Compliance & Data Sovereignty
TameFlare's architecture is designed to align with EU data protection and cybersecurity regulations. This page explains how TameFlare's design maps to specific compliance requirements.
Important: TameFlare is not certified under any compliance framework. The statements below describe architectural alignment, not certification. Compliance is your organization's responsibility - TameFlare's architecture makes it easier.
Architecture overview
TameFlare has two components with different data residency characteristics:
| Component | Where it runs | What data it holds |
|---|---|---|
| Dashboard (tameflare.com) | Hosted by TameFlare (EU) | Gateway configs, permissions, traffic metadata (domain, action type, decision, latency), user accounts, audit events |
| Cloud gateway (proxy.tameflare.com) | Hosted by TameFlare (EU) | Cached config, credential vault. Traffic transits through the proxy and is forwarded to upstream APIs. |
What the dashboard sees
The dashboard receives traffic metadata from the gateway (domain, action type, decision, status code, latency). It does not receive request bodies, response bodies, or API credentials. Your actual API traffic flows directly from the gateway to upstream APIs.
What the dashboard does NOT see
- Request/response bodies
- API keys or credentials (on the CLI credential path these stay in the local encrypted vault)
- The content of your agent's prompts or outputs
| Property | TameFlare | Typical SaaS competitor |
|---|---|---|
| Credential storage | Local encrypted vault (CLI path) or hosted encrypted DB (dashboard wizard) | Vendor's cloud |
| Traffic content | Transits cloud gateway for enforcement; bodies are never stored | Often stored or inspected by vendor |
| Traffic metadata | Sent to dashboard for logging | Same |
| Source availability | Source-available (ELv2) - auditable | Closed source |
| Origin | Danish company, EU jurisdiction | US jurisdiction (CLOUD Act exposure) |
GDPR (General Data Protection Regulation)
Relevance: Directly applicable to any EU organization using AI agents.
| GDPR Principle | How TameFlare aligns |
|---|---|
| Data minimization (Art. 5) | Dashboard receives only traffic metadata (domain, action type, decision). No request/response bodies. |
| Data residency | Dashboard hosted in EU. Traffic transits the cloud gateway (EU-hosted) for enforcement; bodies are never stored. CLI credentials stay local; dashboard wizard credentials are encrypted in the hosted DB. |
| Right to erasure (Art. 17) | Export and delete your data from the dashboard at any time. |
| Privacy by design (Art. 25) | Credentials are encrypted at rest (AES-256-GCM) in the dashboard. The cloud gateway injects them at request time. No request/response bodies are stored. |
Key point: TameFlare's cloud gateway processes traffic for enforcement. Only metadata (domain, action type, decision, latency) is logged in the dashboard. No request/response bodies are stored. Credentials are encrypted at rest (AES-256-GCM) in the dashboard (EU-hosted). TameFlare is a Danish company operating under EU jurisdiction.
NIS2 (Network and Information Security Directive 2)
Relevance: Applicable to organizations in critical sectors (energy, transport, health, finance, digital infrastructure). Effective October 2024.
| NIS2 Requirement | How TameFlare aligns |
|---|---|
| Supply chain security (Art. 21) | Governs what AI agents can access in your supply chain. Deny-by-default prevents unauthorized access. |
| Risk management (Art. 21) | Policy engine + kill switch + approval workflows = documented risk controls for autonomous systems. |
| Incident reporting (Art. 23) | Audit trail provides evidence for incident investigation. Every blocked action is logged with its decision and timestamp. |
| Access control | Per-gateway permissions, credential vault isolation, RBAC on dashboard. |
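As an added illustration (not TameFlare's code) of the GDPR data-minimization and privacy-by-design rows and of the deny-by-default access control in the NIS2 table, the Go sketch below shows a gateway handler that decrypts an AES-256-GCM-sealed credential only for an allowlisted action, hands it to the upstream call, and emits an audit record holding only metadata (domain, action type, decision, status code, latency). Every name here (AuditEvent, NewVault, Open, Handle, the "domain:action" allowlist key) is assumed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"time"
)

// AuditEvent is the metadata-only record the dashboard receives (constructed schema).
type AuditEvent struct {
	Domain, ActionType, Decision string
	StatusCode                   int
	LatencyMs                    int64
}

// NewVault wraps a 32-byte key in AES-256-GCM; sealing is v.Seal(nonce, nonce, secret, nil).
func NewVault(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32 bytes selects AES-256; other sizes error out
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Open decrypts a sealed credential (12-byte nonce prefixed); any modified byte fails the tag check.
func Open(v cipher.AEAD, sealed []byte) ([]byte, error) {
	n := v.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed credential too short")
	}
	return v.Open(nil, sealed[:n], sealed[n:], nil)
}

// Handle is deny-by-default: only an allowlisted "domain:action" has the credential
// decrypted and injected upstream; the returned event carries no body and no credential.
func Handle(domain, action, body string, allow map[string]bool, v cipher.AEAD,
	sealed []byte, upstream func(domain, cred, body string) int) (AuditEvent, error) {
	start := time.Now()
	ev := AuditEvent{Domain: domain, ActionType: action, Decision: "deny", StatusCode: 403}
	if allow[domain+":"+action] {
		cred, err := Open(v, sealed)
		if err != nil {
			return ev, err
		}
		ev.Decision, ev.StatusCode = "allow", upstream(domain, string(cred), body)
	}
	ev.LatencyMs = time.Since(start).Milliseconds()
	return ev, nil
}
```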
DORA (Digital Operational Resilience Act)
Relevance: Applicable to financial sector organizations. Effective January 2025.
| DORA Requirement | How TameFlare aligns |
|---|---|
| ICT risk management (Art. 6) | Enforces what AI agents can do with financial APIs. Policy engine prevents unauthorized transactions. |
| Third-party risk (Art. 28) | Cloud gateway hosted in EU. Credentials encrypted at rest (AES-256-GCM). No request/response bodies stored. |
| Incident classification (Art. 18) | Audit trail classifies every action by risk level, outcome, and policy match. |
| Testing (Art. 26) | The monitor enforcement level lets you test policies before enforcing them in production. |
What we say and don't say
Accurate claims
- "Architecturally aligned with EU data sovereignty requirements"
- "Cloud gateway hosted in EU at proxy.tameflare.com - no request/response bodies stored"
- "Credentials encrypted at rest (AES-256-GCM) in our hosted DB (EU)"
- "Source-available under ELv2 - fully auditable"
- "Danish company, EU jurisdiction"
- "Dashboard hosted in EU"
Claims we do NOT make
- "GDPR certified" - there is no such certification
- "NIS2 compliant" - compliance is your responsibility, not ours
- "DORA certified" - same
- "SOC2 compliant" - we do not have SOC2 (yet)
- "Zero telemetry" - the gateway sends traffic metadata to the dashboard for logging
For regulated industries
If your organization is subject to GDPR, NIS2, DORA, or similar regulations and you're deploying AI agents that interact with external APIs, TameFlare provides:
- Enforcement - Policy-based controls on every agent action
- Audit - Append-only log of every action, decision, and approval
- Isolation - Agents never see real API credentials. CLI credentials stay local; dashboard wizard credentials are encrypted in the hosted DB (EU)
- Control - Kill switch for immediate halt of all agent traffic
- EU jurisdiction - Danish company, dashboard hosted in EU
For Enterprise plans with compliance documentation and dedicated support, contact enterprise@tameflare.com.