# Dobby AI > The Data Policy Platform for AI — one control plane, multiple compliance modules. Today's flagship: Fintech AI Evidence. Dobby is a Data Policy Platform for AI. Organizations have always governed data through policy — written rules, approval chains, audit trails a regulator could read. AI breaks that: every model, agent, and pipeline now makes data-policy decisions humans can no longer trace or prove. Dobby connects to your AI activity out-of-band, scans every run against the compliance frameworks that apply, surfaces gaps with an honest four-state verdict, and exports an audit-ready evidence pack per framework. It is not a gateway, and it is out-of-band: Dobby never sits in the request path. Non-custodial by design — raw prompt/response payloads can be routed to a customer-owned dataset, enforced for regulated modules (Fintech AI Evidence) and available opt-in elsewhere. ## How it works 1. **Connect, out-of-band** — Dobby reads run telemetry from your AI workflows (CrewAI, LangChain, OpenAI, Google ADK, or a custom SDK). It never sits in the request path (always out-of-band). Non-custodial by design: raw payloads can be routed to a customer-owned dataset — enforced for regulated modules, available opt-in elsewhere. 2. **Activate modules per tenant** — each tenant picks which compliance frameworks to enforce from Dobby's module library. 3. **Scan across four layers** — every run is evaluated by deterministic rules plus AI evaluation, against the activated frameworks and your own policies, across a Platform → Org → Tenant → Process hierarchy (stricter-wins). 4. **Four-state verdict** — compliant, violated, needs-review, or unverifiable. Dobby never reports false compliance: when the evidence is not sufficient to prove a control, it says so. 5. **Export the evidence pack** — a self-contained, audit-ready package per framework: executive summary, control matrix, a severity-ranked gap report with remediation, findings, framework coverage, and a tamper-evident SHA-256 manifest. ## Module library - **Fintech AI Evidence** (Live) — EU AI Act (Art 12 record-keeping, Art 14 human oversight), DORA, SOC 2. For AI vendors passing bank procurement / vendor-risk reviews, and the fintech risk teams reviewing them. - **Enterprise Data Policy** (in development) — ISO 27001, NIST CSF, org-wide GDPR. - **Healthcare AI Compliance** (in development) — HIPAA, HITRUST, MDR for clinical AI. - **Public Sector AI Trust** (in development) — NIST AI RMF, FedRAMP. ## Who it's for AI vendors selling into banks and fintechs who must pass a procurement or vendor-risk review now — and the risk teams on the other side of that review. ## What makes Dobby different - **Out-of-band and non-custodial by design** — connects without sitting inline; raw payloads can be routed to a customer-owned dataset, enforced for regulated modules (Fintech AI Evidence) and available opt-in elsewhere. Dobby always holds the findings and signed evidence pack. - **The honest four-state verdict** — the "unverifiable" state means Dobby knows when it cannot prove a control, instead of reporting a false pass. - **The evidence pack is the deliverable** — a procurement-ready artifact, not just a dashboard the buyer must log into. ## Connect your agents - Python: `pip install dobby-collector` - Node.js / TypeScript: `npm install @dobbyai/collector` - Works with LangChain, CrewAI, AutoGen, OpenAI SDK, Google ADK, Vercel AI SDK, or manual instrumentation — any framework. ## Inline Control Points (developer SDK) Beyond out-of-band telemetry, Dobby's Python SDK exposes an inline **control point**: ask Dobby for a policy verdict *before* an agent runs a risky action, let your own code enforce the decision, and report back what it did. This is the classic PDP/PEP split (Dobby decides, your code enforces) — not a gateway, and the same family as OPA / Cerbos / Cedar (ask-the-PDP-in-code). The honored-vs-overridden report becomes an auditable **adherence** signal (continuous control attestation) a gateway cannot produce. Install: `pip install "dobby-ai-sdk>=0.3.0"`. Canonical idiom: from dobby_sdk import DobbyClient, DobbyPolicyDenied client = DobbyClient(api_key="sk_live_...", org_id="org_...", tenant_id="tenant_...") try: client.controls.enforce("send_external_email", arguments={"to": addr}) send_external_email(addr) # runs only if the policy allowed it except DobbyPolicyDenied as denied: client.controls.report(denied.verdict.decision_id, honored=True, action_taken="stopped") Use check() instead of enforce() to branch yourself (returns a Verdict, never raises). Always report() what your code did — honored=True (stopped) or honored=False (overridden); the honored/(honored+overridden) ratio is the adherence rate. Docs: https://dobby-ai.com/docs/sdk/python#control-points ## Pricing Free $0/mo · Pro $99/mo · Team $499/mo · Enterprise from $2,500/mo. See https://dobby-ai.com/pricing ## Company Dobby AI, Inc. — a Delaware C-Corp, built in Israel with offices in Tel Aviv and Northern Israel. Regional data residency in Israel, the EU, and the US. ## Links - Website: https://dobby-ai.com - About: https://dobby-ai.com/about - Pricing: https://dobby-ai.com/pricing - Documentation: https://dobby-ai.com/docs - Blog: https://dobby-ai.com/blog - Contact: https://dobby-ai.com/contact - Full LLM context: https://dobby-ai.com/llms-full.txt