Skip to content
The Data Policy Platform for AI

Your AI makes decisions you can't prove. Dobby produces the evidence.

Connect your agents out-of-band. Dobby scans every run against the frameworks that apply and exports the evidence pack procurement and auditors accept.

4-layer policy hierarchyevery workload traverses all four · stricter wins
01
Platform
Read-only Dobby invariants.
02
Org
CISO-authored, org-wide.
03
Tenant
Per-space. Can't loosen Org.
04
Process
Per-workload overrides.
The control plane

One place for everything your AI is actually doing.

Connect your agents and Dobby sees every run — what it did, which team ran it, and what it cost in tokens — then governs it against your policy and turns it into evidence you can prove. Activity in, evidence out.

sees · activity

Every run, one place

Every agent, workflow, and pipeline run you connect — what ran, when, and what data it touched. The end of the black box.
agents · workflows · pipelines
sees · teams

What each team does

Attribution across your whole AI estate — which team's agents ran what, so every run has an owner, not just a log line.
per team · per workload
sees · cost

What it costs

The token spend behind every run and every team. See what your AI actually costs — and who is spending it — next to the policy view.
tokens · per model
sees · policy

The policy on top

A 4-layer policy hierarchy governs all of it — Platform → Org → Tenant → Process, stricter-wins. The same rules become your evidence.
4 layers · stricter-wins
The problem

Your AI makes data-policy decisions you can't prove.

Every organization writes data policy. Then AI runs on top of it — making decisions about what data is touched, where it goes, who reviewed it — that humans can no longer trace or prove. A regulator, an auditor, or a procurement team asks for the evidence, and today you can't produce it.

Today's lensModule #1 — Fintech AI Evidence. Other modules surface their own urgency once activated.
EU AI Act
High-risk rules land Dec 2027
Credit scoring and underwriting must show logging, human oversight, and risk records. Enforcement moved to December 2027 under the Digital Omnibus — but procurement asks for the evidence today.
DORA
In force since 2025
ICT third-party obligations flow down — a fintech's AI vendors must satisfy its operational-resilience programme. Their AI vendors inherit the requirement.
The audit gap
Most vendors have zero evidence
When procurement asks for an audit trail, most AI vendors can't produce it — and the deal stalls in vendor review.
How it works

Connect once. Activate the modules. Get the evidence.

Dobby watches your AI activity out-of-band, scans every run against the compliance modules each tenant has activated, and packages the result as audit-ready evidence — per framework, per module.

step · 01

Connect

Point Dobby at your AI activity — CrewAI, LangChain, OpenAI, Google ADK, or a custom SDK. Out-of-band: Dobby never sits in the request path; it reads run telemetry after the fact.
no gateway
step · 02

Activate modules

Each tenant picks the compliance modules it needs. Today: Fintech AI Evidence. Tomorrow: additional modules across regulated domains.
per tenant
step · 03

Scan + find gaps

Every run is checked against the activated frameworks by deterministic rules plus AI evaluation. Compliant, violated, needs-review, or unverifiable — never false compliance.
four-state verdict
step · 04

Evidence Pack

Export a self-contained package per framework — control matrix, gap report, findings, signed manifest — built for procurement and audit review.
PDF · ZIP
Module #1 in action

Fintech AI Evidence — today's flagship.

A credit-decisioning workflow runs. Dobby scans it against EU AI Act and DORA, finds the gaps, and produces the pack you would hand an auditor — the exact shape a bank's risk team asks for in vendor review.

dobby — evidence scanreplay ↺
$ dobby scan credit-decisioning-agent
scanning out-of-band · never in the request path
 
11 runs · 22 controls · eu_ai_act + dora
  ├ Art 12 record-keeping · compliant
  ├ Art 14 human oversight · violated — no reviewer
  ├ Art 28 ICT third-party · needs review
  └ evidence-pack · assembled
 
control-matrix · gap-report · findings · sha-256 manifest
22 controls · 1 gap · evidence pack ready
 
