Inspiration

Every company running MongoDB has sensitive data they don't know about. A forgotten email field, an unencrypted social security number, years of IP addresses in a logs collection. The fines are real — GDPR reaches 20 million euros, HIPAA hits $1.9 million per year. Most companies either hire a $100K compliance auditor or hope nobody notices. We wanted to build an agent that does this work continuously, not once a year.

What it does

Complyr connects to any MongoDB database, scans every collection for sensitive data, classifies each field against specific regulations (PCI-DSS, HIPAA, GDPR, GLBA, CCPA), encrypts critical fields with MongoDB Client-Side Field Level Encryption, and generates auditor-ready PDF reports. All from a terminal or browser. Works across any domain — healthcare, fintech, e-commerce, HR.

How we built it

  • Agent: Google ADK 2.2 with Gemini 3.1 Pro (Vertex AI) for reasoning and classification
  • MCP: MongoDB MCP server (Docker locally, npx on Cloud Run) for database access
  • Tools: 4 custom FunctionTools — schema fetching, database scanning, field encryption, report generation
  • Encryption: MongoDB CSFLE with explicit ClientEncryption (no mongocryptd dependency)
  • Backend: FastAPI with SSE streaming for real-time chat, htmx-free vanilla JS UI
  • Deployment: Cloud Run with Cloud Build, connecting to MongoDB Atlas
  • Test data: Gemini-generated synthetic documents across two company profiles (healthcare + fintech)

Challenges we ran into

MongoDB CSFLE on Windows 8.3 has a known mongocryptd issue, so we switched to explicit encryption using ClientEncryption.encrypt() — no mongocryptd required. The MCP server runs in Docker locally but Cloud Run can't spawn containers, so we built a dual transport (docker + npx) that switches automatically. The agent's system prompt went through multiple iterations to be truly domain-agnostic — it infers the regulatory framework from field patterns rather than assuming any industry.
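The scan-and-classify step described above (sensitive fields recognised from name and value patterns, mapped to regulations, and the framework inferred per collection), as an added Python example that is not Complyr's own code; the rule table, class-to-regulation mapping and sample documents are constructed assumptions for illustration:

```python
import re
from collections import defaultdict

# Rules: (data class, field-name regex, optional value regex, implicated frameworks).
# The class-to-framework mapping is an illustrative assumption, not Complyr's ruleset.
RULES = [
    ("ssn", r"ssn|social_security|national_id", r"^\d{3}-?\d{2}-?\d{4}$", {"GLBA", "CCPA"}),
    ("card_number", r"card|(^|_)pan($|_)|cc_number", r"^\d{13,19}$", {"PCI-DSS"}),
    ("email", r"email", r"^[^@\s]+@[^@\s]+\.[^@\s]+$", {"GDPR", "CCPA"}),
    ("phi", r"diagnos|icd|mrn|patient", None, {"HIPAA"}),
    ("ip_address", r"(^|_)ip($|_)|remote_addr", r"^(\d{1,3}\.){3}\d{1,3}$", {"GDPR"}),
]

def luhn_ok(digits):
    """Luhn checksum; filters out long digit strings that are not card numbers."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch) * 2 if double else int(ch)
        total += d - 9 if d > 9 else d
        double = not double
    return total % 10 == 0

def classify_field(name, value):
    """Return (data_class, frameworks) when a field name or value looks sensitive."""
    lname, sval = name.lower().replace("-", "_"), "" if value is None else str(value)
    for cls, name_re, value_re, frameworks in RULES:
        name_hit = re.search(name_re, lname) is not None
        value_hit = value_re is not None and re.match(value_re, sval) is not None
        if cls == "card_number" and value_hit and not luhn_ok(sval):
            value_hit = False   # e.g. an order id that happens to be 13-19 digits
        if name_hit or value_hit:
            return cls, frameworks
    return None

def scan_collection(docs):
    """Walk (possibly nested) documents; aggregate findings per dotted field path."""
    findings = defaultdict(lambda: {"class": None, "frameworks": set(), "hits": 0})
    def walk(obj, prefix):
        for key, val in obj.items():
            path = prefix + key
            if isinstance(val, dict):
                walk(val, path + ".")
            elif (res := classify_field(key, val)) is not None:
                f = findings[path]
                f["class"], f["hits"] = res[0], f["hits"] + 1
                f["frameworks"] |= res[1]
    for doc in docs:
        walk(doc, "")
    return dict(findings)

def infer_frameworks(findings):
    """The regulations a collection falls under, inferred from its field patterns."""
    return sorted(set().union(*(f["frameworks"] for f in findings.values())))

# Constructed sample documents (one healthcare-style, one fintech-style record).
SAMPLE_DOCS = [
    {"name": "Ann", "email": "ann@example.com", "patient": {"mrn": "A1", "diagnosis_code": "E11"}},
    {"name": "Bob", "email": "bob@example.com", "payment": {"card": "4111111111111111"},
     "client_ip": "10.0.0.5", "order_id": "1234567890123"},
]
```

Running `scan_collection(SAMPLE_DOCS)` flags the email, MRN, diagnosis, card and IP fields while leaving the 13-digit order id alone because it fails the Luhn check.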

What's next

Post-hackathon: support for PostgreSQL and S3 scanning, Slack/Jira alerting, continuous monitoring mode, and an auditor portal for external compliance review.
