Which Regulations Does Constrix Satisfy?
Constrix does not produce a compliance report. It produces the actual technical controls that regulations require — and generates the evidence that proves those controls were active at the time of an incident or audit. The question regulators ask is not 'do you have a policy?' It is: 'can you prove your AI acted within that policy, at this specific time, and that the record cannot be altered?'
Built for the frameworks regulators actually cite.
Every Constrix architectural property maps to a specific regulatory obligation. Not a compliance checklist. A structural implementation.
EU AI Act
Art. 9 · 12 · 13 · 17
Article 9 (risk management system), Article 12 (record-keeping: automatic logging of events over the system's lifetime), Article 13 (transparency and provision of information to deployers) and Article 17 (quality management system) are addressed structurally: every decision is logged automatically, sealed tamper-evidently, and attributed to a specific agent identity.
NIST AI RMF
MAP · MEASURE · MANAGE
The NIST AI Risk Management Framework is voluntary rather than mandatory; it describes how organizations map AI risks in context, measure them continuously, and manage them systematically. The CAPL audit record provides the continuous measurement signal; the Constrix policy engine implements the management controls.
ISO/IEC 42001
§6.1 · §8.4 · §9.1
Actions to address AI risks and opportunities (§6.1), AI system impact assessment (§8.4), and monitoring, measurement, analysis and evaluation (§9.1). Constrix's sealed pipeline is the operational control layer; CAPL audit retention provides the independently verifiable performance record.
SOC 2 Type II
CC6 · CC7 · CC9
Logical and physical access controls (CC6), system operations (CC7), and risk mitigation, including vendor and business-partner risk (CC9). AgentID provides cryptographic identity for every non-human actor (CC6); CAPL provides the tamper-evident system event record (CC7).
GDPR
Art. 5(1)(f) · 22 · 25
Integrity and confidentiality of processing (Art. 5(1)(f)), accountability for automated individual decision-making (Art. 22), and data protection by design and by default (Art. 25). Constrix governs which data AI agents can access, produces sealed proof of every automated decision, and enforces data access policy at the architecture layer.
HIPAA
§164.312(b) · §164.308(a)(1)
The HIPAA Security Rule's audit controls standard (§164.312(b)) requires hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; §164.308(a)(1) is the security management process standard. CAPL provides the sealed, tamper-evident audit record. AgentID identifies which AI agent accessed which patient data, in which session, at what time.
Constrix does not replace legal counsel. It provides the technical controls that regulators evaluate.
Your compliance score. Updated live.
ComplyAI evaluates your active governance controls against each regulation's requirements and produces a real-time compliance score. Gaps are identified. Corrective rules are ready to deploy.
Scores shown are illustrative. Your actual compliance posture depends on your active governance rules.
Ed25519 + CBOR — Tamper-Evident by Design
Every evaluation produces a sealed audit record. The record is serialized to CBOR (RFC 8949) and signed with Ed25519 (RFC 8032), a deterministic signature scheme: the same key and message always yield the same signature, so a seal can be recomputed by the issuer and compared byte for byte, not only verified.
Ed25519 Signatures
Deterministic, fast, and designed to be implemented in constant time. Every decision record is signed with Ed25519, the same algorithm used for OpenSSH keys and supported for TLS 1.3 signatures and X.509 certificates (RFC 8410).
CBOR Encoding
Concise Binary Object Representation (RFC 8949): structured, compact, and reproducible when the encoder follows the core deterministic encoding requirements of RFC 8949 §4.2 (shortest integer and length forms, map keys sorted by their encoded bytes, no indefinite-length items). Plain CBOR permits several encodings of the same value; only the deterministic profile gives byte-for-byte reproducibility across environments, which is what makes a signature over those bytes meaningful.
Tamper-Evident Records
Any modification to a sealed decision record, even a single bit, invalidates the signature. Regulators and auditors can verify integrity without trusting your infrastructure; all they need is an authentic copy of the signing public key.
Failure Reason Capture
When a decision is deny or kill, the structured failure reason is embedded in the seal. You always know why a decision was made, with cryptographic proof of that reason.
Built for regulated environments
Ed25519 Signatures
Every decision is signed with Ed25519, an industry-standard elliptic-curve signature algorithm (RFC 8032). Implementations are open source and widely reviewed, and a seal can be verified with any standard Ed25519 library.
CBOR Encoding
Audit records are encoded in CBOR, the compact binary format defined by RFC 8949 (which obsoletes RFC 7049), using its deterministic encoding rules. One record, one byte sequence: there is no interpretation step in which what happened could be rewritten.
Tamper-Evident Records
Any modification to any byte of a CAPL record invalidates the signature. Tampering is immediately detectable by any standard Ed25519 verification library.
Failure Reason Capture
Deny and kill decisions include the structured failure reason sealed in the record. Your auditor knows not just what was rejected, but why — in a form that cannot be modified.
TLS 1.3 Everywhere
All Constrix communication is protected by TLS 1.3. No downgradeable connections. No legacy handshakes. Transport encryption is always current.
Fail-Closed Architecture
Any error state in the evaluation pipeline produces a deny decision, never a silent permit. The only way to execute is for governance to explicitly allow it.
OWASP MCP Top 10
Every item on the OWASP MCP Top 10 is addressed structurally at the proxy layer. Tool poisoning, supply chain attacks, excessive permissions, prompt injection via tools — all intercepted before reaching any MCP server.
Offline-Verifiable Seals
CAPL records can be verified offline using any standard Ed25519 verification library and the issuer's public key. No Constrix infrastructure is required: your auditor can verify audit records without access to Constrix systems.
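The sealing described under "Ed25519 + CBOR" (deterministic encoding, signature, failure reason embedded in the seal) and the offline verification described just above, as an added example that is not Constrix's code: it implements the subset of RFC 8949 deterministic encoding a decision record needs (shortest integer and length forms, map keys sorted by their encoded bytes), signs the bytes with Go's standard-library Ed25519, and verifies with nothing but the public key. The record layout (`ts`, `decision`, `agent_fp`, `reason`) and every function name are assumptions for illustration; the actual CAPL schema is not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"sort"
)

// Record is a decision record; the field names used below are illustrative assumptions, not the CAPL schema.
type Record map[string]any

// head writes the CBOR initial byte plus the shortest argument encoding (RFC 8949 section 4.2.1).
func head(buf *bytes.Buffer, major byte, n uint64) {
	mt := major << 5
	if n < 24 {
		buf.WriteByte(mt | byte(n))
		return
	}
	var be [8]byte
	binary.BigEndian.PutUint64(be[:], n)
	for i, width := range []int{1, 2, 4, 8} {
		if width == 8 || n < 1<<(8*width) {
			buf.WriteByte(mt | byte(24+i))
			buf.Write(be[8-width:])
			return
		}
	}
}

// encode covers the subset a record needs: non-negative ints, text and nested maps.
// Map keys are emitted in the bytewise order of their encodings (RFC 8949 section 4.2.1),
// which for text keys is length first, then bytewise. Without that rule two encoders can
// produce different bytes for the same record, and a seal over one will not verify the other.
func encode(buf *bytes.Buffer, v any) error {
	switch x := v.(type) {
	case int: // non-negative values only in this example
		head(buf, 0, uint64(x))
	case string:
		head(buf, 3, uint64(len(x)))
		buf.WriteString(x)
	case Record:
		keys := make([]string, 0, len(x))
		for k := range x {
			keys = append(keys, k)
		}
		sort.Slice(keys, func(i, j int) bool {
			return len(keys[i]) < len(keys[j]) || len(keys[i]) == len(keys[j]) && keys[i] < keys[j]
		})
		head(buf, 5, uint64(len(keys)))
		for _, k := range keys {
			encode(buf, k)
			if err := encode(buf, x[k]); err != nil {
				return err
			}
		}
	default:
		return fmt.Errorf("unsupported type %T", v)
	}
	return nil
}

// Encode returns the deterministic CBOR bytes of a record.
func Encode(rec Record) ([]byte, error) {
	var buf bytes.Buffer
	err := encode(&buf, rec)
	return buf.Bytes(), err
}

type Sealed struct{ Payload, Sig []byte } // what an auditor receives: encoded record plus signature

// NewKeys makes an issuer key pair; the private half never leaves the issuer.
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Seal signs the deterministic encoding. Ed25519 signing is itself deterministic, so the same key and record always give the same seal.
func Seal(priv ed25519.PrivateKey, rec Record) (Sealed, error) {
	payload, err := Encode(rec)
	if err != nil {
		return Sealed{}, err
	}
	return Sealed{payload, ed25519.Sign(priv, payload)}, nil
}

// VerifySeal needs only the issuer's public key, so an auditor can run it offline, with no call back to the issuing system.
func VerifySeal(pub ed25519.PublicKey, s Sealed) bool {
	return ed25519.Verify(pub, s.Payload, s.Sig)
}

func main() {
	pub, priv, _ := NewKeys()
	// Constructed sample: a deny decision carrying its structured failure reason.
	rec := Record{"ts": 1700000000, "decision": "deny", "agent_fp": "3f9ac2", "reason": Record{"code": "data_scope", "rule": "no-ephi-export"}}
	sealed, _ := Seal(priv, rec)
	tampered := Sealed{append([]byte{sealed.Payload[0] ^ 1}, sealed.Payload[1:]...), sealed.Sig} // one flipped bit
	fmt.Printf("%x\nintact: %v  tampered: %v\n", sealed.Payload, VerifySeal(pub, sealed), VerifySeal(pub, tampered))
}
```

Running it prints the hex of the sealed record, `intact: true` and `tampered: false`. Two points the code makes that the prose only asserts: the signature is over the deterministic bytes, so an auditor who re-encodes a decoded record with a different, non-deterministic encoder will get a different byte string and a false "tamper" result (verify the bytes you were given, not a re-encoding); and `VerifySeal` proves only that the holder of the private key produced those bytes, so the public key must come to the auditor through a channel independent of the party whose records are under review.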
Air-Gapped Deployment
Enterprise deployment available in fully air-gapped environments with no external network dependencies. Suitable for military, critical infrastructure, and classified computing environments.
Agent Identity Attestation
Every agent carries a short-lived, Ed25519-signed Agent Identity Token (AIT). Verified offline in under 1ms. Private key never leaves the agent. AIT fingerprint sealed into every CAPL record — identity and decision proven simultaneously.
Ghost Agent Detection
Agents that hold live credentials but produce no governed activity are detected via the CAPL activity record and auto-revoked. Revocation propagates globally in under 500ms. Detection, escalation, and revocation are all sealed CAPL events. No other governance platform has this signal.
Sealed Agent Lifecycle
From registration to planned decommission, the complete agent lifecycle is in the CAPL audit record. Decommission events include a sealed activity summary for the lifetime: total evaluations, decision distribution, unique resources accessed, observed delegation depth.
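The two CAPL-derived signals described above, ghost-agent detection and the decommission activity summary, as an added example that is not Constrix's code: it computes both over a constructed slice of activity records. The `Event` and `Credential` shapes, the 24-hour inactivity window and all field names are assumptions for illustration; the page does not specify CAPL's schema or the threshold Constrix uses.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a constructed stand-in for one CAPL activity record; the field
// names are assumptions for this example, not the CAPL schema.
type Event struct {
	Agent    string
	At       time.Time
	Decision string // "allow", "deny" or "kill"
	Resource string
	Depth    int // delegation depth observed for this evaluation
}

// Credential is an issued credential for an agent, with its expiry.
type Credential struct {
	Agent   string
	Expires time.Time
}

// GhostAgents returns agents that hold a credential live at now but have
// produced no governed activity within the last window. Output is sorted.
func GhostAgents(creds []Credential, events []Event, now time.Time, window time.Duration) []string {
	last := map[string]time.Time{}
	for _, e := range events {
		if e.At.After(last[e.Agent]) {
			last[e.Agent] = e.At
		}
	}
	var ghosts []string
	for _, c := range creds {
		if !c.Expires.After(now) {
			continue // an expired credential cannot be used, so it is not a ghost
		}
		if t, ok := last[c.Agent]; !ok || now.Sub(t) > window {
			ghosts = append(ghosts, c.Agent)
		}
	}
	sort.Strings(ghosts)
	return ghosts
}

// Summary is the lifetime activity summary a decommission event would carry.
type Summary struct {
	Evaluations int
	Decisions   map[string]int
	Resources   int
	MaxDepth    int
}

// Summarize folds one agent's events into its decommission summary.
func Summarize(agent string, events []Event) Summary {
	s := Summary{Decisions: map[string]int{}}
	seen := map[string]bool{}
	for _, e := range events {
		if e.Agent != agent {
			continue
		}
		s.Evaluations++
		s.Decisions[e.Decision]++
		seen[e.Resource] = true
		if e.Depth > s.MaxDepth {
			s.MaxDepth = e.Depth
		}
	}
	s.Resources = len(seen)
	return s
}

func main() {
	now := time.Date(2025, 1, 10, 12, 0, 0, 0, time.UTC)
	// Constructed sample: agent-b holds a live credential but has been silent for three days.
	creds := []Credential{
		{"agent-a", now.Add(24 * time.Hour)},
		{"agent-b", now.Add(24 * time.Hour)},
		{"agent-c", now.Add(-time.Hour)}, // already expired
	}
	events := []Event{
		{"agent-a", now.Add(-10 * time.Minute), "allow", "crm/contacts", 0},
		{"agent-a", now.Add(-5 * time.Minute), "deny", "ehr/patient/42", 1},
		{"agent-b", now.Add(-72 * time.Hour), "allow", "crm/contacts", 0},
	}
	fmt.Println("ghosts:", GhostAgents(creds, events, now, 24*time.Hour))
	fmt.Printf("agent-a summary: %+v\n", Summarize("agent-a", events))
}
```

The window is the only tuning knob and it cuts both ways: too short and an agent that legitimately runs on a weekly schedule is revoked mid-cycle; too long and a leaked credential sits usable for days. In a real deployment the detection, the escalation and the revocation would each be written back as sealed records of their own, which this example leaves out.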