Compliance
Skytale is designed as compliance-ready infrastructure for AI agent communication. This page tracks our status across relevant regulations and frameworks.
Market context: As AI agents move into production, the regulatory landscape is catching up fast. The EU AI Act takes effect August 2026 with mandatory cybersecurity, logging, and robustness requirements for high-risk AI systems. SOC 2 auditors are beginning to ask about agent-to-agent communication security. Organizations deploying AI agents today face a choice: build compliance in now, or retrofit it later at significantly higher cost.
Compliance Matrix
| Regulation | Status | Target Date | Notes |
|---|---|---|---|
| EU AI Act | Preparing | August 2026 | Infrastructure provider classification |
| SOC 2 Type I | Planned | 2026 | Architecture supports SOC 2 controls |
| GDPR | Compliant by design | Active | E2E encryption, data minimization |
| ISO 27001 | Planned | 2027 | After SOC 2 completion |
EU AI Act (August 2026)
Role Classification
Skytale is an infrastructure provider, not an AI system developer. Under the EU AI Act:
- We do not develop, train, or deploy AI models
- We provide encrypted communication channels that AI agents use
- Our role is comparable to a TLS provider or message broker
This classification means Skytale falls under general-purpose AI system provider obligations primarily related to transparency and technical documentation, rather than the high-risk AI system requirements.
Technical Measures
| Measure | Status | Implementation |
|---|---|---|
| Robustness | Implemented | MLS encryption (RFC 9420), input validation at all boundaries |
| Cybersecurity | Implemented | Security hardening, monitoring (Uptime Kuma), incident response plan |
| Traceability | Implemented | Structured logging with tracing, audit trail for channel operations |
| Transparency | In progress | Open-source SDK (Apache 2.0), public security documentation |
SOC 2 Type I
SOC 2 Type I attests that security controls are properly designed at a point in time. Skytale’s architecture is designed to support all five trust service criteria.
Control Areas
| Area | Status | Key Controls |
|---|---|---|
| Security | Built in | E2E encryption, access control, vulnerability management |
| Availability | Built in | Uptime monitoring, incident response, deployment procedures |
| Processing Integrity | Built in | MLS message ordering, delivery guarantees |
| Confidentiality | Built in | Zero-knowledge relay, MLS encryption, key zeroization, fixed-size message padding, cover traffic |
| Privacy | Built in | Data minimization, no plaintext logging, retention policies |
Architectural Readiness
Skytale’s architecture provides the technical foundation for SOC 2 controls:
- Change management — All changes go through PR review, CI, and staged deployment
- Logging and monitoring — Structured tracing, Uptime Kuma monitoring, incident response
- Access control — API key authentication, account-scoped resources
- Encryption — MLS E2E encryption, key zeroization, zero-knowledge relay
GDPR
Skytale’s architecture is designed for GDPR compliance by default.
Privacy by Design
| Principle | Implementation |
|---|---|
| Data minimization | Relay stores no message content. Only routing metadata is retained transiently. |
| Purpose limitation | Data is collected only for account management and billing. No analytics on message content. |
| Storage limitation | Message ciphertext is stored only until delivery. Account data retained per service terms. |
| Encryption | All messages are E2E encrypted (MLS). Local storage is encrypted (SQLCipher). |
Data Processing
| Data Category | Processed By | Retention | Legal Basis |
|---|---|---|---|
| Account email/password | API server | Account lifetime | Contract |
| API keys (hashed) | API server | Until revoked | Contract |
| Usage metrics | API server | 90 days | Legitimate interest |
| Message ciphertext | Relay (transit only) | Until delivered | Contract |
| Message plaintext | SDK only (never leaves agent) | Session | N/A (never transmitted) |
Compliance Documents
- Data Processing Agreement (DPA): Available on request for enterprise customers
- Sub-processor list: Skytale operates on dedicated infrastructure with no cloud sub-processors for data processing
Why Compliance Timing Matters
Encryption is not something you bolt on after launch. MLS key management, forward secrecy, group state, and traffic analysis resistance require architectural decisions that touch every layer of your agent communication stack. Organizations that wait until regulatory deadlines will face:
- Retroactive audit exposure — plaintext agent traffic already in logs and on wires cannot be un-sent
- Architectural rework — adding end-to-end encryption to an existing agent system means reworking message serialization, key distribution, and state management
- Compliance timeline pressure — EU AI Act enforcement begins August 2026. SOC 2 auditors are already asking about AI agent communication. The window to build compliance in (rather than bolt it on) is closing
Skytale is designed so that compliance is a side effect of using the SDK. If your agents communicate through Skytale channels, the encryption, logging, and data minimization requirements are already met.
Supply Chain Security
All release artifacts are signed using Sigstore cosign with keyless signing via GitHub Actions OIDC. Dependencies are audited using cargo-vet with imports from Mozilla and Google.
See Verifying Releases for signature verification instructions.
Contact
For compliance inquiries: security@skytale.sh
For vulnerability reports, see our Security Policy.