Inspiration

Small and medium businesses face a critical challenge: ESG compliance costs $10K-$50K per report, requires specialized expertise, and involves navigating complex regulations across multiple jurisdictions. Most SMBs can't afford dedicated sustainability teams, leading to:

  • Manual data collection taking weeks
  • Missed compliance deadlines
  • Incomplete or inaccurate reports
  • Risk of regulatory penalties

The inspiration: What if AI agents could autonomously handle the entire ESG compliance workflow - from researching regulations to generating framework-compliant reports - making sustainability accessible to businesses of all sizes?


What it does

ESG Copilot is a multi-agent AI system that automates end-to-end ESG compliance:

5 Specialized AI Agents:

  1. Regulation Research Agent (with 3 sub-agents)

    • Analyzes company location, industry, size
    • Performs real-time web search for applicable regulations
    • Identifies jurisdiction-specific requirements (California SB 253, SEC Climate, EU CSRD)
    • Calculates compliance deadlines
    • Sub-agents: Jurisdiction Analyzer, Framework Mapper, Deadline Calculator
  2. ESG Data Collection Agent (with 3 sub-agents)

    • Queries EPA Envirofacts API for environmental data
    • Web scrapes company sustainability pages
    • AI estimates missing metrics using industry benchmarks
    • Sub-agents: EPA Collector, Web Scraper, AI Estimator
    • Parallel execution: All 3 sub-agents run simultaneously
  3. Emissions Calculator Agent

    • Calculates Scope 1, 2, 3 carbon emissions
    • Uses Climatiq API for emission factors
    • Provides breakdown by source category
    • Generates emissions trends
  4. Report Generator Agent (with 4 sub-agents)

    • Creates framework-compliant reports (GRI, SASB, TCFD)
    • Iterative refinement: Review & Critique loop (1-3 iterations)
    • Auto-generates executive summaries
    • Produces downloadable PDFs
    • Sub-agents: GRI Writer, SASB Writer, TCFD Writer, Review & Critique
  5. Chat Agent (RAG)

    • Permission-aware Q&A using Retrieval-Augmented Generation
    • Company-scoped knowledge base (Pinecone vector DB)
    • Real-time authorization checks (Auth0 FGA Store)
    • Answers questions about regulations, ESG data, reports

Key Features:

  • Real-time web search for regulation discovery (Google Gemini grounding)
  • Multi-source data collection (EPA API, web scraping, AI estimation)
  • Automated emissions calculation (Climatiq API integration)
  • Framework-compliant reports (GRI, SASB, TCFD standards)
  • Role-based access control (4 roles: Company Admin, ESG Consultant, Auditor, Regulator)
  • Company-level data isolation (zero data leakage between companies)
  • Audit logging (all agent actions tracked in BigQuery)

How we built it

Architecture:

Frontend:

  • Next.js 14 (React framework)
  • TailwindCSS for styling
  • Auth0 SDK for authentication
  • Deployed on Vercel

Backend:

  • Node.js + Express.js
  • Google Gemini 2.5 Flash (LLM for agent reasoning)
  • LangChain.js (agent orchestration)
  • Deployed on Render

Data & Storage:

  • Google BigQuery (ESG data, audit logs, reports)
  • Pinecone (vector database for RAG)
  • Google Cloud Storage (report PDFs)

External APIs:

  • Climatiq API (emissions calculations)
  • EPA Envirofacts API (environmental data)
  • SendGrid (email notifications)
  • Auth0 (authentication, authorization, Token Vault, FGA Store)

Multi-Agent Patterns:

  1. Hybrid Parallel + Sequential Execution

    • Regulation Research: Phase 1 runs 2 agents in parallel (Jurisdiction Analyzer + Framework Mapper), Phase 2 runs Deadline Calculator with Phase 1 results
    • ESG Data Collection: 3 sub-agents execute in parallel via Promise.all()
    • Results aggregated and merged
    • Optimizes for both speed and data dependencies
  2. Iterative Refinement

    • Report Generator: Review & Critique loop
    • Draft → Review → Revise (1-3 iterations)
    • Configurable via MAX_REVIEW_ITERATIONS env variable
  3. Service-Level Orchestration

    • Main agents coordinate sub-agents
    • State management via BigQuery
    • Error handling with graceful degradation

Security Implementation:

  • Authentication: Auth0 Universal Login with JWT tokens
  • Authorization: Role-based access control (RBAC) with 9 permissions
  • Token Vault: API keys injected into JWT (never hardcoded)
  • FGA Store: Document-level authorization with real-time checks
  • Audit Logging: Every agent action logged with user, company, timestamp

Challenges we ran into

1. Multi-Agent Coordination

Challenge: Coordinating 5 main agents + 9 sub-agents with dependencies

  • Regulation Research must complete before Report Generation
  • ESG Data Collection needed before Emissions Calculator
  • Deadline Calculator needs regulations from Jurisdiction Analyzer
  • Race conditions with parallel sub-agents

Solution:

  • Service-level orchestration with clear dependency chains
  • Hybrid execution: Promise.all() for independent agents, sequential for dependent ones
  • Regulation Research uses 2-phase approach: Phase 1 parallel (jurisdiction + frameworks), Phase 2 sequential (deadlines)
  • State management in BigQuery for tracking agent progress
  • Error handling with partial success (if 2/3 sub-agents succeed, continue)
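The hybrid fan-out/gather pattern from the Multi-Agent Patterns section together with the "continue if 2/3 sub-agents succeed" rule above, as an added example that is not ESG Copilot's own code: `runParallel`, `researchRegulations`, `collectEsgData` and the constructed demo sub-agents are hypothetical stand-ins, with no network calls.

```javascript
// Added example, not the ESG Copilot code: hybrid parallel + sequential
// orchestration with partial success, using constructed sub-agents.

// Fan out independent sub-agents and gather with allSettled, so one failing
// data source is recorded instead of aborting the run; require `minSuccess`.
async function runParallel(subAgents, input, minSuccess) {
  const names = Object.keys(subAgents);
  const settled = await Promise.allSettled(
    names.map((n) => Promise.resolve().then(() => subAgents[n](input)))
  );
  const results = {};
  const errors = {};
  settled.forEach((r, i) => {
    if (r.status === 'fulfilled') results[names[i]] = r.value;
    else errors[names[i]] = r.reason instanceof Error ? r.reason.message : String(r.reason);
  });
  const ok = Object.keys(results).length;
  if (ok < minSuccess) throw new Error(`only ${ok}/${names.length} sub-agents succeeded`);
  return { results, errors, partial: ok < names.length };
}

// Regulation research: phase 1 fans out jurisdiction + framework analysis
// (both required), phase 2 feeds the merged output to the deadline calculator.
async function researchRegulations(agents, company) {
  const phase1 = await runParallel(
    { jurisdiction: agents.jurisdictionAnalyzer, frameworks: agents.frameworkMapper },
    company, 2
  );
  const deadlines = await agents.deadlineCalculator({ ...phase1.results, company });
  return { ...phase1.results, deadlines, partial: phase1.partial };
}

// ESG data collection: three independent collectors, any two are enough.
async function collectEsgData(collectors, company) {
  return runParallel(collectors, company, 2);
}

// Hypothetical, constructed sub-agents with fixed outputs (no real data).
const demoAgents = {
  jurisdictionAnalyzer: async (c) => (c.state === 'CA' ? ['California SB 253'] : []),
  frameworkMapper: async (c) => (c.listed ? ['SEC Climate', 'TCFD'] : ['GRI']),
  deadlineCalculator: async ({ jurisdiction }) =>
    jurisdiction.map((law) => ({ law, due: 'constructed-deadline' })),
};
const demoCollectors = {
  epaCollector: async () => ({ facilities: 3 }),
  webScraper: async () => { throw new Error('403 from company site'); },
  aiEstimator: async () => ({ scope2Estimated: true }),
};
```

Because the scraper's failure is captured rather than thrown, the collection run completes with `partial: true` and the error text available for the "estimated" labelling the page describes.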

2. Real-Time Web Search Reliability

Challenge: Google Search grounding sometimes returns incomplete results

  • Regulation deadlines not always available
  • Jurisdiction-specific laws hard to find
  • Web scraping blocked by some company websites

Solution:

  • Fallback to AI estimation when web search fails
  • Multiple search queries with different phrasings
  • Graceful degradation (show partial results, mark as "estimated")
  • Clear error messages to users

3. Company Data Isolation

Challenge: Preventing data leakage between companies in multi-tenant system

  • Company Admin should only see own company data
  • ESG Consultant should see all companies
  • RAG must respect company boundaries

Solution:

  • Auth0 FGA Store for document-level authorization
  • Real-time authorization checks before every query
  • Pinecone metadata filtering by company_id
  • Two-layer security: Pinecone filter + FGA authorization
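The two-layer isolation described above, together with the per-action audit logging from the Security Implementation section, as an added example that is not ESG Copilot's own code: the in-memory `index`, the `tuples` relation store and `checkRelation` are hypothetical stand-ins for Pinecone metadata filtering and the Auth0 FGA check, and `principal.sub` is assumed to come from an already-verified JWT.

```javascript
// Added example, not the ESG Copilot code: tenant isolation enforced twice
// (metadata filter + per-document relation check), with an audit trail.

// Constructed FGA-style tuples: which user may view which company's data.
const tuples = [
  { user: 'user:3m-admin', relation: 'viewer', object: 'company:3m' },
  { user: 'user:ef-admin', relation: 'viewer', object: 'company:ef' },
  { user: 'user:consultant', relation: 'viewer', object: 'company:3m' },
  { user: 'user:consultant', relation: 'viewer', object: 'company:ef' },
];

// Hypothetical stand-in for the FGA check call (the real one is a network call).
function checkRelation(user, relation, object) {
  return tuples.some((t) => t.user === user && t.relation === relation && t.object === object);
}

// Constructed documents as stored in the vector index, tagged with company_id.
const index = [
  { id: 'd1', company_id: '3m', text: '3M Scope 2 total (constructed)' },
  { id: 'd2', company_id: 'ef', text: 'Eileen Fisher Scope 2 total (constructed)' },
];

const auditLog = []; // every access attempt, allowed or denied

// principal.sub is taken from the verified token, never from the request body,
// so a tampered company_id in the request cannot widen the query.
function ragQuery(principal, companyId) {
  const allowed = checkRelation(principal.sub, 'viewer', `company:${companyId}`);
  let docs = [];
  if (allowed) {
    docs = index
      // layer 1: metadata filter, the equivalent of Pinecone's company_id filter
      .filter((d) => d.company_id === companyId)
      // layer 2: per-document re-check, so a missing or wrong filter cannot leak
      .filter((d) => checkRelation(principal.sub, 'viewer', `company:${d.company_id}`));
  }
  auditLog.push({ user: principal.sub, company: companyId, allowed, at: Date.now() });
  return { allowed, docs };
}
```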

4. Emissions Calculation Accuracy

Challenge: Climatiq API requires specific activity data formats

  • Different emission factors for different industries
  • Scope 3 emissions hard to estimate
  • Missing data for some emission sources

Solution:

  • Industry-specific emission factor mapping
  • AI estimation for missing Scope 3 data
  • Clear labeling of "estimated" vs "calculated" values
  • Validation against industry benchmarks

5. Report Quality & Compliance

Challenge: Ensuring reports meet GRI/SASB/TCFD standards

  • Each framework has multiple disclosure requirements
  • Reports must be auditable and verifiable
  • Iterative refinement needed for quality

Solution:

  • Framework-specific prompts for each standard
  • Review & Critique sub-agent validates completeness
  • Iterative refinement loop (1-3 iterations)
  • Human review option before finalization

6. Deployment & Environment Variables

Challenge: Managing multiple environment variables across dev/prod

  • API keys for 6 external services
  • GCP service account JSON file
  • Different URLs for frontend/backend

Solution:

  • Auth0 Token Vault for API keys (3 keys in JWT)
  • Render Secret Files for GCP credentials
  • Environment-specific .env files
  • Clear deployment documentation

Accomplishments that we're proud of

1. Production-Ready Multi-Agent System

  • 5 main agents + 9 sub-agents working in production
  • Parallel execution with fan-out/gather pattern
  • Iterative refinement with review/critique loop
  • Real-world use case solving actual SMB pain point

2. Zero Data Leakage

  • Company-level isolation enforced by Auth0 FGA Store
  • Tested with 5 test accounts across 4 roles
  • Real-time authorization on every query
  • Audit trail of all access attempts

3. Framework-Compliant Reports

  • GRI, SASB, TCFD standards implemented
  • Automated generation from raw ESG data
  • PDF export with professional formatting
  • Iterative quality improvement via review loop

4. Seamless Auth0 Integration

  • Universal Login (no custom auth code)
  • Token Vault for API key management
  • FGA Store for document authorization
  • RBAC with 4 roles, 9 permissions

5. Real-Time Regulation Discovery

  • Web search for latest regulations
  • Jurisdiction-specific (California, EU, SEC)
  • Deadline calculation for compliance
  • No dummy data - all real-time queries

What we learned

1. Multi-Agent Orchestration is Hard

  • Coordinating multiple agents requires careful state management
  • Parallel execution needs proper error handling
  • Dependencies between agents must be explicit
  • Service-level orchestration is cleaner than agent-to-agent communication

2. Security Must Be Built-In, Not Bolted-On

  • Authorization checks at every layer (API, database, vector DB)
  • Token Vault prevents API key leakage
  • FGA Store enables fine-grained access control
  • Audit logging is essential for production systems

3. LLM Limitations Require Fallbacks

  • Web search doesn't always return complete results
  • AI estimation needed for missing data
  • Iterative refinement improves output quality
  • Human-in-the-loop still valuable for critical decisions

4. Real-World Data is Messy

  • EPA API has incomplete records
  • Company websites vary widely in structure
  • Emission factors differ by industry/region
  • Graceful degradation is essential

5. Framework Compliance is Complex

  • GRI has multiple disclosure requirements
  • SASB is industry-specific (77 sectors)
  • TCFD focuses on climate risks
  • Each framework needs specialized prompts

What's next for ESG Copilot

  1. Enhanced Data Sources - Integrate CDP API, S&P Global ESG scores, ERP systems, and IoT sensors
  2. More Frameworks - Add ISSB, EU CSRD, BRSR, and custom framework builder
  3. Predictive Analytics - Forecast emissions, predict compliance risks, recommend reduction strategies
  4. Stakeholder Engagement - Automated surveys, sentiment analysis, materiality matrix generation
  5. Supply Chain ESG - Supplier risk assessment, Scope 3 tracking, vendor scorecards
  6. AI-Powered Recommendations - Personalized strategies, regulatory alerts, best practice recommendations
  7. Enterprise Features - Multi-subsidiary support, consolidated reporting, custom workflows
  8. Real-Time Monitoring - Redis caching, async execution, horizontal scaling, edge deployment

Try It Out

Live Demo: [Your Vercel URL]

GitHub: https://github.com/omkardongre/ESG-Copilot

Test Accounts (Password: Test@1234):

  • 3m@company.com - Company Admin (3M Company data only)
  • ef@company.com - Company Admin (Eileen Fisher data only)
  • consultant@esgfirm.com - ESG Consultant (all companies)
  • auditor@sustainapilot.com - Auditor (read-only)
  • regulator@epa.gov - Regulator (read-only)

Test Scenarios:

  1. Login as 3M Admin → Execute "Research Regulations" → See California SB 253, SEC Climate rules
  2. Execute "Collect ESG Data" → Watch 3 sub-agents run in parallel
  3. Execute "Calculate Emissions" → See Scope 1, 2, 3 breakdown
  4. Execute "Generate Report" → Select GRI → Download PDF
  5. Use Chat Agent → Ask "What are our Scope 2 emissions?" → Get company-specific answer
  6. Login as Eileen Fisher Admin → Try to view 3M data → Access denied (data isolation works!)

Updates

Private user posted an update

If you experienced API errors during earlier testing, please try again! Google recently changed their Gemini API free tier limits, causing rate limiting. I've upgraded to a paid plan; it should now work.