Live · Available today
COMPLY For DPOs & CCOs

Meet every regulation.
Prove it cryptographically.

If you cannot prove compliance, you are not compliant.

EU AI Act Articles 9, 12, 13, 14, 17 · GDPR Art. 5(1)(c) · FDA 510(k) · NIST AI RMF — all mappable with one API call. Full audit trail. W3C Verifiable Credentials.

Want to know what Sgraal does not claim? Read the threat model — including the explicit non-certification disclosure.

Important — compliance evidence: /v1/check verdicts are not included in the audit trail and do not generate W3C Verifiable Credentials. For compliance-grade evidence (HIPAA, GDPR, EU AI Act, FDA 510(k), NIST AI RMF), use /v1/preflight, which produces full audit-log entries and signed W3C VCs per verdict. The /v1/check endpoint is suitable for experimentation and high-frequency agent gating only.

Without Sgraal

  • → Agent makes financial decision based on memory
  • → No compliance validation at decision time
  • → Regulatory audit arrives 6 months later
  • → Missing evidence → weeks of manual reconstruction → potential fine

With Sgraal

  • → Every decision checked against EU AI Act / GDPR / HIPAA in real time
  • → Non-compliant + irreversible = Sgraal returns BLOCK
  • → Full cryptographic audit trail recorded
  • → Compliance report generated in seconds, not months

EU AI Act non-compliance: up to €35M or 7% of global annual revenue.

1

Every decision is compliance-checked in real time

Compliance profile evaluated on every preflight. Non-compliant + irreversible = Sgraal returns BLOCK.

2

Every decision is logged with tamper-proof audit trail

SHA256 hash chain. request_id, omega, action_override_chain — all recorded. SIEM export: Splunk / Datadog / Elastic.

3

Compliance reports generated on demand

/v1/compliance/eu-ai-act/report — Article 9/12/13/14/17 evidence. Conformity declaration template.

⭐ Featured · GDPR Art. 5(1)(c)

MVMem Certificate

Automated GDPR data minimization proof — cryptographically signed, audit-grade.

workspace_premium
Live · Available today

Sgraal computes the Minimum Viable Memory state for every agent action — the smallest set of memory entries that would yield the same decision — and signs it as a W3C Verifiable Credential.

Prove to your regulator that your AI agent operated with the minimum necessary personal data. Cryptographically signed by your tenant's PASSPORT_SIGNING_KEY. Audit-grade. Generates your Article 30 record fields — returned in the API response for you to archive in your own audit-log system (Sgraal issues the credential; it does not store it for you).

Automated data minimization proof — no manual audit reconstruction
Signed W3C Verifiable Credential — standards-grade, not vendor-specific
GDPR Article 5(1)(c) compliant — direct mapping to the regulation
Generated per agent action, not per quarter

Sample credential

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "MVMemCertificate2026"],
  "issuer": "did:sgraal:tenant_...",
  "issuanceDate": "2026-05-19T08:42:11Z",
  "credentialSubject": {
    "agentId": "agent_a47...",
    "requestId": "req_b8c...",
    "originalMemorySize": 47,
    "minimumViableSize": 12,
    "decisionPreserved": true,
    "gdprArticle": "5(1)(c)"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "jws": "eyJhbGc..."
  }
}

Anonymized sample. Your tenant produces identical-format certificates signed by your own key.

Try it

curl -X POST https://api.sgraal.com/v1/certify/mvmem \
  -H "Authorization: Bearer sg_live_..." \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "demo", "memory_state": [{"id": "m1", "content": "...", "type": "semantic"}]}'

Returns a signed MVMemCertificate2026 with the structure shown above. Response headers expose X-Sgraal-Original-Memory-Size, X-Sgraal-Minimum-Viable-Size, X-Sgraal-Decision-Preserved.

See a sample response

info Pre-generated sample · No signup

Capabilities

gavel

Compliance Engine

4 built-in profiles: EU AI Act (Articles 9, 12, 13, 14, 17), GDPR, FDA 510(k), HIPAA. Non-compliant + irreversible = Sgraal returns BLOCK.

Non-compliant actions are flagged before execution. Sgraal returns a BLOCK verdict; runtime enforcement remains the integrator's responsibility — consistent with the verdict-layer scope of every Sgraal endpoint.

receipt_long

Audit Trail & Last Will

Tamper-proof audit log with SHA256 chain. Two API calls: GET /v1/audit-log/chain-verify answers "is the chain intact"; GET /v1/audit-log/export returns the full hash-chained log. Memory Last Will: GDPR + EU AI Act 10-year retention — ensures your audit data survives the full regulatory retention period. SIEM export.

Every decision is provable. Every audit is survivable.

verified_user

Conformity Declaration

Auto-generated EU AI Act conformity declaration via GET /v1/compliance/eu-ai-act/declaration. Article-level evidence mapping. Ready for regulatory submission.

Submit to regulators in minutes. Not months.

Compliance Preflight + Report

Check compliance in real time and generate regulatory reports.

result = client.preflight(
    memory_state=[...],
    action_type="irreversible",
    compliance_profile="EU_AI_ACT"
)
print(result.compliance_result.compliant)   # False
print(result.recommended_action)            # BLOCK
print(result.compliance_result.violations)
# ["Article 9: risk management system required",
#  "Article 13: transparency obligation"]

# Two compliance endpoints, two purposes:
#   /report      — ongoing monitoring snapshot (decision counts, violation rates)
#   /declaration — formal one-time conformance artifact for regulator submission

import requests
headers = {"Authorization": "Bearer sg_live_..."}

# Ongoing monitoring report
resp = requests.get(
    "https://api.sgraal.com/v1/compliance/eu-ai-act/report",
    headers=headers
)
monitoring = resp.json()

# Formal conformance declaration (Article-level evidence mapping)
resp = requests.get(
    "https://api.sgraal.com/v1/compliance/eu-ai-act/declaration",
    headers=headers
)
with open("eu_ai_act_conformity.json", "w") as f:
    import json
    json.dump(resp.json(), f, indent=2)

Data processing transparency

Concrete DPO-facing evidence from our live GDPR commitment. Query the same data programmatically via GET /v1/compliance/gdpr.

shield_lock

Memory content is never stored

memory_state is processed in real time and discarded — never persisted. Your agent memory payloads pass through preflight and are not retained as content.

Data location

EU (Frankfurt, DE)

Legal basis

Legitimate interest (GDPR Article 6(1)(f)) and contract performance (Article 6(1)(b)).

Data retention

  • Preflight logs: 90 days, then auto-deleted
  • Audit logs: 1 year, then archived
  • API keys: retained until account deletion
  • Memory state: not stored — processed in real time and discarded

Sub-processors

Name Purpose Location
SupabaseDatabaseEU
RailwayAPI hostingUS/EU
StripeBillingUS
UpstashRedis (GSV)EU

Data subject rights & DPO contact

Right to erasure and data portability are available today via hello@sgraal.com (30-day fulfillment). Self-service API endpoints are in development:

  • DELETE /v1/account In development — erasure: all API keys, logs, and associated data permanently deleted within 30 days
  • GET /v1/account/export In development — portability: JSON export of preflight logs, audit logs, and API key metadata

Data Protection Officer

hello@sgraal.com · Sgraal Data Protection Officer · 72-hour response

Ready to prove compliance?

Start free trial →