Information for Regulators
ARQERA provides AI governance infrastructure that helps organizations meet regulatory requirements for AI systems. This page explains our capabilities for regulators, auditors, and compliance officers.
What ARQERA Does
ARQERA is a governance API that evaluates AI actions in real-time and maintains complete audit trails. When an AI system wants to take an action, ARQERA:
- Evaluates the action against policies
- Decides whether to proceed, escalate to humans, or block
- Records the decision with cryptographic proof
- Enables human oversight at scale
Regulatory Framework Support
EU AI Act (Regulation (EU) 2024/1689)
ARQERA addresses requirements for high-risk AI systems under Annex III:
| Article | Requirement | ARQERA Capability |
|---|---|---|
| Art. 9 | Risk management system | Real-time evaluation, policy enforcement |
| Art. 12 | Record-keeping | Immutable evidence chain, 100% coverage |
| Art. 13 | Transparency | Explainable verdicts, reasoning logs |
| Art. 14 | Human oversight | Escalation workflows, approval queues |
| Art. 15 | Accuracy and robustness | Sub-15ms evaluation, 99.97% uptime |
Key dates:
- August 2, 2025 — Prohibited AI practices take effect
- August 2, 2026 — High-risk requirements (Annex III) take effect
GDPR (Regulation (EU) 2016/679)
| Article | Requirement | ARQERA Capability |
|---|---|---|
| Art. 5 | Data processing principles | Audit trail of all data access |
| Art. 17 | Right to erasure | Data retention policies, deletion workflows |
| Art. 20 | Data portability | Evidence export in standard formats |
| Art. 22 | Automated decision-making | Human review for significant decisions |
| Art. 35 | DPIA requirements | Risk assessment logging |
SOC 2
ARQERA maintains SOC 2 Type II certification covering:
- Security (CC1-CC9)
- Availability (A1)
- Confidentiality (C1)
Annual audits by independent third-party firms. Reports available under NDA.
Other Frameworks
| Framework | Status | Notes |
|---|---|---|
| ISO 27001 | Aligned | Information security management |
| ISO 42001 | In progress | AI management system |
| UK DPA 2018 | Compliant | Post-Brexit GDPR equivalent |
| Cyber Essentials | Certified | UK government baseline |
Audit Capabilities
Evidence Chain
Every AI action creates an evidence record containing:
{
"evidence_id": "ev_abc123def456",
"timestamp": "2026-04-13T10:30:00.000Z",
"action": "send_email",
"actor": {
"type": "agent",
"id": "agent_xyz",
"name": "Email Assistant"
},
"context": {
"recipient": "external@company.com",
"subject": "Contract Discussion",
"has_attachments": true
},
"verdict": "ESCALATE",
"reasoning": "External recipient + contract keyword triggered policy: financial-communications",
"laws_evaluated": [
{"name": "safety_dominance", "passed": true},
{"name": "budget_conservation", "passed": true},
{"name": "bounded_autonomy", "passed": false, "reason": "Requires human approval"}
],
"signature": "sha256:abc123...",
"chain_hash": "sha256:def456..."
}
Cryptographic Integrity
- SHA-256 hashing — Each evidence record is hashed
- Chain linking — Each record includes the previous record's hash
- HMAC signing — Records are signed with tenant keys
- Tamper detection — Any modification invalidates the chain
Export Formats
Evidence can be exported in:
- JSON (machine-readable)
- CSV (spreadsheet-compatible)
- PDF (human-readable reports)
Exports include chain verification data for independent validation.
