Compliance

How AgentReceipt helps you meet regulatory requirements for AI agent logging and data retention.

EU AI Act

Article 19 of the EU AI Act requires providers of high-risk AI systems to retain automatically generated logs for a minimum of six months. The logs must be sufficient to reconstruct what the system did and why. Enforcement begins in August 2026.

AgentReceipt stores events in an append-only database with configurable retention periods. The Pro plan retains data for 90 days and the Business plan for 1 year. For high-risk systems that need 6 months or more, the Business plan meets this requirement out of the box. The hash chain provides verifiable proof that logs have not been altered since they were recorded.

If your AI system falls under the high-risk category, AgentReceipt gives you structured, timestamped, hash-verified logs of every action your agent took. These logs are queryable, human-readable, and available for export.

SOC 2 and HIPAA

SOC 2

Audit trails are a core control in SOC 2 compliance. If your organization undergoes SOC 2 audits and you use AI agents that take actions on behalf of users or customers, you need structured, queryable logs of what those agents did. AgentReceipt provides exactly that: a timestamped record of every action, with hash chain verification to prove the logs have not been modified.

HIPAA

HIPAA requires covered entities to retain audit logs for six years when handling protected health information (PHI). If your AI agent processes patient records, medical data, or any PHI, use the retentionOverride field to set a 2,190-day retention period on those events. Tag them with dataCategory: "health" and containsPII: true so your compliance team can filter and review them.

For organizations that need retention beyond what the standard plans offer, contact us about an Enterprise plan with custom retention periods.

GDPR and data deletion

There is a tension between immutability and the right to erasure under GDPR Article 17. AgentReceipt handles this by separating what is immutable from what can be deleted.

What is immutable

Event metadata (timestamps, event type, duration, event name) and the hash chain are immutable. They cannot be deleted or modified. This is what makes the audit trail trustworthy. Removing a single event would break the hash chain and invalidate the entire receipt.

What can be deleted

Raw LLM payloads (the actual input and output content of each event) are stored separately in Cloudflare R2. These payloads can be deleted on request without breaking the hash chain, because the hash is computed from the event metadata, not the raw payload content.

To request payload deletion, contact support with the session ID. We will delete the raw payloads from R2 while preserving the event metadata and hash chain. The receipt will still show the event timeline, but expanding an event will show that the payload has been deleted.