TRAI v3.2.0
Trust

Compliance you can verify.

Every TRAI certificate is a cryptographically signed evidence bundle. Below: the regulations and standards we satisfy, the TRAI features that satisfy them, and what we're working toward.

Frameworks: 7/9 compliant
OpenSSF: Silver (Gold Q4 2026)
SOC 2 Type II: Target Q1 2027

What this page is

A live compliance crosswalk mapping every regulation and standard TRAI addresses to the specific feature(s) that satisfy it. Like compliance.figma.com — but for cryptographic compliance of AI-generated content.

What this page is NOT

Compliance theater. If a control is missing or pending, we say so. Click any row to read the gap detail.

Where to verify

Every cert ID resolves to a JSON cryptographic receipt at /api/v1/verify/{cert_id}. The receipt is independently verifiable without contacting TRAI.

Honest state

The single fastest way to differentiate from inflated asset listings is to be the only one disclosing technical debt. Here's the real state of TRAI today.

Production-ready

  • 21 Rust crates · cargo test passing
  • 4 SDKs: Python, Python-light, TypeScript, Go
  • 36 MCP tools (Claude Code, Cursor, Codex)
  • Apache 2.0 + MIT dual license
  • OpenSSF Silver (badge id 13436)
  • RFC 9943 SCITT receipts (CCF 7.x)
  • RFC 9901 SD-JWT envelopes
  • FIPS 204 ML-DSA-65 post-quantum hybrid

Needs work before scale

  • HSM signing configured but not load-tested at production volume
  • PostgreSQL persistence Docker-only — needs RDS / Supabase for prod
  • Bus factor 1 — single founder, no co-maintainer merged yet
  • SOC 2 Type II target Q1 2027
  • OpenSSF Gold target Q4 2026

Framework crosswalk

Each row links a specific regulation or standard to the TRAI feature(s) that satisfy it. Status reflects current compliance, not aspiration.

Regulation / Standard Status TRAI features Gap / Target
EU AI Act Art 50: EU AI Act Article 50
Status: ✓ compliant since 2026-04-01
TRAI features:
  • COSE_Sign1 hybrid Ed25519 + ML-DSA-65 cryptographic provenance per AI output
  • C2PA-compatible assertion embedding (optional)
  • Kirchenbauer watermark for text outputs (defense in depth)
  • EU Trust List validation of QTSP issuers (Actalis Italia)
  • PLD-compliant disclosure + defect rebuttal (see /v1/pld/* endpoints)
Gap / Target: No gaps

PLD: Product Liability Directive 2024/2853
Status: ✓ compliant since 2026-04-01
TRAI features:
  • Immutable SCITT ledger (RFC 9943) of every cert issuance = audit trail for defect defense
  • BLAKE3 hash chain (P4.6 encapsulation) — tamper-evident history
  • Evidence bundle PDFs with full cryptographic chain (issuer + signature + timestamp + receipt)
  • Defect rebuttal endpoint /v1/pld/rebuttal
Gap / Target: No gaps

DORA RTS: DORA Regulatory Technical Standards 2024/1774
Status: ✓ compliant since 2026-04-01
TRAI features:
  • Hybrid Ed25519 + ML-DSA-65 = crypto-agile composite (IETF draft-ietf-lamps-pq-composite-sigs-15)
  • ML-DSA-65 keys in FIPS 140-3 Level 3 HSM (AWS KMS, GCP KMS) — encryption at rest
  • TLS 1.3 with hybrid PQ/T default (Cloudflare Pages + Render) — encryption in transit
  • Algorithm swap via composition without breaking compatibility
Gap / Target: No gaps

NIS2 Art 21(2)(h): NIS2 Article 21(2)(h) cryptography
Status: ✓ compliant since 2026-04-01
TRAI features:
  • Documented cryptography policy: SHA-256 + BLAKE3 hashing, Ed25519 + ML-DSA-65 signing, AES-GCM for envelope encryption
  • Algorithm registry in /docs/SECURITY.md (post-refactor D6 canonical)
  • Crypto-agility roadmap in /docs/ARCHITECTURE.md
Gap / Target: No gaps

ISO 42001: ISO/IEC 42001 — AI Management System
Status: ◐ partial
TRAI features:
  • Annex A control mapping via crates/themis-compliance/src/iso_42001.rs
  • Statement of Applicability endpoint /v1/iso42001/soa
  • Automated control status dashboard in /console
Gap / Target: Independent third-party audit scheduled Q2 2028. Target: 2028-04-01

FIPS 204 + 140-3 L3: FIPS 204 (ML-DSA) + FIPS 140-3 Level 3 HSM
Status: ✓ compliant since 2026-04-01
TRAI features:
  • ML-DSA-65 keys in AWS KMS eu-central-1 (FIPS 140-3 Level 3 validated HSM)
  • Composite signatures per draft-ietf-lamps-pq-composite-sigs-15 (PKIX) + draft-ietf-jose-pq-composite-sigs-01 (COSE)
  • Ed25519 fallback for legacy interop
Gap / Target: No gaps

RFC 9943 SCITT: RFC 9943 — SCITT (Supply Chain Integrity, Transparency, and Trust)
Status: ✓ compliant since 2026-07-04
TRAI features:
  • /receipt/cose endpoint on CCF 7.x ledger
  • COSE_Sign1 receipt envelope (RFC 9052) with Merkle proof
  • COSE-only ledger signing mode (CCF 7.0.0 feature)
  • Auditable inclusion in transparency log
Gap / Target: No gaps

RFC 9901 SD-JWT: RFC 9901 — SD-JWT (Selective Disclosure JWT)
Status: ✓ compliant since 2026-07-04
TRAI features:
  • SD-JWT VC envelopes for cert claims
  • Selective disclosure of issuer, signature algorithm, timestamp without revealing payload
  • EUDI Wallet integration (ARF v1.4 compatible)
Gap / Target: No gaps

OpenSSF Silver: OpenSSF Best Practices Badge
Status: ◐ partial
TRAI features:
  • All Silver criteria met (license, contribution, docs, security, testing)
  • Branch protection: 10 required CI checks (cargo-deny, cargo-audit, clippy, rustfmt, 3×OS rust test, ruff, pytest, pip-audit, Analyze)
  • F1-F15 acceptance gate green (refactor F1-F15 PASS 2026-07-04)
  • SLSA L3 build provenance in progress
Gap / Target: Gold criteria incremental: dangerous-workflow + token_permissions + signed releases. Target: 2026-12-31

Cryptographic verification path

Every TRAI cert is verifiable offline by anyone holding the issuer's public key. No contact with TRAI required.

  1. Extract COSE_Sign1: Pull the base64-encoded COSE_Sign1 envelope from the cert JSON receipt.
  2. Verify composite signature: Verify Ed25519 + ML-DSA-65 against issuer's public key per draft-ietf-lamps-pq-composite-sigs-15.
  3. Verify RFC 3161 timestamp: Verify TSA signature against Actalis Italia (eIDAS QTSP) root certificate.
  4. Verify SCITT inclusion: Verify Merkle inclusion proof against CCF 7.x ledger root. RFC 9943 compliant.
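
Step 4 comes down to recomputing a root hash from the entry and its sibling path, then comparing it with a root the verifier already trusts. The following is an added example, not TRAI's or CCF's code: the proof shape ((side, sibling) steps), SHA-256 with 0x00/0x01 prefixes, the helper names and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac

LEAF, NODE = b"\x00", b"\x01"  # domain-separation prefixes (assumed, RFC 6962 style)

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(LEAF + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()

def build_levels(entries):
    """Constructed log: hash leaves, pair upward, promote an unpaired node."""
    levels = [[leaf_hash(e) for e in entries]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def make_proof(levels, index):
    """Sibling path for one leaf as (side, hash) steps, bottom to top."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("left" if sibling < index else "right", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(entry: bytes, proof, trusted_root: bytes) -> bool:
    """Recompute the root from the entry and path; reject malformed steps."""
    current = leaf_hash(entry)
    for step in proof:
        if len(step) != 2 or step[0] not in ("left", "right") or len(step[1]) != 32:
            return False
        side, sibling = step
        current = node_hash(sibling, current) if side == "left" else node_hash(current, sibling)
    # The root must come from a ledger signature already verified, not from the receipt alone.
    return hmac.compare_digest(current, trusted_root)

# Constructed sample data: five certificate records in a toy log.
ENTRIES = [b"cert-%d" % i for i in range(5)]
LEVELS = build_levels(ENTRIES)
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    proof = make_proof(LEVELS, 2)
    print(verify_inclusion(ENTRIES[2], proof, ROOT))        # genuine entry
    print(verify_inclusion(b"cert-2-forged", proof, ROOT))  # altered entry
```

The check is only as strong as the source of `trusted_root`: a root taken from the same unauthenticated receipt as the proof proves nothing.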

SOC 2 Type II — target Q1 2027. Placeholder, not a fake badge. ISO 42001 certification target Q2 2028. This trust center is open about what it does and does not satisfy. Last updated 2026-07-05.