If you're a regulator, oversight body, or supervisory authority, you don't need DEFONEOS. You need the audit trail for every AI system below you. DEFONEOS provides that โ for free, in a 30-day sandbox, with Ed25519-signed receipts at every step.
No credit card. No obligation. Auto-expires. Cancel anytime.
Sandbox auto-upgrades to Pro (ยฃ499/mo) after 30 days โ cancel anytime in 2 clicks. No fine print.
Formal cooperation agreement available. Defines your audit-trail rights, our MSA cooperation SLAs, mutual non-disclosure scope, and joint-incident-response protocol. Sample available on request (BPSS-cleared signatories only).
Free training for your AI auditors on the SIGIL chain format, OSCAL mappings, EU AI Act Annex IV coverage, and the QMS-9 domains. Designed for the UK AISI curriculum.
Joint research published on AI Office ENISA-style initiatives: technical documentation sufficiency benchmarks, kill-switch latency benchmarks, FRIA effectiveness studies. We bring the substrate. You bring the methodology.
Anonymised SIGIL chain data contributed to regulator-led datasets (e.g., ENISA, NIST AI RMF repository). Privacy-preserving aggregates only. Your attribution as data source.
If DEFONEOS is implicated in a serious incident, the SUBSTRATE automatically initiates joint-IRP: SMS + email to your audit hook within 1h, full SIGIL evidence pack within 24h, full cooperation within 72h. No NDA required.
We have ongoing contributions to ISO/IEC 42001 B.5, ISO/IEC 27001 A.8.16, NIST AI RMF GOVERN-6, and the EU AI Act implementing regulation on Article 26 deployer-side documentation. Your reviewers invited.
| Article | What It Requires | What DEFONEOS Provides | Evidence Page |
|---|---|---|---|
| Art 5 | Prohibited practices | Hard-coded red-line patterns. 7 forbidden classes (kinetic targeting / personal surveillance / civilian harm / sovereignty violation / auto-escalation / lying-to-humans / irreversibility without confirmation). | /defoneos-red-lines |
| Art 9 | Risk management system | 7-step lifecycle (IDENTIFY/SCORE/MITIGATE/TEST/DEPLOY/MONITOR/DOCUMENT). 42 hazards. 156 controls. ISO 14971 aligned. | /defoneos-risk-management |
| Art 12 | Record-keeping / logging | 8 logging categories. SIGIL chain (1Hz, 6mo hot / 5yr cold retention). 0 gaps. Audit-trail access protocol. | /defoneos-record-keeping |
| Art 13 | Transparency to deployers | 12-section instructions for use. Accuracy/robustness/cybersecurity metrics. Known risks. Human oversight. Lifetime. | /defoneos-transparency-deployers |
| Art 14 | Human oversight | 9 oversight layers. 7 escalation tiers. 14 HITL decision types. Kill-switch <2s. BFT 23/33 quorum. | /defoneos-human-oversight-deep |
| Art 17 | Quality management system | 9 quality domains. 84 procedures. 23 CAPA closed. 10 KPIs all GREEN. ISO 9001/13485/42001 structural. | /defoneos-quality-management |
| Art 26 | Deployer obligations | 10 deployer obligations + 7 defence-category mappings. DCP JSON spec. 14 affected-person notices. | /defoneos-deployer-obligations |
| Art 27 | FRIA for certain systems | 5-phase FRIA methodology. 12 fundamental rights. 4 risk levels. 10 mitigation categories. 30-day consultation. | /defoneos-fundamental-rights-impact-assessment |
| Art 47 | EU Declaration of Conformity | Full 7-field declaration template. Module A/C/H variants. JSON spec. 23-language strategy. | /defoneos-eu-declaration |
| Art 48 | CE marking | Visual CE logo spec. 4 affixation rules. 8 preconditions. Notified-body variant. Withdrawal procedure. | /defoneos-ce-marking |
| Art 49 | Registration | 30-field EU Common Data Schema. 7-phase registration. 14d submission SLA. | /defoneos-transparency-register |
| Art 50+52 | Transparency + GPAI | 8 transparency pillars. 7 content-marking modes. C2PA 2.0 manifests. | /defoneos-gpai-transparency |
| Art 71 | EU database registration | Provider ID + GPAI model ID + training data summary + copyright policy. | /defoneos-transparency-register |
| Art 73 | Serious-incident reporting | 15-day serious-incident pipeline (Art 73(3)). 72h critical-incident pipeline. | /defoneos-incident-response |
| Art 74 | Market surveillance cooperation | 4-channel MSA cooperation. 72h access SLA. 6 evidence export formats. | /defoneos-market-surveillance |
| Art 86 | Right to explanation | 5-tier explanation framework. 7-step redress. 3 escalation levels. | /defoneos-right-to-explanation |
| Art 95 | Right to redress | Redress process. Article 22(3) coordination. Subject-rights mapping. | /defoneos-automated-decision |
DEFONEOS audits produce SIGIL-signed evidence in 6 machine-readable formats plus a human-readable PDF:
| Format | Use Case | Tooling |
|---|---|---|
| SIGIL | Authoritative โ full chain, Ed25519-signed | Custom / sigil.csoai.org public registry |
| OSCAL | NIEM-style control assessment, NIST AI RMF / FedRAMP compatible | oscal.io, compliance-trestle |
| JSON-LD | W3C linked data, schema.org-aligned | Any JSON-LD viewer |
| CSV | Spreadsheet / pivot / quick review | Any spreadsheet |
| Human-readable, signed | Any PDF viewer | |
| XCCDF | SCAP-style technical configuration assessment | OpenSCAP, SCAP-compatible tools |
The DEFONEOS external-audit hook gives you read-only access to a SIGIL-verified stream of all sovereign actions โ without requiring write access to the substrate. This is the spine of cooperative regulation.
sigil.csoai.org yourself. False records detectable.
GET https://audit.
X-Client-Cert: CN=ICO-Audit-Client,O=ICO (UK)
X-Audit-Purpose: ENISA_AI_Act_Art_74_cooperation
Accept: application/sigil+json, application/oscal+json, application/x.spdf+pdf
evidence.csoai.org already.Free, no credit card, no obligation. Activated within 4 minutes. Cancel anytime.
4-min auto-provisioning ยท Cooperative agreement available ยท regulator@csoai.org