess adequacy
- interpret intent (if appropriate)
- perform gap analysis
- decide remediation and risk acceptance
What You Get (Artifacts)
The deliverable is not a narrative summary. It is an artifact set you can audit.
- Operators JSON — raw matched obligation language with exact locations
- Obligations JSON — structural completeness outcomes (OPEN/SATISFIED)
- Transaction record — hashes, environment metadata, optional chain link
input document → deterministic canonicalization → lexical operator detection → bounded structural resolution → hash/bundle outputs → (optional) hash-chain across runs
Why This Fits a CCO Workflow
- Pre-flight instrument before gap analysis or controls mapping
- Audit-defensible evidence trail (tamper-evident artifacts)
- Repeatable indefinitely (same doc + same rules → same results)
- Stack-agnostic pattern: artifacts can be ingested into existing GRC workflows
- No AI approvals required, because it does not claim interpretation
FAQ
Does DDRP determine compliance?
No. DDRP extracts and structurally checks obligation language. It does not decide adequacy, compliance, or risk.
Does DDRP infer meaning?
No. It operates on explicit lexical patterns and bounded structural rules. If it’s not in the text, it’s not “added.”
Where does this sit in a program?
Upstream of human review. Think of it as a deterministic baseline you can hand to legal/compliance teams.
What makes it different from AI summarizers?
AI summarizers often mix extraction and interpretation. DDRP is explicitly constrained to extraction + structural status only.