Compliance & Regulatory Status

• Art. 7 — Explicit consent recorded at registration (timestamp + IP)
• Art. 15 — Right of access: structured JSON export endpoint
• Art. 17 — Right to erasure: gdpr_machine_unlearning.py — SISA/SCRUB cascade + model retraining
• Art. 20 — Data portability: one-click structured export
• Art. 25 — Privacy by Design: BrainCode data minimisation (60–80% reduction)
• Art. 28 — Sub-processor audit: Hetzner (EU), Proton AG (CH) — EU/adequacy only, no US AI providers
• Art. 30 — ROPA maintained and signed
• Art. 33 — Automated 72h breach notification pipeline (DPO email + AKI)
• Art. 37 — DPO appointed: Marco Piccio (m.piccio@brainpredict.ai)

• Art. 9 — Risk management system — sentinel_certification.py
• Art. 11 + Annex IV — Full 9-section technical documentation auto-generated (eu_ai_act_annex_iv.py)
• Art. 12 — Record-keeping: Dilithium-3 signed audit trail per decision
• Art. 13 — Conformal Prediction: 90%-guaranteed confidence intervals + TreeSHAP
• Art. 14 — Human oversight: AI Council + one-click override on every prediction
• Art. 47 — EU Declaration of Conformity signed by Raphaël Clairin
• Art. 49 — Annex VIII registration record generated, ready for submission when euaidb.ec.europa.eu opens
• Art. 51 — Confirmed not applicable (not a GPAI foundation model publisher)
• Art. 52 — All AI responses carry the mandatory transparency disclosure

External dependency: Art. 49 database submission pending EU portal public opening (expected Q1/Q2 2026)

• Art. 21 — 10 control domains implemented (risk, incident, BCP, supply chain, crypto, HR, hygiene, MFA, cloud, cryptography)
• Art. 23 — 24h early warning (CERT-EE) + 72h notification (RIA) + 1-month final report (AKI) — auto-triggered
• Art. 26 — Registration submission API to ria@ria.ee ready
• Pipeline subscribed to 5 IB security events (anomaly, breach, OT anomaly, AI attack, auth brute-force)
• Service: nis2_cert_ee_pipeline.py

External dependency: Manual send of registration email to ria@ria.ee (tech record generated)

• Art. 6/9 — ICT risk register (in-memory + IB-published)
• Art. 11 — Business continuity plan — daily PG backups + Hetzner DR
• Art. 17 — ICT incident management process
• Art. 18 — Automated classification (MAJOR / SIGNIFICANT / MINOR) per Delegated Reg. 2024/1774
• Art. 19 — 4h initial + 72h intermediate + 1-month final report pipeline
• Art. 28 — Third-Party Service Provider register (Hetzner, Proton)
• Art. 30 — Contractual addendum template ready
• Service: dora_ict_incident_pipeline.py

• 33 Trust-Service-Criteria controls designed across CC1-CC9 + A1 + C1 + PI1 + P1
• Continuous evidence collection engine (soc2_evidence_collector.py) with Merkle-anchored observations
• Every control has a live evidence source (e.g. CC6.6 → Kyber-768 mTLS, CC7.3 → nis2 pipeline)
• Type II operating effectiveness requires CPA attestation over 3–12 months — runs continuously in the background

External dependency: External CPA attestation (PwC/Deloitte/E&Y/KPMG/BDO) — triggered on first enterprise contract requiring SOC 2 Type II

• Clause 4.3 — ISMS scope document: BrainPredict AI OS, 20 platforms, Hetzner EU + on-premise
• Clause 6.1.3(d) — Statement of Applicability covering 93 Annex A controls across 4 themes
• A.5.9 — Asset inventory auto-discovery (7 core assets registered at boot)
• A.8.24 — Cryptography: Kyber-768 IB encryption + Dilithium-3 signing
• Clause 9.2 — Internal audit register · Clause 9.3 — Management review logs
• Service: iso27001_isms_registry.py

External dependency: Certification Stage 2 — requires accredited CB audit (UKAS / DAKKS / EA-MLA)

• §164.308 administrative safeguards
• §164.310 physical safeguards (Hetzner DE — ISO 27001 + SOC 1/2/3 attested datacentre)
• §164.312 technical safeguards: access control · audit · integrity (SHA3-256) · MFA · TLS 1.3 + Kyber-768
• §164.502 Business Associate Agreement registry
• §164.514(b)(2) Safe Harbor de-identification: 18 identifier regex pipeline
• Service: hipaa_phi_detector.py

External dependency: Signed BAA with each covered entity before production PHI processing

• §11.10 — Validation, integrity, retention, access, audit trail, authority checks
• §11.50 — Signature manifestation (printed name, UTC timestamp, meaning)
• §11.70 — Record-signature binding: HMAC-SHA3-256 + Dilithium-3 (FIPS-204)
• §11.100 — Unique signer IDs enforced
• §11.200 — Two-factor e-signature (knowledge + possession)
• §11.300 — Uniqueness enforcement + loss management
• Service: fda_21cfr11_electronic_records.py

External dependency: FDA submission is customer-specific (medical-device provider responsibility)

• §1798.100/110 Right to know · §1798.105 delete · §1798.106 correct
• §1798.120 opt-out of sale/share · §1798.121 limit sensitive PI
• §1798.125 non-discrimination enforcement
• §1798.130 45-day response SLA tracker (+45-day extension)
• Global Privacy Control (GPC) signal respected
• Service: ccpa_consumer_rights_api.py · Portal: /legal/ccpa-request

• §302 Management assertion records (CEO + CFO signed + Merkle-anchored)
• §404 ITGC control testing — 17 controls across Access, Change, Ops, Dev
• PCAOB AS 2201 continuous-monitoring evidence
• Automated quarterly test runs + on-demand via API
• Service: sox_404_control_testing.py

External dependency: External audit firm attestation — when customer contract requires