Standards breadth
Built for the standards your auditors care about.
Rosa produces repeatable, verifiable evidence that supports the data-governance requirements of the major AI and security frameworks. One glossary line each, then the mapping.
The standards mapping
| Framework | What it asks at the data layer | Rosa output that supports it |
|---|---|---|
| EU AI Act (Article 10) The European Union's AI law; Article 10 covers data and data governance for high-risk systems | Examination of datasets for possible biases; measures to detect, prevent, and mitigate them | Diagnose, Remove, and the Run Manifest. Dedicated page |
| ISO/IEC 42001 The international standard for AI management systems | Data quality and representativeness, risk register inputs, traceability per run | Dataset Intake Report, Run Manifest, comparative run deltas |
| NIST AI RMF The US National Institute of Standards and Technology's AI Risk Management Framework | Map, Measure, Manage: identified risks measured and acted on | Bias diagnosis (Measure), per-run metrics, remediation output (Manage) |
| SOC 2 The audit framework for service organisations' security and confidentiality controls | Processing integrity, evidence integrity, tenant isolation, encryption, logging | Write-once Run Manifest, per-job isolation, hashed API keys, encrypted storage, structured audit logs. Posture: designed toward SOC 2; not yet audited |
| GDPR The EU and UK General Data Protection Regulation | Data minimisation, no unnecessary retention, anti-discrimination | No personal data in logs, short artifact retention, UK/EU processing, debiasing as discrimination-risk reduction |
| EN 304 223 ETSI's European baseline standard for securing AI systems | Secure development, dataset lineage, immutable audit logs | Run Manifest and provenance fields (input hash, config hash, container digest). Designed to support organisations implementing controls aligned with ETSI EN 304 223 at the data-governance and assurance layer |
Data residency and security posture
- Processed in the UK. The shared trial runs in AWS eu-west-2 (London), covered by the EU-UK adequacy decision. Dedicated instances run in the region you choose.
- On-demand compute. The shared instance processing runs only while there is work and stops when idle, shrinking the exposure window.
- Encrypted in transit. All portal and API traffic over HTTPS (TLS), certificates auto-renewed.
- Encrypted at rest. EBS volume encryption on the processing instance.
- API keys hashed. Customer keys are stored as argon2id hashes; the plaintext exists only in your hands.
- Per-job isolation. Every job runs in its own working directory; workspaces are opaque to one another.
- Immutable, hash-verifiable manifests, retained for good. Written once per job and kept indefinitely as the permanent evidence record - the data lives for days, the evidence lives for good. Each manifest holds:
- Per-column statistics - for categorical columns the distinct values and their counts; for numeric columns the minimum, maximum, and standard deviation.
- Bias-detection results - the discriminator's accuracy at recovering the protected attribute and the resulting bias score, plus the post-debiasing residual on training jobs.
- The per-feature debiasing adjustment (diagnose jobs) - indicative of how much each column will be adjusted to remove the protected signal.
- Each feature's association with the protected attribute - its measured univariate association, and on training jobs that association recomputed on the debiased output.
- Job metadata and content hashes - including the SHA-256 input hash, so anyone holding the original file can verify exactly what was processed.
- Structured audit logging. Application and access events as structured logs with per-request ids, no personal data, retained 365 days.
- Request rate limiting. Per-API-key and per-IP request limits guard the API against abuse and credential-stuffing; traffic over the limit is refused with a standard rate-limit response and a retry hint, so the service stays available to legitimate users.
- Dependency vulnerability scanning. Every build audits Rosa's software dependencies for known vulnerabilities and fails on any that are fixable, and automated updates keep dependencies, CI actions, and container base images current - so vulnerable packages are caught and patched, not shipped.
- Secret scanning in CI. Every change is scanned for committed credentials before it can merge, and the full commit history is periodically checked.
- Continuous security monitoring. Application-security monitoring across our code, dependencies, infrastructure, and cloud configuration.
Honest and current; nothing here is a certification claim.
The honesty statement
Rosa is an evidence-producing instrument, not a certification. It helps you meet your obligations; it does not discharge them. No output of Rosa makes you "compliant" with any framework on this page, and we will never claim otherwise. What Rosa gives you is the measured examination, the mitigation, and the verifiable record that your obligations ask for at the data layer.
Show your auditors the data layer is handled.
Diagnose produces audit evidence in one run. Free to try.