Trust Centre

Security, compliance, and transparency

Architectural guarantee

We cannot leak what we never store.

AqtaCore™ is an enforcement proxy that runs before the action executes. It signs every decision, enforces every policy, and returns a cryptographic receipt. Prompts, responses, and PII are never stored by default.

Request flow

Client → request → AqtaCore gateway (policy enforced, Ed25519 signed) → Client + receipt → Auditor verifies offline

The auditor verifies the receipt against the published Ed25519 public key. No Aqta server is in the trust path. See the technical walkthrough for the cryptography.

Regulatory Compliance & Standards Alignment

AqtaCore is designed to satisfy the strict technical requirements of major international regulations and data protection frameworks. For full transparency, we distinguish between Aligned Standards, where we map our cryptographic telemetry, policy engines, and signed receipt attributes directly to specific legal articles so that clients can demonstrate compliance within their own deployments, and Certifications (such as ISO/IEC 42001), which require independent third-party audits and are on our active operational roadmap. None of the legal frameworks below offers a vendor-level certification; rather, our infrastructure is engineered to support your compliance with the following:

EU AI Act (Aligned)

Articles 12, 14, 72: transparency, human oversight, and record-keeping. Architectural features are engineered to enable client-side compliance ahead of the August 2026 enforcement.

GDPR (Aligned)

Article 25: data protection by design and by default. EU-hosted across AWS (Ireland, Frankfurt) and Google Cloud (Belgium) to enable full data sovereignty and localized processing compliance within the EU.

HIPAA-ready architecture (Aligned)

PHI redaction, end-to-end transit encryption, and on-premises deployment options. Engineered to align with healthcare safety requirements. BAA discussions for Enterprise are open on request.

NIST AI RMF (Mapping)

Detailed alignment crosswalk mapping our gateway enforcement and signed attestation outputs to the NIST AI Risk Management Framework. Available to early-access partners.

ISO/IEC 42001 (Roadmap)

International AI management-system standard. While our platform is technically built to align with these controls, formal third-party certification is scheduled on our active operational roadmap.

DORA · MiFID II · NIS2 · SR 11-7 (Aligned)

Technical alignment shipped to support regulated financial services (Article 6 ICT risk evidence, Article 16 record-keeping, and NIS2 incident handling). Supporting client audits under engagement.

Trustworthy AI · ALTAI self-assessment

The seven key requirements from the EU High-Level Expert Group's Assessment List for Trustworthy AI (ALTAI). Each requirement names the artefact a reviewer can inspect, not an aspiration.

01 · Human agency & oversight

AqtaCore kill switch + policy engine, “Request Human Review” on every gateway call, Spectra voice/keyboard/gesture user choice, AqtaBio HITL sign-off field on top-1% risk tiles, Pulse patient-led clinical-scanning choice.

02 · Robustness & safety

Bounds Pro five-layer detection ensemble, Spectra deterministic walkthrough fallback when the live agent hits quota, Ed25519 receipt integrity, AqtaBio per-revision signing seed so receipts survive deploys, Pulse offline-first sensor calibration.

03 · Privacy & data governance

Bounds Pro fully on-device PDF redaction, Spectra camera frames never leave the browser, Pulse on-device biometric extraction (rPPG/voice notes never uploaded), AqtaCore zero PII stored, AqtaBio anonymous-tiles gate on the public API.

04 · Transparency

ATTESTATION-v1 open spec (CC BY 4.0), reference verifiers on PyPI and npm, weekly signed AqtaBio commits, SHAP attribution, per-product /architecture pages.

05 · Diversity, non-discrimination & fairness

Spectra is built for blind, low-vision, post-stroke, multilingual and hands-busy users. Testera serves nine standardised exams across multiple regions. Pulse voice diagnostics cover 70+ languages. AqtaBio publishes country-rank failure disclosures (the first prospective Ebola signal was rank 4, not rank 1, and we said so first).

06 · Societal & environmental wellbeing

AqtaBio One Health zoonotic-spillover signal, Pulse hospital validation in Thailand pairing environmental telemetry with personal health, Spectra accessibility for healthcare access, Apache 2.0 source releases on Bounds and Spectra.

07 · Accountability

Ed25519 signed receipts per AI call, offline verifier so the trust path doesn't go through Aqta's servers, public security policy (two-working-day acknowledgement, ten-working-day remediation), AqtaBio append-only public ledger of predictions.

Security Infrastructure

Encryption

AES-256 at rest. TLS 1.3 in transit. Ed25519-signed verdict at inference for every request. SHA-256 hash-chained audit logs at export, tamper-evident.

Access Controls

Role-based access management (RBAC). Multi-factor authentication enforced. Audit logs for every access event.

EU data sovereignty

EU-hosted by default across both clouds: AWS in Ireland (eu-west-1) and Frankfurt (eu-central-1), Google Cloud in Belgium (europe-west1). VPC isolation. Dedicated-region options on Enterprise plans.

No PII in Session Metadata

Session metadata contains model ID, timestamp, cost, and policy result. No prompt content. No response content. No user data. Sessions auto-expire per your retention tier.

Data retention by tier

Tier-based and configurable, up to seven years for regulated-clinical retention. Custom on Enterprise. Applies to session metadata and signed receipt chains alike, and receipts remain offline-verifiable for the full retention window.

Incident Response

72-hour breach notification per GDPR Article 33. Documented incident response plan. Security contact: security@aqta.ai

Security Posture

We treat AqtaCore as a security-critical product because regulated buyers do. The current state of the security posture is documented here and refreshed at least quarterly.

Open attestation specification

The receipt format, two reference verifiers, and 14 conformance test vectors are public on github.com/Aqta-ai/attestation-spec under permissive licences. Customers can verify any receipt offline.

Per-receipt live chain

Every receipt records a SHA-256 chain hash that commits to the previous receipt for its org. Tampering with any historical row produces a hash mismatch on every later row. Authenticated callers verify their entire chain via the compliance API.
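The receipt chain described above, together with the offline verification from the request-flow section, as an added example in Go. This is not the project's own verifier and not the ATTESTATION-v1 wire format: the receipt layout, field names, genesis value, canonicalisation and the four sample receipts are assumptions constructed for this example. The page states only that each receipt carries a SHA-256 chain hash committing to the previous receipt for its org and an Ed25519 signature, and that an auditor verifies with the published public key alone. The verifier below recomputes each link from the hash it carried forward rather than trusting the value stored in the row, which is why a single altered historical row is reported on every later row as well.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Receipt is a hypothetical layout constructed for this example; it is not
// the ATTESTATION-v1 format. Only session-level metadata is carried: no
// prompt, no response, no user data.
type Receipt struct {
	Org       string `json:"org"`
	Seq       int    `json:"seq"`
	ModelID   string `json:"model_id"`
	Timestamp string `json:"timestamp"`
	Policy    string `json:"policy_result"`
	PrevHash  string `json:"prev_hash"`  // hex chain hash of the previous receipt
	ChainHash string `json:"chain_hash"` // hex SHA-256(prev || canonical body)
	Sig       string `json:"sig"`        // hex Ed25519 signature over chain_hash
}

// genesisHash seeds the chain for an org with no receipts yet (assumed value).
var genesisHash = strings.Repeat("0", 64)

// chainHash recomputes a receipt's chain hash from the previous hash the
// caller carried forward, never from a value read out of the row itself.
func chainHash(prev string, r Receipt) string {
	body := r
	body.ChainHash, body.Sig = "", ""
	enc, err := json.Marshal(body) // fixed struct field order gives a canonical encoding
	if err != nil {
		panic(err)
	}
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write(enc)
	return hex.EncodeToString(h.Sum(nil))
}

// Issue is the gateway side: link the new receipt to the previous hash, then
// sign the link so the chain cannot be re-rooted without the private key.
func Issue(priv ed25519.PrivateKey, prev string, r Receipt) Receipt {
	r.PrevHash = prev
	r.ChainHash = chainHash(prev, r)
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, []byte(r.ChainHash)))
	return r
}

// VerifyChain is the auditor side. It needs only the published public key and
// the exported rows, no call to any server. It returns the indices of every
// row that fails a hash or signature check; an empty result means the chain
// is intact.
func VerifyChain(pub ed25519.PublicKey, chain []Receipt) []int {
	var bad []int
	prev := genesisHash
	for i, r := range chain {
		expect := chainHash(prev, r)
		sig, err := hex.DecodeString(r.Sig)
		if expect != r.ChainHash || err != nil || !ed25519.Verify(pub, []byte(r.ChainHash), sig) {
			bad = append(bad, i)
		}
		// Carry the recomputed hash forward: an altered row changes the
		// expected hash of every row after it, not just its own.
		prev = expect
	}
	return bad
}

// SampleChain builds four constructed receipts for one org.
func SampleChain(priv ed25519.PrivateKey) []Receipt {
	policies := []string{"allow", "deny", "allow", "allow"}
	var chain []Receipt
	prev := genesisHash
	for i, p := range policies {
		r := Issue(priv, prev, Receipt{
			Org: "org_demo", Seq: i + 1, ModelID: "model-x",
			Timestamp: fmt.Sprintf("2026-01-0%dT00:00:00Z", i+1), Policy: p,
		})
		chain = append(chain, r)
		prev = r.ChainHash
	}
	return chain
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chain := SampleChain(priv)
	fmt.Println("intact chain, failing rows:", VerifyChain(pub, chain))

	// Flip a historical verdict in the export: row 1 and every later row fail.
	chain[1].Policy = "allow"
	fmt.Println("after altering row 1, failing rows:", VerifyChain(pub, chain))
}
```

In a real deployment the auditor would load the published Ed25519 public key instead of generating a key pair, and the export would come from the compliance API; the verification logic itself does not change.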

Groth16 zero-knowledge verifier available

Pairing-based zero-knowledge verifier exposed on the public API. A precomputed demo proof is verifiable end to end. Prover access is offered as a sidecar service for Enterprise tier; circuit details are shared with early-access customers under NDA.

Cross-org threat intelligence with privacy proofs

Early-access orgs see anonymised threat-pattern signals contributed by other participants, never the identities of those orgs. Contributor counts are privacy-bucketed; raw figures are gated behind cryptographic commitments with differential privacy. Mechanism details are available to early-access customers under NDA. General availability rolls out over the course of the early-access programme.

Post-quantum migration documented

Not post-quantum secure today. The SHA-256 chain hash is quantum-resilient; signature primitives (Ed25519, Schnorr, Groth16) need migration. ATTESTATION-v2 target: hybrid signing with ML-DSA-65 (NIST FIPS 204) plus Ed25519. Full read at /post-quantum.

DPA available on request

GDPR Article 28 Data Processing Agreement available for early-access customers and Enterprise contracts. Email legal@aqta.ai with your legal entity.

Dependency hygiene

All third-party Python and Node dependencies are pinned. npm audit and pip-audit run on every CI build. SBOM available on request.

Reviewed quarterly

Penetration-test and formal-verification path discussed with enterprise early-access customers under NDA; specifics are scoped per engagement. Confidential security disclosures: SECURITY.md (acknowledgement within two working days).

Company Information

Aqta Technologies Limited

Registered in Ireland

Company Registration Number (CRO): 807530

Supported through Irish startup and research programmes, including an Enterprise Ireland Innovation Voucher.

Security: security@aqta.ai

General: hello@aqta.ai