# Compliance Support
SIX does not provide compliance certification. SIX provides cryptographic evidence that supports your compliance and audit workflows. Customers determine sufficiency for their jurisdiction.
This section maps SIX capabilities to specific regulatory requirements across HIPAA, SOX, GDPR, and other frameworks.
> **Self-Attested Alignment**
>
> Compliance badges and framework mappings on six-sov.com represent architectural alignment with regulatory requirements, not formal certification. SIX provides cryptographic primitives and verifiable audit trails that support compliance -- your compliance officer, legal counsel, or auditor makes the final determination.
## Supported Frameworks
| Framework | Jurisdiction | Primary Concern | SIX Guide |
|---|---|---|---|
| HIPAA | United States | Healthcare data privacy and security | HIPAA Guide |
| SOX | United States | Financial reporting integrity and audit controls | SOX Guide |
| GDPR | European Union | Data protection and processing sovereignty | GDPR Guide |
| FedRAMP | United States | Federal cloud security | Coming soon |
| FRCP | United States | Federal e-discovery rules | Coming soon |
| SOC 2 | International | Service organization controls | Coming soon |
## How SIX Supports Compliance
SIX does not replace your compliance program. It provides cryptographic tools that make compliance demonstrable rather than promissory.
### The Problem
When you use AI in a regulated environment, auditors and regulators ask:
- Did this AI output come from the claimed model? (Execution integrity)
- Was the data processed in the required jurisdiction? (Data sovereignty)
- Can you prove the output wasn't modified? (Tamper evidence)
- Do you have an audit trail? (Audit controls)
- Can a third party verify your claims? (Independent verification)
Traditional AI providers answer these questions with contractual assurances. SIX answers them with mathematical proof.
### What SIX Provides
| Capability | Compliance Value | How It Works |
|---|---|---|
| Signed receipts | Verifiable audit trail | Every inference returns a cryptographically signed receipt |
| Tamper-evident commitments | Data integrity proof | Modify any field and the proof breaks |
| Routing attestation | Data sovereignty proof | Cryptographic confirmation of where data was processed |
| Independent verification | Third-party auditability | Anyone can verify a receipt without trusting SIX |
| Settlement anchoring | Immutable record | Execution records anchored to an independent ledger |
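To make the "modify any field and the proof breaks" row concrete, here is an added offline illustration of a tamper-evident commitment over a receipt. It is not SIX code: the receipt field names and the commitment rule (SHA-256 over canonical JSON of every field except `commitment`) are assumptions for the demo, not the SIX wire format.

```python
import hashlib
import hmac
import json

# Constructed sample receipt. Field names are assumed for this demo.
SAMPLE_RECEIPT = {
    "receipt_id": "rcpt_demo_0001",
    "model": "default",
    "privacy_tier": "sovereign",
    "routing": {"region": "eu-central", "node": "node-demo-7"},
    "output_hash": "sha256:" + hashlib.sha256(b"demo output").hexdigest(),
    "issued_at": "2024-01-01T00:00:00Z",
}


def canonical_bytes(fields: dict) -> bytes:
    # Canonicalisation matters: sorted keys, no whitespace, UTF-8.
    # Two verifiers that serialise differently will disagree on the hash.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def commit(fields: dict) -> str:
    # Assumed commitment rule: SHA-256 over the canonical receipt body.
    return hashlib.sha256(canonical_bytes(fields)).hexdigest()


def issue(fields: dict) -> dict:
    # Issuer side: attach the commitment to the receipt body.
    receipt = dict(fields)
    receipt["commitment"] = commit(fields)
    return receipt


def verify_commitment(receipt: dict) -> bool:
    # Verifier side: recompute from the body and compare in constant time.
    body = {k: v for k, v in receipt.items() if k != "commitment"}
    return hmac.compare_digest(commit(body), receipt.get("commitment", ""))


def tamper(receipt: dict, field: str, value) -> dict:
    # Demo helper: deep-copy the receipt with one field altered.
    altered = json.loads(json.dumps(receipt))
    altered[field] = value
    return altered


if __name__ == "__main__":
    signed = issue(SAMPLE_RECEIPT)
    print("intact :", verify_commitment(signed))
    print("altered:", verify_commitment(
        tamper(signed, "routing", {"region": "us-east", "node": "x"})))
```

A real receipt additionally carries a signature over the commitment so that third parties can check it without trusting the issuer; the commitment check shown here is the integrity half of that verification.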
## Compliance Integration Pattern
Regardless of framework, the integration pattern is the same:
1. CONFIGURE: Set privacy tier for your regulatory requirement
2. EXECUTE: Make inference through SIX
3. RECEIVE: Get signed receipt with every response
4. STORE: Save receipt in your audit system
5. VERIFY: Independently verify receipt (now and periodically)
6. REPORT: Present receipts and verification results to auditors
### Example: Audit-Ready Inference
```python
import json
import os
from datetime import datetime, timezone

import requests

# Endpoint, API key and prompt are deployment-specific. Read the secret from
# the environment rather than hard-coding it in source.
SIX_ENDPOINT = os.environ["SIX_ENDPOINT"]
SIX_API_KEY = os.environ["SIX_API_KEY"]
prompt = "Summarise the attached discharge note."  # constructed sample prompt


def save_to_audit_system(record: dict) -> None:
    # Placeholder for your audit sink (SIEM, WORM store, ticketing system).
    print(json.dumps(record, indent=2))


# 1. Configure for sovereign routing (regulated data)
response = requests.post(
    f"{SIX_ENDPOINT}/v1/chat/completions",
    headers={"Authorization": f"Bearer {SIX_API_KEY}"},
    json={
        "model": "default",
        "messages": [{"role": "user", "content": prompt}],
        "privacy_tier": "sovereign",
    },
    timeout=30,
)
response.raise_for_status()
data = response.json()
receipt = data["receipt"]

# 2. Store in your audit system
audit_record = {
    "timestamp": datetime.now(timezone.utc).isoformat(),
    "action": "ai_inference",
    "receipt_id": receipt["receipt_id"],
    "routing": receipt["routing"],
    "verified_at_issuance": receipt["verified"],
    "privacy_tier": "sovereign",
    "framework": "hipaa",  # or sox, gdpr, etc.
}

# 3. Verify independently
verify_resp = requests.get(
    f"{SIX_ENDPOINT}/v1/verify/{receipt['receipt_id']}",
    headers={"Authorization": f"Bearer {SIX_API_KEY}"},
    timeout=30,
)
verify_resp.raise_for_status()
audit_record["independent_verification"] = verify_resp.json()["status"]

# 4. Save to your audit log
save_to_audit_system(audit_record)
```
## Framework Mapping Summary
| Requirement | HIPAA | SOX | GDPR | SIX Capability |
|---|---|---|---|---|
| Audit trail | 164.312(b) | Sec. 802 | Art. 30 | Signed receipts + verification |
| Access control | 164.312(a) | Sec. 302 | Art. 25 | Cryptographic authentication |
| Data integrity | 164.312(c) | Sec. 404 | Art. 5(1)(f) | Tamper-evident commitments |
| Data sovereignty | 164.308 | -- | Art. 44-49 | Privacy tiers + routing attestation |
| Non-repudiation | 164.312(c) | Sec. 302 | -- | Digital signatures |
| Third-party audit | 164.308(a)(8) | Sec. 404 | Art. 28 | Independent verification |
## Next Steps
- HIPAA Compliance -- Healthcare regulatory mapping
- SOX Compliance -- Financial audit trail mapping
- GDPR Compliance -- Data sovereignty and processing verification
- Verification Overview -- How to verify independently