Walma

AI that meets GDPR, the EU AI Act and NIS2.

Traceability, data sovereignty and incident handling built in. Compliance you can actually show your auditor, your DPA and your security lead.

The EU AI Act requires logging and oversight. GDPR requires control over where data lives and how long it is kept. NIS2 requires fast incident reporting. AI Hub is built so that all three regulations are addressed automatically. Every request is logged, data stays in your Azure region, retention is yours to set, and security events land in a queue that triggers your incident process.

Some clients & partners

SKB, Victoriahem, One More, Insera, Junglemap, Alice Labs, Public Partner, OMIF, AWS Partner, Microsoft

Three regulations, one infrastructure, many questions from the auditor.

What you need to be able to answer when AI usage is reviewed.

Where are prompts and responses stored?

GDPR demands an answer for the full data chain. When prompts go to an LLM over the internet they leave your control, often in a region you cannot pin down. That quickly becomes an assessment question you do not want to have.

Who decided, based on what?

The AI Act's Annex III sets traceability requirements for high-risk use. If AI influenced a decision, you must be able to show the prompt, context, model and outcome after the fact.

How quickly do you detect an AI-related incident?

NIS2 requires an early warning within 24 hours and a full report within 72. When AI is used broadly, the attack surface widens. Without central logging you cannot see what happened.

Compliance by design from APIM down.

Not a document in a folder. A living infrastructure.

AI Hub logs every request with the metadata required for GDPR, AI Act traceability and NIS2 incident handling. Data is stored in your Azure tenant, in the region you choose, with retention you configure. The audit log is searchable and exportable for audit. Security events (token leaks, policy bypass attempts, off-hours usage) land automatically in a queue your SOC can hook into.

Audit log and security signals in AI Hub

What you get

Compliance that covers all three regulations

Not three separate projects but one shared infrastructure that addresses GDPR, the AI Act and NIS2 in parallel.

GDPR: data sovereignty and retention

  • All data inside your Azure tenant and Azure region
  • Retention configurable per data type
  • Sub-processor list kept up to date
  • Right to be forgotten: endpoint that erases all data per user

AI Act: roles, logging and Annex III

  • Audit log satisfies AI Act article 12 (record-keeping)
  • Human oversight documented per use case
  • Support for Annex III assessment per use case
  • Clear roles: you as deployer, the vendors as providers

NIS2: incidents and reporting

  • Real-time signals on off-hours usage and account anomalies
  • Early warning can be triggered within hours
  • Logs exported in the formats your CSIRT accepts
  • Activity is recorded during an intrusion and usable in forensic analysis

Oversight you can show

  • Compliance view with share of traffic inside policy
  • Per-tier documentation of which models are approved
  • Audit trail for policy changes (who changed what, when)
  • Reports ready for internal audit and regulator inquiries
Data sovereignty in practice

Your data, your region, your retention

Nothing leaves to a third party without passing controls you put in place.

Region-anchored

APIM, Supabase and Event Hub are provisioned in the Azure region you choose: Sweden Central for Swedish customers, other regions for customers elsewhere.

Configurable retention

The audit log defaults to 24 months. You can shorten or extend per data type. Longer for security incidents, shorter for prompts if required.

Encrypted at rest and in transit

Everything on disk in Azure is encrypted, with your own keys if you want them. All traffic on TLS 1.3. No exceptions.

Why this is different

Compliance as a tool, not as a project folder

Compliance should not be something you do once a year before audit.

Living documentation

Your policies, tiers and approved models are visible and version-controlled. No gap between what the document says and what the system does.

Oversight in real time

When a developer tries to use a non-approved model, the attempt is logged and blocked. Not 'we will see in the monthly report' but here and now.

Audit-ready every day

If the auditor walks in on a Monday, you have the export ready by Friday afternoon. Everything is already structured.

A regulator meeting gets shorter

Your answers to 'how does AI work here' are not files in a folder. They are dashboards. That shortens the regulatory dialogue significantly.

AI Hub compliance dashboard

Onboarding

From compliance uncertainty to audit-ready in six weeks

We start with risk assessment, end with documented ongoing governance.

1. Risk assessment (week 1)

We walk through your use cases against AI Act Annex III, GDPR article 35 (DPIA) and NIS2 entity classification.

2. Tier and policy design (weeks 2 to 3)

We design tiers matching your risk level per use case. Human oversight is documented, approved models are confirmed.

3. Implementation (weeks 4 to 5)

Tiers, policies and logging are configured in AI Hub. SCIM and retention are set up according to the risk assessment.

4. Audit-ready (week 6)

We deliver an internal audit template, an early warning template per NIS2 and a handover to your DPO and CISO.

AI Hub. The gateway between your developers and the AI models.

Get control over cost, security and policy for Claude Code, Codex and every AI tool your teams already use.

Frequently asked questions about compliance with AI Hub

AI Hub addresses article 12 (logging) and large parts of article 14 (human oversight) at the technical level. For full compliance you also need processes for risk management, quality management and documentation of individual systems. We offer separate services for the remaining work.

In your own Supabase instance, in the Azure region you choose. We have no access to the data. Sub-processors are limited to Microsoft (Azure) and your chosen LLM providers (Anthropic, OpenAI).

There is an endpoint that takes a user ID and removes all prompts, responses and metadata tied to that user from the audit log. The log retains aggregated statistics without personal data.

Not automatically to authorities, since incident classification requires human judgment. But signals are pushed to your incident process (Slack, Teams, Jira) within minutes when thresholds are breached, so your SOC can act quickly.
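As an added example, not code from AI Hub or Walma, the following Python sketch shows the kind of signal logic the page describes for its security queue: each gateway request is checked for off-hours usage, for a credential-like string in the prompt (the page's "token leak") and for repeated blocked requests against non-approved models, and every hit is appended to a queue that an incident hook can drain into Slack, Teams or Jira. The rule names, the business-hours window, the threshold of three blocked requests per user per day and the secret pattern are assumptions; the request stream is constructed.

```python
# Added illustration, not AI Hub's code: gateway request events -> security
# events on a queue. Rule names, thresholds and patterns are assumptions.
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RequestEvent:
    """One gateway request as the audit log would see it (constructed shape)."""
    timestamp: datetime
    user_id: str
    model: str
    prompt: str
    outcome: str  # "allowed", or "blocked" when the model is not approved for the tier


@dataclass(frozen=True)
class SecurityEvent:
    kind: str
    user_id: str
    timestamp: datetime
    detail: str


class SignalDetector:
    """Turns request events into security events on a queue the SOC can consume."""

    BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC counts as working hours (assumed)
    BLOCK_THRESHOLD = 3             # blocked attempts per user per day before a signal (assumed)
    # Crude credential patterns for the token-leak signal: bearer tokens, long hex strings.
    SECRET_RE = re.compile(r"Bearer\s+[A-Za-z0-9._-]{16,}|\b[0-9a-f]{32,}\b")

    def __init__(self, queue: deque):
        self.queue = queue                 # stands in for the Event Hub / SOC queue
        self.blocked = defaultdict(int)    # (user_id, date) -> blocked request count

    def process(self, ev: RequestEvent) -> list:
        """Evaluate one request; returns the security events it produced (also queued)."""
        emitted = []
        if ev.timestamp.hour not in self.BUSINESS_HOURS:
            emitted.append(SecurityEvent("off_hours_usage", ev.user_id, ev.timestamp,
                                         f"request to {ev.model} outside working hours"))
        if self.SECRET_RE.search(ev.prompt):
            emitted.append(SecurityEvent("token_leak", ev.user_id, ev.timestamp,
                                         "prompt contains a credential-like string"))
        if ev.outcome == "blocked":
            key = (ev.user_id, ev.timestamp.date())
            self.blocked[key] += 1
            if self.blocked[key] == self.BLOCK_THRESHOLD:   # fire once per user per day
                emitted.append(SecurityEvent("policy_bypass_attempts", ev.user_id, ev.timestamp,
                                             f"{self.BLOCK_THRESHOLD} blocked model requests today"))
        self.queue.extend(emitted)
        return emitted


def notify(event: SecurityEvent) -> str:
    """Format a queue entry for the incident channel (stand-in for a chat/ticket hook)."""
    return f"[{event.kind}] user={event.user_id} at={event.timestamp.isoformat()} {event.detail}"


def run_demo() -> list:
    """Feed a constructed request stream through the detector; returns the queued events."""
    queue: deque = deque()
    det = SignalDetector(queue)
    day = datetime(2024, 3, 4, tzinfo=timezone.utc)
    stream = [
        RequestEvent(day.replace(hour=9), "carol", "approved-model", "Summarise this ticket", "allowed"),
        RequestEvent(day.replace(hour=10), "dave", "unapproved-model", "Write SQL", "blocked"),
        RequestEvent(day.replace(hour=10, minute=5), "dave", "unapproved-model", "Write SQL", "blocked"),
        RequestEvent(day.replace(hour=10, minute=9), "dave", "unapproved-model", "Write SQL", "blocked"),
        RequestEvent(day.replace(hour=10, minute=12), "dave", "unapproved-model", "Write SQL", "blocked"),
        RequestEvent(day.replace(hour=11), "carol", "approved-model",
                     "why does curl -H 'Authorization: Bearer abcdefghijklmnopqrstuvwxyz' fail", "allowed"),
        RequestEvent(day.replace(hour=23, minute=30), "erin", "approved-model", "Translate this", "allowed"),
    ]
    for ev in stream:
        det.process(ev)
    return list(queue)


if __name__ == "__main__":
    for event in run_demo():
        print(notify(event))
```

The fourth blocked request from the same user does not raise a second signal; the per-day counter fires once at the threshold so the queue carries one actionable event per pattern rather than one per request.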

Every request is stored with full context: prompt, model, tokens, context documents (for RAG), response, who ran it, which policy applied. This satisfies article 12 record-keeping for logging in high-risk systems.
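The erasure endpoint and the per-request record described in the two answers above, as an added Python illustration rather than AI Hub's own schema or code: each record carries the context the page lists (prompt, model, tokens, context documents, response, who ran it, which policy applied), retention is configured per data type, erasing a user removes every record tied to that user while aggregates keyed by day, model and policy (never by user) survive, and the log can be searched and exported as JSON lines. The retention figures, field names and sample records are constructed.

```python
# Added illustration, not AI Hub's code: audit log with per-type retention,
# per-user erasure and user-free aggregates. All names and values are assumed.
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AuditRecord:
    """One gateway request, mirroring the context the page says is stored."""
    record_id: int
    timestamp: datetime
    user_id: str                  # who ran it
    model: str
    policy: str                   # which policy applied
    prompt: str
    response: str
    context_docs: list[str] = field(default_factory=list)  # RAG context documents
    prompt_tokens: int = 0
    completion_tokens: int = 0
    record_type: str = "request"  # "request" or "security_event"


class AuditLog:
    def __init__(self, retention_days: dict[str, int]):
        self.retention_days = retention_days   # hypothetical per-data-type retention
        self.records: list[AuditRecord] = []
        # Aggregates carry no user identifier, so erasing a user leaves them intact.
        self.aggregates: dict[tuple[str, str, str], dict[str, int]] = defaultdict(
            lambda: {"requests": 0, "prompt_tokens": 0, "completion_tokens": 0})

    def append(self, rec: AuditRecord) -> None:
        self.records.append(rec)
        agg = self.aggregates[(rec.timestamp.date().isoformat(), rec.model, rec.policy)]
        agg["requests"] += 1
        agg["prompt_tokens"] += rec.prompt_tokens
        agg["completion_tokens"] += rec.completion_tokens

    def erase_user(self, user_id: str) -> int:
        """Right to be forgotten: drop every record tied to the user; returns how many."""
        before = len(self.records)
        self.records = [r for r in self.records if r.user_id != user_id]
        return before - len(self.records)

    def apply_retention(self, now: datetime) -> int:
        """Delete records older than the retention window for their data type."""
        kept, removed = [], 0
        for r in self.records:
            days = self.retention_days.get(r.record_type, self.retention_days["request"])
            if now - r.timestamp > timedelta(days=days):
                removed += 1
            else:
                kept.append(r)
        self.records = kept
        return removed

    def search(self, **filters) -> list[AuditRecord]:
        """Auditor query: exact match on any fields, e.g. search(user_id="alice")."""
        return [r for r in self.records
                if all(getattr(r, k) == v for k, v in filters.items())]

    def export_jsonl(self) -> str:
        """Export for audit as JSON lines with ISO 8601 timestamps."""
        return "\n".join(
            json.dumps(dict(r.__dict__, timestamp=r.timestamp.isoformat()), sort_keys=True)
            for r in self.records)


DEMO_T0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)  # constructed start time


def build_demo_log() -> AuditLog:
    """Constructed sample records (not real traffic): 24 months for requests, 5 years for events."""
    log = AuditLog({"request": 730, "security_event": 1825})
    log.append(AuditRecord(1, DEMO_T0, "alice", "model-a", "tier-2",
                           "Summarise contract", "Summary...", ["contract.pdf"], 120, 80))
    log.append(AuditRecord(2, DEMO_T0 + timedelta(hours=1), "bob", "model-b", "tier-1",
                           "Fix unit test", "Patch...", [], 60, 40))
    log.append(AuditRecord(3, DEMO_T0 + timedelta(days=1), "alice", "model-a", "tier-2",
                           "Draft reply", "Reply...", [], 30, 20))
    log.append(AuditRecord(4, DEMO_T0 + timedelta(days=1, hours=3), "bob", "model-b", "tier-1",
                           "", "", [], 0, 0, "security_event"))
    return log


def run_demo() -> dict[str, int]:
    """Erase one user, then sweep retention 800 days on; returns counts to check."""
    log = build_demo_log()
    erased = log.erase_user("alice")
    agg = log.aggregates[("2024-01-10", "model-a", "tier-2")]
    expired = log.apply_retention(DEMO_T0 + timedelta(days=800))
    return {"erased": erased, "aggregate_requests_kept": agg["requests"],
            "expired": expired, "remaining": len(log.records)}


if __name__ == "__main__":
    print(run_demo())
    print(build_demo_log().export_jsonl())
```

After erasing "alice" the daily aggregate for her model and policy still reports one request and 120 prompt tokens, which is the property the answer above relies on: statistics survive, personal data does not. The retention sweep at 800 days removes the remaining request (24-month window) but keeps the security event (5-year window).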

AI Hub is a gateway, not an AI system in the AI Act sense. The vendor's model is the AI system. We as gateway provider are not the provider in the regulatory sense. We can be a processor under GDPR. We walk through role allocation during onboarding.