Aleutian

For AI products with paying enterprise customers

The audit trail your enterprise customer's CISO is asking for.

Evidence your prospect's CISO files independently. End-user DSAR portal for GDPR Articles 15 and 17. Two-day API integration.

  • FIPS 204 / ML-DSA-65: Post-quantum, NIST-published
  • Open-source verifier SDKs: Anyone can audit your chain
  • Operating in dev: Real system, not a deck
  • Google Cloud: Per-tenant KMS isolation

The deal that's stuck.

Your last enterprise prospect's security review came back with one line: "We need to see your AI audit trail." Your team doesn't have one. Building one in-house is a full engineering quarter on infrastructure that doesn't ship a customer-facing feature — meanwhile the deal goes cold.

The build-it-yourself version

What you'd have to build to satisfy that review.

  • Tamper-evident hash chain over every prompt and response
  • Key rotation, deletion certificates, regulator-acceptable canonicalization
  • Signed evidence bundles for SOC 2, GDPR, HIPAA, NIST 800-53
  • An offline verifier their CISO can actually run themselves
  • 4–6 months for v1, 6–12 more on edge cases

If your users are in the EU, the August 2026 GDPR Article 17 deadline makes this worse — your prospect's security review will start asking about your DSAR pipeline too.

Three surfaces, one chain.

The same audit chain serves three audiences, each holding the proof in a form built for what they actually need to do with it. Your team works in an operator dashboard that shows the live chain state and the in-flight DSAR pipeline. Your enterprise prospects' security reviewers click through to a public verify page that confirms any signed certificate you've issued. Your end users go to a branded privacy portal that lets them exercise their rights under GDPR Articles 15, 17, and 20.

Your team's view

The operator dashboard.

[Screenshot placeholder: operator console at dashboard.aleutian.ai/dashboard/home, showing chain state, anchor cadence, DSAR pipeline, and component health]

Live chain state, anchor cadence, component health, and the in-flight DSAR pipeline with its 30-day SLA — in one dashboard your team and any auditor can read at a glance.

Your prospect's CISO's view

verify.aleutian.ai

Forward one URL when their security team asks for your audit trail. The page is verifiable in their own browser against your published public key — no Aleutian account, no PDF you had to assemble.

verify.aleutian.ai/cert/cert_01HMYV8GZ4XK9P3RQNDF6T2WJB
✓ Verified — Aleutian audit certificate

Audit chain proof for Acme AI, Inc.

This certificate represents an independently verifiable proof of the audit chain covering all prompt and response events processed by Acme AI on behalf of its enterprise customers. The signature on this page validates against Acme's published per-tenant public key without any dependency on Aleutian's infrastructure.

  • Certificate ID: cert_01HMYV8GZ4XK9P3RQNDF6T2WJB
  • Issued by: Acme AI, Inc. (per-tenant signing key)
  • Issued at: 2026-05-18 14:23:01 UTC
  • Signature algorithm: ML-DSA-65 (FIPS 204, post-quantum)
  • Signing key: kid_8f2a1b3c7e9d4f06
  • Chain anchor: manifest_root: 5e2b…a4f9
  • Events covered: 1,284,617 prompts and responses

Verify independently

$ npx @aleutian/verify cert_01HMYV8GZ4XK9P3RQNDF6T2WJB

Your end users' view

The privacy portal.

portal.aleutian.ai
Aleutian Privacy portal
No password required

Hi Alice — here's the audit trail of your data.

Signed-in via magic-link email. View consents, exports, and deletion certificates recorded in the chain.

  • GDPR Article 15: View your data
  • GDPR Article 20: Export your data
  • GDPR Article 17: Request deletion

Hosted by Aleutian. See verify.aleutian.ai for independent verification.

End users sign in with a magic-link email and see a cryptographically-anchored record of every consent, export, and deletion certificate. Self-serve under GDPR Articles 15, 17, and 20.

Three audiences, one record. None of them have to trust us for it to hold up.

The receipt your data subject takes with them.

When your end user requests their data, the receipt they leave with is a signed list of every processing event you recorded about them — timestamps, signing keys, chain anchors. Nothing your team had to assemble by hand.

They take that list back to you and exercise their full Article 15 right of access: “here are the 4,217 events you logged about me — please decrypt the underlying payloads and send them per Article 15(3).” You hold the encryption key; you fulfill the decryption.

Aleutian operates only as the cryptographic anchor that proves the events happened, who recorded them, when, and under which consent. Your data subjects, your regulators, and your own team get a record that no single party — including Aleutian — can rewrite.

Who Aleutian is for.

You're a CTO or founder at an AI agent platform or AI-native product with paying enterprise customers.

Your product works. Your customers love it. What's breaking your week is the security review on the next enterprise deal — and you've heard the same question on the last three. Aleutian is the buy-versus-build answer to that specific problem.

You're our customer when…

  • An enterprise prospect's security review has asked you for an AI audit trail and you don't have one
  • Your team is staring at a quarter of engineering on infrastructure that doesn't ship a customer-facing feature
  • You need something to forward to a CISO this week, not in six months
  • You have at least one paying customer or signed LOI (we're not the right fit pre-revenue)
  • Your AI product runs on one or more major model providers (Vertex AI, Anthropic, OpenAI, or any combination)

The regulatory landscape isn't getting easier. GDPR Article 17 lands in August 2026. State AI laws are stacking up behind it. Federal procurement is already asking about post-quantum. The founder who already has signed evidence in 2026 isn't the one explaining themselves to a regulator in 2027.

Different shape of company? Jump to who else we work with →

Two days of integration. Three steps.

1. Embed the SDK.

Your AI product calls the Aleutian API on every prompt, response, and consent action via our Go, Python, or JavaScript libraries. The integration takes around two days, including wiring up your existing identity layer.

2. We sign and chain every event.

Each entry is hashed with SHA-512 and signed with ML-DSA-65 (FIPS 204, post-quantum) using a per-tenant Cloud KMS key. The default operating mode is zero-knowledge — content forwards to your AI provider and is never stored on our side. Encrypted-storage and SDK-only modes are available for stronger guarantees.

3. Your customers and their regulators verify it themselves.

Open-source verifier SDKs let any third party — your enterprise prospect's CISO, an auditor, or a regulator — verify your chain offline against our published public keys at verify.aleutian.ai, with no dependency on Aleutian.

For the full visibility-modes breakdown (zero-knowledge default, encrypted-and-chained, consented PII scan, SDK-only), see the compliance page →
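Steps 2 and 3 above, as an added example that is not Aleutian's code or wire format: a SHA-512 hash chain over prompt, response, and consent events, with an offline verifier. The entry layout, JSON canonicalization, and function names are assumptions; the ML-DSA-65 signature check is not implemented here and is represented by the trusted `signed_head` value a verifier would take from a signed certificate.

```python
import hashlib
import json

GENESIS = "0" * 128  # constructed starting value for the first entry's "prev"

def digest(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()

def entry_hash(prev: str, event: dict) -> str:
    # Assumed canonical form: sorted keys, no whitespace, UTF-8.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return digest(prev.encode() + body)

def append(chain: list, kind: str, content: str) -> None:
    # Zero-knowledge style: only a digest of the content enters the chain.
    event = {"seq": len(chain), "kind": kind,
             "content_sha512": digest(content.encode())}
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})

def verify(chain: list, signed_head: str) -> int:
    """Return -1 if intact, else the index of the first failing entry
    (len(chain) means the links hold but the head differs from the anchor)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["event"]):
            return i
        prev = entry["hash"]
    return -1 if prev == signed_head else len(chain)

def build_sample() -> list:
    # Constructed sample events, not real traffic.
    chain = []
    append(chain, "prompt", "Summarize the Q3 contract")
    append(chain, "response", "The contract covers ...")
    append(chain, "consent", "analytics=false")
    return chain

def rewrite_from(chain: list, index: int, content: str) -> None:
    # Test fixture: one entry is edited and every later hash is recomputed.
    chain[index]["event"]["content_sha512"] = digest(content.encode())
    prev = chain[index]["prev"]
    for entry in chain[index:]:
        entry["prev"] = prev
        entry["hash"] = prev = entry_hash(prev, entry["event"])
```

The last case is why the head must be signed and published separately from the log: a fully recomputed chain is internally consistent and only fails against the anchored head.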

What Aleutian isn't.

We're not a privacy platform. We don't replace OneTrust, Transcend, or DataGrail — your privacy team keeps their workflow, dashboard, and training; their existing tooling calls our API for the cryptographic layer underneath.

We're not an AI observability tool. Helicone, Portkey, and LangSmith tell you what your AI did so you can debug it. We tell a regulator, court, or auditor what your AI did so it holds up as evidence.

We're not commodity logging. The right comparison for our pricing is your AI inference bill (typically 1–3%), not your Datadog bill.

Why this matters in 2026.

The Article 17 deadline.

Expanded GDPR right-to-erasure takes effect August 2026. AI products that capture user prompts and responses are squarely in scope, and most don't have a DSAR pipeline. The window to be ready is closing.

The post-quantum transition.

NIST published FIPS 204 in August 2024, and the CNSA 2.0 timeline targets 2030–2035 for full migration across federal systems. Over the next eighteen months, enterprise procurement reviews will increasingly ask AI vendors about their post-quantum cryptography roadmap, and Aleutian's signing layer already operates on ML-DSA-65 today rather than as a planned future upgrade.

The audit-chain expectation.

Enterprise security reviews now routinely ask for a tamper-evident record of AI usage. The vendors who can hand back a signed chain win deals; the ones who hand back screenshots of dashboards don't.

Different shape of company?

You're a DPO at an AI-native company with EU users. GDPR Article 17 hits August 2026. The DSAR pipeline and signed deletion certificate sit underneath OneTrust / Transcend / your in-house tooling. Read the GDPR map →

You're a state agency, university system, or large K-12 district. Aleutian deploys on Google Cloud with per-tenant Service Account isolation auditable in your own Cloud Audit Logs. StateRAMP scoping under way; we're in active conversations with the Google Public Sector partner program. Read the public-sector map →

You're a federal agency or DoD contractor. Post-quantum from day one (FIPS 204 / ML-DSA-65), FedRAMP authorization on the roadmap with Google sponsorship in discussion, SBIR-eligible. Read the NIST + federal map →

You're an AI infrastructure provider thinking about embedded compliance. Talk to us — design partners only at this stage. Book a call →

The shape of the review, end to end

From security-review email to closed review, on the same Tuesday morning.

A compact view of the sequence that the verify-page section showed in detail — the three moments that together replace what used to be six weeks of back-and-forth between your engineering team, your sales counterpart, and your prospect's security reviewer.

1 Your prospect

Asks for an AI audit trail in their security review.

The line that has held up your last three enterprise deals.

2 You

Reply with one URL.

The certificate page for your tenant on verify.aleutian.ai.

3 Their CISO

Verifies the signature on their own infrastructure.

✓ Filed as evidence — review closed

The same three actors, the same three actions, the same morning. The artifact your prospect's CISO ends up with is verifiable against a public key on their own infrastructure rather than something they have to take on faith, which is the only distinction that actually determines whether the deal moves toward signature or sits in their queue for another six weeks.

Take a 20-minute call.

We'll walk through what your enterprise prospect's security team is asking for, what an integration looks like, and whether Aleutian is the right answer. If the timing isn't right or the fit isn't there, we'll say so.

Book a call, or read the compliance map →