About RuleMesh

Engineered compliance for every regulated system.

Engineered Compliance Infrastructure

Why we exist

Something is broken.

The GRC market keeps growing. Regulatory fines keep growing too. Both at the same time — that tells you something is broken.

Here's what we think it is. Regulations are written in prose. Software is built in code. Between them sits an industry that operates almost entirely at the policy layer — documents, questionnaires, SOC 2 reports, Big Four engagements. Prose checked against prose.

But a regulation is not satisfied by a policy document. It's satisfied — or not — at the execution layer: in the code that handles data, the access rules the application enforces, the retention logic in the database, the audit trail written at the moment a decision gets made.

That's where compliance actually lives or dies. And it's where engineers and AI agents have almost nothing to guide them, because no one is shipping the piece in between: engineered rules for every regulation, traced from statutory citation through control and configuration to defensible evidence — consumable by engineers, AI agents, and auditors alike.

That's what RuleMesh is building.

Layer: Policy layer
Documents, questionnaires, SOC 2 reports, Big Four engagements. Prose checked against prose.
Layer: Execution layer
Code that handles data, access rules the app enforces, retention logic in the database, the audit trail written at decision time.
Layer: RuleMesh
Engineered rules for every regulation, traced from statutory citation through control and configuration to defensible evidence — consumable by engineers, AI agents, and auditors.
Who's behind it

Lawrance Nyakiso

Founder · Stockholm

RuleMesh is the thing that should have existed.

RuleMesh was founded by Lawrance Nyakiso, based in Stockholm. Lawrance has spent 18 years in regulated industries — 7 as a software engineer in banking, then 11 as a security architect and advisor across fintech, global banks, automotive, and industrial clients.

He has worked directly with auditors and supervisory bodies, seen how compliance programs actually run, and watched the same gap open up on project after project: the policy exists, the engineer has a ticket, and nothing connects them.

  • 18 years in regulated industries
  • 7 years as a software engineer in banking
  • 11 years as security architect / advisor

We're not pretending

We're early. The MVP is live.

Our focus right now is the design partners we've onboarded and the regulations they need most. We're a small, focused team building something we believe is missing — and we're telling you that upfront, because the companies we most want to work with are the ones who'd rather shape the product than inherit one.

What we're packaging

RuleMesh is not a GDPR tool.

GDPR is the first regulation we've fully packaged; the roadmap spans some of the most consequential compliance regimes across the EU, the US, and Australia.

EU: European Union
  • GDPR
  • EU AI Act
  • DORA
  • NIS2
  • Data Governance Act
  • Data Act
  • Digital Services Act
  • Digital Markets Act
  • Cyber Resilience Act
  • Medical Devices Regulation

US: United States
  • HIPAA (Privacy, Security, Breach, Administrative)
  • COPPA
  • FERPA
  • Gramm-Leach-Bliley (Regulation P)
  • Identity Theft Red Flags
  • CAN-SPAM
  • Fair Credit Reporting Act

AU: Australia
  • Privacy Act
  • Security of Critical Infrastructure Act
  • Online Safety Act
  • Cybercrime Act
  • Surveillance Devices Act
  • Data Availability and Transparency Act
  • Spam Act
  • Criminal Code Act
  • Telecommunications (Interception and Access) Act

How teams consume it

Each regulation is engineered into structured, traceable rules anchored to statutory citation — consumable through our Jira app, via MCP for AI agents like Claude Code and Cursor, and through GraphQL for platform integrations.

We contribute to the standards we depend on

HCAP — the HTTP Compliance Authorization Protocol.

IETF draft · draft-nyakiso-hcap-00

Compliance-as-infrastructure only works if the infrastructure is open. HCAP is an IETF standards-track draft that moves compliance verification from annual audits to the HTTP layer: providers declare their policy requirements; callers present signed, verifiable credentials; verification happens offline in milliseconds.

HCAP is open, vendor-neutral, and designed to work with any registry — not just ours. We'd rather help define the category than fence it off.

Read the proposal

Join the design partner waitlist

Shape the product, don't inherit it.

RuleMesh is shaped by the companies we onboard as design partners. They get first access to new regulation packages, direct input on the roadmap, and a line straight to the founder. We take on a small number at a time so the work stays deep.

If compliance has just become a revenue blocker on your biggest deal, or you're a SaaS or AI company watching what's coming in the EU over the next two years, the waitlist is where to start.

Apply for Design Partner Program

Prefer email? Write to .