Six frameworks. One chain. The mapping is the product.
Six frameworks, one append-only chain, one replay-verifiable export bundle. The mapping is below — public, no login, no SDR funnel.
The same SHA-256 chain underwrites every row below. EU AI Act, GDPR, DORA, ISO 42001, MDR/IVDR, BaFin's MaRisk — six framework groups, one append-only chain, one replay-verifiable export bundle. The chain itself writes on every tier including Sandbox; the gates control read-side access (verify, export, per-clause editing). The table is the product; the dashboard is where you fill in the per-clause evidence narrative.
| Framework | Anchor articles | Obligation | Adjudon artefact | Plan tier | Status | Doc |
|---|---|---|---|---|---|---|
| EU AI Act | Art. 13, 14, 26, 27, 73 | Transparency, human oversight, deployer obligations, FRIA, serious-incident reporting | Decision Hash Chain · Review Queue · Deployer Pack · FRIA Wizard · Multi-Clock | Governance+ | Live | Read |
| GDPR | Art. 9, 17, 22, 28, 33 | Special-category data, right to erasure, automated-decision rights, processor terms, breach notification | PII scrubber · payload-nullify (chain shell preserved) · Multi-Clock GDPR row · DPA | Sandbox+ | Live | Read |
| DORA | Art. 17, 19, 28, 30 | ICT incident process, staged 4 h / 72 h / 30 d reporting, third-party risk register, vendor location | Multi-Clock Incident Hub (DORA row) · sub-processor list · EU-region documentation | Governance+ | Live | Read |
| ISO 42001 | 18 clauses (A.6.2.x – A.10.2) | AI Management System — risk treatment, oversight, lifecycle, traceability, supplier control | ComplianceMappingPage (read-only, per-clause evidence + reviewer) | Governance+ | Live | Read |
| MDR / IVDR | Art. 10(8) · Class IIa/IIb · MDCG 2019-11 | Technical-documentation retention, SaMD audit-trail, software qualification under MDCG | Hash-chain export bundle · 3,650-day retention · per-decision confidenceScore + tags | Enterprise+ | Live | Read |
| BaFin · MaRisk | BaFin Dec 2025 ICT/AI · 9th MaRisk-Novelle AT 9 | ICT-vendor governance, outsourcing register, pre-approval evidence, German-language audit reproducibility | Decision Hash Chain (German-clause-by-clause export) · DORA Multi-Clock parallel row | Governance+ | Live | Read |
Five live artefacts. One honest gap.
The audit-pack a procurement team actually receives — five replay-verifiable artefacts plus one disclosed gap. SOC 2 Type II and ISO 27001 are on the roadmap; we name them here because every other vendor's trust-center claims them and we don't have them yet. The cryptographic side is what we have today.
- LIVE: Hash-Chain export bundle
  Replay-verifiable offline against the published algorithm. The bundle is self-contained — no Adjudon login required at the auditor's end.
  GET /api/v1/hash-chain/export · gated hashChainAudit · Governance+
- LIVE: Audit-Log PDF (operations chain)
  Separate SHA-256 chain over admin events — policy changes, user invitations, key rotations. Exported in BaFin-prüfungsreif PDF format.
  GET /api/audit/export/pdf · gated auditLogPdf · Enterprise+
- LIVE: ISO 42001 mapping (18 clauses)
  Per-clause evidence narrative + reviewer attribution + last-updated date. The dashboard is the auditor's read-surface; PATCH writes a ComplianceMappingNote.
  ComplianceMappingPage · gated complianceMapping · Governance+
- LIVE: Sub-processor list
  Five rows, all EU-resident (Option-B cutover 2026-05-11 removed OpenAI; no third-country transfers). Published with region, purpose, and contractual basis. Copies cleanly into a DORA Article 30 register.
  docs.adjudon.com/compliance/data-residency · public
- LIVE: DPA template
  GDPR Article 28 contract — subject matter, duration, sub-processors, international transfers, audit rights. Available on request.
  [email protected] · counter-signed PDF returned
- ROADMAP: SOC 2 Type II · ISO 27001
  We do not currently hold either certification. Roadmap commitment without a published timeline — we name them here rather than imply a status that does not exist.
  no certification yet · cryptographic side carries today
The mapping is public. The conversation is private.
The mapping above is the public surface. The deeper read is the data-residency map at docs.adjudon.com — sub-processor list, encryption, certification disclosures. The compliance call is for the conversation: Article 28 negotiations, FRIA edge-cases, the ISO 42001 clause your auditor flagged. Same engineer reads both sides.