GDPR
Europe's data-protection law. Two of its obligations bite hardest on AI agents: you need a record of how personal data gets processed, and the record itself has to be tamper-evident. IntentGate logs every agent action and links the log entries into a hash chain, so the auditor sees both the activity and the proof that nothing was rewritten after the fact. The table below maps each clause to the gateway output.
Obligation to evidence
| Obligation | IntentGate output |
|---|---|
| Art. 30(1) — records of processing activities | Per-call row: which agent, on whose behalf, against which tool, with what inputs |
| Art. 30(1)(g) — security measures applied to the processing | Policy version pinned per row; the rules in force at the moment of processing |
| Art. 32(1)(b) — ongoing confidentiality, integrity, availability of records | Hash-chained store; any modification breaks the chain; verifiable in one command |
| Art. 32(1)(d) — regular testing of effectiveness of measures | Chain-head freshness monitored by the Pro console; alerts on staleness |
| Art. 33 — breach notification to supervisory authority within 72h | Refusal events fire webhooks immediately; audit chain provides the chronology |
Records that any operator can edit do not satisfy Article 32. The hash chain solves this: every write commits the prior chain head into the new row, so a single after-the-fact edit is detectable by running the verification command end to end.
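The chaining and verification described above, sketched as an added example. This is not IntentGate's code or row format: the field names, the SHA-256 construction and the genesis value are assumptions chosen for illustration, and the sample rows are constructed.

```python
import hashlib, json

GENESIS = "0" * 64  # assumed starting head for an empty chain

def row_hash(prev_head, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_head + body).encode()).hexdigest()

def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": row_hash(prev, record)})
    return chain[-1]["hash"]  # the new chain head

def verify(chain, trusted_head=None):
    """Walk the chain end to end; return (ok, index of first bad row or None)."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev"] != prev or row["hash"] != row_hash(prev, row["record"]):
            return False, i
        prev = row["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, None  # internally consistent, but not the head we recorded
    return True, None

def rewrite_all(chain, index, new_inputs):
    # Models the case a bare chain cannot catch: someone with write access to
    # every row edits one record and recomputes all the hashes after it.
    out = []
    for i, row in enumerate(chain):
        rec = dict(row["record"])
        if i == index:
            rec["inputs"] = new_inputs
        append(out, rec)
    return out

def sample_chain():
    # Constructed sample rows: agent, principal, tool, inputs, pinned policy version.
    chain, head = [], GENESIS
    calls = [
        ("billing-agent", "alice", "crm.lookup", {"customer_id": 17}),
        ("billing-agent", "alice", "email.send", {"to": "c17@example.test"}),
        ("support-agent", "bob", "crm.update", {"customer_id": 17, "field": "phone"}),
    ]
    for agent, principal, tool, inputs in calls:
        head = append(chain, {"agent": agent, "on_behalf_of": principal,
                              "tool": tool, "inputs": inputs, "policy_version": "v3"})
    return chain, head
```

An in-place edit to one row fails `verify` at that row. A rewrite that recomputes every later hash passes the internal walk and is caught only by comparing against a chain head recorded where the log's operators cannot change it.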
Want the mapping for your specific audit?
Each organisation has a different combination of regulations and a different audit cycle. We can walk through your specific obligations in a 30-minute call.