Tamper-evident records of every tool call, payment, memory write, and refusal. Merkle-rooted, signed, regulator-shaped. Exportable on demand.
“Honest about what’s shipped, what’s in flight, what isn’t.”
If we don’t have it yet, this page tells you that. SOC 2 Type II is in observation phase. ISO 42001 alignment is underway. The audit-bundle export and FiscalGate are live in v1.4.2. Dates are honest commitments — not pitch-deck dates.
Merkle-rooted SHA-256 chain over every tool call, payment, memory write, refusal. Signed receipts. Exportable as a single JSON+signatures bundle for deployer or regulator review.
Every action signed by the agent’s keypair. Every receipt verifiable independently. Canary honeypots flag impersonation. Cryptographic chain of custody for the audit trail.
Charters declare a max-USD budget. Every priced tool call routes through a hold/settle two-phase commit. Runaway agents hit the cap and abort. Auditable record of every approval and refusal.
Email, phone, credit-card, SSN-shaped patterns redacted before persistence. Decay policies by domain. Right-to-erasure tooling for GDPR / CCPA subject requests.
Type I attestation in scoping. Type II observation period targeting Q3 2026. Auditor selection in flight. We’ll publish the report URL on this page when complete.
Mapping each ISO 42001 control to a corresponding MnemoPay SDK primitive or operational policy. Targeting alignment doc by Q3 2026; certification targeting H1 2027.
Founder enrolled in IAPP AIGP certification path. Adding a fractional GRC advisor (CIPP/E + AIGP) for enterprise pilot engagements.
For financial-services agents in EU. Mapping audit-bundle format to DORA ICT incident reporting expectations. Customer-driven; first design partner targeting Q4 2026.
Colorado AI Act (effective June 30, 2026) overlaps Article 12 obligations. State-by-state mapping doc planned. NIST AI RMF crosswalk first.
Every audit bundle is a single signed JSON file containing the agent’s identity and capability tokens; every tool call with arguments and return values (secrets redacted); every payment hold/settle/refund with rail and counterparty; every memory write with content hash; every refusal and approval with rationale; the Merkle root binding it together.
{
  "bundleVersion": "1.0.0",
  "missionId": "ms_3a8...c91",
  "agent": { "id": "checkout-bot", "publicKey": "ed25519:..." },
  "generatedAt": "2026-05-06T19:47:02.144Z",
  "retentionMonths": 6,
  "events": [
    {
      "ts": "2026-05-06T19:32:11.020Z",
      "kind": "payment.hold",
      "rail": "stripe",
      "amountUsd": 24.99,
      "counterparty": "cus_***[redacted]",
      "fiscalGate": { "remainingUsd": 75.01, "status": "approved" },
      "sig": "ed25519:8xK..."
    },
    { "ts": "...", "kind": "memory.write", "contentHash": "sha256:9b2..." },
    { "ts": "...", "kind": "tool.refusal", "tool": "delete_user", "reason": "out_of_scope" }
  ],
  "merkleRoot": "sha256:f1c4...8d3",
  "signature": "ed25519:..."
}
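How a reviewer could recompute a bundle's Merkle root and detect a modified, reordered, or duplicated event, as an added example that is not MnemoPay's own code. The page does not specify the tree construction, so the canonical JSON encoding, the 0x00/0x01 hash prefixes, the odd-node promotion rule, and the helper names here are all assumptions.

```python
import hashlib
import json

def canonical(event):
    # Assumption: events are hashed as sorted-key, whitespace-free UTF-8 JSON.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")

def leaf_hash(event):
    # 0x00 / 0x01 prefixes keep a leaf from being reinterpreted as an interior node.
    return hashlib.sha256(b"\x00" + canonical(event)).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(events):
    if not events:
        return "sha256:" + hashlib.sha256(b"").hexdigest()
    level = [leaf_hash(e) for e in events]
    while len(level) > 1:
        nxt = [node_hash(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            # Odd node is promoted, not duplicated, so [a, b, c] and [a, b, c, c] differ.
            nxt.append(level[-1])
        level = nxt
    return "sha256:" + level[0].hex()

def verify_bundle(bundle):
    # True only if the events still hash to the root recorded in the bundle.
    return merkle_root(bundle["events"]) == bundle["merkleRoot"]

# Constructed sample events shaped like the bundle above (all values invented).
SAMPLE_EVENTS = [
    {"ts": "2026-05-06T19:32:11.020Z", "kind": "payment.hold", "rail": "stripe", "amountUsd": 24.99},
    {"ts": "2026-05-06T19:32:12.500Z", "kind": "memory.write", "contentHash": "sha256:" + "ab" * 32},
    {"ts": "2026-05-06T19:32:13.750Z", "kind": "tool.refusal", "tool": "delete_user", "reason": "out_of_scope"},
]

if __name__ == "__main__":
    bundle = {"events": SAMPLE_EVENTS, "merkleRoot": merkle_root(SAMPLE_EVENTS)}
    print("intact:", verify_bundle(bundle))
    tampered = json.loads(json.dumps(bundle))  # deep copy
    tampered["events"][0]["amountUsd"] = 2.49  # edit one payment amount
    print("after edit:", verify_bundle(tampered))
```

A matching root only shows the events are internally consistent with the recorded root; the bundle's `signature` over that root still has to be verified against the agent's public key.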
Compliance officers don’t buy SDKs — they buy mappings. Here’s where MnemoPay’s audit bundle satisfies what.
Automatic recording of events for high-risk AI systems. 6-month minimum retention. Bundle export covers logging requirement directly. Article 26 (deployer obligations) inherits.
AI management systems standard. Bundle satisfies controls A.6.2 (records), A.7 (lifecycle), A.8 (data & PII). Crosswalk doc in flight; full alignment Q3 2026.
US voluntary framework, de-facto standard. Bundle maps to Govern (GV), Manage (MG), Measure (MS) functions. Same evidence file works for Colorado AI Act safe harbour.
Financial sector ICT incident reporting. Bundle format being extended for 7-year retention + financial-supervisor format. Customer-driven; first design partner Q4 2026.
A pilot is 90 days, fixed-fee, with a defined deliverable: a working agent with full audit-bundle export, mapped to your specific compliance regime — EU AI Act, NIST AI RMF, ISO 42001, NYC LL144, or sector-specific.
90-day pilot, fixed-fee. Single agent, single regime mapping. Includes audit-bundle integration, custom event taxonomy, regulator-shaped export, and a compliance summary report at end of period.
Multi-agent fleet, multi-regime mapping, named CSM, sector-specific work (finance, health, public-sector). Includes co-development of evidence formats with your auditor of record.
SOC 2 Type II is in observation period, expected Q3 2026. We’ll be transparent about that during procurement — and we’ll work with your InfoSec team to bridge it (segmented data handling, contractual controls, attestation letter from our Type I auditor) until Type II lands.
No surprise sales cycle · yes / no / not-yet, plainly