Retention
| Data Type | Default Retention | Configurable |
|---|---|---|
| Evidence records | 7 years | Yes (up to unlimited) |
| Approval decisions | 7 years | Yes |
| Access logs | 2 years | Yes |
| Personal data | Per GDPR | Yes |
Human Oversight
Escalation Workflow
When an action requires human review:
- AI action → ARQERA evaluation → ESCALATE verdict
- Approval request created and routed
- Human reviewer sees action details and context
- Reviewer approves, rejects, or modifies
- Decision recorded with reviewer identity and timestamp
- If approved, action executes; if rejected, action blocked
Approval Routing
- Role-based — Route to specific roles (manager, compliance officer)
- Team-based — Route to team queues
- Escalation chains — Auto-escalate if not reviewed within SLA
Oversight Metrics
Dashboard shows:
- Approval volume by category
- Average review time
- Rejection rate
- Override patterns
Technical Architecture
Infrastructure
- Hosting: Google Cloud Platform (europe-west2, London)
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Availability: 99.97% uptime SLA
- Data residency: EU by default, configurable per tenant
Security Controls
| Control | Implementation |
|---|---|
| Authentication | SSO (SAML/OIDC), MFA required for admins |
| Authorization | Role-based access control (RBAC) |
| Encryption | TLS 1.3, AES-256, key rotation |
| Logging | All access logged, immutable storage |
| Monitoring | 24/7 SOC, anomaly detection |
| Incident response | Documented procedures, 1-hour SLA |
Penetration Testing
Annual penetration tests by third-party firms. Summary reports available under NDA.
Compliance Dashboard
Organizations using ARQERA can view compliance status in real-time:
Control Mapping
Each regulation is mapped to specific controls. Dashboard shows:
- Control status (passed/failed/not applicable)
- Evidence supporting each control
- Remediation guidance for failed controls
Compliance Scoring
Aggregate score per framework:
- SOC 2: 95/100
- GDPR: 92/100
- EU AI Act: 88/100
Scores based on control coverage and evidence availability.
Audit Reports
Pre-generated reports for common audit requests:
- All AI actions in date range
- Escalated actions and outcomes
- Policy violations and responses
- Human oversight statistics
Incident Response
Breach Notification
If a data breach occurs:
- Affected organizations notified within 72 hours
- Detailed incident report provided
- Remediation steps outlined
- Post-incident review completed
Regulatory Contact
For regulatory inquiries:
- Email: compliance@arqera.io
- Response time: Within 48 hours
- Escalation: Legal counsel engaged for formal requests
Data Processing
Data Flows
Customer AI System → ARQERA API → Evaluation Engine
↓
Evidence Storage
↓
Compliance Reporting
Data Categories
| Category | Purpose | Retention |
|---|---|---|
| Action context | Governance evaluation | Configurable |
| Verdicts | Audit trail | 7 years |
| User identities | Access control | Account lifetime |
| Logs | Security monitoring | 2 years |
Sub-processors
ARQERA uses the following sub-processors:
- Google Cloud Platform (hosting, storage)
- Stripe (payment processing)
- SendGrid (transactional email)
Full sub-processor list available in our DPA.
Frequently Asked Questions
Is ARQERA itself an AI system under EU AI Act? ARQERA provides governance infrastructure. The AI systems being governed may be subject to EU AI Act requirements. ARQERA helps those systems meet their obligations.
Can ARQERA be audited? Yes. We provide SOC 2 reports and support customer audits. Penetration test summaries available under NDA.
Where is data stored? EU by default (GCP europe-west2, London). US and other regions available for enterprise customers.
Can evidence be falsified? No. Evidence records are cryptographically signed and chain-linked. Tampering invalidates the chain and is detectable.
How do you handle cross-border data transfers? Standard Contractual Clauses (SCCs) for EU→non-EU transfers. UK Addendum for UK transfers.
What happens if ARQERA goes offline? Customers can configure fail-open or fail-closed behavior. 99.97% uptime SLA with financial credits for downtime.
Resources
- Data Processing Agreement
- Privacy Policy
- Security Whitepaper
- SOC 2 Report (NDA required)
- EU AI Act Compliance Guide
Contact
Compliance Team: compliance@arqera.io
Legal Team: legal@arqera.io
Data Protection Officer: dpo@arqera.io
ARQERA: Enabling compliant AI deployment.