Trust by architecture, not paperwork

Everything your legal team needs in one page.

EU AI Act readiness memos, FTC truth-in-advertising checklists, DPIA templates, and immutable audit logs - all in the Legal Kit. Hand over the evidence once. The deal moves.

Get the Legal Kit PDF · 18 pages · ~2 min read

  • EU AI Act: Readiness evidence for sourced, approved, auditable AI claims
  • 10y: Hash-chained audit log retention, every claim, every change
  • AES-256: At rest · TLS 1.3 in transit · per-tenant key isolation
  • DPIA: Template included · sub-processor list · 99.9% SLA

Your data, your tenant.

Every Truth Graph runs in its own logical tenant. Your commercial IP is never used to train shared models, never blended with another customer's data, never accessible across tenant boundaries.


AI claims your legal team can inspect.

Every AI-generated commercial claim is sourced, versioned, and human-approved before deployment. Assay gives legal the evidence trail they need for EU AI Act readiness, FTC truth-in-advertising review, and state AI governance workflows. Audit-grade logs retain the proof up to 10 years.


99.9% uptime, geo-redundant.

Systems monitored 24/7. Geo-redundant backups. Rigorous incident response. Your GTM doesn't stop because a region went dark.


SOC 2 Type II

Audit in progress · target Q3 2026

ISO 27001

Framework alignment · controls mapped

GDPR / UK GDPR

Full compliance · DPA available

EU AI Act & FTC

Readiness evidence for sourced AI claims

Technical Vetting & Procurement Answers

The evidence your security and legal teams need to approve our deployment.

Zero model training on customer data

Assay enforces a strict, architecture-wide zero-training policy. Your commercial claims, Truth Graph nodes, and pilot results are never used to train or fine-tune models (ours or our sub-processors'). All LLM calls run through enterprise API agreements that prohibit data training.

Hashed PII protection in RAG

We do not store or process raw email addresses, names, or phone numbers in our analytics or inference logs. All personal data is pseudonymized using a 32-byte HMAC-SHA-256 hash keyed by a unique customer secret. Security invariants prevent plaintext leakage to logs.

EU / US Data Residency

Every customer is deployed in a dedicated, isolated database tenant. We offer local data residency in both US and EU (Dublin) regions. Storage is encrypted with AES-256, and TLS 1.3 is enforced for data in transit.

GDPR DSR log erasure

We support full Data Subject Requests (DSR) including portability (Art. 20) and erasure (Art. 17) for AI inference logs. Individual records can be pseudonymized or removed without breaking the cryptographic integrity of our immutable audit log.

The Legal Kit · single PDF

Everything legal and compliance teams ask for, in one download.

  • EU AI Act readiness, FTC, and state AI governance memos
  • DPIA template, populated with Assay's processing record
  • Sub-processor list (current, hash-versioned)
  • Security posture summary (SOC 2 status, ISO controls)
  • Audit retention policy (90d / 2y / 10y by event class)
  • Model card for the variation generator

Request the Legal Kit

Sent within the working day. Reviewed by a person. No autoresponder.