How estoppl maps to your compliance obligations
AI agents are calling APIs, moving money, and accessing sensitive data. Regulators are catching up. estoppl provides the controls and evidence your compliance team needs — without changing your agent code.
EU AI Act Article 14 — Human Oversight
Deadline: August 2, 2026
High-risk AI systems must have human oversight mechanisms, audit trails, and the ability to interrupt or override autonomous decisions. estoppl provides all three out of the box.
Regulatory mapping
Each row maps a specific regulatory requirement to the estoppl feature that satisfies it. Features marked “coming soon” are in active development.
| Regulation | Requirement | estoppl feature |
|---|---|---|
| EU AI Act | Article 14 — Human oversight of high-risk AI | ✓ Blocking human review with approve/deny via dashboard, Slack, email, webhook. Remote kill switch updates every proxy within 5 seconds. |
| EU AI Act | Article 12 — Record-keeping and traceability | ✓ Ed25519 signed, hash-chained audit trail. Every tool call logged with agent ID, tool name, arguments, decision, timestamp, and cryptographic signature. |
| EU AI Act | Article 9 — Risk management system | ✓ Policy engine with block lists, allow lists, amount thresholds, rate limits, and custom conditional rules. Per-agent overrides. |
| FINRA | Rule 3110 — Supervisory procedures for automated systems | ✓ Human review workflow with documented rationale. Policy rules enforce supervisory controls. Admin audit log tracks all policy changes. |
| FINRA | 2026 Oversight Report — Recordkeeping for autonomous agent actions | ✓ Compliance evidence exports with chain verification proof. Verifiable receipts per event with offline verification via CLI. |
| SEC | Rule 17a-4 — Immutable recordkeeping (WORM) | Coming soon: S3 Object Lock (Compliance mode, 7-year retention). Even the AWS root account cannot delete records during the retention period. |
| SOC 2 | CC6.1 — Logical access controls | ✓ Policy engine enforces tool-level access control. Allow lists provide secure-by-default posture. API key auth with SHA-256 hashing and revocation. |
| SOC 2 | CC7.2 — Monitoring and detection | ✓ Real-time dashboard with auto-refresh. Email, Slack, and webhook notifications on policy violations. Admin audit log for SOC 2 evidence. |
How estoppl provides compliance controls
Tamper-Evident Audit Trail
Every tool call is signed with Ed25519 and hash-chained to the previous event. If any event is modified, the chain breaks — detectable via CLI or cloud verification. Zero raw data retention by default; configurable field redaction for PII.
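Why editing one event breaks a hash chain, shown as an added example that is not estoppl's code or event format: the field layout, the `seq` and `prev_hash` names, SHA-256 and canonical JSON are all assumptions, and the sample log is constructed. The Ed25519 signature is left out to stay within the standard library.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed anchor for the first event's prev_hash

def event_hash(event):
    """SHA-256 over canonical JSON of every field except the event's own hash."""
    body = {k: v for k, v in event.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def append_event(chain, **fields):
    """Link a new event to the hash of the previous one and append it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "prev_hash": prev, **fields}
    event["hash"] = event_hash(event)
    chain.append(event)

def verify_chain(chain):
    """Return (seq, problem) findings; an empty list means the chain is intact."""
    findings, prev, expected = [], GENESIS, 0
    for ev in chain:
        if ev["seq"] != expected:
            findings.append((ev["seq"], "sequence gap"))
        if ev["prev_hash"] != prev:
            findings.append((ev["seq"], "broken link"))
        if event_hash(ev) != ev["hash"]:
            findings.append((ev["seq"], "content modified"))
        prev, expected = ev["hash"], ev["seq"] + 1
    return findings

def build_sample():
    """Constructed sample log: three tool calls by one hypothetical agent."""
    chain = []
    for i, (tool, args, decision) in enumerate([
        ("get_balance", {"account": "A1"}, "allow"),
        ("transfer", {"account": "A1", "amount": 900}, "review"),
        ("send_report", {"to": "ops"}, "allow"),
    ]):
        append_event(chain, agent_id="agent-1", tool=tool, arguments=args,
                     decision=decision, timestamp=f"2026-01-01T00:00:0{i}Z")
    return chain

if __name__ == "__main__":
    log = build_sample()
    edited = copy.deepcopy(log)
    edited[1]["arguments"]["amount"] = 9         # silent edit of a logged argument
    print(verify_chain(edited))
    edited[1]["hash"] = event_hash(edited[1])    # re-hashing moves the break downstream
    print(verify_chain(edited))
    print(verify_chain(log[:1] + log[2:]))       # deleted event: gap plus broken link
```

Someone who can rewrite the whole log could recompute every hash from the edited event onward, which is the case a per-event signature is there to catch.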
Blocking Human Review
High-risk tool calls pause until a human approves or denies. One-click approve/deny via email, Slack, webhook, or dashboard. Configurable per tool, per agent, and per amount threshold. Review decisions are logged with rationale.
Remote Kill Switch
Block any tool or shut down any agent from the cloud dashboard. Every proxy picks up the change within 5 seconds. No agent restart required. Policy changes are tracked in the admin audit log.
Compliance Evidence Exports
Download a complete evidence pack with chain verification proof, summary statistics, and all events with cryptographic signatures. Filterable by date range. Offline-verifiable — no network access needed to validate.
Cloud resilience
What happens if estoppl cloud goes down?
The proxy never stops. Events are never lost.
- ✓ The proxy runs locally — no cloud dependency for interception, policy enforcement, or audit logging
- ✓ Policy is cached locally and enforced even when the cloud is unreachable
- ✓ Events persist to local SQLite first, always — cloud sync is best-effort with automatic retry
- ✓ When connectivity returns, unsynced events are automatically reconciled with gap detection
- ✓ Hash chain integrity is maintained regardless of cloud connectivity
Ready to meet your compliance requirements?
Set up in 2 minutes. Free during early access. No credit card required.