Compliance
Undisk MCP is infrastructure, not an AI system. It enables deployers to meet their own record-keeping, oversight, and retention obligations.
Compliance obligations rest with the AI system provider or deployer. Undisk provides the audit trail, version history, and restore mechanics that make those controls operational.
EU AI Act alignment
Article 12: record-keeping
| Requirement | Undisk feature |
|---|---|
| Automatic event recording | Immutable version history with agent identity, timestamp, operation, file path, and content hash |
| Risk identification | Anomaly detection hooks and precise file-level activity review |
| Post-market monitoring | Exportable JSON or NDJSON audit evidence |
| Tamper evidence | Content-addressable storage with hash-based verification |
Article 14: human oversight
| Requirement | Undisk feature |
|---|---|
| Monitor operations | Full per-operation audit trail |
| Override and reverse | restore_version creates a new head version from any prior state |
| Stop runaway activity | Policy ACLs, rate limits, and scoped access controls |
Article 26(6): log retention
| Plan | Retention | Meets 6-month minimum? |
|---|---|---|
| Free | 30 days | No |
| Pro | 180 days | Yes |
| Team | 365 days | Yes |
| Enterprise | Up to 10 years | Yes |
Audit evidence shape
```json
{
  "id": "ver_a1b2c3",
  "path": "regulatory/q2-report.md",
  "versionNum": 3,
  "contentHash": "sha256:e3b0c44298fc1c...",
  "size": 4096,
  "operation": "write",
  "agentId": "key:78bd0ae5:kyc-agent",
  "principalId": "user_abc123",
  "createdAt": "2026-04-06T10:00:00.000Z"
}
```
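A deployer-side check over an exported NDJSON audit file that uses the record fields shown above, added here as an example and not Undisk's own code. It assumes one record per line, that `contentHash` is the hex SHA-256 of the raw file bytes, and that records for a path appear oldest first; `check_export` and `sample_export` are hypothetical names.

```python
import hashlib
import json
from datetime import datetime

REQUIRED = {"id", "path", "versionNum", "contentHash", "size",
            "operation", "agentId", "principalId", "createdAt"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # layout of createdAt in the record above

def check_export(ndjson_text, contents=None):
    """Return (line_no, problem) findings; contents maps record id -> file bytes."""
    findings, last_seen = [], {}
    for line_no, line in enumerate(ndjson_text.splitlines(), start=1):
        try:
            rec = json.loads(line)
            missing = sorted(REQUIRED - rec.keys())
            when = None if missing else datetime.strptime(rec["createdAt"], TS_FORMAT)
        except (ValueError, AttributeError, TypeError):
            findings.append((line_no, "unparseable record or timestamp"))
            continue
        if missing:
            findings.append((line_no, "missing: " + ", ".join(missing)))
            continue
        algo, _, digest = str(rec["contentHash"]).partition(":")
        data = (contents or {}).get(rec["id"])
        if algo != "sha256" or len(digest) != 64:
            findings.append((line_no, "malformed contentHash"))
        elif data is not None:
            # Assumption: contentHash is SHA-256 over the raw file bytes, in hex.
            if hashlib.sha256(data).hexdigest() != digest.lower():
                findings.append((line_no, "content hash mismatch"))
            if len(data) != rec["size"]:
                findings.append((line_no, "size mismatch"))
        # Assumption: per path, versionNum rises and createdAt never goes backwards.
        prev = last_seen.get(rec["path"])
        if prev and (rec["versionNum"] <= prev[0] or when < prev[1]):
            findings.append((line_no, "version or timestamp out of order"))
        last_seen[rec["path"]] = (rec["versionNum"], when)
    return findings

def sample_export():
    """Constructed two-version history for one path; not real Undisk output."""
    bodies = {"ver_0001": b"draft\n", "ver_0002": b"final\n"}
    rows = [json.dumps({
        "id": rid, "path": "regulatory/q2-report.md", "versionNum": n,
        "contentHash": "sha256:" + hashlib.sha256(body).hexdigest(),
        "size": len(body), "operation": "write", "agentId": "key:example",
        "principalId": "user_example", "createdAt": f"2026-04-06T10:0{n}:00.000Z",
    }) for n, (rid, body) in enumerate(bodies.items(), start=1)]
    return "\n".join(rows), bodies
```

An empty findings list means every line parsed, carried all nine fields, and matched any content supplied for comparison; it says nothing about records that were never exported.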
Deployer responsibilities
- Determine whether your AI system is high-risk under the applicable regulation.
- Define and enforce human oversight procedures.
- Review and retain logs for the period your compliance program requires.
- Conduct your own privacy, security, and DPIA assessments where needed.
- Execute a DPA and data-residency plan appropriate to your environment.
What Undisk does not do
- It does not classify your system under the EU AI Act.
- It does not replace legal advice.
- It does not certify compliance on your behalf.
- It does not replace your organization’s operational review process.