Architectural guarantee
We cannot leak what we never store.
AqtaCore™ is an enforcement proxy that runs before the action executes. It signs every decision, enforces every policy, and returns a cryptographic receipt. Prompts, responses, and PII are never stored by default.
Request flow
The auditor verifies the receipt against the published Ed25519 public key. No Aqta server is in the trust path. See the technical walkthrough for the cryptography.
Regulatory Compliance
AqtaCore is designed to meet the technical requirements of major AI and data protection regulations. Infrastructure architecture maps to the following frameworks:
Articles 12, 14, 72: transparency, human oversight, record-keeping. Enforcement begins August 2026.
GDPR Article 25: data protection by design and by default. EU-hosted across AWS (Ireland, Frankfurt) and Google Cloud (Belgium); data sovereignty within the EU by default.
PHI redaction and encryption at rest and in transit. Architecture designed for healthcare deployments. BAA available for Enterprise.
AI Risk Management Framework crosswalk to AqtaCore enforcement and attestation outputs. Available to enterprise design partners.
AI management-system standard. Certification path opens after first paying enterprise contract.
Technical alignment shipped (Article 6 ICT risk evidence, Article 16 records, NIS2 incident handling). Bespoke audit packages produced under engagement.
Security Infrastructure
Encryption
AES-256 at rest. TLS 1.3 in transit. Ed25519-signed verdict at inference for every request. Audit logs are SHA-256 hash-chained at export, so they are tamper-evident.
Access Controls
Role-based access management (RBAC). Multi-factor authentication enforced. Audit logs for every access event.
EU data sovereignty
EU-hosted by default across both clouds: AWS in Ireland (eu-west-1) and Frankfurt (eu-central-1), Google Cloud in Belgium (europe-west1). VPC isolation. Dedicated-region options on Enterprise plans.
No PII in Session Metadata
Session metadata contains model ID, timestamp, cost, and policy result. No prompt content. No response content. No user data. Sessions auto-expire per your retention tier.
Incident Response
72-hour breach notification per GDPR Article 33. Documented incident response plan. Security contact: security@aqta.ai
Security Posture
We treat AqtaCore as a security-critical product because regulated buyers do. The current state of the security posture is documented here and refreshed at least quarterly.
Open attestation specification
The receipt format, two reference verifiers, and 14 conformance test vectors are public on github.com/Aqta-ai/attestation-spec under permissive licences. Customers can verify any receipt offline.
Per-receipt live chain
Every receipt records a SHA-256 chain hash that commits to the previous receipt for its org. Tampering with any historical row produces a hash mismatch on that row and, when the chain is recomputed from its start, on every later row. Authenticated callers verify their entire chain via the compliance API.
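As an added illustration (not AqtaCore's own code; the real receipt format lives in the attestation-spec repository), a minimal per-org hash chain with the forward recomputation that makes a rewritten historical row fail on itself and every later row. The canonical JSON encoding, the all-zero genesis value and the field names are assumptions.

```python
import copy
import hashlib
import json

# Assumed stand-in for the receipt format (the real one is published in the
# attestation-spec repo): canonical JSON with sorted keys and no whitespace.
def canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

GENESIS = "0" * 64  # assumed sentinel for "no previous receipt" in an org's chain

def chain_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous chain hash and this receipt's canonical body."""
    h = hashlib.sha256()
    h.update(bytes.fromhex(prev_hash))
    h.update(canonical(body))
    return h.hexdigest()

def build_chain(bodies: list) -> list:
    """Append each receipt to the org's chain, recording prev_hash and chain_hash."""
    receipts, prev = [], GENESIS
    for body in bodies:
        ch = chain_hash(prev, body)
        receipts.append({"body": copy.deepcopy(body), "prev_hash": prev, "chain_hash": ch})
        prev = ch
    return receipts

def verify_chain(receipts: list) -> list:
    """Recompute the chain from GENESIS; return indices whose stored prev_hash or
    chain_hash no longer matches. Each recomputed hash feeds the next, so a
    rewritten row fails and so does every row after it."""
    bad, prev = [], GENESIS
    for i, r in enumerate(receipts):
        expected = chain_hash(prev, r["body"])
        if r["prev_hash"] != prev or r["chain_hash"] != expected:
            bad.append(i)
        prev = expected
    return bad

# Constructed session metadata: model ID, timestamp, cost, policy result, no content.
SAMPLE = [
    {"model_id": "model-a", "ts": "2026-01-01T10:00:00Z", "cost_usd": 0.002, "policy": "allow"},
    {"model_id": "model-a", "ts": "2026-01-01T10:00:05Z", "cost_usd": 0.004, "policy": "deny"},
    {"model_id": "model-a", "ts": "2026-01-01T10:00:09Z", "cost_usd": 0.001, "policy": "allow"},
]

def tamper_demo() -> list:
    """Rewrite a historical verdict in place and report which rows now fail."""
    receipts = build_chain(SAMPLE)
    receipts[1]["body"]["policy"] = "allow"  # deny -> allow, stored hashes untouched
    return verify_chain(receipts)            # -> [1, 2]
```

Deleting or reordering rows is caught the same way, because the first surviving row's prev_hash no longer matches the recomputed predecessor.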
Groth16 zero-knowledge verifier available
Pairing-based zero-knowledge verifier exposed on the public API. A precomputed demo proof is verifiable end to end. Prover access is offered as a sidecar service for Enterprise tier; circuit details are shared with design partners under NDA.
Cross-org threat intelligence with privacy proofs
Design-partner orgs see anonymised threat-pattern signals contributed by other partners, never the orgs themselves. Contributor counts are privacy-bucketed; raw figures are gated behind cryptographic commitments with differential privacy. Mechanism details available to design partners under NDA. Live for design partners; general availability rolls in over the pilot programme.
Post-quantum migration documented
Not post-quantum secure today. The SHA-256 chain hash is quantum-resilient; signature primitives (Ed25519, Schnorr, Groth16) need migration. ATTESTATION-v2 target: hybrid signing with ML-DSA-65 (NIST FIPS 204) plus Ed25519. Full read at /post-quantum.
DPA available on request
GDPR Article 28 Data Processing Agreement available for design partners and Enterprise contracts. Email legal@aqta.ai with your legal entity.
Dependency hygiene
All third-party Python and Node dependencies are pinned. npm audit and pip-audit run on every CI build. SBOM available on request.
Reviewed quarterly
Penetration-test and formal-verification path discussed with enterprise design partners under NDA; specifics are scoped per engagement. Confidential security disclosures: SECURITY.md (acknowledgement within two working days).
Company Information
Aqta Technologies Ltd
Registered in Ireland
Company Registration Number (CRO): 807530
Security: security@aqta.ai
General: hello@aqta.ai