Dobby is the control plane for data policy in the AI era — one platform, multiple compliance modules.
Each tenant activates the frameworks it needs, the engine enforces them across every layer of the organization, and exports audit-ready evidence per framework. Out-of-band, non-custodial.
Today's flagship module: Fintech AI Evidence — EU AI Act · DORA · SOC 2 — for AI vendors passing bank procurement. EU AI Act Annex III enforcement begins August 2, 2026.
Every AI workload traverses every layer. Stricter wins.
Each tenant activates the compliance modules it needs. Out-of-band, non-custodial, framework-agnostic — the same engine, scoped to the frameworks you've turned on.
For AI vendors selling into banks and fintechs — and the risk teams on the other side of vendor review. Scans every run against EU AI Act, DORA, and SOC 2; exports the audit-ready evidence pack the reviewer asks for.
Organization-wide data-policy enforcement for regulated mid-market and enterprise — across every model, agent, and pipeline in the AI estate.
Clinical AI vendors and hospital compliance leads — verifiable patient-data policy across model and pipeline.
For AI vendors selling into government and agencies — evidence shaped to public-sector procurement and trust frameworks.
More modules in development. Marketplace and third-party developer SDK on the roadmap.
Every organization writes data policy. Then AI runs on top of it — making decisions about what data is touched, where it goes, who reviewed it — that humans can no longer trace or prove. A regulator, an auditor, a bank's procurement team asks for the evidence, and today you can't produce it.
Dobby watches your AI activity out-of-band, scans every run against the compliance modules each tenant has activated, and packages the result as audit-ready evidence — per framework, per module.
A credit-decisioning workflow runs. Dobby scans it against EU AI Act and DORA, finds the gaps, and produces the pack you would hand an auditor — the exact shape a bank's risk team asks for in vendor review.
Dobby reads your run telemetry. It never sits in the request path and never takes custody of your data.
Art 14 failed — a decision was finalised with no human reviewer recorded. You see it before the auditor does.
Control matrix, gap report, findings, and a SHA-256 manifest — the package a bank's risk team actually asks for.
One control plane. Each module activates a slice of it. Everything below is shared platform infrastructure — framework-agnostic, out-of-band, non-custodial.
We treat security and data handling the way procurement reviewers ask us to. No false claims, no logos we haven't earned — just the posture we run today, and the certifications we're working toward.
Built for the AI vendors preparing for the EU AI Act Annex III enforcement deadline of August 2, 2026 — and the bank, fintech, and enterprise reviewers on the other side.
Dobby holds metadata, findings, and signed evidence — not your raw logs or customer PII. Run telemetry stays in your environment.
Workspace data is pinned at creation to IL · EU · US. Region is permanent; cross-region writes never happen.
Lawful-basis docs, DSAR workflow, sub-processor list, 365-day audit retention. Enterprise DPA with SCCs available.
Platform is architected to SOC 2 controls — access, change tracking, immutable audit trail. Type II certification underway.
AES-256 at rest for all sensitive data, TLS in transit, SHA-256 hashing for keys. Per-tenant KEK derivation for provider credentials.
Four-state engine — compliant, violated, needs-review, unverifiable. We never paper over a gap as “compliant.”
Full posture, sub-processors, retention, and security contact — visit the Trust Center →
The procurement questions we get every week. If something is missing, write us — we'd rather have the conversation than dodge it.
pip install dobby-collector / npm install @dobbyai/collector), an out-of-band gateway, or a webhook from your existing observability stack. No new failure mode, no latency surface, no key custody.Start with Fintech AI Evidence — connect a workflow, scan it against EU AI Act + DORA + SOC 2, export the evidence pack. Start free, no credit card required.