engramia

EU compliance

Built for GDPR. Ready for the EU AI Act.

Engramia ships GDPR Art. 17 erasure, Art. 20 portability, multi-tenant RBAC, and a structured audit log as first-class APIs — not consultancy work bolted onto a memory layer.

EU AI Act: full applicability in 86 days (2 Aug 2026, Art. 113)
GDPR Art. 17 SLA: 30-day legal limit; Engramia: instant via API
Hosting: Hetzner Nürnberg / Falkenstein (EU region · GDPR-only)
What ships in the box

Compliance APIs, not compliance theatre

Each control below is a real endpoint or schema commitment in the public Core repo — verifiable at engramia.dev/docs and engramia/engramia on GitHub.

GDPR Art. 17 — Right to erasure

Self-service account deletion (POST /auth/me/deletion-request → DELETE /auth/me) cascades through patterns, embeddings, jobs, and API keys. Scoped DELETE /v1/governance/projects/{id} for per-project wipes. 30-day grace window before final hard-delete.

DELETE /auth/me · DELETE /v1/governance/projects/{id}

GDPR Art. 20 — Data portability

Streamed NDJSON export of every pattern in a scope, with classification labels and provenance metadata. Symmetric pair to POST /v1/import for cross-vendor migration. Audited.

GET /v1/governance/export?classification=...

Multi-tenant RBAC (4 roles)

Owner, admin, editor, reader — enforced at the storage layer via contextvars + DB scope columns, not a UI guard. Cross-project delete blocked for non-owners. Role hierarchy enforced on key creation.

tenant_id + project_id on every row

Structured audit log

Every key action, governance call, and quota event lands in audit_log with tenant + project + IP. Admin viewer at GET /v1/audit. Maps to EU AI Act Art. 12 logging duties for high-risk AI systems.

GET /v1/audit · audit_log table

EU AI Act readiness

86 days to full applicability

Regulation (EU) 2024/1689 lands on 2 August 2026. Memory persistence is a system component subject to logging, conformity, and penalty regimes. Here is what changes and how Engramia maps to each duty.

Annex III high-risk AI duties

If your agent runs in Annex III categories (employment, critical infrastructure, law enforcement…), Art. 16 obligations land on the provider — including logging, transparency, and post-market monitoring.

Logging duties — Art. 12

High-risk systems must keep automatic event logs. Engramia's audit_log + structured JSON logs map directly to this — no custom logging build required.

Conformity assessment — Art. 43

Memory persistence is a system component subject to conformity. Engramia documents data flows in the ROPA and DPA, ready to attach to your conformity package.

Penalty exposure — Art. 99

Up to 7 % of global annual turnover for prohibited-AI breaches; up to 3 % for other obligations. Memory-layer non-compliance is a credible failure mode worth pricing today.

Data residency & security

EU-region by default, encrypted in transit and at rest

EU-only hosting

Production runs on Hetzner CX23 in Nuremberg / Falkenstein (Germany). No transatlantic data flows for hosted customers. Self-hosted deployments retain full control.

PII redaction enabled by default

RedactionPipeline scrubs emails, phone numbers, IBANs, and credit-card patterns before patterns hit storage. Disable per project only with explicit ENGRAMIA_REDACTION=false.

Hashed credentials, scoped tenants

API keys stored as SHA-256 hashes; verification is timing-safe. Tenant + project scope is enforced at the storage layer via contextvars — not a UI guard, not a route filter.
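The pattern described here and under Multi-tenant RBAC above (keys kept only as SHA-256 digests, timing-safe verification, tenant + project scope bound in a contextvar and checked by the storage layer rather than a route filter), as an added Python illustration that is not Engramia's own code: the KeyStore and PatternStore classes, run_as, and the single ContextVar holding a (tenant_id, project_id) pair are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from contextvars import ContextVar, copy_context

current_scope = ContextVar("current_scope", default=None)  # set by auth, read by storage

class KeyStore:
    # Holds only SHA-256 digests of issued keys, never the raw secret (hypothetical).
    def __init__(self):
        self.records = []  # (hex_digest, (tenant_id, project_id))

    def issue(self, tenant_id, project_id):
        raw = secrets.token_urlsafe(32)  # shown once to the caller, never stored
        self.records.append((hashlib.sha256(raw.encode()).hexdigest(), (tenant_id, project_id)))
        return raw

    def verify(self, raw):
        presented = hashlib.sha256(raw.encode()).hexdigest()
        for stored, scope in self.records:
            if hmac.compare_digest(stored, presented):  # constant-time compare
                return scope
        return None

class PatternStore:
    def __init__(self):
        self.rows = []  # every row carries tenant_id + project_id

    def _scope(self):
        scope = current_scope.get()
        if scope is None:
            raise PermissionError("no authenticated scope bound to this context")
        return scope

    def insert(self, pattern_id, text):
        tenant_id, project_id = self._scope()
        self.rows.append({"id": pattern_id, "tenant_id": tenant_id, "project_id": project_id, "text": text})

    def list_patterns(self):
        tenant_id, project_id = self._scope()
        return [r for r in self.rows if (r["tenant_id"], r["project_id"]) == (tenant_id, project_id)]

def run_as(keys, raw_key, action):
    # Authenticate, then run the action in a private context copy so the scope cannot leak.
    scope = keys.verify(raw_key)
    if scope is None:
        raise PermissionError("invalid API key")
    ctx = copy_context()
    ctx.run(current_scope.set, scope)
    return ctx.run(action)
```

Because the scope lives in the context rather than in a request object, any storage call made without an authenticated context fails closed instead of returning another tenant's rows.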

Talk to us

Need a custom DPA, ROPA review, or a pilot for an EU enterprise?