Architecture
Graphletter is a Next.js 15 application that combines structured compliance data (SCF) with LLM-based document analysis to produce framework-aware compliance assessments.
Pipeline Stages
Ingestion
Documents (PDF, DOCX, images, CSV) are uploaded and content is extracted using pdf-parse, mammoth, and tesseract.js OCR. Text is normalized and chunked for analysis.
Control Graph
The SCF control catalog (1,200+ controls across 33 domains) is loaded from versioned CSV data. Cross-framework mappings connect SCF controls to 79+ regulatory standards.
Evidence Analysis
Extracted content is matched against SCF controls and assessment objectives. Each control has testable criteria that evidence is evaluated against.
LLM Reasoning
Dual-provider AI assessment: GPT-5-mini handles ingestion and extraction, GPT-5 performs control mapping and final schema normalization, and Claude 3.7 Sonnet drives gap analysis and remediation recommendations.
Scoring & Output
Per-control confidence scores, evidence strength ratings (Strong/Moderate/Weak/Insufficient), gap identification, and remediation guidance are compiled into structured reports.
AI Model Selection
Different tasks use different models optimized for their specific requirements. Providers are configured with automatic fallback.
| Task | Model | Temp | Rationale |
|---|---|---|---|
| Document ingestion / parsing | GPT-5-mini | 0.0 | Fast, cost-efficient extraction with stronger 2026 accuracy for chunking and metadata capture |
| Control mapping / classification | GPT-5 | 0.1 | Improved reasoning and structured JSON reliability for evidence-to-control mapping |
| Gap analysis + recommendations | Claude 3.7 Sonnet | 0.2 | Stronger long-document synthesis and analytical writing for remediation narratives |
| Final structured compliance output | GPT-5 | 0.1 | Normalizes multi-model outputs into a strict, deterministic compliance schema |
Data Model
SCF Catalog
- scf_controls — 1,200+ controls across 33 domains
- scf_frameworks — 79+ regulatory standards
- scf_control_mappings — cross-framework mapping table
- scf_assessment_objectives — testable criteria per control
- scf_evidence_request_list — required artifact types
Evidence & Assessments
- evidence — uploaded documents with extracted content
- user_assessments — AI-generated compliance evaluations
- Multi-tenant isolation via Supabase Row-Level Security
- Evidence stored in Supabase Storage
Workflow Durability
Long-running operations (evidence upload, multi-control assessment) use Vercel Workflow Dev Kit for durable execution. Each pipeline stage is a retryable step with state persistence — operations survive function timeouts, deployments, and transient AI provider failures.
The evidence pipeline is split into three durable stages: content extraction, upload & persistence, and AI assessment. Assessment objectives are evaluated in parallel with automatic retry on transient failures.