$  
11 runs · 22 controls · 1 gap✓ evidence pack ready

Scanned out-of-band

Dobby reads your run telemetry. It never sits in the request path. Non-custodial by design — for regulated modules (Fintech AI Evidence) raw payloads are enforced into a customer-owned store, and that routing is available opt-in elsewhere.

runs 11controls 22frameworks 2

The gap, surfaced

Art 14 failed — a decision was finalised with no human reviewer recorded. You see it before the auditor does.

severity highframework EU AI Act

Audit-ready in one export

Control matrix, gap report, findings, and a SHA-256 manifest — the package a bank's risk team actually asks for.

Module library

One platform. Pick your modules.

Each tenant activates the compliance modules it needs. Out-of-band and framework-agnostic — the same engine, scoped to the frameworks you've turned on. Non-custodial by design: raw payloads can be routed to a customer-owned dataset (enforced for regulated modules, available opt-in elsewhere).

Live

Fintech AI Evidence

For AI vendors selling into banks and fintechs — and the risk teams on the other side of vendor review. Scans every run against EU AI Act, DORA, and SOC 2; exports the audit-ready evidence pack the reviewer asks for.

EU AI Act · DORA · SOC 2
See the flow →
Coming soon

Enterprise Data Policy

Organization-wide data-policy enforcement for regulated mid-market and enterprise — across every model, agent, and pipeline in the AI estate.

ISO 27001 · NIST CSF · GDPR
Coming soon

Healthcare AI Compliance

Clinical AI vendors and hospital compliance leads — verifiable patient-data policy across model and pipeline.

HIPAA · HITRUST · MDR
Coming soon

Public Sector AI Trust

For AI vendors selling into government and agencies — evidence shaped to public-sector procurement and trust frameworks.

NIST AI RMF · FedRAMP

More modules in development. Marketplace and third-party developer SDK on the roadmap.

Platform capabilities

The engine, underneath every module.

One control plane. Each module activates a slice of it. Everything below is shared platform infrastructure — framework-agnostic and out-of-band. Non-custodial by design: enforced for regulated modules, available opt-in elsewhere.

Connect

Out-of-Band Connectors

Stream run telemetry from CrewAI, LangChain, OpenClaw, OpenAI, or a custom SDK. Dobby never sits inline.
any framework
Frameworks

Compliance Frameworks

Import EU AI Act (Annex III), DORA, SOC 2, ISO 42001, GDPR, or HIPAA as control sets — or author your own. A module bundles the frameworks for its domain.
6 frameworks
Scan

Compliance Scanner

Every run checked by deterministic rules plus AI evaluation, against a 4-layer policy hierarchy.
rules + AI
Scan

Four-State Verdict

Compliant, violated, needs-review, or unverifiable. Dobby never reports false compliance — gaps surface as gaps.
honest by design
Evidence

Evidence Pack

A self-contained audit package — executive summary, control matrix, findings, framework coverage.
PDF · ZIP
Evidence

Gap Report

Every gap ranked by severity — what is missing and the fix — written for the procurement reviewer.
severity-ranked
Evidence

Tamper-Evident Manifest

A SHA-256 hash chain over every component. The auditor re-hashes to confirm nothing changed.
SHA-256
Trust

Your Data, Non-Custodial by Design

Dobby holds metadata, findings, and signed evidence. For regulated modules (Fintech AI Evidence) raw prompt/response payloads are enforced into a customer-owned dataset — never Dobby's; elsewhere that routing is available opt-in.
non-custodial
+ more

Everything else

4-layer policy hierarchy, regional residency (IL / EU / US), immutable audit trail, RBAC, SSO.
browse all
Trust posture

Built for vendor review.

We treat security and data handling the way procurement reviewers ask us to. No false claims, no logos we haven't earned — just the posture we run today, and the certifications we're working toward.

