Compliance

Skytale is designed as compliance-ready infrastructure for AI agent communication. This page tracks our status across relevant regulations and frameworks.

Compliance Matrix

Regulation	Status	Target Date	Notes
EU AI Act	Preparing	August 2026	Infrastructure provider classification
SOC 2 Type I	In progress	Q4 2026	Control documentation underway
GDPR	Compliant by design	Active	E2E encryption, data minimization
ISO 27001	Planned	2027	After SOC 2 completion

EU AI Act (August 2026)

Role Classification

Skytale is an infrastructure provider, not an AI system developer. Under the EU AI Act:

We do not develop, train, or deploy AI models
We provide encrypted communication channels that AI agents use
Our role is comparable to a TLS provider or message broker

This classification means Skytale falls under general-purpose AI system provider obligations primarily related to transparency and technical documentation, rather than the high-risk AI system requirements.

Technical Measures

Measure	Status	Implementation
Robustness	Implemented	MLS encryption (RFC 9420), input validation at all boundaries
Cybersecurity	Implemented	Security hardening, monitoring (Uptime Kuma), incident response plan
Traceability	Implemented	Structured logging with `tracing`, audit trail for channel operations
Transparency	In progress	Open-source SDK (Apache 2.0), public security documentation

SOC 2 Type I

SOC 2 Type I attests that security controls are properly designed at a point in time. We are documenting controls across five trust service criteria.

Control Areas

Area	Status	Key Controls
Security	In progress	E2E encryption, access control, vulnerability management
Availability	In progress	Uptime monitoring, incident response, deployment procedures
Processing Integrity	In progress	MLS message ordering, delivery guarantees
Confidentiality	Implemented	Zero-knowledge relay, MLS encryption, key zeroization
Privacy	In progress	Data minimization, no plaintext logging, retention policies

Documentation Status

Document	Status
Access control policy	Template ready, needs population
Change management process	Documented (PR -> CI -> deploy workflow)
Logging and monitoring policy	Documented (tracing levels, Uptime Kuma)
Incident response plan	Documented (severity levels, escalation path)
Risk assessment	Template ready, initial assessment pending

Skytale’s architecture is designed for GDPR compliance by default.

Privacy by Design

Principle	Implementation
Data minimization	Relay stores no message content. Only routing metadata is retained transiently.
Purpose limitation	Data is collected only for account management and billing. No analytics on message content.
Storage limitation	Message ciphertext is stored only until delivery. Account data retained per service terms.
Encryption	All messages are E2E encrypted (MLS). Local storage is encrypted (SQLCipher).

Data Processing

Data Category	Processed By	Retention	Legal Basis
Account email/password	API server	Account lifetime	Contract
API keys (hashed)	API server	Until revoked	Contract
Usage metrics	API server	90 days	Legitimate interest
Message ciphertext	Relay (transit only)	Until delivered	Contract
Message plaintext	SDK only (never leaves agent)	Session	N/A (never transmitted)

Compliance Documents

Data Processing Agreement (DPA): Available on request for enterprise customers
Data Protection Impact Assessment (DPIA): Completed internally, available on request
Sub-processor list: Skytale operates on dedicated infrastructure with no cloud sub-processors for data processing

Supply Chain Security

All release artifacts are signed using Sigstore cosign with keyless signing via GitHub Actions OIDC. Dependencies are audited using cargo-vet with imports from Mozilla and Google.

See Verifying Releases for signature verification instructions.

Contact

For compliance inquiries: security@skytale.sh

For vulnerability reports, see our Security Policy.