This recipe builds a centralized legal and compliance dashboard that tracks regulatory deadlines, manages compliance documents with version control, and automates status notifications. The output is a live dashboard showing all compliance obligations, their owners, deadlines, evidence status, and automated alerts for items approaching due dates. [src1]
Related card: compliance assessment — Startup Legal Checklist by Jurisdiction

Which path?

```
├── Pre-revenue / bootstrapped AND budget = free
│   └── PATH A: Notion Free — compliance database + calendar views + Slack webhooks
├── Early revenue AND budget = $50-200/mo
│   └── PATH B: Retool + Supabase — custom dashboard with database backend
├── Preparing for SOC 2 / ISO 27001 AND budget = $7,500+/yr
│   └── PATH C: Vanta — automated compliance platform with 375+ integrations
└── Enterprise compliance AND budget = $15,000+/yr
    └── PATH D: Drata — granular control with 250+ integrations
```
| Path | Tools | Cost | Setup Time | Automation Level |
|---|---|---|---|---|
| A: Notion Free | Notion + Slack webhooks | $0 | 4-6 hours | Manual + reminders |
| B: Retool + Supabase | Retool + Supabase + Slack | $0-50/mo | 1-2 days | Semi-automated |
| C: Vanta | Vanta + Slack | $7,500+/yr | 2-4 weeks | Fully automated |
| D: Drata | Drata + Slack | $15,000+/yr | 3-6 weeks | Fully automated |
Duration: 2-3 hours · Tool: Spreadsheet or Notion
Define every compliance obligation as a trackable item: framework, control ID, description, owner, evidence type, frequency, next due date, status.
```
Framework: SOC 2 Type II
├── CC1.1 — Code of Conduct policy → Owner: CEO → Annual review
├── CC6.1 — Access control review → Owner: CTO → Quarterly
├── CC7.1 — Vulnerability scanning → Owner: DevOps → Monthly
└── CC8.1 — Change management process → Owner: Eng Lead → Continuous
```
Verify: Every framework has at least 5 trackable items with owners and due dates · If failed: Consult legal checklist card for framework-specific controls
Duration: 2-4 hours (Path A), 4-8 hours (Path B) · Tool: Notion (Path A) or Supabase + Retool (Path B)
Create compliance_items and compliance_documents tables/databases with status tracking, ownership, and deadline fields.
```sql
-- One row per trackable obligation (Path B, Supabase/Postgres).
CREATE TABLE compliance_items (
  id                 UUID DEFAULT gen_random_uuid() PRIMARY KEY,
  framework          TEXT NOT NULL,                 -- e.g. 'SOC 2 Type II'
  control_id         TEXT NOT NULL,                 -- e.g. 'CC6.1'
  control_name       TEXT NOT NULL,
  owner_email        TEXT NOT NULL,                 -- no null owners (see Verify)
  evidence_type      TEXT,
  frequency          TEXT,                          -- Annual / Quarterly / Monthly / Continuous
  next_due_date      DATE NOT NULL,                 -- no null due dates (see Verify)
  status             TEXT DEFAULT 'not_started',    -- flipped to 'overdue' by the daily job
  last_evidence_date DATE,
  created_at         TIMESTAMPTZ DEFAULT NOW()
);
```
Verify: Database contains all items from Step 1 with no null owners or due dates · If failed: Re-import from mapping spreadsheet
Duration: 2-3 hours · Tool: Notion views (Path A) or Retool (Path B)
Create views: Overdue Items, Due This Month, By Framework, By Owner, Document Review Calendar. For Retool, build a summary stats row, an overdue table, an upcoming-deadline timeline, and per-framework progress bars.
Verify: Dashboard loads in under 3 seconds with accurate counts · If failed: Check resource connection settings and SQL syntax
Duration: 1-2 hours · Tool: Notion automations or Supabase Edge Functions
Auto-flip overdue items and expired documents via daily cron. Items past due date transition to overdue; documents past review date transition to expired.
Verify: Run function manually and confirm status changes reflect in dashboard · If failed: Check for RLS policy conflicts, use service role key
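The daily status-flip rule, written as pure TypeScript so it can be unit-tested with a manual run before being wrapped in a Supabase Edge Function or Notion automation. This is an added example, not code from the original recipe: item fields follow the compliance_items schema above, while the compliance_documents fields (next_review_date) and the 'current'/'expired' document states are assumptions, and the sample rows are constructed.

```typescript
type ItemStatus = 'not_started' | 'in_progress' | 'complete' | 'overdue';
type DocStatus = 'current' | 'expired';

interface ComplianceItem {
  id: string;
  control_id: string;
  next_due_date: string;          // ISO 'YYYY-MM-DD', as the DATE column serialises
  status: ItemStatus;
  last_evidence_date: string | null;
}

interface ComplianceDocument {
  id: string;
  title: string;
  next_review_date: string;       // assumed column name on compliance_documents
  status: DocStatus;
}

interface StatusChange { id: string; from: string; to: string }

// ISO-8601 dates order correctly as plain strings, so "is this past due" needs
// no Date parsing and has no timezone surprises. "Past" is strictly before
// today: an item due today is not yet overdue.
function isPast(isoDate: string, today: string): boolean {
  return isoDate < today;
}

// Items the owner has closed are left alone; everything else past its due
// date becomes overdue. The rule is idempotent: an item that is already
// overdue stays overdue and is not reported as a change again.
function nextItemStatus(item: ComplianceItem, today: string): ItemStatus {
  if (item.status === 'complete') return item.status;
  return isPast(item.next_due_date, today) ? 'overdue' : item.status;
}

function nextDocStatus(doc: ComplianceDocument, today: string): DocStatus {
  return isPast(doc.next_review_date, today) ? 'expired' : doc.status;
}

// One pass over both tables. Only rows whose status actually changes are
// returned, so the caller issues the minimum number of UPDATE statements.
// Run the real job under the service role key: under an ordinary user's RLS
// policies it would silently see only that user's rows and skip the rest
// (the "wrong compliance status" entry in the error table).
function dailyStatusFlip(
  items: ComplianceItem[],
  docs: ComplianceDocument[],
  today: string,
): { itemChanges: StatusChange[]; docChanges: StatusChange[] } {
  const itemChanges: StatusChange[] = [];
  for (const item of items) {
    const to = nextItemStatus(item, today);
    if (to !== item.status) itemChanges.push({ id: item.id, from: item.status, to });
  }
  const docChanges: StatusChange[] = [];
  for (const doc of docs) {
    const to = nextDocStatus(doc, today);
    if (to !== doc.status) docChanges.push({ id: doc.id, from: doc.status, to });
  }
  return { itemChanges, docChanges };
}

// Constructed sample rows (not real data) for the manual run in the Verify step.
const SAMPLE_ITEMS: ComplianceItem[] = [
  { id: 'i1', control_id: 'CC6.1', next_due_date: '2024-03-31', status: 'in_progress', last_evidence_date: null },
  { id: 'i2', control_id: 'CC7.1', next_due_date: '2024-04-30', status: 'not_started', last_evidence_date: null },
  { id: 'i3', control_id: 'CC1.1', next_due_date: '2024-01-15', status: 'complete', last_evidence_date: '2024-01-10' },
  { id: 'i4', control_id: 'CC8.1', next_due_date: '2024-02-01', status: 'overdue', last_evidence_date: null },
];
const SAMPLE_DOCS: ComplianceDocument[] = [
  { id: 'd1', title: 'Access Control Policy', next_review_date: '2024-04-01', status: 'current' },
  { id: 'd2', title: 'Incident Response Plan', next_review_date: '2024-06-01', status: 'current' },
];

// Dry run for a fixed "today": expect exactly one item (i1) and one document (d1) to flip.
function dryRun(today: string = '2024-04-15') {
  return dailyStatusFlip(SAMPLE_ITEMS, SAMPLE_DOCS, today);
}

console.log(JSON.stringify(dryRun(), null, 2));
```

Pass the job's real "today" as an ISO date computed once at the start of the run, so every row is judged against the same day even if the cron job straddles midnight.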
Duration: 1-2 hours · Tool: Slack webhooks + cron trigger
Configure: daily overdue alerts, weekly deadline digests (14-day lookahead), immediate document expiry alerts via Slack incoming webhooks.
Verify: Send test notification to Slack, confirm formatting · If failed: Regenerate webhook URL, check channel permissions
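Selecting which rows feed each of the three Step 5 notifications and shaping the JSON body for a Slack incoming webhook. This is an added example, not code from the original recipe: item fields follow the compliance_items schema above; the document fields, the 14-day window as an inclusive whole-day count, and the sample rows are constructed for illustration. The webhook URL itself is a secret and belongs in the function's environment, not in source.

```typescript
interface ItemRow {
  control_id: string;
  control_name: string;
  owner_email: string;
  next_due_date: string;   // ISO 'YYYY-MM-DD'
  status: string;
}
interface DocRow { title: string; next_review_date: string; status: string }

// Whole-day difference computed in UTC, so a server running in another
// timezone cannot shift a deadline by a day.
function daysUntil(isoDate: string, today: string): number {
  const utc = (s: string) => Date.UTC(+s.slice(0, 4), +s.slice(5, 7) - 1, +s.slice(8, 10));
  return Math.round((utc(isoDate) - utc(today)) / 86_400_000);
}

// Daily alert: everything the status job has already flagged, grouped by
// owner so each person gets their own list.
function overdueByOwner(items: ItemRow[]): Record<string, ItemRow[]> {
  const groups: Record<string, ItemRow[]> = {};
  for (const it of items) {
    if (it.status !== 'overdue') continue;
    if (!groups[it.owner_email]) groups[it.owner_email] = [];
    groups[it.owner_email].push(it);
  }
  return groups;
}

// Weekly digest: open items due within the lookahead window, today and day 14
// inclusive. Overdue rows are excluded (the daily alert covers them) and so
// are completed ones.
function upcomingItems(items: ItemRow[], today: string, lookaheadDays: number = 14): ItemRow[] {
  return items
    .filter(it => it.status !== 'complete' && it.status !== 'overdue')
    .filter(it => {
      const d = daysUntil(it.next_due_date, today);
      return d >= 0 && d <= lookaheadDays;
    })
    .sort((a, b) => a.next_due_date.localeCompare(b.next_due_date));
}

// Immediate alert: documents the status job has just marked expired.
function expiredDocuments(docs: DocRow[]): DocRow[] {
  return docs.filter(d => d.status === 'expired');
}

// Slack incoming webhooks accept a JSON body with a "text" field (mrkdwn).
// Keep the message to what a reader needs: no row ids and no links to private
// evidence, since the channel is usually wider than the item's owner.
function buildWeeklyDigest(items: ItemRow[], today: string): { text: string } {
  const rows = upcomingItems(items, today);
  if (rows.length === 0) {
    return { text: `*Compliance digest ${today}*: nothing due in the next 14 days.` };
  }
  const lines = rows.map(it =>
    `• ${it.control_id} ${it.control_name}: due ${it.next_due_date} ` +
    `(${daysUntil(it.next_due_date, today)}d), owner ${it.owner_email}`);
  return {
    text: [`*Compliance digest ${today}*: ${rows.length} item(s) due in the next 14 days`, ...lines].join('\n'),
  };
}

// Constructed sample rows (not real data).
const DIGEST_ITEMS: ItemRow[] = [
  { control_id: 'CC6.1', control_name: 'Access control review', owner_email: 'cto@example.com', next_due_date: '2024-03-31', status: 'overdue' },
  { control_id: 'CC7.1', control_name: 'Vulnerability scanning', owner_email: 'devops@example.com', next_due_date: '2024-04-25', status: 'in_progress' },
  { control_id: 'CC1.1', control_name: 'Code of Conduct policy', owner_email: 'ceo@example.com', next_due_date: '2024-04-29', status: 'not_started' },
  { control_id: 'CC8.1', control_name: 'Change management process', owner_email: 'eng-lead@example.com', next_due_date: '2024-05-01', status: 'not_started' },
];
const DIGEST_DOCS: DocRow[] = [
  { title: 'Access Control Policy', next_review_date: '2024-04-01', status: 'expired' },
  { title: 'Incident Response Plan', next_review_date: '2024-06-01', status: 'current' },
];

console.log(buildWeeklyDigest(DIGEST_ITEMS, '2024-04-15').text);
console.log(Object.keys(overdueByOwner(DIGEST_ITEMS)));
console.log(expiredDocuments(DIGEST_DOCS).map(d => d.title));
```

To deliver, POST the returned object as JSON to the webhook URL read from the function's environment; a non-2xx response is the "webhook delivery failure" case in the error table, and the fix is to regenerate the URL rather than to retry indefinitely.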
Duration: 1-2 hours · Tool: Google Drive or Notion
Organize documents: Policies, Evidence (by framework + quarter), Contracts (vendor DPAs, NDAs), Certifications. Link each document to its compliance item in the dashboard.
Verify: Every compliance item requiring a document has a linked, accessible file · If failed: Create placeholders and assign owners with deadlines
```json
{
  "output_type": "compliance_dashboard",
  "format": "live dashboard + document repository",
  "components": [
    {"name": "compliance_items_database", "type": "database", "required": true},
    {"name": "documents_database", "type": "database", "required": true},
    {"name": "dashboard_views", "type": "UI", "required": true},
    {"name": "notification_automations", "type": "configured_rules", "required": true},
    {"name": "document_folder_structure", "type": "file_system", "required": true}
  ],
  "expected_item_count": "15-100 depending on frameworks"
}
```
| Quality Metric | Minimum Acceptable | Good | Excellent |
|---|---|---|---|
| Items with assigned owners | > 90% | > 95% | 100% |
| Items with due dates | > 90% | > 95% | 100% |
| Documents linked to items | > 70% | > 85% | > 95% |
| Notification delivery rate | > 80% | > 95% | 100% |
| Status update automation | Manual | Daily auto-check | Real-time |
If below minimum: Audit compliance mapping for missing owners or deadlines; verify document links are accessible.
| Error | Likely Cause | Recovery Action |
|---|---|---|
| Notion API rate limit (429) | Too many automated updates | Batch to max 3 req/sec, add exponential backoff |
| Slack webhook delivery failure | Webhook URL expired or channel deleted | Regenerate webhook URL, update configuration |
| Wrong compliance status | Auto-update skipped item due to RLS | Use service role key in Supabase function |
| Broken document links | File moved or renamed | Use file IDs instead of paths; run weekly link validation |
| Dashboard load timeout | Too many items in single query | Add pagination (LIMIT 50) and filter by framework |
| Component | Free Tier | Mid Tier | Enterprise |
|---|---|---|---|
| Dashboard (Notion/Retool) | $0 | $10-50/mo | Included |
| Database (Supabase) | $0 (500MB) | $25/mo | Included |
| Notifications (Slack) | $0 | $0 | $0 |
| Compliance platform | N/A | N/A | $7,500-15,000/yr |
| Total | $0 | $35-75/mo | $7,500-15,000/yr |
Building a full compliance automation platform from scratch when fewer than 10 compliance items exist. Engineering time (40-80 hours) exceeds 2 years of Notion-based tracking costs. [src2]
Use the free-tier path until the startup has more than 25 active items or is pursuing certification. Then evaluate Vanta, Drata, or Secureframe.
Setting up the dashboard once and never reviewing it. Regulatory requirements change with the EU AI Act, state privacy laws, and framework version updates. [src5]
Set a recurring quarterly event to review all items, update deadlines, check for new regulatory requirements, and archive completed one-time items.
Use when a startup needs to systematically track legal and compliance obligations rather than relying on memory or scattered documents. Required before SOC 2, ISO 27001, or HIPAA certification, and strongly recommended once the team exceeds 5 people or handles regulated data.