Compliance & Data Sovereignty
TameFlare's architecture is designed to align with EU data protection and cybersecurity regulations. This page explains how TameFlare's design maps to specific compliance requirements.
Important: TameFlare is not certified under any compliance framework. The statements below describe architectural alignment, not certification. Compliance remains your organization's responsibility; TameFlare's architecture makes achieving it easier.
Architecture overview
| Property | TameFlare | Typical SaaS competitor |
|---|---|---|
| Data residency | Your infrastructure (anywhere you choose) | Vendor's cloud (usually US) |
| Telemetry | Zero - no phone-home, no usage reporting | Often sends telemetry to vendor |
| Source availability | Full source (ELv2) - auditable | Closed source |
| Vendor dependency | Gateway runs locally, source-available | Requires vendor uptime |
| Data processing | No data leaves your network | Data transits vendor infrastructure |
| Origin | Danish company, EU jurisdiction | US jurisdiction (CLOUD Act exposure) |
GDPR (General Data Protection Regulation)
Relevance: Directly applicable to any EU organization using AI agents.
| GDPR Principle | How TameFlare aligns |
|---|---|
| Data minimization (Art. 5) | Processes only what's needed for policy enforcement. No data collection beyond audit logs. |
| Data residency | All data stays on your infrastructure. No cross-border transfers to vendor. |
| Right to erasure (Art. 17) | You control all data - delete audit logs, traffic logs, user data at will. |
| Data processing agreements | Not needed - TameFlare never processes your data. The software runs on your servers. |
| Privacy by design (Art. 25) | Local gateway architecture means privacy is structural, not contractual. |
Key point: TameFlare never sees your data. Your agent traffic, audit logs, and credentials stay on your infrastructure. No DPA needed - we're software, not a data processor.
NIS2 (Network and Information Security Directive 2)
Relevance: Applicable to organizations in critical sectors (energy, transport, health, finance, digital infrastructure). Effective October 2024.
| NIS2 Requirement | How TameFlare aligns |
|---|---|
| Supply chain security (Art. 21) | Governs what AI agents can access in your supply chain. Deny-by-default prevents unauthorized access. |
| Risk management (Art. 21) | Policy engine + kill switch + approval workflows = documented risk controls for autonomous systems. |
| Incident reporting (Art. 23) | Audit trail provides evidence for incident investigation. Every blocked action is logged with policy match and timestamp. |
| Access control | Per-gateway permissions, credential vault isolation, RBAC on dashboard. |
DORA (Digital Operational Resilience Act)
Relevance: Applicable to financial sector organizations. Effective January 2025.
| DORA Requirement | How TameFlare aligns |
|---|---|
| ICT risk management (Art. 6) | Enforces what AI agents can do with financial APIs. Policy engine prevents unauthorized transactions. |
| Third-party risk (Art. 28) | Gateway runs locally. Agent traffic never transits third-party infrastructure. |
| Incident classification (Art. 18) | Audit trail classifies every action by risk level, outcome, and policy match. |
| Testing (Art. 26) | Demo sandbox + dry-run API enables testing enforcement policies before production. |
What we say and don't say
Accurate claims
- "Architecturally aligned with EU data sovereignty requirements"
- "Gateway runs locally - your agent traffic never leaves your machine"
- "Source-available under ELv2 - fully auditable"
- "Danish company, EU jurisdiction"
- "Zero telemetry, zero phone-home"
- "No DPA needed - we're software, not a data processor"
Claims we do NOT make
- ~~"GDPR certified"~~ - there is no such certification
- ~~"NIS2 compliant"~~ - compliance is your responsibility, not ours
- ~~"DORA certified"~~ - same
- ~~"SOC2 compliant"~~ - we do not have SOC2 (yet)
- ~~"EU-hosted"~~ - the gateway runs locally on your machine, not in an EU cloud
For regulated industries
If your organization is subject to GDPR, NIS2, DORA, or similar regulations and you're deploying AI agents that interact with external APIs, TameFlare provides:
- Enforcement - Policy-based controls on every agent action
- Audit - Immutable log of every action, decision, and approval
- Isolation - Agents never see real API credentials
- Control - Kill switch for immediate halt of all agent traffic
- Sovereignty - Everything runs on your infrastructure, in your jurisdiction
For Enterprise plans with compliance documentation and dedicated support, contact enterprise@tameflare.com.