The regulation10.ae platform
A turnkey Reg 10 evidence stack — onboarding wizard, risk classification, Article 5 screener, DPIA, transparency notice, audit trail, evidence pack, ASO appointment letter and AI System Register entry. Truth-anchored to the v2.3 build description.
What the platform is
One tenant, every Reg 10 artefact, hash-pinned end to end
regulation10.ae is a multi-tenant SaaS that produces the Regulation 10 evidence canon as a single signed bundle. A new tenant moves from a five-step onboarding wizard to a complete evidence pack — DPIA, transparency notice, ASO appointment letter, audit-trail extract and manifest — in a single session. Re-runs regenerate the pack in under ten minutes.
Every artefact carries a citation block, a SHA-256 content hash and a WORM audit-trail row. Nothing is generated without a pinned reference to a Reg 10, DPL 2020 or EU AI Act clause. The citation-required compliance agent enforces that rule at the engine layer; there is no free-text path that bypasses it.
Shipped state
v2.4 — 24 May 2026
Ten engines live · feat/reg10-ae-mvp
- 23/23vitest suite green
- 91.7%engine coverage
- PASSICP-01/02/03 smoke run
Module by module · v2.4 — 24 May 2026
What ships today
Each card below corresponds to a module engine under packages/module-engines plus the supporting onboarding, register and audit surfaces in apps/web. The list reflects the v2.4 amendment (24 May 2026) — ten engines shipped including Modules 2.1 (Bias), 2.2 (Threat Model), 3.2 (Complaints SLA) and 4.4 (ISO 42001 + NIST AI RMF + OECD cross-walk).
Architecture
How the platform is wired
UAE-North primary, UAE-Central paired. Authenticated app (app.regulation10.ae) runs on Azure Container Apps behind Front Door and a WAF. Cosmos DB holds tenant and audit data; Azure Storage WORM blobs hold evidence packs. Azure OpenAI in UAE North powers the citation-required agent.
| Layer | Components | Region |
|---|---|---|
| Public marketing | regulation10.ae on Vercel dxb1 — static plus ISR, no regulated data. | Dubai (dxb1) |
| Authenticated app | app.regulation10.ae — Azure Container Apps, Next.js 14 App Router, behind Azure Front Door + WAF. | UAE North |
| Data plane | Cosmos DB zone-redundant, Azure Storage WORM blobs for evidence packs, Azure DB for PostgreSQL Flex when richer relational workloads land. | UAE North |
| AI plane | Azure OpenAI in UAE North, fronted by an internal gateway that injects the prompt firewall, PII redactor and citation-required agent. | UAE North |
| Observability | Sentinel, Application Insights, Defender for Cloud. Non-PII telemetry. Cosmos audit + AFD WAF + Entra sign-ins all streamed into the WORM-backed audit trail. | UAE North + UK South |
| Secrets | Azure Key Vault (kv-reg10-uaen). Five staged secrets: runner-token, AOAI endpoint + key, ACS connection string, Stripe secret. MSI-bound roles only. | UAE North |
Compliance frame
One evidence stack, six regulatory frames
We design the Reg 10 artefacts so they remain useful work product under EU AI Act, OECD, ISO 42001 and NIST AI RMF mappings. The authority block on every artefact names the cross-jurisdiction overlay so your group counsel does not need to rewrite it.
DIFC Regulation 10 (DPL 2020)
The primary obligation surface. Every shipped module is mapped to a specific clause — risk classification to 10.2.2, DPIA to 10.2.2(d), audit trail to 10.2.2(b), evidence pack to 10.2.2(c), ASO appointment to 10.3.3(d).
DIFC Data Protection Law 2020
Transparency notices satisfy Articles 13–14. ASO appointment letter is mapped to Articles 17–18. The DPIA workflow is anchored to Article 20 and DPL Article 9 sensitive-data treatment.
EU AI Act
Module 1.1 risk classification carries Annex III HRP categories. Module 1.1b screens Article 5 prohibited use cases. The DPIA authority block names Article 27 fundamental-rights impact assessment as the cross-jurisdiction overlay.
OECD AI Principles
The DPIA authority block declares OECD AI Principles as an assessment-model lens. Risk taxonomy rows cite Principle 1.2 (inclusivity) on bias risks; HITL section ties to Principle 1.4 (human-centred values).
ISO/IEC 42001 AIMS
Evidence-pack manifest plus audit-trail WORM blobs are sized to feed a Stage-1 readiness audit. DPIA §5 FRIA overlay aligns with ISO 42001 §6.1.4 risk and impact assessment.
NIST AI RMF
Govern, Map, Measure, Manage functions surface in the module set: Map (1.1, 1.1b), Measure (3.3 audit trail), Manage (4.1 evidence pack + 1.2 DPIA mitigations), Govern (ASO appointment letter + register).
Data residency
UAE North primary. UAE Central paired.
Every regulated artefact — DPIA, transparency notice, audit trail, evidence-pack manifest — is written into Cosmos DB or Azure Storage in UAE North. The Cosmos write region is pinned at the schema level. Azure OpenAI is provisioned in UAE North; cross-region inference falls back only under documented Key Vault override and is captured as a structured audit event.
The Sentinel observability layer sits in UK South per the 9 May decision lock and handles non-PII telemetry only. Regulated payloads never leave UAE North. Secrets sit in kv-reg10-uaen and are rotated on a ≤ 90-day cadence; no static service-principal credentials exist anywhere in the deploy chain.
Primary region
UAE North
Paired region
UAE Central
Secrets
Key Vault, MSI-bound roles
Cross-cutting controls
Guardrails the auditor sees first
Bearer-auth runner
/api/runner/* routes authenticate via a Key-Vault-staged reg10-runner-token. Anonymous module invocation is impossible.
Citation-required agent
The compliance agent rejects any model output without a pinned citation to a Reg 10, DPL or EU AI Act clause. Banned-token list blocks unsafe phrasing.
Hash-pinned manifest
Every evidence pack ships with a Manifest.json listing SHA-256 hashes of each artefact. Tamper detection is a single diff away.
Walk the platform
See the modules end to end on your own system facts.
A 45-minute platform walkthrough runs your system through onboarding, classification, Article 5 screening, DPIA generation and evidence-pack export — on synthetic fixtures or your own data, your call.