Regulatory mapping

Vouch Protocol™ against the frameworks your compliance team asks about

For each major regulation, we publish a clause-by-clause mapping showing which requirements Vouch's mechanisms satisfy and which it explicitly does not address. These are informative, not normative; legal compliance depends on the full deployment.

GDPR

EU · minimum recommended: L2


EU General Data Protection Regulation (Regulation 2016/679). Vouch directly supports integrity, accountability, and data-protection-by-design requirements.

Vouch helps

  • Art. 5(1)(f) Integrity and confidentiality
  • Art. 5(2) Accountability
  • Art. 25 Data protection by design and default
  • Art. 32 Security of processing
  • Art. 33 Breach notification (earlier signals via canary chain)

Out of scope

  • Data subject rights (Art. 12-22)
  • Lawful basis of processing (Art. 6)
  • Cross-border transfer mechanisms

EU AI Act

EU · minimum recommended: L3


Regulation (EU) 2024/1689. Vouch supports record-keeping, transparency, human-oversight, and cybersecurity requirements for high-risk AI systems.

Vouch helps

  • Art. 12 Automatic logging for high-risk AI systems
  • Art. 13 Transparency to deployers
  • Art. 14 Human oversight (trusted-principal anchoring)
  • Art. 15 Accuracy, robustness, cybersecurity
  • Art. 50 Transparency about AI-generated actions

Out of scope

  • Risk classification (Annex III)
  • Bias and fairness assessment
  • Conformity assessment (Art. 43)

NIST SP 800-63

US (federal) · minimum recommended: L2


Digital Identity Guidelines. Vouch addresses AAL (Authenticator Assurance Level) and FAL (Federation Assurance Level) for autonomous agents; IAL (Identity Assurance Level) is upstream of the protocol.

Vouch helps

  • AAL2 multi-factor authentication
  • AAL3 hardware-isolated authenticators (Sidecar + HSM)
  • FAL2 / FAL3 assertion protection
  • Phishing-resistant authentication (with hardware keys)
  • Reauthentication via Heartbeat + Trust Entropy

Out of scope

  • IAL (identity proofing) at any level; identity proofing happens upstream of the protocol

HIPAA

US (healthcare) · minimum recommended: L3


US Health Insurance Portability and Accountability Act. Vouch supports the Security Rule's access-control, audit, and integrity requirements for AI agents touching PHI.

Vouch helps

  • §164.312(a) Unique user identification (DIDs)
  • §164.312(b) Audit controls (per-action signed credentials)
  • §164.312(c) Integrity controls (Data Integrity proofs)
  • §164.308(a)(4) Access establishment and modification (Sidecar allow-list)
  • §164.502(b) Minimum-necessary rule (delegation narrowing)

Out of scope

  • Privacy Rule substantive provisions
  • Breach notification workflow itself
  • PHI encryption at rest (Vouch is identity, not encryption)

Mappings in preparation

We are extending the mapping to these frameworks. If you need one prioritised, email ask@vouch-protocol.com.

  • SOC 2 · US (audit standard)
  • ISO/IEC 27001 · International
  • DPDPA · India