Series · 7 parts Published May 27, 2026

Compliance tracker

A serverless tracker that keeps a small business on top of its recurring compliance tasks — the checks that have to happen on a rhythm, like a monthly safety check, a quarterly data review, or an annual policy sign-off; reminds the right owner when each one is due; collects a quick note or file as proof it was done; and shows a simple done-and-overdue board. The owner can mark done, attach evidence, or snooze right from the reminder. Seven posts on the same system — one diagram at a time — with an engineering reference at the end.

  1. A compliance tracker on AWS for a few dollars a month

     The whole system on one page — a task intake, a scheduler, and a reminder piece, plus the four moves they share for every recurring task.

  2. How a compliance task gets set up

     Three lanes feed the task list — the Drive sheet itself, a starter-pack lane that loads common controls for your industry, and an inbox-forwarding lane that turns a forwarded policy into a proposed task for one-tap approval.

  3. How a control comes due

     A daily tick reads the task list, computes the next due date per task from its repeat rule, compares against per-task reminder chains in the rules doc, and picks one of four moves: on-track, due now, overdue, escalate. No model on the tick.

  4. How a compliance reminder reaches its owner

     Owner resolution per task, quiet hours, holiday calendars, Slack DMs with full context, email fallback, and the four guardrails between the tracker’s chosen move and the actual reminder landing.

  5. How evidence gets captured

     Three actions on the Done button: done (stamp the date, compute the next due date), attach evidence (a note or a file kept as proof), and snooze (delay without dismissing, capped per cycle). Every action is logged.

  6. What the compliance tracker costs

     Pennies a month at SMB volume. The tracker runs once a day, calls no models on the tick, and only fires Bedrock on the evidence-reading lane and the monthly summary.

  7. Engineering reference: the compliance tracker architecture

     Same system, drawn purely for engineers. Service names, resource identifiers, region, Bedrock model IDs, Lambda inventory, IAM scopes, the SES inbound rule set, EventBridge Scheduler config, and the DynamoDB schemas.

What is a compliance tracker?
A small serverless system that keeps a small business on top of its recurring compliance tasks — the checks that have to happen on a rhythm, like a monthly safety check, a quarterly data review, or an annual policy sign-off. It holds a list of these tasks with how often each repeats and who owns it, reminds the owner when one is due, collects a quick note or file as proof it was done, and shows a simple done-and-overdue board.
How much does it cost to run?
About $1.80/month at typical small-business volume (around 60 recurring tasks). The fixed cost is essentially zero. The variable cost is dominated by the daily Lambda tick that reads every task; Bedrock and Textract fire only on the evidence-reading lane and the monthly summary, so they’re small slivers. At 600 tasks the bill lands around $11.
Which AWS services does it use?
Lambda (Python 3.14, arm64) with Function URLs for the done-and-evidence endpoint, EventBridge Scheduler for the daily tick and deferred-reminder one-offs, DynamoDB on-demand, S3 (with versioning), SES inbound + outbound, Secrets Manager, CloudWatch Logs (7-day retention), AWS Budgets, and Bedrock (Claude Haiku 4.5 via Global cross-Region inference) for reading forwarded evidence and the monthly summary. No API Gateway, no NAT Gateway, no always-on compute, no Knowledge Base.
Where does the task list live?
In a Google Sheet in a Drive folder. One row per task with name, control area, how often it repeats, who owns it, what proof to keep, and the date it was last done. A small drive-sync Lambda mirrors the sheet to S3 every 15 minutes; the tracker reads from S3 to keep Drive API calls predictable and to get S3 versioning for free.
Does the tracker use AI?
Sparingly. The daily tick uses no AI — it’s plain Python that reads dates and decides on a move. Bedrock Haiku 4.5 fires only when somebody forwards evidence (a photo or PDF, where Textract and Haiku pull out a short summary for the record) and once a month for the board-summary narrative. Most of the system is deterministic by design.
How does a reminder reach me without being noisy?
Each task has its own reminder chain in the rules doc — a monthly safety check gets a nudge 5 days before, on the day, and 2 days after; an annual policy sign-off gets 30/14/3 before. Reminders respect quiet hours (default 6pm–8am local) and the holiday calendar. Once a task is marked done, it goes quiet until its next due date. Done-with-note records the proof inline; the chain stops for this cycle.
What happens when I act on a reminder?
Three buttons on every reminder: Done records the task complete and stamps the date; the next due date is computed from the repeat rule. Attach evidence opens a small form to add a note or a file as proof. Snooze delays a few days without dismissing. Every action is recorded in the ct-audit DynamoDB table with timestamp, task, action, by-user, and a before-and-after snapshot, so the trail is auditable for years.
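As an added illustration (not code from the series or its author), here is the daily tick's decision for one task in Python, using the reminder chains from the quiet-hours answer above and the next-due recompute that Done triggers. The shape of the rules doc, the month-end clamping, the quiet-hours window and the "escalate once the last nudge in the chain has passed" threshold are assumptions, not taken from the series.

```python
from calendar import monthrange
from datetime import date, time

# Constructed reminder chains shaped after the page's examples (assumption: the
# rules doc maps repeat rule -> list of day offsets relative to the due date;
# negative = days before, 0 = on the day, positive = days after).
CHAINS = {
    "monthly": [-5, 0, 2],      # nudge 5 days before, on the day, 2 days after
    "annual": [-30, -14, -3],   # 30/14/3 days before
}

def next_due(last_done: date, repeat: str) -> date:
    """Next due date from the repeat rule. Assumed: same day next month or next
    year, clamped to month end so a Jan 31 completion comes due Feb 28."""
    if repeat == "monthly":
        year, month = (last_done.year, last_done.month + 1) \
            if last_done.month < 12 else (last_done.year + 1, 1)
    elif repeat == "annual":
        year, month = last_done.year + 1, last_done.month
    else:
        raise ValueError(f"unknown repeat rule: {repeat}")
    day = min(last_done.day, monthrange(year, month)[1])
    return date(year, month, day)

def pick_move(today: date, due: date, chain: list[int]) -> str:
    """One of the tick's four moves. Assumed semantics: 'due now' on a chain day
    up to and including the due date, 'overdue' after the due date while the
    chain still has nudges left, 'escalate' once the last nudge has passed."""
    offset = (today - due).days          # negative = before due
    if offset > max(chain + [0]):        # past the final after-due nudge
        return "escalate"
    if offset > 0:
        return "overdue"
    if offset == 0 or offset in chain:   # a scheduled nudge day
        return "due now"
    return "on-track"

def in_quiet_hours(local: time, start: time = time(18), end: time = time(8)) -> bool:
    """Default 6pm-8am local. The window wraps past midnight, so a plain
    start <= t < end comparison would silently get it wrong."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end

def tick(today: date, last_done: date, repeat: str) -> tuple[date, str]:
    """Daily tick for one task: recompute the due date, then pick the move.
    Plain date arithmetic, no model call, matching the page's design."""
    due = next_due(last_done, repeat)
    return due, pick_move(today, due, CHAINS[repeat])
```

Marking a task Done is just a new last_done date fed back into tick, which is what makes the chain go quiet until the next cycle.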