[01]team.dev

Project — Sprint / SKU 03

HIPAA/PCI Compound Catalog Build-out

Uses PTOI MCP

Give your regulated AI system a structured data vocabulary that survives a BAA audit and accelerates every future agent build.

Fixed fee

$35k

Duration

4 weeks

Engagement

Standalone — no retainer required

The problem this solves

Why this exists

PHI/PCI classifications scattered across code comments, Notion docs, and individual engineers' heads are not auditable. They drift the moment a new field is added by a new engineer at 6pm on a Friday.

A compound catalog gives the agent and your team a single source of truth: every field has a type, a classification, a masking rule, and an audit event. When BAA review comes, you point at one repo, not a meeting.

Is this for you?

Concrete fit and anti-fit

If we're not a fit, we'd rather you find out here than after a sales call.

Good fit

  • You have an AI agent in healthcare, fintech, or other regulated work — in production or close to it.
  • You have already hit the wall of 'what fields are PHI?' and your current answer is a Slack thread or a stale spreadsheet.
  • You want a versioned, machine-readable catalog your engineering team can build against and your compliance team can audit.
  • You are committed to PTOI, or open to it, as the spec.

Not a fit

  • You don't have an agent yet — start with SKU 01 (audit) or a Retainer for design help.
  • You want a one-time CSV — this is a maintained system with masking rules and audit events, not a spreadsheet.
  • Your data lives entirely outside your control (e.g., 100% via third-party APIs you cannot influence) — much harder; that needs separate scoping.
  • You expect a legal compliance certification — that is not what this delivers.

Schedule

Week by week

What happens, in order, with checkpoints. The SOW dates match this schedule.

  1. Week 1: Inventory

    • 60-minute kickoff with engineering + compliance.
    • Walk every data surface in scope (agent inputs, outputs, logs, storage).
    • Map fields. Classify each against the chosen regulatory frame.
    • End of week: inventory spreadsheet + draft compound list.

  2. Week 2: Reactions

    • Translate classifications into PTOI compound and reaction definitions.
    • Define masking rules per compound (display, logging, persistence).
    • Define audit events for each compound's lifecycle.
    • Wire the catalog into your storage layer.
    • End of week: catalog v0.5 in your repo + reactions YAML.

  3. Week 3: Wire and test

    • Wire the catalog into one agent surface — we pick the highest-leverage one with you.
    • Audit log schema implemented end-to-end on that surface.
    • Test cases covering classification, masking, and audit emission.
    • 30-minute mid-sprint check-in.

  4. Week 4: Harden and hand off

    • Documentation: catalog reference, runbook, how-to-add-a-compound guide.
    • BAA-readiness checklist mapped to your obligations.
    • 60-minute handoff call with engineering + compliance.
    • Final delivery. 30-day follow-up window opens.

Deliverables

What you have at the end

Each deliverable has a format. We don't ship slide decks instead of code.

01

Compound catalog v1

Every field, every type, every classification — using the PTOI spec. Yours to extend and own.

Format: YAML in your repo, version-controlled

02

Reactions and masking rule set

Display, logging, and persistence rules per compound — the rules engine your agent code can call.

Format: YAML in your repo

03

Audit log schema and reference logging pattern

Event shape, emission helpers, and example wiring — implemented on one agent surface.

Format: Code + Markdown

04

One wired surface

We pick the highest-leverage agent surface with you and wire the catalog end-to-end. Additional surfaces are scoped separately.

Format: Code in your repo

05

BAA-readiness checklist

Mapped to your obligations under the chosen regime, with explicit pointers to the artifacts that satisfy each item.

Format: Markdown in your repo

06

How-to-add-a-compound runbook

Written for the next engineer who has never seen the catalog before. The durable artifact.

Format: Markdown in your repo

07

30-day follow-up call

Check on adoption, answer questions, no upsell.

Format: 45 minutes, included

What you provide

Concrete dependencies, not 'share relevant info'

If these aren't in place, the ship date moves. We say so up front.

  • A named decision-maker for acceptance and scope changes (~1 hour/week).
  • A named technical contact for access and clarifications (~4 hours/week — heavier than the audit).
  • Read and write access to your repo and one storage layer.
  • Synthetic sample data covering the field surface in scope.
  • Decision on the regulatory frame at kickoff.
  • Engineering availability during the wiring step in week 3 (one engineer pair-programming for ~6 hours).

Out of scope

What this does NOT include

Read this. If something you assumed is here isn't, raise it on the fit call before we sign.

  • Wiring more than one agent surface — additional surfaces are scoped separately.
  • Backfilling masking on historical data — separate engagement.
  • Migrating off a legacy schema — separate engagement, often a Retainer.
  • Legal compliance certification — your counsel makes that call.
  • Building a custom replacement for the PTOI spec — we will not silently fork it.
  • Any work not expressly listed in the weekly schedule or deliverables above.

Success looks like

One paragraph, plain English

On day 28, your engineering team can answer 'how do we add a new field to the agent and stay BAA-ready?' by following a runbook, not by scheduling a meeting. Your compliance lead has a single artifact that maps directly to their checklist.

What happens after

Common post-sprint paths

What clients typically do after this sprint ships. None of these are required.

  • Many clients convert to a Retainer to extend the catalog across more surfaces.
  • The catalog is yours; the PTOI carveout means anonymized patterns flow back to the open-source spec — your specific compounds do not.
  • Some clients pair this with SKU 01 (audit) afterward as a defensible posture for a board or investor conversation.

Pricing and terms

What it costs and when you pay

The same numbers appear in the SOW. No bait-and-switch on the legal.

Fixed fee
$35,000 USD, fixed.
Payment schedule
50% on signing ($17,500), 50% on final delivery ($17,500).
Net terms
Net-15 from invoice date.
Cancellation
Cancel for convenience: you owe work performed plus 25% of the unbilled remaining fixed fee. Cause-based termination follows the MSA.
Founding-client discount
Up to 20% off, first 3 months only, capped at the first 3 clients to sign at any tier.

Ready to scope

Book the 15-minute fit call

Confirm fit, regulatory frame (if any), and start date. Written SOW within 48 hours.