Baseline and continuous monitoring.
Two categories, one platform.

The design choice that matters most: Rote is built around two categories of capability, and they are deliberately sequential. The baseline exists as the foundation that makes continuous monitoring useful and actionable.

Point-in-time analysis tells you where you stand. Six baseline workflows cover the full compliance surface: HIPAA gap analysis, BAA review against 45 CFR 164.504, bidirectional framework mapping with confidence scoring, control assessment with evidence extraction, 3x3 risk assessment, and RAG-backed compliance Q&A.

Continuous monitoring tells you when the ground shifts. Sentinel watches the regulatory landscape and compares incoming changes against your workspace's surface area — but the surface area mapping is only meaningful because the baseline analysis defines it. Sentinel's remediation recommendations are specific to your posture because the posture is already mapped. That's the dependency. That's why it's built in this order.

Most compliance platforms stop at point-in-time analysis. Rote treats it as the floor.

Baseline Analysis

Six point-in-time workflows. Run once, run on a schedule, or run on demand. Every finding is citation-backed and grounded in the specific CFR or framework it addresses.

  • HIPAA Gap Analysis
  • BAA Review (45 CFR 164.504)
  • Framework Mapping
  • Control Assessment
  • Risk Assessment
  • Compliance Q&A (RAG)

Continuous Monitoring (Beta)

Sentinel: ongoing regulatory surveillance. Requires baseline analysis to be meaningful. The baseline defines the surface area that Sentinel monitors.

  • Regulatory source fetching
  • Surface area mapping
  • Change detection + confidence scoring
  • Remediation recommendations

The compliance methodology behind the workflows

Every workflow is grounded in the specific regulation or framework it addresses. Not general-purpose AI prompts applied to compliance — actual compliance methodology encoded into structured workflows.

HIPAA Gap Analysis

Maps documents against HIPAA Security Rule (45 CFR Part 164 Subpart C) and Privacy Rule (Subpart E) requirements. Coverage classification: covered, partial coverage, gap. Confidence scored per control. Citations back to source document sections and CFR provisions.

BAA Review

Structured against 45 CFR 164.504. The regulation specifies what a BAA must contain — the workflow evaluates each required provision, scores risk, and generates recommended contract language for every deficiency. Not a general "BAA checklist" — the specific CFR provisions are the checklist.

Framework Mapping

Bidirectional: document section to control, and control to document section. Uses official control catalogs for NIST CSF 2.0, ISO 27001, SOC 2, and HIPAA. Relevance scoring and aggregate confidence per control. Upload any proprietary framework to extend coverage.

Control Assessment

Evaluates individual controls against documentation. Evidence chain extraction: which document sections support the control, and how well. Severity classification (critical, high, medium, low) with defined criteria. Remediation steps are specific to the control and the gap, not generic.

Risk Assessment

3x3 likelihood/impact matrix. Framework-directable: you specify the regulatory context, and the workflow scores against it. Risk treatment options with prioritization guidance. Output format compatible with audit evidence requirements.

Compliance Q&A

RAG-backed on the platform: answers are sourced from your indexed documents, not from a general HIPAA knowledge base. Source attribution and confidence scoring. Escalation triggers when the relevant context isn't in the indexed corpus — so you know when the answer is "not in your documents."

What's under the hood

Production-grade, multi-tenant, ~130K LOC. Sole architect and developer: Dan Gonzalez.

Component | Technology / Approach
Backend API | FastAPI (Python). Async throughout. Multi-tenant workspace isolation at the data layer.
Frontend | Next.js. Workspace management, document upload, workflow execution, report generation, compliance chat.
Vector Store | Qdrant. Workspace-isolated collections: each workspace's documents are indexed separately. No cross-workspace retrieval.
LLM Routing | LiteLLM. Multi-provider routing selects the optimal model for each task type, balancing cost and accuracy per task rather than using a single model for everything. Configurable per workspace.
Workflow Orchestration | LangGraph. Agentic workflows as graphs with defined nodes, edges, and conditional routing. Used for both baseline workflows and Sentinel's continuous monitoring pipeline.
Document Processing | PDF and DOCX parsing, chunking, embedding, and indexing into workspace-isolated Qdrant collections. Documents are processed at upload time; RAG retrieval is at query time.
Security | TLS 1.3 in transit, AES-256 at rest, workspace-level data isolation, HIPAA-eligible hosting. Documents are never used for model training. Full data export available.
Open Source | Core compliance skills: Apache 2.0 at github.com/Rote-Compliance. Platform infrastructure: proprietary.
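Two behaviours described on this page are worth seeing as code: the vector-store row above (one collection per workspace, no cross-workspace retrieval) and the Compliance Q&A escalation earlier ("not in your documents" when the relevant context is not indexed). The block below is an added illustration written for this page, not Rote's code. It replaces Qdrant with an in-memory stand-in and a toy bag-of-words embedding so it runs offline; the collection naming scheme, the workspace-id pattern, the `ESCALATION_THRESHOLD` value and the sample documents are all assumptions made for the example. The security point it demonstrates is that the collection a query touches is derived from the authenticated workspace, never from request input, with a second check on every hit as defense in depth.

```python
"""Illustrative workspace-isolated retrieval with a "not in your documents"
escalation. Added example, not Rote's code: an in-memory stand-in for Qdrant
and a toy embedding model the behaviour the page describes."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
import math
import re

# Assumption: a cosine score below this means the indexed corpus lacks relevant context.
ESCALATION_THRESHOLD = 0.3
# Assumption: workspace ids are short, URL-safe tokens; anything else is rejected.
WORKSPACE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def embed(text: str) -> Counter:
    """Toy sparse bag-of-words embedding (stand-in for a real embedding model)."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


@dataclass(frozen=True)
class Hit:
    workspace_id: str
    doc_id: str
    text: str
    score: float


class InMemoryVectorStore:
    """Stand-in for Qdrant: each named collection holds one workspace's chunks."""

    def __init__(self) -> None:
        self._collections: dict[str, list[tuple[str, str, str, Counter]]] = {}

    def upsert(self, collection: str, workspace_id: str, doc_id: str, text: str) -> None:
        self._collections.setdefault(collection, []).append((workspace_id, doc_id, text, embed(text)))

    def search(self, collection: str, query: str, k: int) -> list[Hit]:
        q = embed(query)
        rows = self._collections.get(collection, [])
        hits = [Hit(ws, doc, text, cosine(q, vec)) for ws, doc, text, vec in rows]
        return sorted(hits, key=lambda h: h.score, reverse=True)[:k]


class IsolationError(RuntimeError):
    """Raised if a hit from another workspace ever surfaces: a store misconfiguration."""


def collection_for(workspace_id: str) -> str:
    """Derive the collection name from the authenticated workspace id only, so a
    caller can never name another tenant's collection through request parameters."""
    if not WORKSPACE_ID_RE.match(workspace_id):
        raise ValueError(f"invalid workspace id: {workspace_id!r}")
    return f"ws_{workspace_id}_docs"


class WorkspaceRetriever:
    def __init__(self, store: InMemoryVectorStore, workspace_id: str) -> None:
        self.store = store
        self.workspace_id = workspace_id
        self.collection = collection_for(workspace_id)

    def index(self, doc_id: str, text: str) -> None:
        self.store.upsert(self.collection, self.workspace_id, doc_id, text)

    def retrieve(self, query: str, k: int = 3) -> list[Hit]:
        hits = self.store.search(self.collection, query, k)
        # Defense in depth: the collection boundary should already guarantee this.
        for h in hits:
            if h.workspace_id != self.workspace_id:
                raise IsolationError(f"hit {h.doc_id} belongs to workspace {h.workspace_id}")
        return hits

    def answer_context(self, query: str) -> dict:
        """Return grounded sources, or an escalation when nothing relevant is indexed."""
        hits = [h for h in self.retrieve(query) if h.score >= ESCALATION_THRESHOLD]
        if not hits:
            return {"escalate": True, "reason": "not in your documents", "sources": []}
        return {"escalate": False, "sources": [(h.doc_id, round(h.score, 3)) for h in hits]}


def demo() -> tuple[list[Hit], dict, dict]:
    """Constructed sample: two tenants; tenant A asks about a topic only tenant B indexed."""
    store = InMemoryVectorStore()
    ws_a = WorkspaceRetriever(store, "acme")
    ws_b = WorkspaceRetriever(store, "beta-clinic")
    ws_a.index("a-enc-policy", "Encryption policy: ePHI is encrypted at rest with AES-256.")
    ws_b.index("b-training", "Workforce privacy training is completed annually by all staff.")
    cross = ws_a.retrieve("workforce privacy training")  # tenant B's topic, asked by tenant A
    escalated = ws_a.answer_context("workforce privacy training")
    grounded = ws_a.answer_context("encryption policy at rest")
    return cross, escalated, grounded


if __name__ == "__main__":
    cross, escalated, grounded = demo()
    print("hits seen by acme:", [(h.workspace_id, h.doc_id, round(h.score, 3)) for h in cross])
    print("escalation:", escalated)
    print("grounded:", grounded)
```

The query that matches only tenant B's document never reaches B's collection, so tenant A sees only its own (irrelevant) chunk with a zero score, and the Q&A layer escalates instead of answering. With a real Qdrant client the same shape applies: pass `collection_for(workspace_id)` from the session, not from the request body, and keep the per-hit workspace check as a cheap invariant.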

One person built this

I'm Dan Gonzalez. I'm a JD with a Health Law Certificate, and I've spent 12+ years building healthcare compliance programs at regulated technology companies: HITRUST audits, SOC certifications, CMS authorization, BAA review at scale, fractional CCO work across healthtech, managed care, and provider organizations.

I built Rote because I needed a platform that could do real compliance work, not a chatbot wrapper around HIPAA text. The baseline workflows came first because Sentinel needs that grounding to be useful and actionable in the way I intended. The methodology behind every workflow comes from that work — actual compliance program building, not market research or AI-generated templates.

The architecture decisions follow from the compliance methodology, not the other way around. Workspace-isolated RAG means your documents don't cross into other workspaces. LiteLLM routing means the platform isn't locked to a single model or provider. LangGraph orchestration means the agentic workflows have defined behavior that can be inspected, extended, and validated.

If you want to talk about Rote, a managed engagement, or the methodology behind any of this, reach out. The full background on who I am outside of Rote is at dangssolutions.com.

Dan Gonzalez, JD  ·  dangssolutions.com

Start with the baseline.
Stay ahead of what's next.

Free trial. Full platform access. Personally onboarded by Dan within 2 business days.