EU AI Act Art 12+26 · DORA Art 12+28 · HIPAA § 164.312 · 21 CFR Part 11 · FINMA 08/2024 · SOC 2 Type II readiness in progress
INFRASTRUCTURE · RUST · FIPS 140-3

Ship GenAI past InfoSec in days, not months.

Single Rust binary in your VPC. FIPS 140-3 crypto. Tamper-evident audit. Pre-configured for DORA, HIPAA, and EU AI Act.

Most enterprise GenAI pilots stall in InfoSec review. Not because the models are wrong. Because the compliance layer does not exist yet in your stack.

Daylite ships that layer. A single self-hosted Rust binary that redacts PII, sandboxes agent execution, and logs every tool call to a cryptographically verifiable hash chain. Your CISO signs off in one architecture call.

Integration is one line. Change your base_url to http://daylite.vpc:8080/v1. Zero egress. Air-gap ready.

Daylite sits beneath your stack as the compliance and audit layer:

Agent framework: LangGraph, AutoGen, kagent
Mesh or gateway: Solo.io, Tetrate, Istio (optional)
Tools and LLMs: Your systems
Daylite: PII redaction + WASM sandbox (32MB cap, epoch timeout) · Hash-chain audit (SHA-256 + HMAC-SHA-256) · Evidence pack (Annex VIII / auditor-ready)
Deploy: VPC / on-prem · Air-gapped OT · K8s / bare metal · Zero egress

Gartner projects that at least 30% of GenAI projects will be abandoned after proof of concept by the end of 2025. The cited reasons include inadequate risk controls and escalating compliance costs, not model performance.[1]

The European Commission Impact Assessment on the AI Act reports €29K internal plus €23K external audit, every year, per high-risk AI system.[2]

The compliance layer your stack is missing.

Three things every enterprise GenAI deployment needs before InfoSec will sign off. Daylite ships all three as a single binary you can drop into your VPC today.

Unblock
Unblock stalled pilots.
Your agent gets past InfoSec because data never leaves your perimeter. PII is redacted at the proxy edge. Agent execution runs inside a WASM sandbox with a 32MB cap and epoch timeout.

FIPS 140-3 validated crypto via AWS-LC (CMVP Certificate #4816)

Deployed in your VPC, on-prem, or air-gapped
Zero egress by default
PII redaction before any LLM call
WASM sandbox (wasmtime, 32MB, epoch timeout)
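The "PII is redacted at the proxy edge before any LLM call" step, as an added illustration that is not Daylite's code. It assumes an OpenAI-style /v1/chat/completions body, a constructed three-pattern detector set (email, US SSN, US phone; a real engine carries a much larger, locale-aware catalogue), and the design choice of stable per-request placeholders with the originals held in a vault that never leaves the perimeter. The sample request is constructed and contains no real person's data.

```python
import json
import re

# Constructed detector set for this example: three common PII shapes.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"(?:\+?1[ .-]?)?\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
}


class Redactor:
    """Swaps PII for stable placeholders such as [EMAIL_1].

    The same value maps to the same placeholder for the life of the redactor,
    so the model can still tell that two mentions refer to one person without
    ever seeing who that person is. Originals stay in `vault` at the edge.
    """

    def __init__(self):
        self.vault = {}   # placeholder -> original value (never sent upstream)
        self._seen = {}   # (kind, normalized value) -> placeholder

    @staticmethod
    def _normalize(kind, value):
        # "(415) 555-0100" and "415-555-0100" are the same phone number.
        if kind == "PHONE":
            return re.sub(r"\D", "", value)
        if kind == "EMAIL":
            return value.lower()
        return value

    def _placeholder(self, kind, value):
        key = (kind, self._normalize(kind, value))
        if key not in self._seen:
            n = sum(1 for k in self._seen if k[0] == kind) + 1
            self._seen[key] = f"[{kind}_{n}]"
            self.vault[self._seen[key]] = value
        return self._seen[key]

    def redact_text(self, text):
        """Return (redacted text, {kind: hits}). SSN runs before PHONE so a
        9-digit SSN is never half-consumed by the phone pattern."""
        counts = {}
        for kind, pattern in PII_PATTERNS.items():
            def replace(match, kind=kind):
                counts[kind] = counts.get(kind, 0) + 1
                return self._placeholder(kind, match.group(0))
            text = pattern.sub(replace, text)
        return text, counts


def redact_chat_request(body, redactor=None):
    """Redact every text field in an OpenAI-style chat completion body.
    Handles both the plain-string and list-of-parts forms of messages[].content.
    Returns (redacted copy, totals, redactor); the caller's body is not mutated."""
    redactor = redactor or Redactor()
    totals = {}
    out = json.loads(json.dumps(body))  # deep copy via JSON round-trip
    for msg in out.get("messages", []):
        content = msg.get("content")
        if isinstance(content, str):
            msg["content"], hits = redactor.redact_text(content)
            _merge(totals, hits)
        elif isinstance(content, list):
            for part in content:
                if isinstance(part, dict) and part.get("type") == "text":
                    part["text"], hits = redactor.redact_text(part["text"])
                    _merge(totals, hits)
    return out, totals, redactor


def _merge(totals, hits):
    for kind, n in hits.items():
        totals[kind] = totals.get(kind, 0) + n


def restore_text(text, redactor):
    """Put originals back into the model's reply, at the edge only."""
    for placeholder, original in redactor.vault.items():
        text = text.replace(placeholder, original)
    return text


# Constructed sample request (no real person's data).
SAMPLE_REQUEST = {
    "model": "gpt-4o",
    "messages": [
        {"role": "system", "content": "You are a claims assistant."},
        {"role": "user", "content": "Patient jane.doe@example.com, SSN 123-45-6789, "
                                    "phone (415) 555-0100, asked about claim 7781. "
                                    "Email jane.doe@example.com again."},
        {"role": "user", "content": [
            {"type": "text", "text": "Callback to 415-555-0100 please."},
            {"type": "image_url", "image_url": {"url": "https://example.invalid/scan.png"}},
        ]},
    ],
}

if __name__ == "__main__":
    redacted, totals, r = redact_chat_request(SAMPLE_REQUEST)
    print(json.dumps(redacted["messages"], indent=2))
    print(totals)
```

The upstream model only ever sees `[EMAIL_1]`-style tokens; `restore_text` is what the edge applies to the reply on the way back, so the mapping never crosses the perimeter. Pattern order matters: the SSN rule runs before the phone rule so a 9-digit SSN cannot be partially matched as a phone number.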
Consolidate
One governance layer for every shadow AI project.
Every agent across business units enforced through the same 6-step pipeline. Your CAIO gets a single audit console, not a dashboard per vendor.

Auth, rate limit, PII scan, classification, route, tamper-evident audit

SDK for LangGraph, AutoGen, kagent, or custom
Envoy WASM filter for existing service meshes
SIEM forwarding to Splunk, Dragos, Nozomi
Per-step UUIDv7 identity attribution
Automate
Pre-configured for your regulator.
YAML policy packs for DORA Article 12 and 28, HIPAA § 164.312, 21 CFR Part 11, EU AI Act Annex VIII, and FINMA 08/2024. Drop in, enforce immediately.

Evidence export in the format each auditor expects

DORA Art 12 tamper-evident logging
HIPAA BAA-ready PHI redaction pipeline
21 CFR Part 11 electronic records profile
EU AI Act Annex VIII automated export

Who actually needs this

Daylite targets regulated enterprises where standard SQL audit logs fail regulatory admissibility tests. These are the verticals with hard-dated forcing functions.

Financial Services
DORA Art 12+28

DORA Article 12 requires tamper-evident logs of every AI decision, with Article 28 extending third-party ICT risk controls to your LLM vendors. Daylite ships both out of the box.

Asset managers, private banks, specialty insurers

Healthcare and Pharma
HIPAA / 21 CFR Part 11

PHI is redacted at your perimeter before anything reaches OpenAI or Anthropic. HIPAA BAA-ready. 21 CFR Part 11 electronic records profile pre-loaded.

Hospital systems, clinical AI, GxP-validated pharma workflows

Insurance
EU AI Act Art 26

High-risk AI systems under EU AI Act Article 26 face real audit costs starting August 2, 2026. Daylite automates Article 12 record-keeping and Annex VIII export.

AIUC-certified vendors, Armilla coverholders, Munich Re aiSure

Regulated AI Deployers
EU AI Act / Swiss Banking Act

Any high-risk AI system under EU AI Act Annex III needs Article 12 logging by August 2, 2026. Swiss Banking Act Article 47 criminalizes client data exposure to CLOUD Act jurisdictions.

EU and Swiss mid-market, utility operators, regulated AI vendors

Build it yourself, or plug it in.

The compliance layer is not an optional nice-to-have. Your only decision is whether to staff it internally or transfer that liability to a vendor whose entire product is this one layer.

Build
If you build this in-house, your team owns:
· 100,000+ lines of compliance engineering
· 6 months to feature parity
· Rust, crypto, and regulatory expertise required on your team
· Your own SOC 2 vendor evidence burden
Plug in
If you plug in Daylite, we own:
· One Rust binary
· 90 minutes to first verified audit log
· FIPS 140-3 via AWS-LC (CMVP Certificate #4816)
· SOC 2 Type II readiness under way; audit evidence as it materializes

Liability for FIPS recertification, regulator audits, and zero-day crypto patches shifts to Daylite.

EU AI Act compliance alone costs €29K internal plus €23K external audit per high-risk system, annually.

You make the choice every quarter you keep pushing the compliance layer down the backlog.

Integration is one line.

OpenAI-compatible proxy. Works with any framework that talks to /v1/chat/completions. LangChain, LangGraph, AutoGen, CrewAI, raw SDK. Change your base_url, nothing else.

client.py (Python · OpenAI SDK)
from openai import OpenAI

client = OpenAI(
  # base_url="https://api.openai.com/v1"  (before)
  base_url="http://daylite.vpc:8080/v1",  # after
  api_key="sk-...",
)

Architecture

Memory-safe Rust binary. Built on FIPS-validated cryptography. Zero lateral movement. Runs where your infrastructure runs, not in our cloud.

WASM-sandboxed execution
Every tool handler runs in an isolated wasmtime sandbox. 32MB memory cap, epoch-based timeout. A compromised agent cannot reach the host, network, or other tenants.
FIPS-validated cryptography
Built on AWS-LC (NIST CMVP Certificate #4816). Daylite inherits library-level validation, which satisfies SOC 2, HIPAA, FINMA, and commercial enterprise procurement. FedRAMP High requires product-level CMVP, which is on the post-Series A roadmap.
SHA-256 hash-chain audit
Every event links to the previous via SHA-256 with HMAC signatures. Merkle tree aggregation every 10 seconds. /v1/audit/verify endpoint enables offline validation by any auditor.
Per-step agent identity
UUIDv7 attribution on every tool call, state change, and policy decision. Enables exact regulator reconstruction under FINMA 08/2024 explainability and DORA Article 12 forensic investigation.
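The hash-chain audit and per-step UUIDv7 attribution described above, worked through as an added example; this is illustrative code, not Daylite's implementation or its wire format. It assumes a record layout of (seq, id, prev, event) hashed with SHA-256, an HMAC-SHA-256 tag over each record hash, a signed Merkle root as the periodic checkpoint, and an offline verifier of the kind an auditor would run on an export. The HMAC key, agent names and events are constructed for the example.

```python
import copy
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the example. In a deployment the audit HMAC key is an
# operator-held secret (HSM or KMS), never a literal in code.
AUDIT_KEY = b"example-audit-hmac-key-not-for-production"
GENESIS = "0" * 64  # hash that the first record links to


def uuid7(ts_ms=None):
    """UUIDv7: 48-bit Unix-ms timestamp, version 7, RFC variant, 74 random bits.
    Ids sort by creation time, so step order is recoverable from the id alone."""
    if ts_ms is None:
        ts_ms = time.time_ns() // 1_000_000
    rand = secrets.randbits(74)
    value = ((ts_ms << 80) | (0x7 << 76) | ((rand >> 62) << 64)
             | (0b10 << 62) | (rand & ((1 << 62) - 1)))
    h = f"{value:032x}"
    return f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"


def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_digest(rec):
    """SHA-256 over the canonical (seq, id, prev, event) tuple."""
    body = {k: rec[k] for k in ("seq", "id", "prev", "event")}
    return hashlib.sha256(canonical(body)).hexdigest()


def sign(data, key=AUDIT_KEY):
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def append_event(chain, event, key=AUDIT_KEY):
    """Append one record. `hash` commits to the previous hash and the event;
    `tag` is HMAC-SHA-256 over that hash, so rewriting storage without the
    key leaves a detectable break."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "id": uuid7(), "prev": prev, "event": event}
    rec["hash"] = record_digest(rec)
    rec["tag"] = sign(rec["hash"], key)
    chain.append(rec)
    return rec


def merkle_root(hashes):
    """Root over a batch of record hashes. An odd level duplicates its last
    node; an empty batch roots to GENESIS."""
    if not hashes:
        return GENESIS
    level = [bytes.fromhex(h) for h in hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def checkpoint(chain, start, key=AUDIT_KEY):
    """Signed Merkle root over chain[start:], the periodic aggregation step."""
    root = merkle_root([r["hash"] for r in chain[start:]])
    return {"from_seq": start, "to_seq": len(chain) - 1, "root": root, "tag": sign(root, key)}


def verify_chain(chain, key=AUDIT_KEY):
    """Offline check an auditor can run on an exported chain.
    Returns (ok, seq of first bad record or None, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, i, "sequence gap or reorder"
        if rec["prev"] != prev:
            return False, i, "link to previous record broken"
        if rec["hash"] != record_digest(rec):
            return False, i, "record body does not match its hash"
        if not hmac.compare_digest(sign(rec["hash"], key), rec["tag"]):
            return False, i, "HMAC tag invalid: re-hashed without the key"
        prev = rec["hash"]
    return True, None, "ok"


def demo():
    """Build a three-step trace, checkpoint it, then show two tamper attempts."""
    chain = []
    append_event(chain, {"agent": "claims-bot", "step": "tool_call", "tool": "db.query"})
    append_event(chain, {"agent": "claims-bot", "step": "policy", "decision": "allow"})
    append_event(chain, {"agent": "claims-bot", "step": "llm_call", "pii_redacted": 3})
    cp = checkpoint(chain, 0)
    # 1. Edit a past decision in storage: the hash no longer matches.
    edited = copy.deepcopy(chain)
    edited[1]["event"]["decision"] = "deny"
    # 2. Edit it and recompute every downstream hash: links repair, tags do not.
    rehashed = copy.deepcopy(edited)
    rehashed[1]["hash"] = record_digest(rehashed[1])
    rehashed[2]["prev"] = rehashed[1]["hash"]
    rehashed[2]["hash"] = record_digest(rehashed[2])
    return verify_chain(chain), verify_chain(edited), verify_chain(rehashed), cp


if __name__ == "__main__":
    for label, result in zip(("intact", "edited", "rehashed"), demo()[:3]):
        print(label, result)
```

The two tamper cases in `demo` are the ones a verifier has to separate: a plain edit breaks the hash link, while an edit followed by re-hashing every later record repairs the links but cannot reproduce the HMAC tags, because the key is not in the store. The verifier reports the sequence number of the first bad record, which is what an examiner needs to scope the reconstruction.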
Integrates with existing stack
SDK for LangGraph, AutoGen, kagent, CrewAI, or custom agents. WASM filter for Envoy deployments (Solo.io, Tetrate, Istio). Syslog forwarder for Dragos, Nozomi, and Splunk.
Air-gap ready
Single Rust binary, no internet required. Transfer via approved media. Deploys inside SCIFs, utility OT networks, and validated pharma environments. CycloneDX SBOM generated in CI.

60-day Paid Technology Evaluation, not a free trial

Regulated enterprises do not buy infrastructure from free trials. They buy from structured evaluations with defined success criteria that convert to annual license at closeout.

Week 1-2
Deploy in your environment
Daylite binary installed in your VPC, bare-metal server, or air-gapped network. SSO, encryption-at-rest keys (BYOK), and network boundaries configured.
Week 3-4
Regulatory profile activation
Load the profile matching your framework: DORA Article 12, HIPAA § 164.312, 21 CFR Part 11, EU AI Act Annex VIII, or FINMA 08/2024. Auditor reviews evidence format.
Week 5-8
Agent integration and live audit
Connect your agent framework via SDK, proxy mode, or WASM filter. Hash-chain audit generates in real-time. Tamper detection validated with simulated test.
Week 9-12
Evidence pack and conversion
First regulator-ready evidence pack exported. Auditor sign-off. Engagement converts to annual license at agreed tier.

Evaluation from $25K. Annual licenses $60K to $800K.

60-day Paid Technology Evaluation ($25K-$50K) with defined deliverables and full conversion credit toward annual license. Annual tiers scale by deployment footprint from single site to global multi-tenant. Multi-year contracts receive a 15% discount.

Entry
$60K / year
Single site, up to 500 agents, one regulatory profile, business-hours support.
Growth
$140K / year
Multi-site, up to 5,000 agents, all regulatory profiles, 24/5 support and SLA.
Enterprise
$400K+ / year
Unlimited deployment, custom profiles, 24/7 support, dedicated engineer, named auditor partnerships.
SOC 2 TYPE II: Readiness in progress. We publish audit evidence as it materializes. No false claims.
FIPS 140-3: AWS-LC CMVP Certificate #4816. Library-level validation. Zero ring-crypto dependency in the build.
TESTS: 269 passing in CI (245 Rust + 24 Playwright). Property-based coverage on security boundaries.

Questions your security and compliance team will ask

How is this different from a service mesh like Solo.io or Tetrate?

They route agent traffic and do rate limiting. Daylite generates cryptographic evidence of what those agents did and sits beneath them. Solo.io logs to standard observability stores, which are mutable and rejected under Federal Rule of Evidence 901. Daylite creates tamper-evident hash-chain evidence that survives regulator and court scrutiny. We are not a competitor. Daylite deploys as a WASM filter inside their mesh or standalone in environments where no mesh exists.

We already have Vanta, Drata, or OneTrust. Why add another tool?

Those platforms manage compliance workflows and policy documentation. They do not generate runtime cryptographic evidence of agent actions. When a FINMA or DORA examiner asks you to reconstruct exactly what an autonomous agent did on a specific date, Vanta cannot answer. Daylite produces that evidence pack with signed, append-only cryptographic integrity. The two tools complement each other; they do not overlap.

What does 'built on FIPS-validated cryptography' actually mean?

Daylite uses AWS-LC, which holds NIST CMVP Certificate #4816. Daylite itself is not product-certified under FIPS 140-3. This distinction matters. Commercial enterprise procurement (banks, insurers, law firms, regulated pharma) accepts library-level validation. FedRAMP High and certain DoD contracts require product-level CMVP validation, which is on the post-Series A roadmap. For commercial customers under SOC 2, HIPAA, FINMA, DORA, or EU AI Act, library-level validation is fully sufficient.

How does this work during an actual regulator audit?

When a FINMA, BaFin, or internal auditor arrives on site, your team calls one endpoint: /v1/audit/export/regulatory. It produces a cryptographically signed evidence pack (JSON plus ZIP) aligned with the specific framework (DORA Article 12, HIPAA § 164.312, 21 CFR Part 11, EU AI Act Annex VIII, FINMA 08/2024). The auditor verifies the hash chain offline with our verify tool, confirms no tampering, and signs off. No proprietary format, no vendor lock-in for evidence format.

How does this scale with thousands of agents?

Daylite runs as a central control plane (1 to 3 HA instances, not per-agent). Agents emit events via SDK, proxy mode, or WASM filter to the control plane. Our production target handles 100K events per second of hash-chain append with sub-millisecond latency. Not a sidecar pattern. Customers with 5,000 agents deploy three control plane instances, not 5,000 sidecars.

Can Microsoft Agent 365 or Azure API Management do this?

Microsoft ships generic AI governance across their cloud. Two structural problems. First, their audit stores reside in Azure, exposing Swiss and EU client data to US CLOUD Act and FISA 702 subpoenas, a criminal violation of Swiss Banking Act Article 47. Second, they do not deploy inside air-gapped regulated environments where sovereignty is required. Daylite is the self-hosted alternative for deployments where Microsoft cannot legally or architecturally fit.

Talk to us

60 minutes with the founder. Technical deep-dive on your regulatory requirements, deployment environment, and integration path. A working session, not a sales pitch.

Or reach out directly at hello@daylite.ai