TRD Network's compliance posture and shipped substrate, mapped to regulatory requirements. Pre-audit readiness statement — not a third-party attestation.
TRD Network has shipped the technical substrate to evidence compliance with the EU AI Act (Regulation 2024/1689) and ISO/IEC 42001:2023 (AI Management System). Every inference, every site build, every operator action that touches an AI system on the TRD platform emits an ed25519-signed receipt that is hash-chained, anchored on Filecoin, and publicly verifiable against a published public key. This goes substantially beyond the EU AI Act's transparency floor.
We are positioned to obtain ISO/IEC 42001 certification on a 6–9 month timeline, and to register as a General-Purpose AI Model relay under Article 53 on a 3-month timeline.
TRD Network operates the following AI systems, classified per Article 6:
| System | Risk class | Rationale |
|---|---|---|
| WhatsLink site generator | Limited risk | Generates marketing websites; no biometric/employment/credit/critical infrastructure use |
| OS conversational agent | Limited risk | Customer-facing chat; Article 50 transparency obligations apply |
| TRD Compute (inference routing) | Foundation model relay | Article 53 obligations apply as a provider of routed GPAI |
| TRD Storage (provenance) | Not in scope | Storage-only service, no AI decisions |
| TRD Sovereign (self-host deployments) | Pass-through | Customer-deployed in their own infrastructure |
No high-risk uses (Article 6 Annex III) are currently in scope.
Requirement: providers of high-risk and limited-risk AI must enable users to interpret system output and use it appropriately.
Evidence shipped: Every customer site built on WhatsLink/OS embeds C2PA-linked content credentials in HTML <head> (Zone 130). Live carbon badge on every page (Zone 131) discloses energy footprint. Certificate of Authorship PDF includes plain-language explainer of cryptographic provenance. Conversational agents output kind: agent_action receipts identifying the model + prompt hash.
Evidence shipped: Approval Inbox protocol (Zone 103, April 30, 2026) requires human approval before high-confidence actions execute. F10 Predictive Action Engine ranks "next best action" but routes top-3 to human approval queue. All auto-execute rules have configurable confidence thresholds.
Build smoke tests run on every site before deploy. HTML validator + page invariants check (Zones 67, 39.52) catch generation errors. Ed25519 receipt signing prevents tampering of decision records. HMAC-SHA256 attestation on GDPR destruction events (Zone 132). Receipt chain hash-pointers (prev_receipt_cid) make insertion/deletion detectable.
Track B substrate (May 16, 2026) — Patchers B1–B5 complete:
agent_action receipt emitted to public receipt chainDistinguishing posture: Most providers fulfill GDPR Article 17 with manual database deletion. TRD provides cryptographic proof of destruction with single-action irreversibility and public verifiability.
C2PA Content Credentials in HTML <head> declare CreativeWork authored by TRD Network. Open Graph og:provenance tag publishes verification URL. JSON-LD schema.org CreativeWork with contentCredentials property.
TRD Compute is a routing service over third-party foundation models. TRD does not train its own foundation models. Article 53 obligations flow to the upstream providers; TRD's obligation is limited to identifying which model handled each request — which is satisfied by compute_inference receipts that record payload.model per inference.
Mapping each AI Management System control clause to TRD's shipped substrate:
| Control | Status | Evidence |
|---|---|---|
| 4.1 Understanding the organization | ✓ Documented | WHATSLINK_ROADMAP.md, knowledge.html |
| 4.2 Needs of interested parties | ✓ Documented | DEMO_SCRIPT.md, beta customer log |
| 4.3 Scope of the AIMS | ✓ Documented | This document, §1.1 |
| Control | Status | Evidence |
|---|---|---|
| 5.1 Leadership commitment | ✓ | DCS AI Technologies LLC operator role; v3 marathon execution log |
| 5.2 AI Policy | ⚠ Drafting | Formal AI Use Policy document pending |
| 5.3 Roles, responsibilities | ⚠ Drafting | Single-operator phase; RACI as team scales |
| Control | Status | Evidence |
|---|---|---|
| 7.1 Resources | ✓ | Railway, Supabase, Cloudflare, Vercel infrastructure documented |
| 7.4 Communication | ✓ | knowledge.html, DEMO_SCRIPT.md, ship log |
| 7.5 Documented information | ✓ | Comprehensive — every patcher = .cjs + .sh + commit + zone marker |
| Control | Status | Evidence |
|---|---|---|
| 8.1 Operational planning | ✓ | Marathon shift discipline; every change through patcher flow |
| 8.2 AI risk assessment | ⚠ Cadence pending | Substrate ready (receipt chain); needs periodic review cadence |
| 8.3 AI risk treatment | ✓ | Approval Inbox (Zone 103), confidence-gated auto-execute (Zone 121) |
All evidence below is publicly verifiable via the receipt chain at https://api.storage.trdn.io/api/storage/receipts/<session_id> and the published public key at https://trdn.io/keys/trd-receipt-key-2026.public.pem.
| Evidence | Production Surface | Shipped |
|---|---|---|
| Per-inference signed receipt | storage_receipts table | May 16, 2026 |
| Per-build signed receipt | kind=build_complete | May 16, 2026 |
| Per-action signed receipt | kind=agent_action | May 16, 2026 |
| Hash chain integrity | prev_receipt_cid | May 16, 2026 |
| Filecoin anchoring | Lighthouse pinning | (existing) |
| Carbon footprint per inference | carbon_kwh / co2_grams | May 16, 2026 |
| C2PA Content Credentials | Every site <head> | May 16, 2026 |
| Live carbon badge | Bottom-right widget | May 16, 2026 |
| Cert PDF Provenance page | GET /api/storage/cert/:session_id | May 16, 2026 |
| GDPR erasure substrate | tenant_keys + pii_vault | May 16, 2026 |
| Erasure certificate PDF | /api/storage/cert/erasure/:request_id | May 16, 2026 |
| Customer dashboard tab | Privacy & Data (Zone 134) | May 16, 2026 |
| Public verification key | trdn.io/keys/... | May 16, 2026 |
| Public receipt verifier | pilot.trdn.io/verify.html | May 16, 2026 |
| Approval Inbox audit trail | approval_* tables | April 30, 2026 |
| Gap | Effort | Target |
|---|---|---|
| Formal AI Use Policy document | 4h | This week |
| AI risk register (structured) | 1 day | This week |
| RACI matrix for AI governance | 4h | When team ≥ 2 |
Model Disclosure page at /compliance/models | 4h | This week |
| Quarterly internal audit cadence | Planning | Q3 2026 |
| Gap | Provider | Timeline |
|---|---|---|
| ISO/IEC 42001 stage-1 audit (gap assessment) | TÜV / BSI / DNV | 2–3 months |
| ISO/IEC 42001 stage-2 audit (certification) | Same body | 6–9 months total |
| EU AI Act Article 53 GPAI registration | EU AI Office | Q3 2026 |
| SOC 2 Type II (parallel track) | A-LIGN / Drata-assisted | 6–12 months |
As of May 16, 2026, TRD Network has shipped the technical substrate to evidence compliance with the EU AI Act (Limited Risk classification with GPAI relay obligations under Article 53) and ISO/IEC 42001 (with substantial completion of Clauses 4, 7, 8, 9, 10 and gap-closure on Clauses 5, 6 in progress).
The receipt + provenance substrate makes TRD one of a small number of AI providers globally that can demonstrate, with cryptographic proof, every inference and every action taken by its AI systems. This goes substantially beyond the regulatory floor.
Recommended next actions:
/compliance/models page documenting upstream foundation models