Trust & Security

Compliance isn't a checkbox.
It's a proof.

RAGuard is built on the premise that AI governance requires cryptographic evidence — not just documentation. We've designed the audit chain from the ground up for demonstrable, verifiable compliance.

Compliance Frameworks

Built for the regulations that govern AI.

GDPR

RAGuard automatically detects and redacts personal data in AI interactions before it reaches your model provider. DLP applies bi-directionally — prompts and responses. Audit logs provide demonstrable record of data protection applied to each interaction.

Article 22 Support:

Automated decision-making documentation aligned with GDPR Article 22 transparency requirements.

HIPAA

For healthcare AI applications, RAGuard's NER engine includes models tuned for medical entity detection. PHI redaction applies to structured data (patient IDs, dates of birth, SSNs) and unstructured clinical language. The ZKP evidence chain satisfies HIPAA Technical Safeguard requirements without creating secondary PHI exposure in log systems.

BAA Available:

Business Associate Agreements available for Enterprise customers deploying in healthcare contexts.

EU AI Act

The EU AI Act requires high-risk AI systems to maintain technical documentation and audit trails demonstrating human oversight and risk management. RAGuard's immutable interaction logs and ZKP evidence bundles are designed to satisfy these requirements — providing the documentation backbone for AI Act compliance.

Article 12 Logging:

Interaction logging designed to meet EU AI Act Article 12 transparency and traceability requirements.

Zero-Knowledge Proofs

Prove compliance without exposing content.

Traditional compliance logging creates a dilemma: the more detailed your audit trail, the more sensitive data you store in your log systems. RAGuard's ZKP evidence model resolves this completely.

How it works

Every interaction is committed via SHA-256 hash. Policy decisions, risk scores, and applied rules are signed into an evidence bundle. Zero-Knowledge Proofs allow independent verification that compliance was achieved — without revealing the interaction content.

What auditors receive

A verifiable proof bundle demonstrating: (1) a specific interaction occurred, (2) specific policy rules were evaluated, (3) the outcome of each policy decision. All independently verifiable. None requiring access to the underlying data.

Why this matters for regulated industries

GDPR, HIPAA, and AI Act compliance often requires demonstrating what your AI processed. Traditional approaches expose sensitive data to auditors. ZKP eliminates that tradeoff entirely.

Security Architecture

Security at every layer.

RAGuard is designed as a security-first system. Every architectural decision is made with the assumption that the gateway itself is a high-value target.

  • TLS 1.3 in transit. All communication between your application, RAGuard, and LLM providers is encrypted with TLS 1.3.
  • AES-256 at rest. Audit logs and evidence bundles are encrypted at rest using AES-256.
  • Tenant data isolation. Strict logical isolation between tenant data. One tenant's policies and logs are never accessible to another.
  • Role-based access control. Principle of least privilege for all internal system access. All access is logged.
  • API key protection. Your LLM provider API keys are never stored in plaintext. Secret management via industry-standard vault systems.
  • SOC 2 Type II (In Progress). Zerberus Technologies is pursuing SOC 2 Type II certification. Completion expected 2026.
Data Residency

Your data stays where you need it.

Enterprise customers can deploy RAGuard within their own cloud environment — AWS, Azure, or GCP — ensuring AI interaction data never leaves their jurisdiction. This is particularly important for EU customers subject to GDPR data transfer restrictions and for regulated industries with strict data localisation requirements.

Enterprise deployment options →

Managed (US)

Default deployment. Data processed and stored in US-based infrastructure.

Managed (EU) Coming Soon

EU-based managed deployment for GDPR data residency requirements.

Self-Hosted (Enterprise)

Deploy within your own infrastructure. Full data sovereignty. Available for Enterprise tier.

Need to fill out a security questionnaire?

We're happy to work through your organisation's security review. Contact us for our security overview document, pen test results, and to discuss specific compliance requirements.