Preventive controls at the browser boundary

Meets FCA SYSC and EU AI Act Article 15 requirements for preventive, not detective, controls. Block-first, log-always architecture.

Immutable audit logs in WORM storage

Append-only event logs with cryptographic chain-of-custody. Retention configurable up to SEC 17a-4 (7 years) and UK DPA (6 years).

Role-based scoping via SSO / SCIM

Directory-group policies via Okta, Azure AD, Google Workspace. Legitimate exceptions recorded, not hidden.

Data residency options

US, EU, UK, APAC regions. Your data never leaves your chosen jurisdiction: no US subprocessor exposure.

Annual third-party penetration testing

Results shared under NDA on request. Continuous scanning and monthly internal red-team exercises between engagements.

Incident response within 4 hours

24/7 on-call security team. Root-cause analysis delivered within 48 hours. 72-hour EU AI Act Article 73 compliance built in.

Evidence-ready audit exports

Native export in SOC 2 evidence format, HIPAA OCR investigation format, PCI-DSS 4.0 assessment template, and EU AI Act inspection artefact schema.

Subprocessor transparency

Full subprocessor list published and versioned on our Site. Changes notified to affected customers 30 days in advance.

Need specific evidence for your regulator?

We provide pre-inspection artefact packs tailored to SOC 2, HIPAA, PCI-DSS, EU AI Act, and FCA SYSC. A briefing walks through exactly what your auditor will ask for.

NDA on request. Includes worked examples from anonymised customer audits.