A requirement-by-requirement mapping of Authproof features to HIPAA, SOC 2, EU AI Act, and PCI-DSS obligations for AI agent authorization and audit logging.
HIPAA's Security Rule imposes specific technical safeguards on systems that create, receive, maintain, or transmit electronic protected health information (ePHI). AI agents that access patient data must have verifiable authorization controls and audit trails.
| Requirement | Citation | How Authproof addresses it | Status |
|---|---|---|---|
| Audit Controls | ยง164.312(b) | Every receipt is cryptographically signed and written to a tamper-evident, append-only log before the agent acts. Modifications break the hash chain. The log is independently verifiable without trusting Authproof's servers. | Addressed |
| Access Controls | ยง164.312(a)(1) | Scope-limited authorization receipts define exactly what the agent is allowed to access before execution begins. The pre-execution gate enforces these limits โ out-of-scope actions are blocked before they run. | Addressed |
| Integrity Controls | ยง164.312(c)(1) | ECDSA P-256 signatures make every receipt tamper-evident. Any modification to a receipt or audit log entry is immediately detectable by any party holding the public key โ including your auditor. | Addressed |
| Transmission Security | ยง164.312(e)(1) | All data is transmitted over TLS 1.2+. Receipts are signed before transmission โ the cryptographic signature is independently verifiable regardless of the transport layer. | Addressed |
| Authorization and Supervision | ยง164.308(a)(3) | Receipts encode the authorizing party's identity and the precise scope granted. Every agent action has a pre-issued authorization on record that predates execution โ not reconstructed after the fact. | Addressed |
| Minimum Necessary Standard | ยง164.514(d) | Scope fields explicitly enumerate what the agent is permitted to access. Agents cannot access ePHI outside their issued scope. Scope is defined per session โ not globally for the agent. | Addressed |
| Security Incident Procedures | ยง164.308(a)(6)(i) | Webhook notifications fire immediately when an agent action is blocked or a session's trust score degrades below threshold. Your security team is alerted in real time without building a separate monitoring stack. | Addressed |
| Audit Log Retention | ยง164.312(b) | HIPAA requires records to be retained for 6 years from creation or last effective date. Pro includes 90-day retention. Enterprise includes up to 6-year retention with legal hold to meet this requirement. | Pro & Enterprise |
| Business Associate Agreement | ยง164.308(b)(1) | A BAA is required before a business associate may access ePHI on your behalf. Authproof's BAA is available on Pro and Enterprise plans. On Enterprise it is pre-executed and included. | Pro & Enterprise |
| Person or Entity Authentication | ยง164.312(d) | Authentication of the authorizing party is the customer's responsibility. Authproof signs and logs receipts issued by your system โ it does not perform identity authentication of your users or systems. | Customer Responsibility |
SOC 2 Trust Services Criteria require organizations to demonstrate ongoing controls over security, availability, processing integrity, confidentiality, and privacy. AI agent deployments must show that access is controlled, monitored, and verifiable.
| Criteria | Citation | How Authproof addresses it | Status |
|---|---|---|---|
| Logical Access Security | CC6.1 | Access to AI agent capabilities is gated by cryptographically signed receipts. No receipt, no execution. The pre-execution gate enforces this at the tool-call level โ not just at login. | Addressed |
| Logical Access Restrictions | CC6.6 | Scope restrictions are encoded in the receipt and enforced at the pre-execution gate. Agents cannot exceed their authorized scope regardless of instructions received during the session. | Addressed |
| System Monitoring | CC7.2 | Every tool call is verified before execution. Session state tracking detects behavioral anomalies in real time. Trust and risk scores are computed continuously and logged with each action. | Addressed |
| Vendor Risk Management | CC9.2 | The Authproof SDK is MIT-licensed open source โ your auditor can inspect the code. The hosted log service produces independently verifiable receipts. You are never required to trust Authproof's word. | Addressed |
| Availability Commitments | A1.1 | A 99.5% uptime SLA is included on Pro. Enterprise includes a 4-hour priority SLA with a named contact. Free tier has no SLA commitment. | Pro & Enterprise |
The EU AI Act imposes obligations on providers and deployers of high-risk AI systems, including requirements for human oversight, technical robustness, transparency, and record-keeping. AI agents operating in regulated sectors typically qualify as high-risk systems.
| Obligation | Citation | How Authproof addresses it | Status |
|---|---|---|---|
| Risk Management | Art. 9 | Pre-execution authorization receipts constitute a documented risk management measure โ demonstrating that human oversight was exercised and scope was constrained before the AI system acted. | Addressed |
| Transparency & Logging | Art. 12โ13 | Every receipt encodes the scope, authorizing party identity, timestamp, and decision in a format readable by humans and machines. Audit exports are structured and signed for auditor review. | Addressed |
| Human Oversight | Art. 14 | Pre-execution gating ensures no AI action executes without an authorized receipt issued by a human or system acting on a human's behalf. Anomaly detection flags and blocks deviations for human review. | Addressed |
| Technical Robustness | Art. 15 | ECDSA P-256 signatures with RFC 3161 timestamps provide cryptographic robustness that survives operator failure or compromise. The append-only log cannot be silently modified. | Addressed |
| Record-Keeping | Art. 12 | The append-only tamper-evident log with configurable retention satisfies EU AI Act record-keeping requirements. Long-term retention and legal hold for up to 6 years are available on Enterprise. | Enterprise |
| Serious Incident Reporting | Art. 73 | Blocked actions, degraded sessions, and flagged anomalies are logged with precise timestamps, scope data, and cryptographic proof. These records can be exported in auditor-ready format for incident reporting obligations. | Addressed |
PCI-DSS v4.0 requires strict access controls and audit logging for systems that touch cardholder data. AI agents operating in payment environments must have verifiable authorization boundaries and tamper-protected audit trails.
| Requirement | Citation | How Authproof addresses it | Status |
|---|---|---|---|
| Restrict Access to System Components | PCI-DSS v4.0 R7 | Scope-limited receipts restrict which data the AI agent can access or modify. Delete and write operations on cardholder data can be explicitly excluded from scope. Scope is cryptographically enforced โ not advisory. | Addressed |
| Log and Monitor All Access | PCI-DSS v4.0 R10 | Every agent action is logged with a cryptographic receipt before execution. The tamper-evident log satisfies Requirement 10's cardholder data environment audit log obligations. RFC 3161 timestamps provide legally verifiable time ordering. | Addressed |
| Protect Audit Logs from Destruction | PCI-DSS v4.0 R10.5 | The append-only architecture and ECDSA signatures prevent unauthorized modification or deletion of audit logs. Any tampered entry breaks the cryptographic chain โ satisfying PCI-DSS tamper-detection requirements. | Addressed |
| Targeted Risk Analysis for AI Systems | PCI-DSS v4.0 R12.3 | Receipt data, blocked-action logs, and trust/risk scoring provide the evidence base for targeted risk analysis of AI system behavior in the cardholder data environment. Exportable in structured format for QSA review. | Addressed |
Start issuing cryptographic authorization receipts today. Free tier includes 1,000 receipts per month โ no card required.