Every component mapped to regulation.
ProvableCORE® was designed from day one to satisfy specific regulatory obligations. This page shows, for each major framework, which regulatory requirement is discharged by which component of the system. No hand-waving. No "trust us, we comply." Just direct mapping.
Primary frameworks (EU)
EU AI Act · Regulation (EU) 2024/1689
ProvableCORE® customers operating high-risk AI systems under Annex III (credit scoring, insurance pricing) use our platform to satisfy the Regulation's technical obligations.
| Article | Requirement | ProvableCORE® component |
|---|---|---|
| Art. 9 | Risk management system | Confidence Matrix + Drift Detection + Trust Budget |
| Art. 10 | Data and data governance | SD-JWT selective disclosure + column-level policy tags |
| Art. 11 | Technical documentation (Annex IV) | Evidence Pack Compiler generates Annex IV documentation per decision |
| Art. 12 | Automatic record-keeping | Event Spine + Merkle Ledger + WORM storage (7 years) |
| Art. 13 | Transparency and information to deployers | Decision Proof Objects with human-readable reason chains |
| Art. 14 | Human oversight | S/D/H reflex model — Class H decisions require explicit human approval |
| Art. 15 | Accuracy, robustness, cybersecurity | Deterministic replay + KMS HSM + Workload Identity Federation |
EBA GL/2020/06 · Loan Origination
European Banking Authority guidelines on loan origination and monitoring. Applies to banks and non-bank credit institutions issuing loans within the EU.
| Section | Requirement | ProvableCORE® component |
|---|---|---|
| §4.3 | Creditworthiness assessment | Deterministic credit model with SHAP explainability per decision |
| §5.2 | Use of automated models — explainability | SHAP Evidence Cards with feature attribution and confidence intervals |
| §5.3 | Model development, validation, performance monitoring | Model Validation Appendix + drift detection + counterfactual simulation |
| §7.1 | Milestone-based credit monitoring | Event-driven reflex model tracks milestone status automatically |
| §9 | Data infrastructure for credit risk management | BigQuery analytics warehouse with column-level policy tags |
DORA · Regulation (EU) 2022/2554
Digital Operational Resilience Act. Applies to financial entities (banks, insurers, investment firms and other regulated entities) and has applied since 17 January 2025.
| Article | Requirement | ProvableCORE® component |
|---|---|---|
| Art. 5-16 | ICT risk management framework | Event journal + cryptographic integrity + drift detection + incident constitution |
| Art. 17-23 | ICT-related incident management, classification, reporting | AIR v1.0 Autonomous Incident Response with ProvableCORE-signed incident records |
| Art. 24-27 | Digital operational resilience testing | Counterfactual simulation engine + deterministic replay |
| Art. 28-44 | ICT third-party risk management | Sub-processor register + DPA + SLA coverage per Trust Center |
GDPR · Regulation (EU) 2016/679
General Data Protection Regulation. Applies to all processing of EU personal data.
| Article | Requirement | ProvableCORE® component |
|---|---|---|
| Art. 5 | Data minimization | SD-JWT selective disclosure — audiences receive only necessary fields |
| Art. 22 | Automated individual decision-making safeguards | S/D/H model — decisions with legal effect routed to Class H (human required) |
| Art. 25 | Data protection by design and by default | Per-tenant CMEK + column-level policy tags + tokenization service |
| Art. 32 | Security of processing | TLS 1.3, FIPS 140-2 HSM, workload identity federation, audit logging |
| Art. 35 | Data Protection Impact Assessment | Full DPIA completed April 2026; summary available under NDA |
| Art. 46 | Transfers subject to appropriate safeguards (SCCs) | EU-only data residency by default; SCC module available for extra-EU customers |
EUDR · Regulation (EU) 2023/1115
EU Deforestation Regulation. Applies to placing specific commodities (soy, beef, palm oil, cocoa, coffee, wood, rubber) and products derived from them on the EU market, and to exporting them from it. Relevant for agricultural lenders financing these commodity chains.
| Requirement | ProvableCORE® component |
|---|---|
| GPS plot-level traceability | Grain Passport with geolocation at plot level |
| Deforestation-free declaration (no deforestation after the Regulation's 31 December 2020 cut-off) | Sentinel-2 satellite imagery + land-use change detection |
| Chain of custody from producer to operator | Merkle-anchored supply chain events |
Secondary frameworks
Basel II / Basel III · SR 11-7
Model risk management guidance. SR 11-7 is US Federal Reserve supervisory guidance (issued jointly with OCC Bulletin 2011-12), but its model validation and independent-review expectations are widely used as a reference by supervisors outside the US. Decision Proof Objects + deterministic Replay are the components offered to support model validation and independent review.
ISO/IEC 42001:2023
First international standard for AI Management Systems. Gap analysis complete. External audit targeted Q3 2026. Constitutional Governance Kernel maps directly to AIMS clauses 4-10.
SR 11-7 / OCC Bulletin 2011-12 · SEC Rule 17a-4
For customers operating in US markets via our Americas edition (provablecore.com): FIPS 140-2 HSM signing, 7-year WORM retention, SHAP explainability, examiner-accessible verification endpoint.
SOC 2 Type II
External audit planned. Type I scheduled Q4 2026, Type II scheduled 2027. Controls mapped to Trust Services Criteria: Security, Availability, Confidentiality, Processing Integrity.
ISO/IEC 27001
The underlying infrastructure is covered by Google Cloud's ISO/IEC 27001 certification. Under the shared-responsibility model that covers the cloud provider's controls only, not our own ISMS; our own ISO/IEC 27001 certification is planned for 2027, following SOC 2 Type II.
eIDAS · MSign (Moldova)
Qualified electronic signatures for legal admissibility. MoldSign KES supported for Moldova-registered entities; eIDAS QES supported for EU customers.
Document package available under NDA
Prospective customers and pilot participants can request the full compliance document package under mutual NDA:
- DPIA Summary — GDPR Article 35 impact assessment, 25 pages
- Technical Documentation (AI Act Annex IV) — system architecture, training data provenance, performance metrics, 40 pages
- Risk Management System — AI Act Art. 9 documentation, 18 pages
- Model Validation Appendix — designed to support Basel II / SR 11-7 review, 32 pages
- Human Oversight Procedure — AI Act Art. 14 documentation, 12 pages
- Conformity Assessment Checklist — per Annex VII of AI Act
- SLO / SLA Definition Document — per-tier performance commitments
- Incident Response Runbook — DORA Art. 17-23 aligned
- DPA (Data Processing Agreement) Template — designed for GDPR Art. 28 alignment
- SCC Module — Standard Contractual Clauses for extra-EU transfers
Regulatory observability
Every ProvableCORE® receipt is independently verifiable by your regulator, your internal auditor, or any third party — without access to our infrastructure. The public verification endpoint requires no authentication:
POST https://provablecore.com/governance/verify
This design choice is deliberate. We believe that accountability infrastructure should not depend on trusting the vendor. Verifiers need only three things to check a receipt: the receipt itself, the published public key, and the Merkle path from the receipt's leaf to the ledger root. Nothing more. Because the check does not require our infrastructure, it can be performed fully offline; the endpoint is a convenience, not a dependency. Verifiers should obtain the public key out of band (from the published key material, not from a key embedded in the receipt being checked) and pin it.
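The following is an added illustration of that offline check, not ProvableCORE's own verifier or receipt schema (the page does not publish either). It assumes a hypothetical receipt layout (payload, leaf index, sibling path, signed root), SHA-256 with RFC 6962-style leaf/node domain separation, and an Ed25519 signature over the root; the key pair, the four decision records and the ledger side that issues receipts are all constructed here so the example runs stand-alone.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Receipt is a hypothetical layout assumed for this example; the page does not
// publish ProvableCORE's actual schema. Everything a verifier needs travels in
// it except the public key, which must come from the vendor's published key.
type Receipt struct {
	Payload   []byte   // the decision record (constructed sample data below)
	LeafIndex int      // leaf position in the ledger tree; decides sibling order
	Path      [][]byte // sibling hashes from the leaf up to the root
	Root      []byte   // ledger root the vendor signed
	Signature []byte   // Ed25519 signature over Root
}

// leafHash and nodeHash use RFC 6962-style domain separation so a leaf can
// never be passed off as an interior node (an assumption about the scheme).
func leafHash(payload []byte) []byte {
	h := sha256.Sum256(append([]byte{0x00}, payload...))
	return h[:]
}

func nodeHash(left, right []byte) []byte {
	h := sha256.New()
	h.Write([]byte{0x01})
	h.Write(left)
	h.Write(right)
	return h.Sum(nil)
}

// RootFromPath recomputes the root implied by a payload and its inclusion path.
func RootFromPath(payload []byte, index int, path [][]byte) []byte {
	node := leafHash(payload)
	for _, sibling := range path {
		if index%2 == 0 {
			node = nodeHash(node, sibling) // we are the left child
		} else {
			node = nodeHash(sibling, node) // we are the right child
		}
		index /= 2
	}
	return node
}

// VerifyReceipt is the offline check: the path must reproduce the signed root
// and the signature over that root must verify under the pinned public key.
// Checking the signature alone would only prove the vendor signed some root,
// not that this payload sits in the ledger beneath it.
func VerifyReceipt(pub ed25519.PublicKey, r Receipt) bool {
	if len(pub) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	if !bytes.Equal(RootFromPath(r.Payload, r.LeafIndex, r.Path), r.Root) {
		return false
	}
	return ed25519.Verify(pub, r.Root, r.Signature)
}

// BuildReceipt plays the ledger side for the example: it builds a full binary
// tree over the leaves (len(leaves) must be a power of two) and issues a
// receipt for one of them.
func BuildReceipt(priv ed25519.PrivateKey, leaves [][]byte, index int) Receipt {
	level := make([][]byte, len(leaves))
	for i, l := range leaves {
		level[i] = leafHash(l)
	}
	var path [][]byte
	idx := index
	for len(level) > 1 {
		path = append(path, level[idx^1]) // sibling at this level
		next := make([][]byte, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next[i/2] = nodeHash(level[i], level[i+1])
		}
		level = next
		idx /= 2
	}
	root := level[0]
	return Receipt{Payload: leaves[index], LeafIndex: index, Path: path,
		Root: root, Signature: ed25519.Sign(priv, root)}
}

// SampleKeys derives a key pair from a fixed seed. Constructed for the example;
// a real verifier fetches and pins the vendor's published key instead.
func SampleKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SampleLeaves are constructed decision records, not real ProvableCORE output.
func SampleLeaves() [][]byte {
	return [][]byte{
		[]byte(`{"decision_id":"d-0001","class":"S","outcome":"approve"}`),
		[]byte(`{"decision_id":"d-0002","class":"D","outcome":"approve"}`),
		[]byte(`{"decision_id":"d-0003","class":"H","outcome":"escalate"}`),
		[]byte(`{"decision_id":"d-0004","class":"S","outcome":"reject"}`),
	}
}

func main() {
	pub, priv := SampleKeys()
	r := BuildReceipt(priv, SampleLeaves(), 2)
	fmt.Println("genuine receipt verifies:", VerifyReceipt(pub, r))

	tampered := r // same path, same signed root, edited outcome
	tampered.Payload = []byte(`{"decision_id":"d-0003","class":"H","outcome":"approve"}`)
	fmt.Println("edited payload verifies:", VerifyReceipt(pub, tampered))
}
```

The order of the two checks matters less than doing both: a receipt whose payload has been edited still carries a perfectly valid vendor signature over the root, and only recomputing the path exposes that the edited record is not the one the ledger committed to.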
Need regulatory documentation for your deployment?
We can provide a tailored compliance package for your specific regulatory scope. DPAs, DPIAs, and technical documentation delivered under NDA within 3 business days.
Request compliance package · View Trust Center