Built for the AI vendors answering the AI evidence demands procurement and audits ask for today — and the bank, fintech, and enterprise reviewers on the other side.

Today

Non-custodial by design

Dobby holds metadata, findings, and signed evidence. For regulated modules (Fintech AI Evidence) raw payloads are enforced into a customer-owned dataset; elsewhere that routing is available opt-in. Until a workload is pointed at your own dataset, the scanner reads run payloads in Dobby's regional store. Always out-of-band — Dobby never sits in the request path.

Today

Regional data residency

Workspace data is pinned at creation to IL · EU · US. Region is permanent; cross-region writes never happen.

Today

GDPR-aligned, DPA on request

Lawful-basis docs, DSAR workflow, sub-processor list, 365-day audit retention. Enterprise DPA with SCCs available.

In progress

SOC 2 Type II

Platform is architected to SOC 2 controls — access, change tracking, immutable audit trail. Type II certification underway.

Today

Encryption everywhere

AES-256 at rest for all sensitive data, TLS in transit, SHA-256 hashing for keys. Per-tenant KEK derivation for provider credentials.

Today

Honest verdicts only

Four-state engine — compliant, violated, needs-review, unverifiable. We never paper over a gap as “compliant.”

Full posture, sub-processors, retention, and security contact — visit the Trust Center →

Frequently asked

Answers before you ask.

The procurement questions we get every week. If something is missing, write us — we'd rather have the conversation than dodge it.

Where does my data live?
Workspaces pin a region at creation — IL (GCP me-west1), EU (europe-west1), or US (us-central1). Region is permanent. All tenant data (runs, findings, audit trail, evidence) stays in the selected region.
Do you store our prompts, completions, or customer PII?
Non-custodial by design. Dobby holds metadata, the policy verdict, and the signed evidence package. For regulated modules (Fintech AI Evidence) raw payloads are enforced into a customer-owned dataset — never Dobby's store. Elsewhere it's available opt-in: until you point a workload at your own dataset, the compliance scanner reads run payloads in Dobby's regional store to evaluate prompt and completion content (so yes, that content — including any PII it carries — sits in Dobby's store by default). Always out-of-band — Dobby never sits in the request path.
Are you SOC 2 certified?
SOC 2 Type II is actively in progress — the platform is architected to the controls (access management, change tracking, immutable audit trail) and certification is underway. We'll publish the report and the audit window on the Trust Center the moment it lands. Until then we sign Enterprise DPAs and answer security questionnaires directly.
Which compliance frameworks does Module #1 cover today?
Fintech AI Evidence ships scanners and an Evidence Pack for EU AI Act (Annex III high-risk AI controls), DORA (ICT third-party obligations that flow down to AI vendors), and SOC 2 Type II Common Criteria. Other frameworks (ISO 27001, ISO 42001, NIST AI RMF, HIPAA, GDPR) exist as control sets you can author against — but they ship as full modules later in the year.
What does “out-of-band” mean in practice?
Dobby never sits in the request path. Your AI calls the LLM provider directly. Dobby reads run telemetry after the fact — through the Dobby Collector SDK (pip install dobby-collector / npm install @dobbyai/collector), an out-of-band gateway, or a webhook from your existing observability stack. No new failure mode, no latency surface, no key custody.
How do I trial Module #1?
Two paths. Self-serve: sign up, install the Collector with two lines of code, run a workflow, export your first Evidence Pack — free, no credit card. Design partner: book a 30-minute call and we'll wire your real credit-decisioning workflow against the frameworks that apply, end to end.
Get started

Get your AI through the review.

Start with Fintech AI Evidence — connect a workflow, scan it against EU AI Act + DORA + SOC 2, export the evidence pack. Start free, no credit card required.

$ pip install dobby-collector
$ # instrument your agent — two lines
✓ connected · scanning against eu_ai_act + dora
your first evidence pack is ready to export.
Dobby — The Data Policy Platform for AI