Compliance
How Aqta helps you meet regulatory requirements for AI systems.
Overview
Aqta is built for teams operating in regulated environments. Every request that passes through the gateway is logged, auditable, and governed by your policies. The compliance features are designed to support GDPR, the EU AI Act, and sector-specific requirements in healthcare and financial services.
GDPR
What we collect
Aqta records request metadata, timestamp, model used, token counts, cost, and policy outcome. We do not store prompt content or response content by default. You control whether content logging is enabled for your organisation.
Data residency
All data for EU customers is stored and processed within the EU. The gateway runs in eu-west-1 (Ireland). No data crosses EU borders unless you explicitly configure a non-EU provider.
Your rights
Access: export all your data at any time via Settings → Export, or via the API:
```bash
GET /api/settings/export
```
Erasure: delete your account via Settings → Delete Account. All personal data is removed within 30 days.
Portability: data exports are available in JSON and CSV format.
Objection: opt out of optional analytics in Settings → Privacy.
Legal basis
| Processing activity | Legal basis |
|---|---|
| Service delivery (proxying requests) | Contract |
| Security monitoring and fraud prevention | Legitimate interest |
| Usage analytics (optional) | Consent |
Data retention
| Tier | Retention period |
|---|---|
| Free | 7 days |
| Starter | 90 days |
| Pro | 365 days |
| Enterprise | Configurable (up to 7 years) |
EU AI Act
The EU AI Act requires providers of high-risk AI systems to meet transparency, human oversight, and documentation standards. Aqta is designed to act as the governance layer that makes these requirements tractable.
What Aqta provides
Audit trail: every request and policy decision is logged with a trace ID, timestamp, model, policy outcome, and cost. Logs are immutable and exportable for regulatory review.
Policy enforcement: define rules for which models, content types, and use cases are permitted for your organisation. Aqta blocks non-compliant requests before they reach a provider.
Human oversight: approval workflows (Pro and above) let you route high-risk requests through a human reviewer before execution.
Transparency: the aqta response object explains why a request was passed, suppressed, or blocked, so users and auditors can understand AI decisions.
Bias monitoring: anomaly detection flags statistical outliers and unusual patterns in model outputs over time.
Healthcare and Annex III
If your application falls under Annex III of the EU AI Act (e.g. AI used in medical diagnosis or clinical decision support), Aqta's healthcare pack includes additional controls:
- Medical record generation for every AI-assisted clinical decision
- Human-in-the-loop review workflows for high-risk cases
- Extended audit trails formatted for clinical governance
Contact hello@aqta.ai to discuss your specific compliance requirements.
HIPAA
Customers in the US healthcare sector can deploy Aqta with HIPAA-aligned configuration. This includes:
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Role-based access controls
- Immutable audit logs
- Business Associate Agreement (BAA) on request
- Data Processing Agreement (DPA) available on request for GDPR obligations
To request a BAA or DPA, email hello@aqta.ai.
Certifications and roadmap
| Standard | Status |
|---|---|
| GDPR | Aligned |
| EU AI Act | Aligned |
| HIPAA | Architecture aligned, contact us for health-pack details |
| SOC 2 Type II | Controls aligned, formal certification planned |
| ISO 27001 | Planned 2027 |
Audit logs and reporting
What's logged
Every request produces an immutable log entry containing:
- Trace ID, timestamp, organisation ID
- Model, provider, token counts, cost in EUR
- Policy outcome (`passed`, `suppressed`, or `blocked`) and reason
- Response time
Prompt and response content are only logged if your organisation has explicitly enabled content logging.
Exporting logs
```bash
# Audit log export (date range)
GET /api/compliance/audit-logs?start=2026-01-01&end=2026-01-31

# Compliance score
GET /api/compliance/score

# PDF compliance report (Pro and above)
POST /api/compliance/export
```
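A reviewer pulling an audit-log export will usually want to check it against what this page promises: every entry carries the listed fields, the policy outcome is one of the three documented values, and no prompt or response content appears unless content logging was enabled. The script below is an added example, not Aqta's own code; the page lists the logged fields but not the export schema, so the JSON field names (`trace_id`, `org_id`, `cost_eur`, `policy_outcome`, ...) and the sample entries are assumptions constructed here so it runs offline.

```python
"""Sanity-check an Aqta audit-log export against the fields this page lists.

Added example, not Aqta's own code. Field names are assumed (the export
schema is not documented on the page); the sample export is constructed.
"""
import json
from collections import Counter

# Fields the page says every log entry carries; the JSON keys are assumptions.
REQUIRED = {"trace_id", "timestamp", "org_id", "model", "provider",
            "input_tokens", "output_tokens", "cost_eur", "policy_outcome",
            "reason", "response_time_ms"}
OUTCOMES = {"passed", "suppressed", "blocked"}   # documented policy outcomes
CONTENT_FIELDS = {"prompt", "response"}           # only present if opted in


def _entry(tid, outcome, **extra):
    """Build one constructed log entry (sample data, not a real export)."""
    base = {"trace_id": tid, "timestamp": "2026-01-03T10:00:00Z",
            "org_id": "org-1", "model": "model-a", "provider": "provider-x",
            "input_tokens": 120, "output_tokens": 40, "cost_eur": 0.0021,
            "policy_outcome": outcome, "reason": "policy rule r1",
            "response_time_ms": 812}
    base.update(extra)
    return base


# Constructed sample export: three clean entries plus three that should be flagged.
SAMPLE_EXPORT = json.dumps([
    _entry("t-001", "passed"),
    _entry("t-002", "blocked"),
    _entry("t-003", "suppressed"),
    _entry("t-004", "passed", prompt="clinical note ..."),          # content present
    {k: v for k, v in _entry("t-005", "passed").items() if k != "cost_eur"},  # field missing
    _entry("t-006", "approved"),                                     # undocumented outcome
])


def audit_export(raw, content_logging_enabled=False):
    """Return (findings, outcome_counts) for a JSON audit-log export body."""
    findings, counts = [], Counter()
    for e in json.loads(raw):
        tid = e.get("trace_id", "<no trace_id>")
        missing = REQUIRED - e.keys()
        if missing:
            findings.append(f"{tid}: missing fields {sorted(missing)}")
        outcome = e.get("policy_outcome")
        if outcome in OUTCOMES:
            counts[outcome] += 1          # feeds the enforcement statistics
        else:
            findings.append(f"{tid}: unknown policy_outcome {outcome!r}")
        leaked = CONTENT_FIELDS & e.keys()
        if leaked and not content_logging_enabled:
            findings.append(f"{tid}: content {sorted(leaked)} logged without opt-in")
    return findings, dict(counts)


if __name__ == "__main__":
    for line in audit_export(SAMPLE_EXPORT)[0]:
        print(line)
```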
Scheduled reports
Pro and Enterprise plans include automated quarterly compliance reports covering request volume, policy enforcement statistics, anomaly detection results, and data retention compliance.
Incident response
Detection: real-time monitoring with alerting on anomalous patterns.
Assessment: within 24 hours of detection.
Notification: within 72 hours as required by GDPR Article 33.
Remediation: immediate containment, followed by root cause analysis and corrective measures.
All incidents are documented and available on request.
Contact
For compliance questions, BAA requests, or regulatory documentation:
Email: hello@aqta.ai