Kestra Labs helps your organization meet EU AI Act and ISO 42001 requirements out of the box. Every AI-to-SaaS request is governed, logged, and auditable.
The EU AI Act takes full effect August 2, 2026. It requires organizations deploying AI systems to maintain audit trails, enforce human oversight, and ensure transparency. Kestra Labs addresses these obligations at the infrastructure level.
| EU AI Act Requirement | How Kestra Labs Helps | Status |
|---|---|---|
| Art. 12 & 19 — Automatic Logging: AI systems must generate logs retained for at least 6 months | Every MCP and PAT request is logged with user identity, role, connector, action, decision (ALLOW/DENY), and latency. Retention: 180 days (SOHO), 1 year (Team), 7 years (Enterprise). | ✓ |
| Art. 14 — Human Oversight: Humans must be able to intervene and override AI decisions | Per-organization kill switch instantly blocks all AI access. RBAC policies let admins grant or revoke connector permissions in real time. Per-connector disable for targeted intervention. | ✓ |
| Art. 13 & 26 — Transparency: Deployers must understand what the AI system is doing and inform affected individuals | Full audit trail visible in the dashboard with filtering by user, connector, action, and decision. CSV export for compliance teams and regulators. Every decision is traceable to a specific policy rule. | ✓ |
| Art. 4 — AI Literacy: Staff operating AI systems must have sufficient understanding | Interactive documentation portal with quick start guides, connector setup walkthroughs, and policy configuration tutorials. Onboarding wizard walks new users through setup step by step. | ✓ |
| Art. 10 — Data Governance: Appropriate data governance and management practices | KMS encryption for all stored credentials. Credentials decrypted only in ephemeral memory during request execution. PII redaction engine strips sensitive data before it reaches the AI assistant. Credentials never logged. | ✓ |
ISO 42001 is the world's first AI management system standard, with 38 controls across 9 governance domains. Kestra Labs maps directly to the controls that matter most for AI-to-SaaS governance.
| ISO 42001 Control | How Kestra Labs Helps | Coverage |
|---|---|---|
| A.6 — AI System Lifecycle: Manage AI systems through development, deployment, operation, and monitoring | Connector health monitoring runs hourly with automated alerts for offline services. Full audit trail tracks every AI interaction from first request onward. Connector status history provides operational visibility. | ✓ |
| A.7 — Data for AI Systems: Data quality, provenance, and governance measures | All SaaS credentials encrypted with KMS (SOHO: platform-managed keys, Bank: customer-managed keys). PII redaction strips sensitive fields before data reaches AI. Credentials zeroed from memory after each request. | ✓ |
| A.8 — Information for Interested Parties: Provide users and stakeholders with essential information about AI systems | Admin dashboard with real-time visibility into all AI activity. Documentation portal covering setup, policies, and API reference. Audit log export (CSV) for compliance reporting to stakeholders and regulators. | ✓ |
| A.9 — Use of AI Systems: Document intended use, monitor actual use, and detect misuse | RBAC policies define intended use per role and connector (READ, WRITE, DELETE, ADMIN). Audit trail captures actual use. Usage metering detects overages. Kill switch provides immediate intervention for misuse scenarios. | ✓ |
| A.10 — Third-Party Relationships: Govern third-party AI tools and data flows | MCP Fortress is purpose-built for this: it governs every AI-to-SaaS interaction through a central gateway. 255+ connector templates with standardized security controls. No direct SaaS access without passing through the policy engine. | ✓ |
Every AI request through Kestra Labs generates an immutable audit record. Export anytime for compliance reviews, ISO audits, or regulatory inquiries.
User identity, role, connector, action, ALLOW/DENY decision, latency, source IP, and timestamp recorded for every request.
Export your audit trail as CSV from the dashboard. Filter by date range, user, connector, or decision before exporting.
Audit records are append-only. They cannot be modified or deleted by users, admins, or API calls during the retention period.
| Tier | Audit Log Retention | EU AI Act Compliant | Credential Storage |
|---|---|---|---|
| SOHO | 180 days | ✓ Meets 6-month minimum | Platform-managed encryption |
| TEAM | 1 year | ✓ Exceeds requirement | Customer-managed KMS keys |
| ENTERPRISE | 7 years | ✓ Full regulatory coverage | Enterprise / session-based |
Kestra Labs is built on security-first infrastructure that aligns with established compliance standards.
Controls for security, availability, and confidentiality. Audit trail and access controls provide evidence for SOC 2 reviews.
Information security management aligned with ISO 27001 controls for encryption, access management, and incident response.
Data minimization, right to erasure, data export, and PII redaction built into the platform. DPA available on request.
BAA available for healthcare organizations. Encrypted credential storage and audit logging meet HIPAA safeguard requirements.
Start with a free trial. Every plan includes full audit logging, RBAC, and EU AI Act-compliant retention from day one.