Sanctify — Purple-Path · ISO27001 · GDPR · AI Act
Sanctify makes governance a runtime concern, not a quarterly slide. Consent, residency and AI-Act proofs travel with the bytes — enforced at every read, every retrieval, every model call.
Critical drift
0 incidents
Consent coverage
100% of PII flows
Audit prep time
− 78%
Deliverables
Everything that ships
- Consent & purpose registry: per-subject, per-purpose, machine-readable, time-bounded.
- Residency policies: region-pinned storage + compute, enforced in IaC.
- PII / PHI classifiers: auto-tagging, masking and tokenisation at rest and in flight.
- AI Act risk register: model cards, risk tier, mitigations, human-in-the-loop gates.
- Attestation pack: auditor-ready evidence for ISO27001, SOC2, GDPR, EU AI Act.
Pod composition
- DPO
- Security Architect
- Governance Lead
Example output · Policy · customer_360.read · rego

```rego
package data.customer_360

# Default-deny: a read is allowed only when every condition below holds.
default allow := false

allow {
    # Caller role and declared purpose must match the registered purpose.
    input.subject.role == "agent"
    input.purpose == "service"
    # Request region must equal the subject's residency from the consent registry (loaded as data).
    input.region == data.subject.residency
    # Revoked consent denies regardless of purpose or region.
    not data.subject.consent_revoked
}
```

Timeline
Weeks 3–8 · attestation pack signed by day 56
- 1. Weeks 3–4 · Classification sweep: auto-tag PII/PHI; baseline residency map across all sources.
- 2. Weeks 4–6 · Policy mesh: OPA/Rego policies + consent registry wired into Serve gateway.
- 3. Weeks 6–8 · Attestation pack: evidence pipeline + signed pack for ISO/SOC2/GDPR/AI Act.
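The read decision from the customer_360.read policy above, combined with the time-bounded consent registry the policy-mesh step wires in, re-implemented in Python as an added example (not Sanctify's code) so the default-deny logic can be run against a constructed registry; the registry layout, field names, subject ids and expiry timestamps are assumptions.

```python
from datetime import datetime, timezone

# Constructed consent registry (assumed layout): per-subject, per-purpose, time-bounded.
CONSENT_REGISTRY = {
    "sub-1001": {
        "residency": "eu-west-1",
        "consent_revoked": False,
        "purposes": {"service": {"expires": "2030-01-01T00:00:00+00:00"}},
    },
    "sub-2002": {
        "residency": "us-east-1",
        "consent_revoked": False,
        "purposes": {"service": {"expires": "2020-01-01T00:00:00+00:00"}},  # lapsed
    },
    "sub-3003": {
        "residency": "eu-west-1",
        "consent_revoked": True,
        "purposes": {"service": {"expires": "2030-01-01T00:00:00+00:00"}},
    },
}


def allow_read(inp, registry=CONSENT_REGISTRY, now=None):
    """Return (decision, reason). Default-deny: any missing or failed fact denies."""
    now = now or datetime.now(timezone.utc)
    subject = registry.get(inp.get("subject_id"))
    if subject is None:
        return False, "unknown subject"
    if inp.get("role") != "agent":
        return False, "role not permitted"
    purpose = inp.get("purpose")
    grant = subject["purposes"].get(purpose)
    if grant is None:
        return False, f"no consent recorded for purpose {purpose!r}"
    # Consent is time-bounded: an expired grant is treated as absent.
    if datetime.fromisoformat(grant["expires"]) <= now:
        return False, "consent expired"
    if subject["consent_revoked"]:
        return False, "consent revoked"
    # Residency check mirrors input.region == data.subject.residency in the Rego policy.
    if inp.get("region") != subject["residency"]:
        return False, "request region differs from subject residency"
    return True, "ok"
```

Each denial returns a reason string so the decision can be logged as audit evidence alongside the request.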
FAQs
Things prospects ask
Do you cover EU AI Act high-risk systems?
Yes — model cards, risk tier, HITL gates and post-market monitoring are built into the Settle ledger.
Can we keep data in-region?
Residency is IaC-enforced. Compute and storage are pinned; cross-region calls require a signed exception.
Commission · S3 Sanctify
Stand up Sanctify in Weeks 3–8.
We'll respond within one business day with a scoping note, a fixed-price outcome contract, and a named principal. Your details sync straight into our concierge queue.
- Outcome-priced — no T&M.
- Sovereign by default — your data, your region, your keys.
- Wired into the Fuel Pressure gauge from day one.