Compliance & Trust — overview
VeraFrame is a compliance-ready component, not a “compliant” product. This distinction is deliberate, and it matters when you are evaluating VeraFrame for a regulated use case.
Compliance-ready, not compliant
No single tool can claim to make your organization compliant with a regulation like the EU AI Act. Compliance is a combination of:
- Technical controls (audit trail, provenance metadata, human oversight, transparency information)
- Organizational controls (documented processes, role assignments, incident response, risk assessments)
VeraFrame implements the technical controls side. That is what compliance-ready means: the technical building blocks you need are here, tested, and ready to plug in. The organizational processes — who reviews what, how incidents are escalated, how you document your risk assessment — remain your responsibility.
This is an honest position. A vendor claiming their tool alone makes you “AI Act compliant” is misleading you.
What VeraFrame provides
The compliance-ready capabilities VeraFrame implements in code today:
- Compliance profiles — per-tenant policy profiles (none, compliance_ready, high_risk_ready) that define the default compliance posture for workflow-enabled tenants.
- AI provenance metadata — every generation records the model, timestamp, and source context used.
- Approve/reject workflow — Article 14 human oversight. Workflow-enabled tenants can route policy-triggered or validation-triggered cases to human review before final use.
- External review workflow — hand off validations to an external review system when your process lives outside VeraFrame.
- Audit trail — structured event log of every generation, review decision, and correction, with exportable JSON and CSV.
- System card — versioned, multi-language description of the VeraFrame system itself (intended use, limitations, human oversight requirements).
- Data retention — configurable TTL on validation history and audit events, with automatic deletion.
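As an added illustration of how these controls fit together in code (example written for this page, not VeraFrame's own implementation; every class, method and posture value below is an assumption), the sketch models a per-tenant compliance profile that decides whether a generation is routed to human review, provenance metadata attached to each generation, an append-only audit trail of generations, review decisions and corrections with JSON and CSV export, and TTL-based retention driven by the profile:

```python
"""Illustrative sketch of the controls above; not VeraFrame's code.

All class names, field names, routing flags and retention periods are
assumptions made for this example.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone

# Assumed posture per profile. The three profile names are the ones the page
# lists; the routing flag and retention days are constructed for illustration.
PROFILE_POSTURE: dict[str, dict] = {
    "none":             {"route_to_review": False, "retention_days": 30},
    "compliance_ready": {"route_to_review": True,  "retention_days": 365},
    "high_risk_ready":  {"route_to_review": True,  "retention_days": 3650},
}


@dataclass(frozen=True)
class Provenance:
    """Metadata recorded for every generation: model, timestamp, source context."""
    model: str
    timestamp: str  # ISO 8601 in UTC
    source_context: str


@dataclass(frozen=True)
class AuditEvent:
    tenant: str
    kind: str  # "generation" | "review_decision" | "correction"
    at: datetime
    details: dict


class Clock:
    """Injectable clock so retention can be exercised without waiting."""
    def __init__(self, start: datetime) -> None:
        self.now = start

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)


class Tenant:
    def __init__(self, name: str, profile: str, clock: Clock) -> None:
        if profile not in PROFILE_POSTURE:
            raise ValueError(f"unknown compliance profile: {profile!r}")
        self.name, self.profile, self.clock = name, profile, clock
        self.events: list[AuditEvent] = []   # append-only audit trail
        self.pending_review: list[str] = []  # generations awaiting a human decision

    def _append(self, kind: str, details: dict) -> None:
        self.events.append(AuditEvent(self.name, kind, self.clock.now, details))

    def record_generation(self, gen_id: str, model: str, source_context: str) -> str:
        """Attach provenance, log the event, and route to review if the profile requires it."""
        prov = Provenance(model, self.clock.now.isoformat(), source_context)
        self._append("generation", {"generation_id": gen_id, "provenance": asdict(prov)})
        if PROFILE_POSTURE[self.profile]["route_to_review"]:
            self.pending_review.append(gen_id)
            return "pending_review"
        return "released"

    def review(self, gen_id: str, reviewer: str, approved: bool, note: str = "") -> str:
        """Record a human oversight decision for a generation awaiting review."""
        if gen_id not in self.pending_review:
            raise LookupError(f"{gen_id} is not awaiting review")
        self.pending_review.remove(gen_id)
        self._append("review_decision", {"generation_id": gen_id, "reviewer": reviewer,
                                         "approved": approved, "note": note})
        return "released" if approved else "rejected"

    def correct(self, gen_id: str, reviewer: str, corrected_text: str) -> None:
        """Log a reviewer's correction of a generation's output."""
        self._append("correction", {"generation_id": gen_id, "reviewer": reviewer,
                                    "corrected_text": corrected_text})

    def purge_expired(self) -> int:
        """Delete audit events older than the profile's retention TTL; return count removed."""
        cutoff = self.clock.now - timedelta(days=PROFILE_POSTURE[self.profile]["retention_days"])
        kept = [e for e in self.events if e.at >= cutoff]
        removed = len(self.events) - len(kept)
        self.events = kept
        return removed

    def export_json(self) -> str:
        rows = [{**asdict(e), "at": e.at.isoformat()} for e in self.events]
        return json.dumps(rows, indent=2)

    def export_csv(self) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["tenant", "kind", "at", "details"])
        for e in self.events:
            writer.writerow([e.tenant, e.kind, e.at.isoformat(), json.dumps(e.details, sort_keys=True)])
        return buf.getvalue()


def demo() -> dict:
    """Constructed walk-through: one regulated tenant and one unregulated tenant."""
    clock = Clock(datetime(2026, 8, 3, tzinfo=timezone.utc))
    regulated = Tenant("acme", "compliance_ready", clock)
    first = regulated.record_generation("g-1", "model-x", "ticket #42 summary")
    decision = regulated.review("g-1", "alice", approved=True, note="looks fine")
    kinds = [row["kind"] for row in json.loads(regulated.export_json())]
    csv_lines = regulated.export_csv().splitlines()
    sandbox = Tenant("lab", "none", clock)
    direct = sandbox.record_generation("g-2", "model-x", "playground prompt")
    clock.advance(400)  # beyond the assumed 365-day TTL of compliance_ready
    removed = regulated.purge_expired()
    return {"first": first, "decision": decision, "direct": direct, "kinds": kinds,
            "csv_header": csv_lines[0], "csv_rows": len(csv_lines) - 1,
            "removed": removed, "remaining": len(regulated.events)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the sketch is the division of labour the page describes: the profile, provenance, routing, export and TTL purge are mechanical and live in code, while who `alice` is, why she approved, and what happens to a rejected generation are decisions the code only records.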
What stays with you
The organizational side of compliance — the part VeraFrame deliberately does not try to own — includes:
- Risk assessment for your specific use of AI, documented per the relevant regulation.
- Role assignment — who in your organization is a reviewer, who is a deployer, who is the data controller.
- Incident response when a reviewer flags a problem.
- Training for users who interact with AI output.
- Organizational documentation that pulls together your technical stack, your process, and your oversight into a coherent whole.
VeraFrame’s compliance-ready package (delivered outside this docs site) contains customer-facing materials to help you assemble the organizational side: a deployer responsibility checklist, an oversight operating-model template, a provider documentation set, and a release compliance checklist. These are starting points, not substitutes for legal counsel.
Which regulations
VeraFrame’s first compliance target is the EU AI Act, whose obligations take effect in phases, with those for high-risk use cases starting in August 2026. The technical controls in VeraFrame map directly to AI Act articles covering:
- Article 9 — risk management
- Article 12 — record-keeping
- Article 13 — transparency
- Article 14 — human oversight
- Article 50 — transparency obligations for generative AI
The same underlying controls also align with:
- NIST AI Risk Management Framework (USA)
- ISO/IEC 42001 (AI management system standard)
VeraFrame’s compliance features are built once and serve multiple frameworks — no refactor needed when a second framework becomes relevant.
How deep each tier goes
- SaaS Cloud — compliance-ready workflow is not enabled by default. Validation history and provenance metadata are recorded, but the approve/reject workflow, audit trail export, and system card are off unless specifically enabled. SaaS Cloud is intended for exploration and non-regulated use.
- Integration — all compliance features are available but configurable. Choose the profile that matches your use case.
- Compliance Edition — compliance profile is pre-configured, audit exports are always on, and the compliance-ready package is included.
Next steps
- Compliance profiles — pick the profile that matches your risk level
- Audit trail — what gets recorded and how to export it
- Approve/reject workflow — how human oversight works in practice