Module #1 · Live · part of the Dobby platform

Pass bank procurement with the evidence reviewers ask for.

Fintech AI Evidence scans every run of your AI workloads against EU AI Act, DORA, and SOC 2 Type II; surfaces gaps before the reviewer does; and exports the audit-ready package a bank's risk team signs off on. Out-of-band, non-custodial.

EU AI Act Annex III enforcement begins August 2, 2026. DORA has been in force since January 17, 2025. Vendor procurement reviews ask for both — today.

Active frameworks

EU AI Act: Art 12 · 14 · 28 · Annex III (Aug 2, 2026)
DORA: Art 5 · 7 · 9 · 28 ICT third-party (In force)
SOC 2 Type II: CC2.1 · CC6.1 · CC6.6 · CC7.2 (Procurement)

3 frameworks · 1 evidence pack · 0 log custody

§01 Who it's for

Two sides of the same vendor review.

AI vendors selling into banks. Risk teams reviewing AI vendors. Either side, the question is the same: where is the evidence?

Seller side

AI vendors selling into banks and fintechs

Procurement asks: where is the EU AI Act evidence? The DORA ICT-third-party register? The SOC 2 controls mapping? Today your engineering team scrambles a deck. Dobby gives you the actual artifact — same shape, every framework, every reviewer.

Reviewer side

Risk teams reviewing AI vendors

Twenty AI vendors are in your pipeline. Each one shows up with a different deck, a different controls map, a different story. Dobby gives every vendor the same shape — control matrix, gap report, manifest — so you compare apples to apples.

Either way, the artifact is the same.

§02 Framework coverage

Three frameworks, one evidence pack.

The same scan exports the same shape for all three. Frameworks activate per tenant; controls fail or pass per run.

EU AI Act

Annex III — High-risk AI

Art 12 record-keeping. Art 14 human oversight. Art 28 ICT third-party. Enforcement begins August 2, 2026 for high-risk AI systems — credit scoring, underwriting, biometric.
~12 controls

DORA

Digital Operational Resilience

Art 5 governance · Art 7 ICT risk · Art 9 protection · Art 28 third-party. In force since January 17, 2025. Every fintech's AI-vendor procurement now flows down DORA obligations.
~10 controls

SOC 2 Type II

Vendor procurement table stakes

CC2.1 communication · CC6.1 logical access · CC6.6 system boundaries · CC7.2 detection. The first artifact a bank's procurement table asks for.
10 controls

All three are activated per tenant — switch on what you need, scan against only the active set.

§03 How it works

Four steps, non-custodial throughout.

Your runs stay in your environment. Dobby reads telemetry, scans against active frameworks, and exports evidence. We never sit in the request path, never take custody of your logs.

Step 01

Connect

`pip install dobby-collector`

Stream run telemetry from CrewAI, LangChain, OpenAI, Google ADK, AWS Bedrock, or a custom SDK.

Step 02

Activate frameworks

Toggle EU AI Act, DORA, SOC 2 per tenant. Each framework is a control set — Dobby scans only against the active ones.
Step 03

Scan + find gaps

Every run checked by deterministic rules + AI evaluation, across the 4-layer policy hierarchy. Four-state verdict: compliant · violated · needs-review · unverifiable.
Step 04

Export evidence

One command — `dobby export` or the UI — produces the package procurement asks for: HTML or ZIP, with SHA-256 manifest for tamper-evident integrity.
§04 Evidence pack contents

The exact shape a reviewer signs off on.

Six components per export. Same structure, every framework, every scan. The package a bank's risk team actually asks for — not a deck.

§01

Executive summary

One-page overview — frameworks scanned, overall verdict, top three gaps. Written for the reviewer, not the engineer.

§02

Control matrix

Every control mapped to every run that exercised it. Verdict per control, evidence per verdict.

§03

Gap report

Every gap ranked by severity — what is missing, why it matters, the fix. Procurement-ready language.

§04

Findings

Each individual finding — timestamp, run ID, framework, control, verdict, AI reasoning. Auditable.

§05

Framework coverage

Verifiable % per framework — how much of the framework your runs actually exercised. Honest about gaps.

§06

SHA-256 manifest

Tamper-evident hash chain over every component. The auditor re-hashes to confirm nothing changed.

Export format: HTML · JSON · ZIP (all six components + signature).

Pass your next bank procurement review.

Start with Fintech AI Evidence. Connect a workload, activate the frameworks, export the evidence pack. The same shape every reviewer asks for — out-of-band, non-custodial, audit-ready.


Free to try · No credit card · Out-of-band · Non-custodial
