Fintech AI Evidence
For AI vendors selling into banks and fintechs — and the risk teams on the other side of vendor review. Scans every run against EU AI Act, DORA, and SOC 2; exports the audit-ready evidence pack the reviewer asks for.
Connect your agents out-of-band. Dobby scans every run against the frameworks that apply and exports the evidence pack procurement and auditors accept.
Connect your agents and Dobby sees every run — what it did, which team ran it, and what it cost in tokens — then governs it against your policy and turns it into evidence you can prove. Activity in, evidence out.
Every organization writes data policy. Then AI runs on top of it — making decisions about what data is touched, where it goes, who reviewed it — that humans can no longer trace or prove. A regulator, an auditor, or a procurement team asks for the evidence, and today you can't produce it.
Dobby watches your AI activity out-of-band, scans every run against the compliance modules each tenant has activated, and packages the result as audit-ready evidence — per framework, per module.
A credit-decisioning workflow runs. Dobby scans it against EU AI Act and DORA, finds the gaps, and produces the pack you would hand an auditor — the exact shape a bank's risk team asks for in vendor review.
Dobby reads your run telemetry. It never sits in the request path. Non-custodial by design — for regulated modules (Fintech AI Evidence) raw payloads are enforced into a customer-owned store, and that routing is available opt-in elsewhere.
Art 14 failed — a decision was finalised with no human reviewer recorded. You see it before the auditor does.
Control matrix, gap report, findings, and a SHA-256 manifest — the package a bank's risk team actually asks for.
Each tenant activates the compliance modules it needs. Out-of-band and framework-agnostic — the same engine, scoped to the frameworks you've turned on. Non-custodial by design: raw payloads can be routed to a customer-owned dataset (enforced for regulated modules, available opt-in elsewhere).
For AI vendors selling into banks and fintechs — and the risk teams on the other side of vendor review. Scans every run against EU AI Act, DORA, and SOC 2; exports the audit-ready evidence pack the reviewer asks for.
Organization-wide data-policy enforcement for regulated mid-market and enterprise — across every model, agent, and pipeline in the AI estate.
Clinical AI vendors and hospital compliance leads — verifiable patient-data policy across model and pipeline.
For AI vendors selling into government and agencies — evidence shaped to public-sector procurement and trust frameworks.
More modules in development. Marketplace and third-party developer SDK on the roadmap.
One control plane. Each module activates a slice of it. Everything below is shared platform infrastructure — framework-agnostic and out-of-band. Non-custodial by design: enforced for regulated modules, available opt-in elsewhere.
We treat security and data handling the way procurement reviewers ask us to. No false claims, no logos we haven't earned — just the posture we run today, and the certifications we're working toward.
Built for the AI vendors answering the AI evidence demands procurement and audits ask for today — and the bank, fintech, and enterprise reviewers on the other side.
Dobby holds metadata, findings, and signed evidence. For regulated modules (Fintech AI Evidence) raw payloads are enforced into a customer-owned dataset; elsewhere that routing is available opt-in. Until a workload is pointed at your own dataset, the scanner reads run payloads in Dobby's regional store. Always out-of-band — Dobby never sits in the request path.
Workspace data is pinned at creation to IL · EU · US. Region is permanent; cross-region writes never happen.
Lawful-basis docs, DSAR workflow, sub-processor list, 365-day audit retention. Enterprise DPA with SCCs available.
Platform is architected to SOC 2 controls — access, change tracking, immutable audit trail. Type II certification underway.
AES-256 at rest for all sensitive data, TLS in transit, SHA-256 hashing for keys. Per-tenant KEK derivation for provider credentials.
Four-state engine — compliant, violated, needs-review, unverifiable. We never paper over a gap as “compliant.”
Full posture, sub-processors, retention, and security contact — visit the Trust Center →
The procurement questions we get every week. If something is missing, write us — we'd rather have the conversation than dodge it.
pip install dobby-collector / npm install @dobbyai/collector), an out-of-band gateway, or a webhook from your existing observability stack. No new failure mode, no latency surface, no key custody.Start with Fintech AI Evidence — connect a workflow, scan it against EU AI Act + DORA + SOC 2, export the evidence pack. Start free, no credit card required.