If you cannot prove compliance, you are not compliant.
EU AI Act Articles 9, 12, 13, 14, 17 · GDPR Art. 5(1)(c) · FDA 510(k) · NIST AI RMF — all mappable with one API call. Full audit trail. W3C Verifiable Credentials.
Want to know what Sgraal does not claim? Read the threat model — including the explicit non-certification disclosure.
Important — compliance evidence: /v1/check verdicts are not included in the audit trail and do not generate W3C Verifiable Credentials. For compliance-grade evidence (HIPAA, GDPR, EU AI Act, FDA 510(k), NIST AI RMF), use /v1/preflight, which produces full audit-log entries and signed W3C VCs per verdict. The /v1/check endpoint is suitable for experimentation and high-frequency agent gating only.
Without Sgraal
With Sgraal
EU AI Act non-compliance: up to €35M or 7% of global annual revenue.
Compliance profile evaluated on every preflight. Non-compliant + irreversible = Sgraal returns BLOCK.
SHA256 hash chain. request_id, omega, action_override_chain — all recorded. SIEM export: Splunk / Datadog / Elastic.
/v1/compliance/eu-ai-act/report — Article 9/12/13/14/17 evidence. Conformity declaration template.
Automated GDPR data minimization proof — cryptographically signed, audit-grade.
Sgraal computes the Minimum Viable Memory state for every agent action — the smallest set of memory entries that would yield the same decision — and signs it as a W3C Verifiable Credential.
Prove to your regulator that your AI agent operated with the minimum necessary personal data. Cryptographically signed by your tenant's PASSPORT_SIGNING_KEY. Audit-grade. Generates your Article 30 record fields — returned in the API response for you to archive in your own audit-log system (Sgraal issues the credential; it does not store it for you).
Sample credential
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiableCredential", "MVMemCertificate2026"],
"issuer": "did:sgraal:tenant_...",
"issuanceDate": "2026-05-19T08:42:11Z",
"credentialSubject": {
"agentId": "agent_a47...",
"requestId": "req_b8c...",
"originalMemorySize": 47,
"minimumViableSize": 12,
"decisionPreserved": true,
"gdprArticle": "5(1)(c)"
},
"proof": {
"type": "Ed25519Signature2020",
"jws": "eyJhbGc..."
}
}
Anonymized sample. Your tenant produces identical-format certificates signed by your own key.
Try it
curl -X POST https://api.sgraal.com/v1/certify/mvmem \ -H "Authorization: Bearer sg_live_..." \ -H "Content-Type: application/json" \ -d '{"agent_id": "demo", "memory_state": [{"id": "m1", "content": "...", "type": "semantic"}]}'
Returns a signed MVMemCertificate2026 with the structure shown above. Response headers expose X-Sgraal-Original-Memory-Size, X-Sgraal-Minimum-Viable-Size, X-Sgraal-Decision-Preserved.
See a sample response
info Pre-generated sample · No signupcheck_circle HTTP 200 · POST /v1/certify/mvmem
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": ["VerifiableCredential", "MVMemCertificate2026"],
"issuer": "did:sgraal:tenant_demo",
"issuanceDate": "2026-05-21T20:07:43.441557+00:00",
"credentialSubject": {
"agentId": "demo_agent",
"requestId": "457b411b-a8ac-4d93-a59d-b629148b1c5e",
"originalMemorySize": 47,
"minimumViableSize": 12,
"decisionPreserved": true,
"gdprArticle": "5(1)(c)"
},
"proof": {
"type": "Ed25519Signature2020",
"created": "2026-05-21T20:07:43.441557+00:00",
"verificationMethod": "did:sgraal:tenant_demo#key-1",
"proofPurpose": "assertionMethod",
"jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..FHT0szhLUdizD6evzdh9i7oNPejOYbG9e4O5IBsw7mKz6squXd_O58blbFz1FCuuUSxKuEj4vr36p09it1BeCA"
}
}
Sample output — your tenant produces identical-format certificates signed by your own Ed25519 key. Get your own key →
4 built-in profiles: EU AI Act (Articles 9, 12, 13, 14, 17), GDPR, FDA 510(k), HIPAA. Non-compliant + irreversible = Sgraal returns BLOCK.
Non-compliant actions are flagged before execution. Sgraal returns a BLOCK verdict; runtime enforcement remains the integrator's responsibility — consistent with the verdict-layer scope of every Sgraal endpoint.
Tamper-proof audit log with SHA256 chain. Two API calls: GET /v1/audit-log/chain-verify answers "is the chain intact"; GET /v1/audit-log/export returns the full hash-chained log. Memory Last Will: GDPR + EU AI Act 10-year retention — ensures your audit data survives the full regulatory retention period. SIEM export.
Every decision is provable. Every audit is survivable.
Auto-generated EU AI Act conformity declaration via GET /v1/compliance/eu-ai-act/declaration. Article-level evidence mapping. Ready for regulatory submission.
Submit to regulators in minutes. Not months.
Check compliance in real time and generate regulatory reports.
result = client.preflight(
memory_state=[...],
action_type="irreversible",
compliance_profile="EU_AI_ACT"
)
print(result.compliance_result.compliant) # False
print(result.recommended_action) # BLOCK
print(result.compliance_result.violations)
# ["Article 9: risk management system required",
# "Article 13: transparency obligation"]
# Two compliance endpoints, two purposes:
# /report — ongoing monitoring snapshot (decision counts, violation rates)
# /declaration — formal one-time conformance artifact for regulator submission
import requests
headers = {"Authorization": "Bearer sg_live_..."}
# Ongoing monitoring report
resp = requests.get(
"https://api.sgraal.com/v1/compliance/eu-ai-act/report",
headers=headers
)
monitoring = resp.json()
# Formal conformance declaration (Article-level evidence mapping)
resp = requests.get(
"https://api.sgraal.com/v1/compliance/eu-ai-act/declaration",
headers=headers
)
with open("eu_ai_act_conformity.json", "w") as f:
import json
json.dump(resp.json(), f, indent=2)
Concrete DPO-facing evidence from our live GDPR commitment. Query the same data programmatically via GET /v1/compliance/gdpr.
memory_state is processed in real time and discarded — never persisted. Your agent memory payloads pass through preflight and are not retained as content.
Data location
EU (Frankfurt, DE)
Legal basis
Legitimate interest (GDPR Article 6(1)(f)) and contract performance (Article 6(1)(b)).
| Name | Purpose | Location |
|---|---|---|
| Supabase | Database | EU |
| Railway | API hosting | US/EU |
| Stripe | Billing | US |
| Upstash | Redis (GSV) | EU |
Right to erasure and data portability are available today via hello@sgraal.com (30-day fulfillment). Self-service API endpoints are in development:
DELETE /v1/account In development — erasure: all API keys, logs, and associated data permanently deleted within 30 daysGET /v1/account/export In development — portability: JSON export of preflight logs, audit logs, and API key metadataData Protection Officer
hello@sgraal.com · Sgraal Data Protection Officer · 72-hour response