Skip to main content

Information for Regulators

ARQERA provides AI governance infrastructure that helps organizations meet regulatory requirements for AI systems. This page explains our capabilities for regulators, auditors, and compliance officers.

What ARQERA Does

ARQERA is a governance API that evaluates AI actions in real-time and maintains complete audit trails. When an AI system wants to take an action, ARQERA:

  1. Evaluates the action against policies
  2. Decides whether to proceed, escalate to humans, or block
  3. Records the decision with cryptographic proof
  4. Enables human oversight at scale

Regulatory Framework Support

EU AI Act (Regulation (EU) 2024/1689)

ARQERA addresses requirements for high-risk AI systems under Annex III:

ArticleRequirementARQERA Capability
Art. 9Risk management systemReal-time evaluation, policy enforcement
Art. 12Record-keepingImmutable evidence chain, 100% coverage
Art. 13TransparencyExplainable verdicts, reasoning logs
Art. 14Human oversightEscalation workflows, approval queues
Art. 15Accuracy and robustnessSub-15ms evaluation, 99.97% uptime

Key dates:

  • August 2, 2025 — Prohibited AI practices take effect
  • August 2, 2026 — High-risk requirements (Annex III) take effect

GDPR (Regulation (EU) 2016/679)

ArticleRequirementARQERA Capability
Art. 5Data processing principlesAudit trail of all data access
Art. 17Right to erasureData retention policies, deletion workflows
Art. 20Data portabilityEvidence export in standard formats
Art. 22Automated decision-makingHuman review for significant decisions
Art. 35DPIA requirementsRisk assessment logging

SOC 2

ARQERA maintains SOC 2 Type II certification covering:

  • Security (CC1-CC9)
  • Availability (A1)
  • Confidentiality (C1)

Annual audits by independent third-party firms. Reports available under NDA.

Other Frameworks

FrameworkStatusNotes
ISO 27001AlignedInformation security management
ISO 42001In progressAI management system
UK DPA 2018CompliantPost-Brexit GDPR equivalent
Cyber EssentialsCertifiedUK government baseline

Audit Capabilities

Evidence Chain

Every AI action creates an evidence record containing:

{
"evidence_id": "ev_abc123def456",
"timestamp": "2026-04-13T10:30:00.000Z",
"action": "send_email",
"actor": {
"type": "agent",
"id": "agent_xyz",
"name": "Email Assistant"
},
"context": {
"recipient": "external@company.com",
"subject": "Contract Discussion",
"has_attachments": true
},
"verdict": "ESCALATE",
"reasoning": "External recipient + contract keyword triggered policy: financial-communications",
"laws_evaluated": [
{"name": "safety_dominance", "passed": true},
{"name": "budget_conservation", "passed": true},
{"name": "bounded_autonomy", "passed": false, "reason": "Requires human approval"}
],
"signature": "sha256:abc123...",
"chain_hash": "sha256:def456..."
}

Cryptographic Integrity

  • SHA-256 hashing — Each evidence record is hashed
  • Chain linking — Each record includes the previous record's hash
  • HMAC signing — Records are signed with tenant keys
  • Tamper detection — Any modification invalidates the chain

Export Formats

Evidence can be exported in:

  • JSON (machine-readable)
  • CSV (spreadsheet-compatible)
  • PDF (human-readable reports)

Exports include chain verification data for independent validation.

Retention

Data TypeDefault RetentionConfigurable
Evidence records7 yearsYes (up to unlimited)
Approval decisions7 yearsYes
Access logs2 yearsYes
Personal dataPer GDPRYes

Human Oversight

Escalation Workflow

When an action requires human review:

  1. AI action → ARQERA evaluation → ESCALATE verdict
  2. Approval request created and routed
  3. Human reviewer sees action details and context
  4. Reviewer approves, rejects, or modifies
  5. Decision recorded with reviewer identity and timestamp
  6. If approved, action executes; if rejected, action blocked

Approval Routing

  • Role-based — Route to specific roles (manager, compliance officer)
  • Team-based — Route to team queues
  • Escalation chains — Auto-escalate if not reviewed within SLA

Oversight Metrics

Dashboard shows:

  • Approval volume by category
  • Average review time
  • Rejection rate
  • Override patterns

Technical Architecture

Infrastructure

  • Hosting: Google Cloud Platform (europe-west2, London)
  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Availability: 99.97% uptime SLA
  • Data residency: EU by default, configurable per tenant

Security Controls

ControlImplementation
AuthenticationSSO (SAML/OIDC), MFA required for admins
AuthorizationRole-based access control (RBAC)
EncryptionTLS 1.3, AES-256, key rotation
LoggingAll access logged, immutable storage
Monitoring24/7 SOC, anomaly detection
Incident responseDocumented procedures, 1-hour SLA

Penetration Testing

Annual penetration tests by third-party firms. Summary reports available under NDA.


Compliance Dashboard

Organizations using ARQERA can view compliance status in real-time:

Control Mapping

Each regulation is mapped to specific controls. Dashboard shows:

  • Control status (passed/failed/not applicable)
  • Evidence supporting each control
  • Remediation guidance for failed controls

Compliance Scoring

Aggregate score per framework:

  • SOC 2: 95/100
  • GDPR: 92/100
  • EU AI Act: 88/100

Scores based on control coverage and evidence availability.

Audit Reports

Pre-generated reports for common audit requests:

  • All AI actions in date range
  • Escalated actions and outcomes
  • Policy violations and responses
  • Human oversight statistics

Incident Response

Breach Notification

If a data breach occurs:

  • Affected organizations notified within 72 hours
  • Detailed incident report provided
  • Remediation steps outlined
  • Post-incident review completed

Regulatory Contact

For regulatory inquiries:

  • Email: compliance@arqera.io
  • Response time: Within 48 hours
  • Escalation: Legal counsel engaged for formal requests

Data Processing

Data Flows

Customer AI System → ARQERA API → Evaluation Engine

Evidence Storage

Compliance Reporting

Data Categories

CategoryPurposeRetention
Action contextGovernance evaluationConfigurable
VerdictsAudit trail7 years
User identitiesAccess controlAccount lifetime
LogsSecurity monitoring2 years

Sub-processors

ARQERA uses the following sub-processors:

  • Google Cloud Platform (hosting, storage)
  • Stripe (payment processing)
  • SendGrid (transactional email)

Full sub-processor list available in our DPA.


Frequently Asked Questions

Is ARQERA itself an AI system under EU AI Act? ARQERA provides governance infrastructure. The AI systems being governed may be subject to EU AI Act requirements. ARQERA helps those systems meet their obligations.

Can ARQERA be audited? Yes. We provide SOC 2 reports and support customer audits. Penetration test summaries available under NDA.

Where is data stored? EU by default (GCP europe-west2, London). US and other regions available for enterprise customers.

Can evidence be falsified? No. Evidence records are cryptographically signed and chain-linked. Tampering invalidates the chain and is detectable.

How do you handle cross-border data transfers? Standard Contractual Clauses (SCCs) for EU→non-EU transfers. UK Addendum for UK transfers.

What happens if ARQERA goes offline? Customers can configure fail-open or fail-closed behavior. 99.97% uptime SLA with financial credits for downtime.


Resources


Contact

Compliance Team: compliance@arqera.io

Legal Team: legal@arqera.io

Data Protection Officer: dpo@arqera.io


ARQERA: Enabling compliant AI deployment.