COMPLIANCE & STANDARDS

GDPR & EU AI Act. High-governance compliance.

Last updated: May 22, 2026. This page details Spctre's support for the General Data Protection Regulation (GDPR) and the European Union Artificial Intelligence Act (EU AI Act).

Data Privacy

GDPR Compliance Framework

Processor model

Under the GDPR, Ciwrl Technologies LLC d/b/a Spctre serves primarily as a Data Processor on behalf of our customers (the Data Controllers). We process agent telemetry, environment metadata, and policy evaluation results solely under the instruction of the controller:

Purpose Limitation & Minimization

We process transaction headers, resource scopes, and policy flags to verify and audit agent execution. We enforce strict data minimization, encouraging controllers to restrict active telemetry payloads to non-PII values.

Granular Data Separation

Customer workspaces are logically separated at the database level. Multi-tenant workspaces employ cryptographic access constraints, ensuring that no cross-workspace data leakage occurs during runtime gateway evaluations.

Sub-processors

We maintain a public directory of third-party sub-processors (e.g., Stripe, AWS infrastructure) engaged under strict Data Processing Agreements (DPAs) incorporating EU Standard Contractual Clauses (SCCs).

Explainability

Durable transparency and the Right to Explanation

Audit verified

GDPR Article 22 establishes constraints on solely automated decisions. If your autonomous agents execute decisions that affect natural persons, Spctre is engineered to supply the necessary explainability framework:

Traceable Decision Path

For every transaction, Spctre records the specific policy rule, matching condition, and decision reason (e.g., refund.limit_exceeded). This gives compliance officers an immediate, human-readable justification for any automated action.

Cryptographic Bundle Proof

Every decision includes a hash reference (SHA-256) of the active policy bundle. This guarantees that the exact rules in force at the millisecond of execution can be retrieved and inspected for audits.

Review Rationale

When an agent action is routed to a human reviewer, the control plane logs the reviewer's identity, the approval/denial timestamp, and the explicit rationale entered during manual resolution.

Erasure

PII Redaction and the Right to be Forgotten

PII Filtering

Border Redaction Filters

Spctre SDKs integrate customizable regex parameters. You can intercept tool arguments and runtime targets at your cluster border, masking personal identifiers before they ever reach our hosted gateways.
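The filter described above runs on the customer's side, before a tool call is serialized and shipped to the hosted gateway. The following is an added illustration (not Spctre's SDK code) of what such a border redaction filter looks like: regex patterns applied to every string value, plus a list of field names whose values are masked wholesale because names and addresses have no reliable regex shape. The patterns, the `SENSITIVE_KEYS` list, and the sample tool call are all constructed for the example; a real deployment tunes them to its own data.

```python
"""Border redaction filter for agent tool arguments (illustrative, not Spctre's SDK)."""
import re
from typing import Any, Dict, Optional, Tuple

# Value patterns applied to every string, in order. Constructed for this example:
# the IBAN and phone patterns are deliberately narrow (phone requires a leading '+')
# to limit false positives on order numbers and other digit runs.
VALUE_PATTERNS = [
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){2,7}(?:[ ]?[A-Z0-9]{1,4})?\b")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+\d{1,3}[ .-]?\d{2,4}[ .-]?\d{3,4}[ .-]?\d{3,4}")),
]

# Keys whose values are personal data regardless of shape (constructed list,
# matched case-insensitively on the key itself, not on its full path).
SENSITIVE_KEYS = {"customer_name", "full_name", "address", "date_of_birth"}


def _redact_string(value: str, counts: Dict[str, int]) -> str:
    """Replace every pattern match with a typed placeholder and count the hits."""
    for name, pattern in VALUE_PATTERNS:
        value, hits = pattern.subn(f"[REDACTED:{name}]", value)
        if hits:
            counts[name] = counts.get(name, 0) + hits
    return value


def _walk(node: Any, key: Optional[str], counts: Dict[str, int]) -> Any:
    """Recursively redact a JSON-like structure; non-string leaves pass through."""
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        counts["field"] = counts.get("field", 0) + 1
        return "[REDACTED:field]"
    if isinstance(node, str):
        return _redact_string(node, counts)
    if isinstance(node, dict):
        return {k: _walk(v, k, counts) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, key, counts) for v in node]
    return node


def redact_payload(payload: Any) -> Tuple[Any, Dict[str, int]]:
    """Return (redacted copy, counts per redaction class).

    The counts are what you would keep locally as evidence that the filter
    ran; the redacted copy is what may leave the cluster.
    """
    counts: Dict[str, int] = {}
    return _walk(payload, None, counts), counts


# Constructed sample tool call, as an agent might emit it before the filter.
SAMPLE_TOOL_CALL = {
    "tool": "issue_refund",
    "arguments": {
        "order_id": "ORD-4481",
        "customer_name": "Ada Example",
        "contact": {"email": "ada@example.com", "phone": "+49 30 1234567"},
        "note": "Refund to DE89 3704 0044 0532 0130 00 per customer request",
        "amount": 49.99,
    },
}

if __name__ == "__main__":
    redacted, stats = redact_payload(SAMPLE_TOOL_CALL)
    print(redacted)
    print(stats)
```

The field-name list is the part teams most often forget: regexes catch structured identifiers, but a free-text `customer_name` value only gets masked because its key is on the list. The trade-off in the other direction is over-redaction, which is why the phone pattern here insists on an international prefix; local-format numbers would need either a looser pattern scoped to known contact fields or a key-based rule.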

Granular Log Deletion

To fulfill GDPR Article 17 (Right to Erasure), administrators can initiate targeted erasure requests via our API, identifying and deleting specific traces containing transient personal markers.

Immutable Ledger Integrity

Audit logging balances erasure with ledger integrity. Deletion operations overwrite parameter metadata while leaving transaction hashes and state signatures intact to preserve overall ledger history.
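The "Cryptographic Bundle Proof" and "Immutable Ledger Integrity" sections above describe one design pattern: each decision record commits to the policy bundle by SHA-256 and to its parameter metadata by hash, so the parameters can later be erased without breaking the hash chain. The block below is an added, self-contained illustration of that pattern in Python; it is not Spctre's ledger implementation, and the `DecisionLedger` class, the salted parameter commitment, and the sample bundle and decisions are all assumptions made for the example.

```python
"""Hash-chained decision ledger with erasable parameter metadata (illustrative)."""
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64


def canonical(obj: Any) -> bytes:
    """Deterministic JSON encoding so the same object always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class LedgerEntry:
    seq: int
    prev_hash: str      # entry_hash of the previous entry (chain link)
    bundle_hash: str    # SHA-256 of the policy bundle in force for this decision
    decision: str       # e.g. "deny"
    reason: str         # e.g. "refund.limit_exceeded"
    params_hash: str    # salted commitment to the parameter metadata
    params: Optional[Dict[str, Any]]   # side-car data; set to None on erasure
    nonce: Optional[str]               # salt for params_hash; erased with params
    entry_hash: str = ""

    def commit(self) -> str:
        """Hash of the immutable fields only; params and nonce are not included."""
        return sha256_hex(canonical({
            "seq": self.seq, "prev_hash": self.prev_hash, "bundle_hash": self.bundle_hash,
            "decision": self.decision, "reason": self.reason, "params_hash": self.params_hash,
        }))


def commit_params(nonce_hex: str, params: Dict[str, Any]) -> str:
    # The random nonce stops anyone from confirming a guessed low-entropy value
    # (a name, an account id) against params_hash after the side-car is erased.
    return sha256_hex(bytes.fromhex(nonce_hex) + canonical(params))


class DecisionLedger:
    def __init__(self, policy_bundle: Dict[str, Any]):
        self.bundle_hash = sha256_hex(canonical(policy_bundle))
        self.entries: List[LedgerEntry] = []

    def append(self, decision: str, reason: str, params: Dict[str, Any]) -> LedgerEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        nonce = secrets.token_hex(16)
        entry = LedgerEntry(len(self.entries), prev, self.bundle_hash, decision, reason,
                            commit_params(nonce, params), dict(params), nonce)
        entry.entry_hash = entry.commit()
        self.entries.append(entry)
        return entry

    def erase_subject(self, subject_id: str) -> int:
        """Right-to-erasure: drop parameter side-cars for one data subject.

        The hash chain is untouched, so the ledger still proves that a decision
        with this reason was taken under this bundle at this position."""
        erased = 0
        for e in self.entries:
            if e.params is not None and e.params.get("subject_id") == subject_id:
                e.params, e.nonce = None, None
                erased += 1
        return erased

    def verify(self) -> bool:
        """Recompute every link; surviving side-cars must also match their commitment."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.commit():
                return False
            if e.params is not None and commit_params(e.nonce, e.params) != e.params_hash:
                return False
            prev = e.entry_hash
        return True


def build_demo_ledger() -> DecisionLedger:
    """Constructed sample: one policy bundle, two decisions for two subjects."""
    bundle = {"version": "2026-05-01", "rules": [{"id": "refund.limit", "max_eur": 100}]}
    ledger = DecisionLedger(bundle)
    ledger.append("deny", "refund.limit_exceeded", {"subject_id": "cust-42", "amount": 250})
    ledger.append("allow", "refund.within_limit", {"subject_id": "cust-77", "amount": 40})
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    print("chain valid:", ledger.verify())
    print("erased:", ledger.erase_subject("cust-42"))
    print("chain still valid:", ledger.verify())
```

Two points are worth checking in any real implementation of this pattern. First, the per-entry nonce matters: a bare hash of a small parameter set is a commitment an auditor can verify, but it is also an oracle that lets anyone who guesses the erased value confirm it, which undermines the erasure. Second, `bundle_hash` is only useful as proof if the bundle store is content-addressed, so that the hash in the record retrieves exactly the rules that were in force.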

AI Regulation

Structural support for the EU AI Act

AI Act Article 9/12/13/14

The EU AI Act mandates stringent controls for high-risk AI and governed AI agent systems. Spctre is designed as a foundational compliance tool to help developers fulfill these legal obligations:

Article 9: Risk Management

Our simulation projections let developers test proposed policy rules against real historical logs. This satisfies AI Act requirements to evaluate risks, systemic biases, and failure modes before deploying AI systems.

Article 12: Record Keeping

Spctre automatically generates chronological logs of system operations throughout the life cycle, providing the durable, unalterable proof of AI decisions required by European regulators.

Article 13: Transparency

By separating system rules into inspectable bundles and mapping all runtime targets into normalized schemas, Spctre ensures system operations remain transparent, predictable, and inspectable.

Article 14: Human Oversight

Our REVIEW gate allows developers to build programmatic human-in-the-loop overrides, pausing autonomous tool execution until approved by a qualified operator.