The organisation shall plan, implement and maintain processes to address risks and opportunities relating to AI systems, including the determination of acceptance criteria.
For CISO + procurement
Enterprise here means audit-evidence depth, not dedicated tenancy.
Nine more compliance features above Governance. Two only on Custom. Five sub-processors — every one EU-resident.
Nine more at Enterprise. Two more at Custom.
Enterprise-tier in many SaaS catalogs means dedicated tenancy, customer KMS keys, and white-label. Adjudon's Enterprise tier means none of those — it means nine compliance features that gate above Governance, plus two more reserved for Custom. Below: what each row actually does.
| Feature | Governance | Enterprise | Custom |
|---|---|---|---|
| auditLogPdf Audit-Log PDF export (BaFin-prüfungsreif format) | — | ✓ | ✓ |
| iso42001Pdf ISO 42001 PDF export (sector-certification format) | — | ✓ | ✓ |
| decisionMining HITL Decision Mining (pattern discovery on flagged traces) | — | ✓ | ✓ |
| autoApprovalEngine Auto-Approval (rules-based pre-approval for low-risk paths) | — | ✓ | ✓ |
| cpiFeedbackIngest CPI Feedback Ingest (continuous-improvement signals) | — | ✓ | ✓ |
| c2paContentCredentials C2PA Content Credentials (provenance-attached output) | — | ✓ | ✓ |
| sigstoreEvidence Sigstore Evidence (cryptographically-signed bundle) | — | ✓ | ✓ |
| gpaiPack GPAI Pack (General-Purpose AI compliance bundle) | — | ✓ | ✓ |
| privacyBudget Privacy Budget (differential-privacy accounting) | — | ✓ | ✓ |
| federatedLearning Federated Learning (cross-tenant pattern aggregation) | — | — | ✓ |
| teeAttestation TEE Attestation (proof compute ran in trusted enclave) | — | — | ✓ |
Several rows are Phase 2 / 2b / 3 backend implementations per the requirePlan.js phase-comments. Each gate is enforced in production today; the maturity-grade behind each row is documented at docs.adjudon.com/concepts/plans-and-features.
Five sub-processors. Every one EU-resident.
The full sub-processor list, in order of who handles what. Every entry lives entirely in the EU. As of 2026-05-11, OpenAI L.L.C. has been removed from the list — Confidence Engine Pillar 3 embeddings are now generated by a self-hosted TEI sidecar in the same Frankfurt Fly.io region as the rest of the API.
| Sub-processor | Purpose | Region | Status |
|---|---|---|---|
| MongoDB Atlas | Primary database — traces, audit log, configurations | Frankfurt eu-central-1 | EU-resident |
| Fly.io | API server hosting | Frankfurt | EU-resident |
| Cloudflare | Dashboard + docs CDN | EU edge | EU-resident |
| Stripe | Payment processing | Ireland | EU-resident |
| Resend | Transactional email | EU | EU-resident |
Live list with sub-processor change history at /legal/subprocessors. Procurement copies the rows into the vendor register that DORA Article 30 expects to see.
We ship the row. You file the register.
DORA Article 28 makes the financial entity the legal owner of the third-party-risk register, the contract, and the exit plan. Adjudon is one of the rows in that register. What we ship is the row's source data — in a shape your procurement team copies into its filings, not in a shape that pretends to be the filing itself.
Adjudon ships
- Sub-processor list with regions and SCC notesArt. 30 register source data
- SHA-256 hash-chain export, replay-verifiable offlineArt. 28(7) audit-evidence handover
- EU-region documentation (Frankfurt eu-central-1)Art. 28(2)(a) data-localisation
- DORA Multi-Clock incident timing per decisionArt. 19 reporting-deadline countdown
- No third-country sub-processor (in-region TEI sidecar since 2026-05-11)GDPR Chapter V — no transfer mechanism required
You file
- Register entry for Adjudon as ICT third-partyArt. 30 register of contractual arrangements
- Risk assessment of the Adjudon dependencyArt. 28(2) pre-engagement assessment
- Exit plan and substitutability documentationArt. 28(8) exit-strategy obligation
- Incident notification to your competent authorityArt. 19 reporting workflow
- Critical-or-important-function classificationArt. 28(2)(b) internal classification
The full clause-by-clause split — including which fields from the chain export populate which line of the register — is documented at docs.adjudon.com/compliance/dora.
Procurement gets the row. Engineering takes the call.
The procurement-row is on this page. The DPA, sub-processor change-log, and ISO 42001 evidence sit one click away in legal and trust-center. If vendor-risk needs an actual conversation about the exit-plan or the SCC chain, the engineer who wrote them is one cal.com link away — not behind an SDR queue.
Primary sourcesISO/IEC 42001:2023§ 6.1.3 EU AI ActArt. 26 SOC 2 Type IITSC CC7.2
The text the regulator actually wrote.
Deployers of high-risk AI systems shall take appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use.
The entity monitors system components and the operation of controls to detect anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.