feat: Add Document Crawler & Auto-Onboarding service (Phase 1.4)

New standalone Python/FastAPI service for automatic compliance document scanning, LLM-based classification, IPFS archival, and gap analysis. Includes extractors (PDF, DOCX, XLSX, PPTX), keyword fallback classifier, compliance matrix, and full REST API on port 8098. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-13 20:35:15 +01:00
parent 0923c03756
commit 364d2c69ff
34 changed files with 1633 additions and 0 deletions
--- a/document-crawler/gap_analysis/compliance_matrix.py
+++ b/document-crawler/gap_analysis/compliance_matrix.py
@@ -0,0 +1,75 @@
+"""Required documents per regulation and company type."""
+
+from dataclasses import dataclass
+
+
+@dataclass
+class RequiredDocument:
+    category: str
+    description: str
+    regulation: str
+    severity: str  # CRITICAL, HIGH, MEDIUM
+    applies_to: str  # universal, data_processor, ai_user, large_company
+
+
+COMPLIANCE_MATRIX: list[RequiredDocument] = [
+    # Universal — every company
+    RequiredDocument(
+        category="VVT",
+        description="Verzeichnis von Verarbeitungstaetigkeiten fehlt",
+        regulation="Art. 30 DSGVO",
+        severity="CRITICAL",
+        applies_to="universal",
+    ),
+    RequiredDocument(
+        category="TOM",
+        description="Technisch-organisatorische Massnahmen nicht dokumentiert",
+        regulation="Art. 32 DSGVO",
+        severity="CRITICAL",
+        applies_to="universal",
+    ),
+    RequiredDocument(
+        category="DSE",
+        description="Datenschutzerklaerung fehlt oder unvollstaendig",
+        regulation="Art. 13/14 DSGVO",
+        severity="CRITICAL",
+        applies_to="universal",
+    ),
+    RequiredDocument(
+        category="Loeschkonzept",
+        description="Kein Loeschkonzept / keine Loeschfristen definiert",
+        regulation="Art. 17 DSGVO / Art. 5 Abs. 1e DSGVO",
+        severity="HIGH",
+        applies_to="universal",
+    ),
+    RequiredDocument(
+        category="Richtlinie",
+        description="Interne Datenschutzrichtlinie fehlt",
+        regulation="Art. 24 DSGVO",
+        severity="MEDIUM",
+        applies_to="universal",
+    ),
+    RequiredDocument(
+        category="Schulungsnachweis",
+        description="Keine Datenschutz-Schulungsnachweise vorhanden",
+        regulation="Art. 39 Abs. 1b DSGVO",
+        severity="MEDIUM",
+        applies_to="universal",
+    ),
+    # Data processors
+    RequiredDocument(
+        category="AVV",
+        description="Auftragsverarbeitungsvertrag fehlt",
+        regulation="Art. 28 DSGVO",
+        severity="CRITICAL",
+        applies_to="data_processor",
+    ),
+    # AI users
+    RequiredDocument(
+        category="DSFA",
+        description="Datenschutz-Folgenabschaetzung fuer KI-Systeme fehlt",
+        regulation="Art. 35 DSGVO / EU AI Act",
+        severity="HIGH",
+        applies_to="ai_user",
+    ),
+]