Compliance

Built for the rules that govern AI that observes people.

Nebbos is designed for the high-risk bar from day one — not retrofitted to it. The oversight a regulator asks for is a property of how the platform works, and documentation is available for active evaluations.


The premise

Compliance you can demonstrate, not just assert.

The things a regulator looks for in a high-risk AI system — human oversight, traceable decisions, data minimisation, the ability to explain why something happened — are exactly the properties Nebbos is built around. Because the audit trail and the approval gate are part of the architecture, the evidence already exists; you’re not reconstructing it after the fact.

Frameworks

Where Nebbos meets the bar.

EU AI Act

High-risk ready by architecture

A system that observes how people work falls under the high-risk requirements. The human approval gate, sourced decisions, full audit trail and bounded autonomy answer those requirements in the build — not in a policy bolted on afterwards.

GDPR

Data minimisation in the design

Nebbos stores structured operational signal — patterns, thresholds, relationships, timing — not the raw contents of messages or documents, and scopes access by role at the database. Processing terms and the DPA are available on request.

Sector rules

Built for regulated work

For education, FERPA is handled as an aggregate, structural posture — never per-student records. For other regulated settings, the same minimisation and oversight model applies. Sector specifics are confirmed with counsel before we publish a named claim.

Control frameworks

The controls we build to, stated honestly.

Nebbos is engineered to the controls behind SOC 2 and ISO 27001. Those controls shape how the platform is built; they are not certifications we currently hold. We don’t present a certification we haven’t earned. For an active evaluation, the security package and supporting documentation are available under NDA.

EU AI Act · high-risk ready · GDPR-aligned · Built to the SOC 2 control framework · Aligned with ISO 27001

The frameworks above describe the controls Nebbos is built to — not a formal certification we currently hold.

Running an evaluation? Request the documentation pack.
