Article 12-compliant logging for high-risk AI.
Retain zero personal data.
zkRune is the cryptographic record-keeping layer for EU AI Act Article 12. Every decision your AI system makes becomes a tamper-evident Groth16 proof — verifiable by a regulator, containing no raw input data, at under 200 bytes.
EU law will require you to log personal data. EU law also forbids you from keeping it.
For Annex III point 1(a) AI systems, Article 12(4) mandates retention of the "input data for which the search has led to a match" for at least six months. GDPR Article 5(1)(c) mandates data minimisation. Both are binding. Both apply to the same system, at the same moment.
"Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
"The input data for which the search has led to a match." Retained for at least six months.
Most vendors are choosing one of three bad options: log raw PII and eat the GDPR exposure, log partial hashes and hope regulators accept it, or log nothing and hope no one audits. None survive conformity assessment.
Every sub-requirement, satisfied cryptographically.
A direct mapping of the four statutory log fields to the primitives zkRune already produces in production.
| Art. 12(4) requirement | zkRune implementation |
|---|---|
| (a) Start & end date/time of each use | Block timestamp at proof submission on-chain. Immutable, UTC-normalized, independently verifiable. |
| (b) Reference database the input was checked against | The circuit's Merkle root commitment — cryptographically bound inside every proof. Changes to the reference database produce a new, visible root. |
| (c) Input data for which the search led to a match | Proof public inputs + unique nullifier + proof hash. The private witness — face embedding, document content, biometric template — is never transmitted and never stored. |
| (d) Natural persons involved in verification (Art. 14(5)) | Cryptographic signature of the human reviewer's wallet or identity key, bound into the log record. Produces a non-repudiable human-in-the-loop trail. |
Not a slide deck. A production system.
Mainnet verifier contracts — publicly inspectable today
High-risk AI systems under Annex III point 1(a).
Primary scope
- →Remote biometric identification systems (face, iris, voice)
- →Identity verification and KYC platforms in regulated industries
- →Age-assurance AI under DSA and national age-gating mandates
- →Border control, access control, critical-infrastructure identity checkpoints
- →Financial-sector customer-due-diligence AI
Buyer profile
zkRune is adopted once, referenced by all three.
Why existing tooling doesn't solve Article 12.
From signature to Article 12-ready in under 90 days.
Engagements starting April–May 2026 finish well inside the 2 August 2026 deadline.
A 30-minute technical session with your DPO and AI governance lead.
We will walk through your Annex III classification, run a live proof against a representative decision flow, and deliver a draft Article 12 mapping tailored to your system within 5 business days.