Governance & Compliance

AI governance, not as an afterthought.

Every AI deployment we ship is designed to pass legal review before it ships, not after. The founder is a qualified lawyer (BA, LLB) as well as a 25-year engineer.

GDPR-ready · DPA available pre-signature · SOC 2 Type 1 in progress · EU AI Act ready · India DPDPA aligned

Section 1 · Frameworks

The regulations we build against.

GDPR (EU)

Data minimization, lawful basis, right to erasure, DPA execution before processing.

How we handle it: we sign DPAs and Standard Contractual Clauses before any data flows, default to data-minimization in every prompt and prompt-cache design, document lawful basis per processing activity, and build deletion workflows that propagate to model caches and audit logs — not just the application database.

CCPA / CPRA (California)

Consumer rights, opt-out signals, deletion workflows, training-data disclosures.

How we handle it: we honor Global Privacy Control signals where applicable, build right-to-know and right-to-delete endpoints into every integration that touches consumer data, and document our training-data position clearly — we do not train on client data without explicit written consent.

EU AI Act

Risk classification (minimal / limited / high), conformity assessment for high-risk uses, transparency obligations.

How we handle it: every deployment gets a written risk classification under the Act before we build. Limited-risk systems ship with the transparency obligations the Act requires; we decline high-risk builds without the conformity assessment infrastructure in place.

India DPDPA

Consent management, data fiduciary obligations, cross-border transfer rules.

How we handle it: consent capture and revocation flows wired into the integration from day one, fiduciary role and grievance contact named in the engagement agreement, cross-border transfer assessed against the latest Rules notified under the Act.

Section 2 · Defaults

Six things every UES deployment ships with — non-negotiable.

  1. Audit logs

     For every model call — who, what prompt, what response, what model, what cost, timestamped and retained.

  2. Cost caps

     At request, daily, and monthly level. Hard stop on overrun, not a soft alert.

  3. Data residency choice

     Your AWS / Azure / GCP region, or our managed deployment in the region of your choice. Your data does not leave it.

  4. Model abstraction

     Claude, GPT, open-source, on-prem. You pick. We recommend. Switching costs are designed to be low.

  5. Prompt-injection defenses

     Input sanitization, output validation, jailbreak detection, escalation rules for adversarial inputs.

  6. Rollback path

     Every agent has a kill switch and a documented manual fallback. Production failure is not a crisis we improvise through.
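The first two defaults above (per-call audit records and hard cost caps at the request, daily and monthly level) are simple to express as a gateway that sits between the application and the model provider. The example below is added here to illustrate that shape; it is not UES code. The model adapter, the cap values, the caller names and the fixed clock are all constructed for the illustration, and a real deployment would persist the spend counters and the audit records in durable storage rather than in memory.

```python
"""Constructed example: a model-call gateway that enforces hard cost caps
(request, daily, monthly) and writes an audit record for every call,
including calls it refuses. Not the page's own code."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable


class CostCapExceeded(Exception):
    """Raised when a call would breach a cap. The model is never invoked."""


@dataclass
class CostCaps:
    per_request_usd: float
    daily_usd: float
    monthly_usd: float


@dataclass
class ModelGateway:
    caps: CostCaps
    # Hypothetical adapter: model_fn(model, prompt) -> (response, actual_cost_usd)
    model_fn: Callable[[str, str], tuple[str, float]]
    # Injectable clock so the daily/monthly windows can be tested deterministically
    clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)
    # Spend counters keyed "day:YYYY-MM-DD" and "month:YYYY-MM" (in-memory here)
    spent: dict[str, float] = field(default_factory=dict)
    # Append-only audit trail: one record per attempted call, allowed or denied
    audit_log: list[dict] = field(default_factory=list)

    def _window_keys(self, now: datetime) -> tuple[str, str]:
        return f"day:{now:%Y-%m-%d}", f"month:{now:%Y-%m}"

    def call(self, caller: str, model: str, prompt: str, estimated_cost_usd: float) -> str:
        now = self.clock()
        day_key, month_key = self._window_keys(now)
        record = {
            "timestamp": now.isoformat(),
            "caller": caller,
            "model": model,
            "prompt": prompt,
            "estimated_cost_usd": estimated_cost_usd,
        }
        # Check every cap BEFORE the provider is called: a hard stop, not an alert.
        reason = None
        if estimated_cost_usd > self.caps.per_request_usd:
            reason = "request cap"
        elif self.spent.get(day_key, 0.0) + estimated_cost_usd > self.caps.daily_usd:
            reason = "daily cap"
        elif self.spent.get(month_key, 0.0) + estimated_cost_usd > self.caps.monthly_usd:
            reason = "monthly cap"
        if reason is not None:
            record.update(decision="denied", reason=reason)
            self.audit_log.append(record)
            raise CostCapExceeded(reason)

        response, actual_cost = self.model_fn(model, prompt)
        # Charge the actual cost to both windows so later calls see real spend.
        self.spent[day_key] = self.spent.get(day_key, 0.0) + actual_cost
        self.spent[month_key] = self.spent.get(month_key, 0.0) + actual_cost
        record.update(decision="allowed", response=response, cost_usd=actual_cost)
        self.audit_log.append(record)
        return response

    def audit_lines(self) -> list[str]:
        """Audit records as JSON lines, ready to append to a retained log store."""
        return [json.dumps(r, sort_keys=True) for r in self.audit_log]


def fake_model(model: str, prompt: str) -> tuple[str, float]:
    # Constructed stand-in for a provider client: echoes the prompt, flat cost.
    return f"[{model}] echo: {prompt[:20]}", 0.004


def demo() -> ModelGateway:
    """Two calls fit the daily cap; the third breaches it; the fourth breaches the request cap."""
    fixed_clock = lambda: datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    caps = CostCaps(per_request_usd=0.01, daily_usd=0.01, monthly_usd=0.05)
    gw = ModelGateway(caps, fake_model, fixed_clock)
    gw.call("alice", "model-a", "Summarise this ticket", 0.004)
    gw.call("alice", "model-a", "Draft a reply", 0.004)
    for caller, model, prompt, est in [("bob", "model-a", "Classify lead", 0.004),
                                       ("bob", "model-b", "Translate", 0.02)]:
        try:
            gw.call(caller, model, prompt, est)
        except CostCapExceeded:
            pass  # denied calls are still recorded in the audit log
    return gw


if __name__ == "__main__":
    for line in demo().audit_lines():
        print(line)
```

The point of the pre-call check is that overrun is impossible by construction: a request that would push the day or month over its budget is refused before any tokens are bought, and the refusal itself is an audit record, so a spike in "denied" entries is visible to whoever reviews the log.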

Section 3 · Paperwork

The paperwork is ready when you are.

We ship with templates your legal team can mark up: Data Processing Addendum, Standard Contractual Clauses for cross-border transfers, mutual NDA, IP assignment language for any custom work, model and data audit access rights. We’ve negotiated these with the legal teams of mid-market US and UK companies — they survived. We expect yours will too.

Section 4 · EU AI Act

Where your AI deployment sits under the EU AI Act.

The EU AI Act, fully in force in 2026, classifies AI systems by risk: minimal, limited, high, and prohibited. Most CRM lead-scoring, email subject-line generation, and support triage applications fall into the minimal or limited risk categories — but the categorization is workload-specific, not vendor-wide. We assess every deployment against the Act before we build, document the classification, and ship the conformity artifacts that classification requires.

For limited-risk systems, this means transparency obligations: users informed they are interacting with an AI, generated content labeled appropriately. For high-risk applications — anything affecting employment decisions, access to credit, or health — we’ll tell you that during the readiness audit and decline the build if we don’t have the conformity assessment infrastructure in place.

The founder’s legal background means this assessment is part of the engagement, not a separate consulting fee.

Section 5 · What we won’t build

  • AI systems for employment decisions without a documented human-in-the-loop and bias audit
  • AI handling clinical decisions (we’ll integrate around clinical workflows, not into them)
  • Systems that train on customer data without explicit consent
  • Black-box deployments without audit logging
  • Anything that can’t survive a compliance review

Section 6 · Speak with the founder

If you’re a General Counsel, CISO, or compliance lead, the founder takes these calls personally. Twenty-five years of engineering plus a law degree means the conversation moves fast.

Ready to see this on your own data?

A 30-minute conversation. We’ll tell you whether AI moves the needle on this workflow — and where it doesn’t. No deck.