Precipiq is an evidentiary layer, not a compliance product. It gives you the records a compliance program needs — what the AI decided, when, with what confidence, and what happened afterward — and leaves the legal interpretation to qualified professionals.
Nothing on this page is legal advice. Compliance requirements depend on your jurisdiction, your product, your contracts, and facts we don’t have. Treat the content below as implementation guidance that your counsel will need to review before you rely on it in a regulated context.
EU AI Act — Article 12 record-keeping
The EU AI Act’s Article 12 requires providers of high-risk AI systems to keep automatic logs of events throughout the system’s lifetime. Specifically:
- (a) period of each use
- (b) the reference database against which input data was checked
- (c) the input data for which the search led to a match
- (d) identification of the natural persons involved in verification
Precipiq’s decision records map onto these requirements directly:
| Article 12 item | Precipiq field |
|---|---|
| Period of use | timestamp + created_at |
| Input data | inputs (JSON blob) |
| Outputs | outputs (JSON blob) |
| Confidence | confidence + alternatives (competing actions) |
| Verifier | human_in_loop + metadata.reviewer_id (caller-set) |
| Tamper-evidence | hash + prev_hash (the chain) |
Organisations subject to Article 12 typically also need to retain logs for the full lifetime of the AI system and surrender them on request. The forensic export flow below handles that.
U.S. discovery
A typical U.S. class-action or FTC action demands evidence of what an automated system did to named plaintiffs. Precipiq’s discovery-friendly surface area:
- Per-decision queryable by agent_id, action_type, time range, and metadata.customer_id (or whatever key you chose).
- Hash chain proves no record was added, removed, or altered after the fact.
- Soft-deleted records — such as rejected suggested links — remain in the forensic export, so a party cannot claim you scrubbed the log.
Forensic export flow
Precipiq’s forensic export endpoint produces a cryptographically sealed evidence bundle suitable for handoff to an auditor, regulator, or opposing counsel.
What’s in the bundle
| File | Contents |
|---|---|
| decisions.json | Every decision in the requested range, full fields, in chronological order. |
| events.json | Every financial event in the requested range. |
| links.json | Every consequence link, including soft-deleted ones. Forensic exports preserve retractions. |
| chain_verification.json | A re-run of verify_chain at export time, with the starting and ending hashes pinned. |
| manifest.json | File names, SHA-256 checksums, and byte sizes for every file in the bundle. |
| manifest.sig | An RSA-2048 signature over manifest.json using your org’s signing key. |
| precipiq-pubkey.pem | The public half of your org’s signing key, so the recipient can verify independently. |
Your org’s signing key is generated at your first export, stored Fernet-encrypted at rest, and never leaves the API process in plaintext.
Generating an export
Exports are asynchronous. The first request creates the export job and returns an export_id. Poll the status endpoint until status equals "complete", then download the bundle.
```bash
curl -X POST https://api.precipiq.dev/api/v1/exports \
  -H 'X-Precipiq-Key: pq_test_demo_key_REPLACE_ME' \
  -H 'Content-Type: application/json' \
  -d '{
    "export_type": "forensic",
    "start_date": "2026-01-01T00:00:00Z",
    "end_date": "2026-03-31T23:59:59Z"
  }'
```
Verifying a received bundle
Any third party holding the bundle can verify its integrity without contacting Precipiq:
```bash
# 1. Recompute each file's SHA-256 and check against the manifest.
# 2. Verify the RSA-2048 signature on manifest.json:
openssl dgst -sha256 -verify precipiq-pubkey.pem \
  -signature manifest.sig manifest.json
```
A Verified OK response on manifest.json, together with matching checksums from step 1, is proof the bundle was produced by Precipiq’s signing key and has not been altered since export time.
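Step 1 above, written out as an added example (not Precipiq's own code). The manifest schema (a `files` list with `name`, `sha256` and `size`) and a flat bundle layout are assumptions, since the page does not specify them; `make_sample_bundle` writes constructed sample data.

```python
import hashlib
import json
from pathlib import Path

# Bundle files the manifest cannot or need not list (assumption).
UNLISTED = {"manifest.json", "manifest.sig", "precipiq-pubkey.pem"}


def sha256_file(path: Path) -> str:
    """Stream the file so a large export never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_bundle(bundle_dir) -> list:
    """Return a list of problems; an empty list means step 1 passed."""
    root = Path(bundle_dir).resolve()
    # ASSUMED schema: {"files": [{"name": ..., "sha256": ..., "size": ...}]}
    entries = json.loads((root / "manifest.json").read_text())["files"]
    problems, listed = [], set()
    for entry in entries:
        name, path = entry["name"], (root / entry["name"]).resolve()
        if path.parent != root:  # flat bundle assumed; reject ../ and symlinks out
            problems.append(f"{name}: outside bundle directory")
            continue
        listed.add(name)
        if not path.is_file():
            problems.append(f"{name}: missing")
        elif path.stat().st_size != entry["size"]:
            problems.append(f"{name}: size mismatch")
        elif sha256_file(path) != entry["sha256"].lower():
            problems.append(f"{name}: sha256 mismatch")
    # Files on disk that the signed manifest does not vouch for.
    for path in sorted(root.iterdir()):
        if path.name not in listed | UNLISTED:
            problems.append(f"{path.name}: not in manifest")
    return problems


def make_sample_bundle(root: Path) -> None:
    """Write a constructed two-file bundle (sample data, not a real export)."""
    entries = []
    for name, body in {"decisions.json": b'[{"id": "d1"}]', "links.json": b"[]"}.items():
        (root / name).write_bytes(body)
        entries.append({"name": name, "size": len(body),
                        "sha256": hashlib.sha256(body).hexdigest()})
    (root / "manifest.json").write_text(json.dumps({"files": entries}))
```

The signature check only ties the manifest to the key in precipiq-pubkey.pem, so compare that key's fingerprint with one obtained outside the bundle before relying on the result.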
Export types
| Type | Contents | Typical use |
|---|---|---|
| forensic | Full evidence bundle described above. | Legal proceedings, regulatory handoff. |
| compliance | Subset tailored to EU AI Act Article 12 record structure. JSON + CSV summary. | Audit submissions, internal compliance reviews. |
| insurance | Anonymised, aggregate-only view for underwriters. No PII; decision IDs are hashed. | Cyber insurance applications and renewals. |
Rate limit
Exports are rate-limited to one per hour per org. A forensic bundle over 50,000 decisions is expensive to produce; if you need to generate exports more frequently, contact support.
Compliance roadmap
These are planning targets, not commitments. Contact sales for the current status of any specific attestation.
- SOC 2 Type II — planned; target window Q3 2026 subject to audit scheduling.
- FedRAMP Moderate — being scoped for 2027.
- HIPAA BAA — available on the Business plan and above. Contact sales for the signed BAA template.