Fintech AI Evidence
Audit-ready evidence for AI vendors selling into banks and fintechs. Scans every run against EU AI Act, DORA, and SOC 2 Type II; surfaces gaps before procurement reviewers do.
What this module does
The Fintech AI Evidence module of the Dobby Data Policy Platform connects to your AI workloads out-of-band — Dobby never sits in the request path and never takes custody of your raw logs. It scans every run against the frameworks you activate (EU AI Act, DORA, SOC 2), surfaces gaps with a four-state verdict (compliant · violated · needs-review · unverifiable), and exports an audit-ready evidence pack on demand.
The artifact is the same shape every time: the procurement reviewer opens the pack, runs the SHA-256 verification, reads the control matrix + gap report, and signs off. No deck. No bespoke document.
Quickstart (5 minutes)
1. Install the Dobby Collector SDK
Python or Node.js — both supported across CrewAI, LangChain, OpenAI, Google ADK, AWS Bedrock, or your custom framework.
```bash
# Python
pip install dobby-collector
# Node.js
npm install @dobbyai/collector
```
2. Get a gateway key
Sign in at dobby-ai.com, go to Settings → API Keys, and create a gk_svc_ service key. Copy it once.
3. Start emitting telemetry
The collector auto-detects your framework. One call to setup() wires the rest.
```python
from dobby_collector import setup

# api_key is the gk_svc_ key from step 2; workload names the AI system being scanned.
setup(api_key="gk_svc_...", workload="credit-scoring-agent")
```
4. Activate frameworks
In the dashboard, go to Compliance → Frameworks and toggle the ones your buyers ask for: EU AI Act, DORA, SOC 2. Each runs deterministic rules + AI evaluation across Dobby's 4-layer policy hierarchy (Platform → Org → Tenant → Process).
5. Export the evidence pack
Once a few runs have been scanned, go to Compliance → Evidence Pack and click Export. You get HTML, JSON, or a ZIP bundle — the same shape every framework, every scan.
Frameworks covered
All three frameworks are activated per tenant. Toggle on what your buyer asks for; the scanner only evaluates against the active set. The detector text is legally reviewed before each framework is marked production-ready.
EU AI Act
Aug 2, 2026 — enforcement
| Article | Control |
| --- | --- |
| Art 12 | Record-keeping — every high-risk AI decision logged |
| Art 14 | Human oversight — reviewer must be in the loop |
| Art 28 | ICT third-party — supplier compliance flow-down |
| Annex III | High-risk system classification (credit scoring, biometric, more) |
DORA
In force since Jan 17, 2025
| Article | Control |
| --- | --- |
| Art 5 | ICT governance — board-level accountability |
| Art 7 | ICT risk management — identification, protection, detection |
| Art 9 | Protection & prevention — data + system controls |
| Art 28 | ICT third-party arrangements — AI vendor obligations flow down |
SOC 2 Type II
Vendor procurement table stakes
| Criterion | Control |
| --- | --- |
| CC2.1 | Communication of information — control objectives, policies, procedures |
| CC6.1 | Logical access — authorized access only |
| CC6.6 | System boundaries — separation of customer environments |
| CC7.2 | Detection of anomalies — monitoring + alerting |
What's in the evidence pack
Six components per export. Same structure every framework, every scan. The package a bank's risk team actually asks for — not a deck.
Executive summary
One-page overview — frameworks scanned, overall verdict, top three gaps. Written for the reviewer, not the engineer.
Control matrix
Every control mapped to every run that exercised it. Verdict per control, evidence per verdict.
Gap report
Every gap ranked by severity — what is missing, why it matters, the fix. Procurement-ready language.
Findings
Each individual finding — timestamp, run ID, framework, control, verdict, AI reasoning. Auditable.
Framework coverage
Verifiable % per framework — how much of the framework your runs actually exercised. Honest about gaps.
SHA-256 manifest
Tamper-evident hash chain over every component. The auditor re-hashes to confirm nothing changed.
Export formats: html · json · zip (all six components + signature).
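The re-hash step a reviewer performs on the SHA-256 manifest, as an added example that is not Dobby's own code: the manifest layout, the component order and the chain rule (h_i = SHA-256(h_{i-1} || digest_i)) are assumptions, since the page does not specify the pack's format. It checks every component's hash, re-walks the chain, and reports every defect rather than stopping at the first.

```python
import hashlib
import json

# Assumed pack layout (not from the page): five content components in a fixed
# order, plus a JSON manifest listing each component's SHA-256 and a chain head
# computed as h_i = SHA-256(h_{i-1} || digest_i) with h_0 = "" (hex strings).
COMPONENT_ORDER = [
    "executive_summary", "control_matrix", "gap_report",
    "findings", "framework_coverage",
]
# Constructed stand-in for a pack's content files (not real Dobby output).
SAMPLE_PACK = {n: f"constructed {n} body".encode() for n in COMPONENT_ORDER}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(components: dict) -> str:
    """Manifest JSON an exporter would ship alongside the components."""
    entries, chain = [], ""
    for name in COMPONENT_ORDER:
        digest = sha256_hex(components[name])
        chain = sha256_hex((chain + digest).encode())
        entries.append({"name": name, "sha256": digest})
    return json.dumps({"components": entries, "chain_head": chain})

def verify_pack(components: dict, manifest_json: str) -> dict:
    """Re-hash every component and re-walk the chain; report every defect."""
    manifest = json.loads(manifest_json)
    listed = {e["name"]: e["sha256"] for e in manifest.get("components", [])}
    problems, chain = [], ""
    for name in COMPONENT_ORDER:
        if name not in listed:
            problems.append(f"{name}: not listed in manifest")
            continue
        if name not in components:
            problems.append(f"{name}: listed but missing from pack")
            continue
        digest = sha256_hex(components[name])
        if digest != listed[name]:
            problems.append(f"{name}: content hash mismatch")
        # Chain over the recomputed digest, so a manifest entry edited to match
        # altered content still fails against the (signed) chain head.
        chain = sha256_hex((chain + digest).encode())
    for extra in sorted(set(components) - set(COMPONENT_ORDER)):
        problems.append(f"{extra}: unexpected component in pack")
    if chain != manifest.get("chain_head"):
        problems.append("chain head mismatch")
    return {"ok": not problems, "problems": problems}
```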
The four-state verdict
Dobby is honest about gaps by design. Every scanned control returns one of four states — never a binary pass/fail.
- compliant: evidence found, control satisfied. Confidence ≥ threshold.
- violated: evidence found, control failed. Surfaced before the reviewer finds it.
- needs-review: ambiguous evidence, flagged for a human reviewer. The platform never guesses on a hard call.
- unverifiable: the telemetry didn't carry the signal needed to evaluate this control. A capability gap, not a failure.
Further reading
- Module landing page — buyer-facing overview with the demo terminal
- SDK reference — Python + Node.js collector APIs
- Platform quickstart — workspace setup, regions, agents
- Module library — other modules of the Data Policy Platform (coming soon)
- EU AI Act (Regulation 2024/1689) — official text
- DORA (Regulation 2022/2554) — official text