EU AI Act readiness
The EU AI Act requires human oversight controls for high-risk AI systems and transparency about AI-initiated actions. Sentrail provides several controls that support compliance:
Human oversight for write actions
The require_approval policy mode implements a mandatory human-in-the-loop gate for any AI-initiated write action. Reviewers can inspect the full payload before deciding, and their decision is recorded with a timestamp and reviewer ID.
Immutable audit trail
Every evaluated action is written to an append-only audit_logs table with the agent identity, decision, matched policy, risk level, and correlation ID. This provides the documented audit trail required for AI system transparency.
Risk classification
Actions are classified into four risk levels: low, medium, high, critical. High and critical actions can be automatically escalated to human review via policy.
Kill switch / override
The global kill switch and per-tool pause provide immediate cessation capability — a key requirement for high-risk AI system oversight. The kill switch state is logged and notified.
Agent identity tracking
Agents are identified in every audit log entry and approval request, supporting the traceability requirements of the Act.
SOC 2 roadmap
Sentrail is working toward SOC 2 Type II certification. Current controls that map to SOC 2 Trust Service Criteria:

| Control | Status |
|---|---|
| Access controls (RLS, role hierarchy) | Implemented |
| API key hashing (SHA-256) | Implemented |
| Webhook HMAC verification | Implemented |
| Immutable audit logs | Implemented |
| Sensitive header stripping | Implemented |
| Data retention / purge policy | Implemented (configurable) |
| Encryption at rest | Via Supabase (AES-256) |
| Encryption in transit | TLS 1.2+ via Supabase edge |
| Formal penetration test | Planned |
| Vendor risk assessment | Planned |
| SOC 2 Type I report | Planned |
| SOC 2 Type II report | Roadmap |
If you have specific compliance requirements for your organization, contact us at security@sentrail.io. We can provide documentation for controls already in place.
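Of the controls in the table above, webhook HMAC verification is the one that only holds if the receiving side checks the signature correctly: a constant-time comparison and a bounded timestamp, so that a captured delivery cannot be replayed. The following is an added example of a receiver-side check, not Sentrail's own code. The header name, the `t=<unix-time>,v1=<hex>` signature layout and the five-minute replay window are assumptions chosen for illustration; use the values from the actual Sentrail webhook documentation.

```python
"""Receiver-side verification of an HMAC-SHA256 webhook signature.

Added example, not Sentrail's code. The header name, the "t=<unix>,v1=<hex>"
signature format and the replay window are assumptions for illustration.
"""
import hashlib
import hmac
import time
from typing import Optional

SIGNATURE_HEADER = "X-Sentrail-Signature"  # assumed header name
REPLAY_WINDOW_SECONDS = 300                # assumed tolerance for clock skew / retries


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender-side signature over "<timestamp>.<body>".

    Binding the timestamp into the MAC means an attacker who captures one
    delivery cannot re-send it later with a fresh timestamp.
    """
    msg = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, header_value: str, body: bytes,
                   now: Optional[int] = None) -> bool:
    """Return True only if the signature is valid and inside the replay window.

    Verify over the raw request bytes, not a re-serialized JSON object:
    re-serialization changes key order and whitespace and breaks the MAC.
    """
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header_value.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        supplied = fields["v1"]
    except (KeyError, ValueError):
        return False
    if not supplied.isascii():
        return False  # compare_digest rejects non-ASCII str; treat as invalid
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale or future-dated delivery
    expected = hmac.new(secret, str(ts).encode() + b"." + body, hashlib.sha256).hexdigest()
    # A plain `expected == supplied` leaks how many leading characters matched
    # through timing; compare_digest runs in time independent of the match.
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed sample delivery; the secret and body are not real values.
    secret = b"whsec_example_not_real"
    body = b'{"event":"approval.decided","decision":"approved"}'
    sent_at = 1_700_000_000
    header = sign_payload(secret, sent_at, body)
    print("fresh, untampered:", verify_webhook(secret, header, body, now=sent_at))
    print("tampered body:    ", verify_webhook(secret, header, body + b" ", now=sent_at))
    print("replayed later:   ", verify_webhook(secret, header, body, now=sent_at + 3600))
```

Two design points carry the weight here: the timestamp is part of the signed message rather than a separate header, so it cannot be swapped without invalidating the MAC, and the window check happens before the MAC is computed only as a cheap filter; the final decision is still the constant-time comparison.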
Data residency
Sentrail is hosted on Supabase. Your Sentrail deployment runs in the region selected when the Supabase project is created. Audit logs, approval requests, and tool credentials are stored in that region. If you require EU data residency for GDPR compliance, contact us to discuss deployment options.
GDPR
Sentrail stores:
- User email addresses (from authentication, in audit logs as requested_by)
- Agent identifiers (set by you in the X-Agent-Id header)
- Payload previews (truncated snapshots of agent request bodies)
purge-audit-logs scheduled function. Contact support to request a full data deletion.