Engineering

Compliance by construction

How we build AI institutions can audit.

Every framework. One engineering practice. Every product and engagement is built to these standards from the first commit — not retrofitted in the last sprint before audit.

§ 01 · EU + EEA + extraterritorial

GDPR

General Data Protection Regulation

The baseline for processing personal data in the EU, and increasingly the global reference for data protection.

What regulators ask for

  • A lawful basis for every processing activity
  • Data minimization and purpose limitation
  • Data-subject rights — access, rectification, erasure, portability
  • Data Protection Impact Assessments for high-risk processing
  • Subprocessor transparency and accountability
  • Data-residency and international-transfer controls
  • Breach notification within 72 hours

How we engineer for it

  • DPIA workflows and risk-register templates shipped with every product
  • Right-to-erasure as a first-class API, not an after-market bolt-on
  • Row-level classification that flags personal data across the pipeline
  • Subprocessor registry versioned inside the product
  • EU or UAE data residency selected at deploy time, not at runtime
  • Structured audit trail on every processing action
  • Breach-response runbook with 72-hour notification automation

Artifacts we deliver

  • Data Processing Agreement template
  • Versioned subprocessor list
  • Data residency map
  • DPIA report
  • Breach-response runbook

§ 02 · EU + any system affecting EU residents

EU AI Act

Regulation (EU) 2024/1689

The first comprehensive AI regulation — risk-tiered, with binding obligations on high-risk systems. Most institutional AI workloads fall into high-risk.

What regulators ask for

  • Risk classification against Annex III
  • Conformity assessment for high-risk systems
  • Technical documentation matching Annex IV
  • Record-keeping and logging for traceability
  • Human oversight by design, not after the fact
  • Accuracy, robustness, and cybersecurity thresholds
  • Post-market monitoring across the system lifecycle

How we engineer for it

  • Risk classification produced before a system ships, not after
  • Technical documentation generated from the codebase — always current
  • Structured logging with lineage for every inference
  • Human-in-the-loop patterns baked into every agent and workflow
  • Evaluation pipelines that track accuracy and drift in production
  • Incident-response plan per deployment, per region

Artifacts we deliver

  • AI system classification report
  • Annex IV technical documentation
  • Evaluation pipeline with ongoing monitoring
  • Human-oversight integration patterns
  • Post-market monitoring plan

§ 03 · Global

ISO 27001

Information Security Management Systems

The international standard for managing information security. The baseline that government and enterprise procurement teams ask for first.

What regulators ask for

  • A defined Information Security Management System (ISMS)
  • Risk assessment and risk-treatment plan
  • Annex A controls implemented across 14 domains
  • Internal audits and management reviews
  • Continuous improvement of the ISMS

How we engineer for it

  • ISMS scope designed per deployment, not templated
  • Annex A controls mapped in infrastructure-as-code policies
  • Continuous control monitoring with automated evidence collection
  • Separation of duties enforced through RBAC patterns
  • Encryption at rest and in transit by default, never as an option
  • SOC-grade telemetry embedded in the runtime

Artifacts we deliver

  • ISMS implementation blueprint
  • Annex A control matrix
  • Evidence-collection automation
  • Readiness-for-audit checklist

§ 04 · Global

ISO 42001

Artificial Intelligence Management Systems

The first AI-specific management standard (2023). Defines how an organisation governs AI across its lifecycle. Early movers set the bar for every institution that follows.

What regulators ask for

  • A defined AI management system (AIMS) policy
  • Risk and impact assessments for AI systems
  • Lifecycle management across design, deploy, and retire
  • Supplier and partner governance
  • Data-quality and bias management
  • Performance monitoring and continuous evaluation

How we engineer for it

  • AIMS designed per engagement, with governance forums documented
  • AI risk registers and impact assessments at project kickoff
  • Lifecycle gates baked into the product delivery process
  • Data-quality controls and bias evaluation in the eval pipeline
  • Continuous monitoring for drift and unintended outcomes
  • Quarterly board-level AI governance reporting

Artifacts we deliver

  • AIMS blueprint scoped to the institution
  • AI risk register and impact assessments
  • Lifecycle gate toolkit
  • Board-level AI governance report template

§ 05 · UAE federal

UAE Data Protection Law

Federal Decree-Law No. 45 of 2021

The UAE's federal data protection regime. Overlaps with GDPR in spirit but carries its own cross-border transfer rules and UAE Data Office registration requirements.

What regulators ask for

  • A lawful basis and clear consent where required
  • Data-subject rights close to GDPR parity
  • Cross-border transfer under Appropriate Level of Protection
  • Data-breach notification to the UAE Data Office
  • Appointment of a Data Protection Officer where required

How we engineer for it

  • UAE-resident data handling patterns
  • Cross-border transfer control with explicit EU ↔ UAE mapping
  • DPO appointment guidance and template scope
  • Consent management with Arabic-language support
  • Integration pathways for UAE Data Office registration

Artifacts we deliver

  • UAE DPL readiness assessment
  • Cross-border transfer mapping
  • DPO appointment guidance
  • UAE-resident deployment topology

Need this engineered for your institution?

30 minutes · NDA available · We reply within one business day.