Compliance

AI Act-ready from day one.

GDPR, EU AI Act, NIS2 and ISO 27001 — documented automatically. Every AI call logged, classified and provable. When the regulator calls, you have the answer in minutes, not weeks.


Exposure calculator

What does one uncontrolled AI prompt cost?

GDPR Art. 83(5) and EU AI Act Art. 99 set the ceiling. Enter your annual revenue — see the concrete number a regulator could theoretically impose.


For public-sector organizations: use your operating budget.

Maximum regulatory exposure

GDPR fine: DKK 80,000,000
Regulation (EU) 2016/679 · Art. 83(5)
Up to 4% of global annual turnover (proportionality principle).

AI Act fine: DKK 60,000,000
Regulation (EU) 2024/1689 · Art. 99(3)
Up to 3% of global annual turnover (proportionality principle).

Combined worst case: DKK 140,000,000
GDPR + AI Act penalties can be imposed in parallel for the same incident.

Calculation: percentage of annual turnover. Conversion: €1 = DKK 7.46 (ECB average).

Proportional exposure based on annual turnover. The regulations also define absolute ceilings (€20M GDPR / €15M AI Act) that apply to large-scale violations. Actual fines are determined case-by-case by national data-protection and AI Act authorities. Not legal advice.


Operational reality check

What do you actually have — when the regulator calls?

GDPR gives you 72 hours. The AI Act requires evidence on demand. Here's what you must document — and what CareProxy delivers automatically.

DPIA — Data Protection Impact Assessment
GDPR Art. 35
✕ Without CareProxy

Manual assessment for every AI tool employees use. Rarely updated. Documentation scattered across Word files.

✓ With CareProxy

Auto-generated from the policy engine + actual AI traffic logged per triage decision.

ROPA — Record of Processing Activities
GDPR Art. 30
✕ Without CareProxy

Must list every AI-related processing activity, legal basis, and recipients. Problem: you don't know precisely what employees send where.

✓ With CareProxy

Every AI call is classified, routed, and logged. ROPA can be exported directly from the audit system.

Transfer Impact Assessment (Schrems II)
GDPR Art. 44–49
✕ Without CareProxy

Required for any data transfer outside EU/EEA. Public cloud AI = US transfer. No log = documentation gap.

✓ With CareProxy

High-risk data stays on EU soil. For low-risk: hash-chained evidence of exactly what was sent.

AI Act Conformity Assessment
AI Act Art. 43
✕ Without CareProxy

High-risk AI systems require formal conformity assessment before use. Employees use tools you have never assessed.

✓ With CareProxy

Policy engine enforces that unassessed AI tools are blocked. Audit trail shows what is actually in production.

Data Processing Agreement (DPA)
GDPR Art. 28
✕ Without CareProxy

Requires a contract with every AI provider. Employees bypass procurement = shadow IT. Legal exposure.

✓ With CareProxy

Only approved AI destinations receive traffic. Everything else is fail-closed. No shadow IT.

Subject Access / breach notification
GDPR Art. 15 · Art. 33 (72 hours)
✕ Without CareProxy

Data subject requests insight into AI processing of their data. Without a central log, response time breaks the 72-hour rule.

✓ With CareProxy

Query session-ID → get a SHA-256-verified list of routing decisions, trigger rules, destinations. Minutes, not days.

Basis: GDPR Regulation (EU) 2016/679 · AI Act Regulation (EU) 2024/1689 · Danish DPA guidance 2024–2025.


Evidence in an incident

What you can actually document — when authorities call

The audit chain, the one-click export, and the external timestamp anchor together cover three regulatory frames. Technical depth lives on the architecture page — here is the essence.

01 · What you can prove

For every clinical request: which user, which department, which model, what went in, what came back, which rules triggered a block. Hashed, signed, tamper-evident. The chain survives restart — verifiable from the database alone.

02 · How you prove it

One-click export from the CISO dashboard produces a self-contained JSON file with the chain, public key, and verification instructions. The receiver runs openssl ts -verify plus sha256sum. If anything has been touched, verification fails — proof in itself.

03 · What it covers

ISO 27001 A.12.4 (logging and monitoring), GDPR Art. 32 (security of processing), NIS2 Art. 21(2)(c) (incident handling). The concrete requirements are listed below.
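To make the three steps above concrete, here is an added illustration of how a hash-chained, Ed25519-signed audit export can be verified from the file alone. It is example code written for this page, not CareProxy's own implementation: the entry fields, the JSON layout, the sample session IDs and user names are all constructed, and the external RFC 3161 timestamp anchor (the openssl ts -verify step) is left out so the example runs with the Go standard library only. Each entry's hash covers its content and the previous entry's hash, and the signature covers that hash, so editing, inserting or deleting an entry breaks verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// AuditEntry is one logged routing decision (field names are assumptions, not CareProxy's schema).
type AuditEntry struct {
	Seq       int    `json:"seq"`
	SessionID string `json:"session_id"`
	User      string `json:"user"`
	Model     string `json:"model"`
	Decision  string `json:"decision"`  // "allow" or "block"
	Rule      string `json:"rule"`      // policy rule that fired
	PrevHash  string `json:"prev_hash"` // hex SHA-256 of the previous entry
	Hash      string `json:"hash"`      // hex SHA-256 over the fields above
	Signature string `json:"signature"` // hex Ed25519 signature over Hash
}

// Export is the evidence file: chain plus public key (RFC 3161 anchor not shown).
type Export struct {
	PublicKey string       `json:"public_key"`
	Chain     []AuditEntry `json:"chain"`
}

var genesisHash = hex.EncodeToString(make([]byte, 32)) // anchor for entry 0

// entryDigest hashes the canonical JSON of an entry with Hash and Signature blanked,
// so the digest commits to the content and to prev_hash.
func entryDigest(e AuditEntry) string {
	e.Hash, e.Signature = "", ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// appendEntry links e to the last entry, hashes it and signs the hash.
func appendEntry(priv ed25519.PrivateKey, chain []AuditEntry, e AuditEntry) []AuditEntry {
	e.Seq, e.PrevHash = len(chain), genesisHash
	if n := len(chain); n > 0 {
		e.PrevHash = chain[n-1].Hash
	}
	e.Hash = entryDigest(e)
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, []byte(e.Hash)))
	return append(chain, e)
}

// Verify needs only the export file: it re-derives every hash and checks every link and signature.
func Verify(exported []byte) error {
	var ex Export
	if err := json.Unmarshal(exported, &ex); err != nil {
		return err
	}
	pubBytes, err := hex.DecodeString(ex.PublicKey)
	if err != nil || len(pubBytes) != ed25519.PublicKeySize {
		return fmt.Errorf("export: malformed public key")
	}
	pub, prev := ed25519.PublicKey(pubBytes), genesisHash
	for i, e := range ex.Chain {
		if e.Seq != i || e.PrevHash != prev {
			return fmt.Errorf("entry %d: chain link broken", i)
		}
		if entryDigest(e) != e.Hash {
			return fmt.Errorf("entry %d: content does not match stored hash", i)
		}
		sig, err := hex.DecodeString(e.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(e.Hash), sig) {
			return fmt.Errorf("entry %d: signature invalid", i)
		}
		prev = e.Hash
	}
	return nil
}

// Demo builds a constructed three-entry chain and verifies the clean export, a copy with one
// decision rewritten, and a copy with one entry deleted.
func Demo() (cleanErr, modifiedErr, deletedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	chain := appendEntry(priv, nil, AuditEntry{SessionID: "sess-0001", User: "dr.hansen", Model: "eu-hosted-llm", Decision: "allow", Rule: "low-risk-summary"})
	chain = appendEntry(priv, chain, AuditEntry{SessionID: "sess-0001", User: "dr.hansen", Model: "public-cloud-llm", Decision: "block", Rule: "cpr-number-detected"})
	chain = appendEntry(priv, chain, AuditEntry{SessionID: "sess-0002", User: "nurse.jensen", Model: "eu-hosted-llm", Decision: "allow", Rule: "default"})
	clean, _ := json.MarshalIndent(Export{PublicKey: hex.EncodeToString(pub), Chain: chain}, "", "  ")
	var mod, del Export // two independent copies of the export to tamper with
	_ = json.Unmarshal(clean, &mod)
	_ = json.Unmarshal(clean, &del)
	mod.Chain[1].Decision = "allow"                     // rewrite the blocked decision
	del.Chain = append(del.Chain[:1], del.Chain[2:]...) // drop the blocked entry
	modified, _ := json.Marshal(mod)
	deleted, _ := json.Marshal(del)
	return Verify(clean), Verify(modified), Verify(deleted)
}

func main() {
	a, b, c := Demo()
	fmt.Println("clean:", a, "| modified:", b, "| deleted:", c)
}
```

The receiver of such a file needs nothing from the producer except the export itself: the public key travels inside it, and the private key never leaves the signing host. Binding each signature to a hash that already includes prev_hash is what makes a deleted or reordered entry detectable, not just a modified one; the external timestamp the page describes adds the one thing this cannot show, namely that the chain existed in this form at a point in time independent of the signing key.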

The concrete frames

ISO 27001
A.12.4 · Logging and monitoring

Requires retained, protected, and tamper-evident event logs. Our hash chain + Ed25519 signature + Postgres persistence covers A.12.4.1 through A.12.4.4 in a single mechanism.

GDPR
Art. 32 · Security of processing

The duty to ensure "ongoing confidentiality, integrity, availability, and resilience" of processing systems. The external RFC 3161 timestamp anchor documents integrity independently of your own signing key.

NIS2
Art. 21(2)(c) · Incident handling

The one-click export gives compliance leads something concrete to hand over to authorities — not a CSV dump without integrity proof.


Trust & Compliance

Built for the strictest requirements in European healthcare.

GDPR Ready

Full compliance with the data protection regulation. Data never leaves the network.

EU AI Act

Compliant with the European AI Regulation. Supports risk management and data governance per AI Act Art. 10 & 28.

ISO 27001

Information security to international standards.


Ready to take control of your AI infrastructure?

CareProxy is under active development. Join the waitlist to be notified as soon as pilot installations open.

Or reach out directly: kontakt@careproxy.dk

Join the waitlist

Be among the first hospitals to get access to CareProxy's zero-trust AI routing. We'll reach out as soon as pilot installations open.