How UNDISK enables regulatory compliance for AI agent deployments.


# UNDISK's Role

UNDISK MCP is infrastructure — not an AI system. Under the EU AI Act (Regulation 2024/1689), obligations for record-keeping, human oversight, and log retention fall on AI system providers and deployers, not on infrastructure vendors.

UNDISK enables deployer compliance by providing the tamper-evident audit trail, version history, and restore capabilities that deployers need to meet their obligations.

Positioning: "enables compliance" — we provide infrastructure that supports regulatory requirements. Compliance obligations rest with the AI system deployer.

# EU AI Act — Key Articles

## Article 12 — Record-Keeping

High-risk AI systems must automatically record events (logs) throughout their lifetime for risk identification, post-market monitoring, and operational oversight.

| Requirement | UNDISK Feature |
|---|---|
| Automatic event recording | Immutable version history — every file operation creates a content-addressed version with agent ID, timestamp, operation type, file path, and content hash |
| Risk identification | Anomaly alerts — rule-based alerting on unusual patterns (high-frequency writes, bulk deletes, unauthorized path access) |
| Post-market monitoring | Structured audit export — NDJSON with integrity verification, covering any time range |
| Tamper evidence | Content-addressable storage (SHA-256) — versions are immutable, content hashes verify integrity |

## Article 14 — Human Oversight

High-risk AI must have tools for humans to monitor, interpret, override, reverse, or stop.

| Requirement | UNDISK Feature |
|---|---|
| Monitor operation | Full activity tracing — every agent operation tracked with identity chain (file → agent → user) |
| Override / reverse | restore_version — reversal of any agent action in <50ms |
| Stop the system | Policy engine — revoke agent write access immediately via path ACLs; rate limits throttle runaway agents |

## Article 26(6) — Log Retention

Deployers must retain auto-generated logs for at least 6 months.

| UNDISK Plan | Retention | Meets Art. 26(6)? |
|---|---|---|
| Free | 7 days | No |
| Pro | 180 days (6 months) | Yes |
| Team | 365 days | Yes |
| Enterprise | Up to 10 years | Yes |

# Audit Trail Format

Every operation produces a structured audit entry:

```json
{
  "timestamp": "2026-04-06T10:00:00.000Z",
  "workspace_id": "ws_abc123",
  "agent_id": "agent_claude_prod",
  "human_principal": "user@company.com",
  "operation": "write_file",
  "file_path": "/regulatory/q2-report.md",
  "version_id": "ver_a1b2c3",
  "content_hash": "sha256:e3b0c44298fc1c...",
  "content_size_bytes": 4096,
  "policy_evaluation": {
    "rules_checked": ["max_file_size", "path_acl"],
    "result": "ALLOW"
  },
  "transport": "sse",
  "source_ip": "203.0.113.42",
  "request_id": "req_xyz789"
}
```

This gives deployers the evidence chain: who (human principal) authorized what (agent) to do which operation on which file at what time, with cryptographic proof of content integrity.
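The following is an added example (not UNDISK's own code) of how a deployer's review job could consume an NDJSON export of entries in this format and apply the rule-based alerts mentioned above (high-frequency writes, bulk deletes, unauthorized path access). The sample entries are constructed; the operation names `delete_file` and `read_file`, the `DENY` result, and the thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample entries using the audit-trail field names from the page.
# delete_file / read_file and the DENY result are assumed for illustration.
def _entry(ts, agent, op, path, result="ALLOW"):
    return {"timestamp": ts, "workspace_id": "ws_abc123", "agent_id": agent,
            "human_principal": "user@company.com", "operation": op, "file_path": path,
            "policy_evaluation": {"rules_checked": ["max_file_size", "path_acl"],
                                  "result": result}}

SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    _entry("2026-04-06T10:00:00.000Z", "agent_claude_prod", "write_file", "/regulatory/q2-report.md"),
    _entry("2026-04-06T10:00:01.000Z", "agent_batch", "delete_file", "/drafts/a.md"),
    _entry("2026-04-06T10:00:02.000Z", "agent_batch", "delete_file", "/drafts/b.md"),
    _entry("2026-04-06T10:00:03.000Z", "agent_batch", "delete_file", "/drafts/c.md"),
    _entry("2026-04-06T10:00:04.000Z", "agent_batch", "delete_file", "/drafts/d.md"),
    _entry("2026-04-06T10:05:00.000Z", "agent_claude_prod", "read_file", "/finance/payroll.csv", "DENY"),
])

def parse_ndjson(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(entry):
    # Timestamps are RFC 3339 with a Z suffix; fromisoformat wants +00:00.
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def anomaly_alerts(entries, window=timedelta(seconds=60), bulk_delete=3, burst_writes=20):
    """Return (rule, agent_id, detail) tuples for entries that trip a rule."""
    alerts, by_agent = [], {}
    for e in sorted(entries, key=_ts):
        by_agent.setdefault(e["agent_id"], []).append(e)
        # A policy DENY means the agent tried a path its ACL does not allow.
        if e["policy_evaluation"]["result"] == "DENY":
            alerts.append(("unauthorized_path_access", e["agent_id"], e["file_path"]))
    for agent, evs in by_agent.items():
        for op, limit, rule in (("delete_file", bulk_delete, "bulk_deletes"),
                                ("write_file", burst_writes, "high_frequency_writes")):
            times = [_ts(e) for e in evs if e["operation"] == op]
            # Sliding window: count same-type ops in [t, t + window) from each start.
            for i, t in enumerate(times):
                n = sum(1 for u in times[i:] if u - t < window)
                if n >= limit:
                    alerts.append((rule, agent, f"{n} {op} ops within {window.seconds}s"))
                    break
    return alerts
```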


# Retention Architecture

UNDISK uses layered retention to resolve the GDPR vs EU AI Act tension:

Layer 1 — Operational
Full audit logs with all identifiers. Retained for the active period (configurable, default 180 days).

Layer 2 — Compliance Archive
After the operational period, PII is pseudonymized (user IDs hashed, file paths with names redacted). Retained for up to 10 years per EU AI Act Article 18.

Layer 3 — Deletion
After the compliance archive period, all data is permanently deleted including pseudonymized records. GDPR Article 5(1)(e) storage limitation satisfied.
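An added example (not UNDISK's code) of the three-layer routing described above: entries inside the operational period are kept as-is, entries in the archive period are pseudonymized, and anything older is dropped. The keyed HMAC for user IDs, the directory-preserving path redaction, dropping `source_ip`, and 3650 days as the 10-year archive are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

def _ts(entry):
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def retention_layer(entry, now, operational=timedelta(days=180), archive=timedelta(days=3650)):
    """Layer 1 while inside the operational period, Layer 2 until the archive
    period ends, Layer 3 (delete) afterwards. 3650 days approximates 10 years."""
    age = now - _ts(entry)
    if age < operational:
        return "operational"
    if age < operational + archive:
        return "compliance_archive"
    return "delete"

def pseudonymize(entry, key: bytes):
    """Layer 2 transform (assumed design): keyed hash of the user ID so the
    archive stays linkable per user but not reversible without the key; keep
    the directory and redact the file name; drop the source IP as personal data."""
    archived = {k: v for k, v in entry.items() if k != "source_ip"}
    digest = hmac.new(key, entry["human_principal"].encode(), hashlib.sha256).hexdigest()
    archived["human_principal"] = "user_" + digest[:16]
    directory, _, _name = entry["file_path"].rpartition("/")
    archived["file_path"] = directory + "/<redacted>"
    return archived

def apply_retention(entries, now, key: bytes):
    """Route entries to their layer; archived ones come back pseudonymized,
    entries past the archive period are not returned at all."""
    kept = {"operational": [], "compliance_archive": []}
    for e in entries:
        layer = retention_layer(e, now)
        if layer == "operational":
            kept["operational"].append(e)
        elif layer == "compliance_archive":
            kept["compliance_archive"].append(pseudonymize(e, key))
    return kept
```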


# Audit Export

Export audit data as NDJSON with integrity verification:

```json
{
  "export_metadata": {
    "workspace_id": "ws_abc123",
    "time_range_start": "2026-01-01T00:00:00Z",
    "time_range_end": "2026-03-31T23:59:59Z",
    "entry_count": 47832,
    "complete": true,
    "integrity_hash": "sha256:...",
    "exported_at": "2026-04-06T10:00:00Z",
    "compliance_notice": "This audit trail supports EU AI Act Article 12 record-keeping. Compliance obligations rest with the AI system deployer per Article 26."
  }
}
```

# What UNDISK Does NOT Provide

UNDISK is not an AI system and has no obligations under Articles 6–15 of the EU AI Act

UNDISK does not provide legal advice or certify compliance

UNDISK does not assess whether your AI system is "high-risk" under the Act

UNDISK does not replace your organization's Data Protection Impact Assessment (DPIA)


# Deployer Responsibilities

What you still need to do independently:

1. Determine if your AI system is classified as high-risk under the EU AI Act

2. Implement human oversight procedures (Article 14) — UNDISK provides the tools, your team defines the process

3. Ensure logs are reviewed and retained per Article 26(6) — UNDISK stores them, your team must access and act on them

4. Report serious incidents to authorities (Article 26(5))

5. Conduct a Data Protection Impact Assessment if processing personal data

6. Execute a Data Processing Agreement (DPA) with UNDISK for GDPR Article 28 compliance — available on Enterprise tier


# Data Residency

UNDISK runs on Cloudflare's global network (330+ cities). File content is stored in Cloudflare R2 with location hints available for jurisdiction control. Durable Objects replicate to nearby edge locations with automatic failover.

Enterprise customers can request EU-only data residency via R2 location hints. Contact support@undisk.app for details.


# Timeline

| Deadline | What | Status |
|---|---|---|
| Aug 2, 2025 | Prohibited AI practices (Article 5) | In force |
| Aug 2, 2025 | AI literacy obligations (Article 4) | In force |
| Dec 2, 2027 | Stand-alone high-risk AI (Annex III) | Extended via Digital Omnibus |
| Aug 2, 2028 | High-risk AI in regulated products | Extended via Digital Omnibus |

The Dec 2, 2027 deadline was extended from Aug 2, 2026 via the EU Digital Omnibus proposal (Council + Parliament endorsed, trilogue ongoing as of April 2026). The original deadline remains legally binding until the Omnibus is formally adopted. Enterprise procurement for Dec 2027 compliance is beginning now.
