Oversight & compliance

Oversight isn't a setting. It's the architecture.

A system that observes how people work is high-risk under the EU AI Act. Most vendors answer that with a policy document. Nebbos answers with how it's built — and you can read the guarantees below.

EU AI Act · high-risk ready | GDPR-aligned | Built to the SOC 2 control framework | Aligned with ISO 27001

We build to the SOC 2 and ISO 27001 control frameworks. These describe how the platform is engineered — not a formal certification we currently hold.

The guarantees

Four things that are true by construction.

A human on every consequential move.

Changes to how work runs route through an approval gate. There is no path that lets the system make a consequential change without human sign-off.

Every decision is sourced.

What was decided, by whom, on what evidence, and why — all recorded and queryable, all the time.

Bounded, reversible autonomy.

Pearl only acts within limits it has demonstrably earned, and any action it takes can be undone.

Your data, your tenant.

Tenant isolation is enforced row by row at the database, not promised in a contract clause.

Defence in depth

The approval gate is enforced in five places.

Oversight that lives in one layer can be bypassed in another. Nebbos enforces the human checkpoint at every level of the stack, so a change to how work runs can’t slip through.

Layer 1

Interface

Changes are submitted to an approval flow, not pushed straight through.

Layer 2

API

Workflow changes require a valid approval token, or they're refused.

Layer 3

Agent policy

The agent pauses on consequential tools and cannot proceed without a human resume.

Layer 4

Tool permissions

Tools check the approval context before any logic runs.

Layer 5

Database

Unauthorised writes to workflow tables are caught — with alert and rollback.

Break-glass

Emergency override

Requires two senior approvers, a priority alert, and an automatic post-incident review.
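What the layered gate looks like in code, as an added illustration that is not Nebbos's own implementation: every name here (issue_approval, guard_workflow_update, approved_writes, the demo signing key, the SQLite stand-in for the real database) is an assumption. It covers layers 2, 4 and 5: the API refuses a workflow change unless it carries a valid approval token bound to that exact change, the tool checks its approval context before any logic runs, and a database trigger aborts any write to the workflow table that reaches it without a matching approval row. The interface flow (layer 1) and the agent's pause-and-resume (layer 3) live in the UI and the agent runtime and are not shown.

```python
import hashlib, hmac, json, secrets, sqlite3, time

APPROVAL_KEY = b"demo-only-approval-signing-key"  # constructed; keep a real key in a KMS/HSM
ALERTS = []          # stands in for the alerting pipeline
USED_TOKENS = set()  # consumed token ids: an approval is single use


def change_digest(workflow_id, definition):
    # Bind the approval to one exact change, not merely to a workflow id.
    return hashlib.sha256(f"{workflow_id}\n{definition}".encode()).hexdigest()


def issue_approval(workflow_id, definition, approver, ttl=900, now=None):
    # Human sign-off yields an HMAC-signed, expiring, single-use token for this change.
    now = int(time.time()) if now is None else now
    claims = {"wf": workflow_id, "digest": change_digest(workflow_id, definition),
              "by": approver, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + hmac.new(APPROVAL_KEY, body, hashlib.sha256).hexdigest()


def verify_approval(token, workflow_id, definition, now=None):
    # Layer 2 (API): refuse unless authentic, unexpired, unused and covering this change.
    now = int(time.time()) if now is None else now
    try:
        body_hex, tag = token.split(".")
        body = bytes.fromhex(body_hex)
    except ValueError:
        raise PermissionError("malformed approval token")
    if not hmac.compare_digest(tag, hmac.new(APPROVAL_KEY, body, hashlib.sha256).hexdigest()):
        raise PermissionError("bad approval signature")
    claims = json.loads(body)
    if claims["exp"] < now:
        raise PermissionError("approval expired")
    if claims["wf"] != workflow_id or claims["digest"] != change_digest(workflow_id, definition):
        raise PermissionError("approval does not cover this change")
    if claims["jti"] in USED_TOKENS:
        raise PermissionError("approval already used")
    USED_TOKENS.add(claims["jti"])
    return claims["by"]


def open_db():
    # Layer 5 (database): a trigger aborts any workflow update that has no matching
    # approval row, whichever code path attempted it. SQLite stands in for the real store.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE workflows (id TEXT PRIMARY KEY, definition TEXT NOT NULL);
        CREATE TABLE approved_writes (workflow_id TEXT, definition TEXT, approver TEXT);
        CREATE TRIGGER guard_workflow_update BEFORE UPDATE ON workflows
        BEGIN
          SELECT RAISE(ABORT, 'unapproved workflow write')
          WHERE NOT EXISTS (SELECT 1 FROM approved_writes
                            WHERE workflow_id = NEW.id AND definition = NEW.definition);
        END;
        INSERT INTO workflows VALUES ('wf-1', 'v1');
    """)
    return db


def apply_workflow_change(db, ctx):
    # Layer 4 (tool): check the approval context before any logic runs, then record
    # the approval and write the change in one transaction; the approval row is consumed.
    if not ctx.get("approver"):
        raise PermissionError("tool called without approval context")
    with db:
        db.execute("INSERT INTO approved_writes VALUES (?, ?, ?)",
                   (ctx["workflow_id"], ctx["definition"], ctx["approver"]))
        db.execute("UPDATE workflows SET definition = ? WHERE id = ?",
                   (ctx["definition"], ctx["workflow_id"]))
        db.execute("DELETE FROM approved_writes WHERE workflow_id = ?", (ctx["workflow_id"],))


def api_update_workflow(db, token, workflow_id, definition):
    # The API verifies the token, then hands the tool an approval context.
    approver = verify_approval(token, workflow_id, definition)
    apply_workflow_change(db, {"workflow_id": workflow_id, "definition": definition,
                               "approver": approver})
    return approver


def direct_write(db, workflow_id, definition):
    # A path that skips the API and the tool: True if the database caught it,
    # raised an alert and rolled back.
    try:
        with db:
            db.execute("UPDATE workflows SET definition = ? WHERE id = ?",
                       (definition, workflow_id))
        return False
    except sqlite3.IntegrityError as exc:
        ALERTS.append(f"unapproved write to workflows: {exc}")
        return True


def current_definition(db, workflow_id):
    return db.execute("SELECT definition FROM workflows WHERE id = ?",
                      (workflow_id,)).fetchone()[0]


def refused(fn, *args):
    # True if the call was refused by an approval check.
    try:
        fn(*args)
        return False
    except PermissionError:
        return True
```

Two details carry the security weight. The token is bound to a digest of the change content and is single use, so an approval granted for one edit cannot be replayed onto a different one, or used twice. And the trigger checks the approval row, not the caller, so a write that bypasses the API and the tool is still rejected, alerted and rolled back. One caveat for a real deployment: here the tool itself writes the approved_writes row, so the database layer only defends against paths that skip the tool; to stop a compromised tool from self-approving, the approval row should be written by the approval service under a database role the tool does not hold.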

Data handling

It reads the shape of work — not the contents.

Nebbos stores structured signal — patterns, thresholds, relationships, timing — rather than the raw text of your messages and documents. The Operational Graph is a map of how work moves, not an archive of what everyone said.

What’s stored vs. what isn’t

KEEPS — events, patterns, thresholds, relationships, outcomes

SKIPS — raw message bodies and document contents

SCOPES — access by role; surfaces sensitive gaps to leads, not peers

Bring the security questionnaire. We built for it.

Talk to us → | How governance works