Kraterion
Compliance & governance

Built for the rules
AI is facing.

New AI regulation keeps coming back to the same questions: can you show what your AI did, keep the record, and control the data behind it? Kraterion is built to give you those technical controls — out of the box, not bolted on.

DPA, subprocessor list, and security docs available on request · security@kraterion.com

Regulatory requirements mapped
  • Automatic, durable logs: EU AI Act · met by Run records (covered)
  • Right to erasure: GDPR · met by Revoke + crypto-erase (covered)
  • Traceability: ISO 42001 · met by Lineage + replay (covered)
  • Data residency & ownership: GDPR · met by You own the bytes (covered)
Technical controls — not legal advice.
  • Aug 2026: EU AI Act high-risk obligations apply (Annex III systems)
  • 6 months: minimum AI log retention (EU AI Act Art. 12 / 19)
  • Art. 17: GDPR right to erasure (2026 enforcement priority)
  • Yours: data + logs you own (not vendor-held)
01 The common thread

Different rules, three demands.

Strip away the acronyms and most AI regulation asks for the same three things. Kraterion provides each as a property of the system.

EU AI Act · ISO 42001

Durable audit logs

High-risk AI must automatically record what it did and keep it (6 months minimum). Every Kraterion run is a tamper-evident record you keep as long as you need.

GDPR

Data control & erasure

People can ask to be forgotten. Because data is encrypted and access is revocable, you can lock it out or erase it by destroying the key — and prove you did.

ISO 42001 · NIST AI RMF

Traceability & provenance

Frameworks want to reconstruct how a decision was made. Lineage shows every input behind an output; replay reproduces the run against the same data.

The controls regulators ask for —
already in the product.

02 Regulation by regulation

What it asks. What we give you.

EU AI Act

High-risk AI · obligations apply Aug 2, 2026

What it asks
Automatic event logs over the system's lifetime, kept six months at minimum (Art. 12 / 19). Traceability of inputs to outputs, and technical documentation you can produce on request — retained up to 10 years (Art. 18).

How Kraterion helps
  • Run records
  • Tamper-evident logs
  • Replay
  • Lineage

GDPR

Personal data · right to erasure (Art. 17)

What it asks
Lawful control over personal data: restrict access, honor erasure requests, and keep data in a region you choose. EU data-protection authorities accept cryptographic erasure — destroying the key — as valid deletion.

How Kraterion helps
  • Encrypted by default
  • Revoke access
  • Cryptographic erasure
  • Owned & portable

ISO 42001 · NIST AI RMF

AI governance frameworks

What it asks
Continuous traceability — a versioned accountability record with input provenance, outputs, approvals, and retention an external reviewer can follow end to end.

How Kraterion helps
  • Run records
  • Lineage
  • Verifiable citations
  • You own the logs

03 How your data is handled

Your data, on your terms.

The questions every security review asks — where the data lives, who can read it, how it's deleted, how long it's kept. Here, the answers are properties of the system.

Residency you choose

Your data lives on storage you own and control. Keep it in a region you pick, and move it out anytime with standard tools.

Encrypted, keys you hold

Everything is sealed before it leaves you. The platform stores ciphertext only — we never hold the keys to your data.

Deletion that proves itself

Erase by destroying the key. EU regulators recognize cryptographic erasure, and access is revocable in a single step.
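An added illustration of the properties named on this page (tamper-evident run records, client-side sealing, erasure by destroying the key); this is hypothetical code, not Kraterion's, and the HMAC-based cipher stands in for a real AEAD such as AES-GCM. The tenant keeps data keys locally, hash-chains every run event, and logs the key destruction, so an auditor can check both that the record chain is intact and that the sealed bytes are unrecoverable.

```python
import hashlib, hmac, json, os

class Vault:
    """Tenant-side seal/erase (assumed design). Keys never leave here; the platform sees ciphertext only."""
    def __init__(self):
        self.keys = {}      # run_id -> data key, held by the tenant
        self.records = []   # hash-chained run records (tamper-evident log)

    def _ks(self, key, nonce, n):
        # HMAC-SHA256 counter keystream: toy stand-in for a real AEAD, not a production cipher
        return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                        for i in range(n // 32 + 1))[:n]

    def seal(self, run_id, plaintext):
        key, nonce = os.urandom(32), os.urandom(16)
        self.keys[run_id] = key
        ct = bytes(a ^ b for a, b in zip(plaintext, self._ks(key, nonce, len(plaintext))))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        blob = nonce + ct + tag
        self._append({"run": run_id, "event": "sealed", "ciphertext": hashlib.sha256(blob).hexdigest()})
        return blob

    def unseal(self, run_id, blob):
        key = self.keys.get(run_id)
        if key is None:
            raise KeyError("data key destroyed: ciphertext is unrecoverable")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("ciphertext tampered")
        return bytes(a ^ b for a, b in zip(ct, self._ks(key, nonce, len(ct))))

    def crypto_erase(self, run_id):
        # Erasure is key destruction; the event is logged so a reviewer can see when it happened
        del self.keys[run_id]
        self._append({"run": run_id, "event": "key_destroyed"})

    def _append(self, body):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        payload = json.dumps({**body, "prev": prev}, sort_keys=True)
        self.records.append({**body, "prev": prev, "hash": hashlib.sha256(payload.encode()).hexdigest()})

def verify_chain(records):
    """Recompute every hash; an edited, dropped or reordered record breaks the chain."""
    prev = "0" * 64
    for r in records:
        body = {k: v for k, v in r.items() if k != "hash"}
        if body["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != r["hash"]:
            return False
        prev = r["hash"]
    return True
```

The sample input in the test is constructed; after `crypto_erase` the chain still verifies while the sealed bytes can no longer be opened.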

Retention on your terms

You decide how long run records and logs live — no vendor retention cliff, no traces aging out on someone else's clock.

04 Our posture

Where we stand today.

What's in place, what's in progress, and what isn't supported yet — stated plainly. We'd rather you know than guess.

  • Encryption in transit: TLS 1.3, modern ciphers only
  • Encryption at rest: sealed client-side before upload
  • Data processing agreement: DPA available on request
  • Subprocessor list: published and kept current
  • Responsible disclosure: security@kraterion.com
  • SOC 2 Type II: in progress, on the roadmap
  • ISO 42001: aligned; certification on the roadmap
  • HIPAA / PHI: not currently supported

Need our DPA, subprocessor list, or a security review? security@kraterion.com — documentation is available on request.

05 Who this is for

Teams that have to show their work.

Financial services

Agents that touch advice, underwriting, or trading — where every decision needs a defensible record.

Healthcare & life sciences

Sensitive data with strict access, residency, and deletion requirements.

Public sector

Procurement and citizen-facing AI that must be transparent and auditable by design.

Anyone shipping high-risk AI

If your agent influences real decisions, you'll be asked to show your work.

06 Worth being clear about

Controls, not a checkbox.

Kraterion gives you the technical controls these rules call for — durable logs, encryption, revocable access, replay, and lineage. It doesn't make you compliant on its own, and nothing here is legal advice. Your compliance program is yours; we make the evidence easy to produce.

Compliance & governance

Ship AI you can
stand behind in an audit.

Durable audit trails. Data you own and can erase. Runs you can replay.
