◆ 5 compliance domains
One agent. 5 regulatory perimeters covered.
01
FinOps · live cost-per-agent
Real-time cost aggregation · per-agent · per-tenant · per-module
- → Aggregates from ross_governance.agent_outbound_log (audit trail · migration 017)
- → 4 hero KPIs + daily sparkline + top 5 agents by spend + approval breakdown
- → Projected monthly · rolling avg × 30 days
- → Window toggle 7d / 30d / 90d · drill-down per agent + action type
Output: Cockpit dashboard + Slack daily report + alert when 80% budget burned
02
AI Act art 50/52 compliance
Voice watermark validation · disclosure enforcement · deadline 2026-08-02
- → Validates every Sara call applies Resemble PerTH watermark (art 52)
- → Confirms art 50 disclosure ("This is an AI agent") fired on appropriate calls
- → Logs to ross_governance.audit_chain SHA-256 chained · 7y retention (art 12)
- → Pre-flight check on Maya outputs · refuses voice-bound copy without disclosure
Output: AI Act audit dossier + Resemble PerTH validation report + ROPA entries
03
GDPR · DPA generator + ROPA
Per-tenant DPA generated on-demand · Records of Processing maintained
- → DPA template canon · adapted to tenant industry (banking · health · etc)
- → Sub-processor map: Supabase Frankfurt · Anthropic · ElevenLabs · Vapi · Unipile · Smartlead · Cal.com
- → Data residency proof · Frankfurt EU enforced
- → Schrems II clause (no US transfer without SCC + TIA)
Output: PDF DPA contract + ROPA entries + sub-processor map · auditor-ready
04
SOC 2 Type II evidence collection
Continuous control monitoring · Vanta/Drata-ready evidence export
- → NIST CSF 2.0 + OWASP ASVS L1 + AI RMF frameworks mapped
- → Prompt injection scan via Garak + Lakera Guard
- → RLS multi-tenant red-team monthly · Cerbos policy validation
- → Incident response playbook · 15-minute response SLA for sev-1
Output: Monthly SOC 2 evidence pack · 95+ controls auto-checked
05
Verifactu Spain 2026 + EN16931 PEPPOL
EU invoice compliance · automated · pre-deadline 2026 Spain rollout
- → josemmo/Verifactu-PHP for Spanish AEAT submission
- → EN16931 PEPPOL routing for EU cross-border
- → Lago + Stripe usage-metering · Mollie SEPA for EU clients
- → Pre-billing entitlement check via Cerbos · per-tenant tier enforcement
Output: XML invoice (FacturaE) + PEPPOL routing + AEAT submission audit log
◆ What auditors get
Evidence on tap. Continuous.
SHA-256 chained audit log · 7y retention
Every agent action immutable · AI Act art 12 + SOC 2 dual-purpose · ross_governance.agent_outbound_log
Sub-processor map · ROPA entries auto-generated
Supabase EU · Anthropic · ElevenLabs · Vapi · Unipile · Smartlead · Cal.com · Frankfurt residency proof
Cerbos policy validation · per-tenant tier enforcement
Every capability gated · machine-readable policy file · audit-importable
Voice watermark validation · per-call Resemble PerTH
AI Act art 52 enforcement · pre-deadline 2026-08-02 · zero unwatermarked synthetic audio
DPA generator · adapted per industry (banking · health · etc)
PDF on-demand · Schrems II compliant · no US transfer without SCC + TIA
Live FinOps · per-agent cost transparency public
"No competitor exposes cost-per-agent publicly" (DEC-V11-42) · we do · /cockpit/finops
◆ 3 compliance pillars · Patxi expansion Ola 4
SOC 2 Type II · ISO 27001:2022 · AI Act art 26.
DEC-V11-72
SOC 2 Type II
Continuous control monitoring · 95+ controls auto-checked · Vanta/Drata-ready · monthly evidence pack · NIST CSF 2.0 + OWASP ASVS L1 mapped
DEC-V11-73
ISO 27001:2022
ISMS canonical · 93 Annex A controls mapped · risk register live · internal audit program · Stage 1+2 cert path drafted
Patxi Ola 4
AI Act art 26
High-risk system deployer obligations · human oversight · log retention 7y · transparency disclosure pre-art 50 trigger
◆ genai_4layer_drift · Patxi canonical metric
4-layer drift · the metric investors ask about.
Per-tenant · per-agent · per-action · per-model drift tracking · prompt drift + tool-use drift + cost drift + quality drift composed into a single score. Live surface in the cockpit, shipped in Ola 4. Patxi alerts when the delta between the L7 window and the L30 baseline exceeds 15%.
Prompt drift
token-set ratio L7 vs L30 baseline
Tool-use drift
MCP tool invocation frequency delta
Cost drift
€/action L7 vs L30 baseline
Quality drift
maya-qa-scorer threshold 8.1 violations
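As an added example (not code from this page or from Patxi), one way to compute the 4-layer score described above over a constructed 30-day per-agent sample. The per-layer formulas (majority-token-set overlap for prompt drift, total variation distance over tool-invocation frequencies, relative cost change, QA-violation-rate delta) and the equal-weight composition are assumptions; only the 15% alert delta and the 8.1 QA threshold come from the page.

```python
from collections import Counter
from statistics import mean
from typing import Dict, List, Set

ALERT_DELTA = 0.15   # page: alert when delta > 15 % (L7 vs L30 baseline)
QA_THRESHOLD = 8.1   # page: maya-qa-scorer threshold

# Constructed 30-day sample for one agent, oldest day first (not real data).
# Days before `drift_from` are stable; from that day on the prompt gains two
# tokens, a new tool is called twice a day, cost per action rises, QA drops.
def sample_days(drift_from: int = 23) -> List[Dict]:
    days = []
    for d in range(30):
        drifted = d >= drift_from
        days.append({
            "prompt_tokens": ["you", "are", "sara", "book", "a", "demo"] + (["upsell", "premium"] if drifted else []),
            "tools": ["calendar", "crm"] + (["search", "search"] if drifted else []),
            "cost_eur": 0.16 if drifted else 0.10,
            "qa_score": 7.9 if drifted else 8.6,
        })
    return days

def majority_token_set(days: List[Dict]) -> Set[str]:
    # Tokens present in more than half of the window's days (assumed definition).
    counts = Counter(t for d in days for t in set(d["prompt_tokens"]))
    return {t for t, c in counts.items() if 2 * c > len(days)}

def prompt_drift(l7: List[Dict], l30: List[Dict]) -> float:
    a, b = majority_token_set(l7), majority_token_set(l30)
    return 1.0 - len(a & b) / len(a | b) if a | b else 0.0

def tool_drift(l7: List[Dict], l30: List[Dict]) -> float:
    # Total variation distance between the two windows' tool-invocation frequencies.
    def dist(days):
        c = Counter(t for d in days for t in d["tools"]); n = sum(c.values())
        return {t: v / n for t, v in c.items()} if n else {}
    p, q = dist(l7), dist(l30)
    return 0.5 * sum(abs(p.get(t, 0.0) - q.get(t, 0.0)) for t in set(p) | set(q))

def cost_drift(l7: List[Dict], l30: List[Dict]) -> float:
    base = mean(d["cost_eur"] for d in l30)   # €/action over the L30 baseline
    return abs(mean(d["cost_eur"] for d in l7) - base) / base if base else 0.0

def quality_drift(l7: List[Dict], l30: List[Dict]) -> float:
    rate = lambda days: sum(d["qa_score"] < QA_THRESHOLD for d in days) / len(days)
    return abs(rate(l7) - rate(l30))

def drift_score(days: List[Dict]) -> dict:
    l7, l30 = days[-7:], days[-30:]
    layers = {"prompt": prompt_drift(l7, l30), "tool": tool_drift(l7, l30),
              "cost": cost_drift(l7, l30), "quality": quality_drift(l7, l30)}
    layers["score"] = mean(layers.values())   # equal-weight composition (assumed)
    layers["alert"] = layers["score"] > ALERT_DELTA
    return layers
```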
◆ Brand v4 compliance · Patxi surface
Carbon · Bone · Acceleration Gold · Slate.
Single-accent compliance · Acceleration Gold #C49A3D is the only accent we use here · everything else is Carbon/Bone/Slate per brand v4 DEC-FOUNDER-07. Newsreader italic 300 weight for H1/H2 · Inter 400 body · JetBrains Mono 700 eyebrow + monospace numerals. Single separator "·" · NEVER em-dash. Max 1 quote <15 words per landing.
◆ Patxi · 3 superpowers
Patxi watches. Patxi audits. Patxi signs.
01 · AI Act art 26/50/52
Dual watermark PerTH + AudioSeal
Resemble PerTH primary · Meta AudioSeal backup · embedded in all Sara synthetic audio · deadline 2026-08-02 shipped early.
02 · DPIA per vertical
5 verticals · 12 templates
SaaS B2B · banking · insurance · health · deeptech · DPIA generated per tenant onboarding · GDPR art 35 ready · auditor-friendly.
03 · FinOps 4-layer
Cost attribution canon
Per-agent · per-tenant · per-module · per-action · model spend attributed and traced · Langfuse + FOCUS 1.2 export.
Audit trail SHA-256
Every agent action is chained immutably · integrity verifiable by construction · 7-year retention (AI Act art 12 + SOC 2).
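The SHA-256 chained audit log named here and under "What auditors get" above, as an added example that is not code from this page or from Patxi: each entry's hash covers the previous entry's hash plus its own canonical payload, so editing any past record, even with its own hash recomputed, breaks the link to the entry after it. The entry fields and the sample actions are constructed assumptions, not the ross_governance schema.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Constructed sample agent actions (field names are assumptions, not the real schema).
SAMPLE_ACTIONS = [
    {"tenant": "t-001", "agent": "sara", "action": "voice_call", "cost_eur": 0.12},
    {"tenant": "t-001", "agent": "maya", "action": "draft_copy", "cost_eur": 0.03},
    {"tenant": "t-002", "agent": "sara", "action": "voice_call", "cost_eur": 0.15},
]

GENESIS = "0" * 64   # stands in for the hash "before" the first entry


def entry_hash(prev_hash: str, payload: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal payloads hash identically.
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_entry(chain: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, "payload": payload,
             "hash": entry_hash(prev, payload)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> Optional[int]:
    """None if every link checks out, else the seq of the first broken entry."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != entry_hash(prev, e["payload"]):
            return i
        prev = e["hash"]
    return None


def build_sample_chain() -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for action in SAMPLE_ACTIONS:
        append_entry(chain, dict(action))   # copy so later edits don't touch the sample
    return chain


def tampered_chain(rehash: bool) -> List[Dict[str, Any]]:
    # Silently zero the cost on entry 1; optionally recompute its own hash too.
    chain = build_sample_chain()
    chain[1]["payload"]["cost_eur"] = 0.0
    if rehash:
        chain[1]["hash"] = entry_hash(chain[1]["prev_hash"], chain[1]["payload"])
    return chain
```

Without the rehash the edited entry itself fails verification; with it, the next entry's `prev_hash` no longer matches, so the tampering surfaces one link later.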
Disclosure + watermark
Patxi validates that every voice call carries disclosure (art 50) and watermark (art 52) ahead of the 2026-08-02 deadline · zero unwatermarked synthetic audio.
FinOps per action
Cost attributed per agent, tenant, module and action · every LLM call carries its visible cost · per-tier budget with a hard cap.
For regulated buyers · CISO + DPO ready