A hospital trust, a bank, and a supervisory authority are all asking for the same evidence — in three different formats.
For AI providers
Issue the passport once.
Present it at every border.
A Ripple is the evidence passport your AI system carries: purpose, data categories, legal basis, bias examination, oversight design, accuracy under shift, and sealed diagnostics. Issued once. Accepted across every review.
Ripple completion — supplier evidence
67% completeMeridian Acuity Triage v3.1
Emergency patient triage · Annex III 5(d) · GDPR Art. 9
The evidence request is no longer a formality. It is the gate.
Deployers in health, financial services, and minor-facing services now carry personal obligations under the EU AI Act and GDPR that they cannot discharge on your assurance. They need a record they can hold up. A Ripple is that record — and it is yours to issue before they ask.
What the reviewer asks
Eight questions that decide whether your system is cleared.
The DPO asks about basis and special-category data. The CISO asks about tools, credentials, and egress. The procurement lead asks what expires and when. Your passport answers all three from one record — before the review stalls.
Asked at every review
What the passport records
Ten sections. Each tied to the article the reviewer must satisfy.
How it works for providers
Issue once. Seal the evidence. Present it at every border.
Issue the passport
Complete the Ripple: purpose, data categories, legal basis, oversight design, and the model stack behind the endpoint.
Seal the diagnostics
Run bias examination, accuracy-under-shift, and exposure checks inside your own perimeter. Only the signed Evidence Record leaves.
Present it
A Wake carries the stamped evidence to the reviewer — DPO, CISO, procurement, or a competent authority — already assembled.
Carry the credential
"Carries a Ripple" — Ripple-issued, verifiable, and expiring. A reviewer checks the passport itself, not a logo.
How the standard travels
The passport is a credential the reviewer can check.
The deployer asks
"Send us the Ripple for this system."
The provider issues
One passport. Sealed evidence. Real expiry date.
The system carries it
"Carries a Ripple" — Ripple-issued and verifiable.
The next reviewer accepts it
The same record clears the next border.
Ripple-issued — the provider credential
Display it where your buyers look. It resolves to the passport itself: sections, sealed Evidence Records, expiry date, and the Droplets in force. Verification requires no contact with your sales team.
Evidence record. Not certification, conformity assessment, or regulatory approval.
Carries a Ripple
Ripple-issued · expires 30 Sep 2026
Addressed
Provider objections — answered.
“We already complete security questionnaires.”
A questionnaire is rebuilt for every reviewer and comparable to nothing. A Ripple is issued once and presented at every review — to a hospital trust, a bank's third-party risk function, a supervisory authority, a notified body. The evidence is the same; the effort stops recurring.
“Our system is low risk. It does not need a passport.”
Risk is inherited from the deployment, not declared by the provider. The same assistant is low risk in an internal wiki and Annex III high-risk the moment a clinician, a credit officer, or a minor is on the other side of it. A system that carries a Ripple can be cleared for those contexts. One that does not, cannot.
“We will not disclose proprietary model details.”
A passport records what is proven about a system, never how it is built. Diagnostics execute inside your perimeter and export a signed Evidence Record — the finding only. Weights, prompts, corpora, and training data never leave.
“We are not in a regulated sector.”
Your deployers are. Health AI carries GDPR Art. 9 and, where it is a device, MDR. Financial AI carries Art. 22 and DORA's third-party requirements. Any system a minor can reach carries GDPR Art. 8 and DSA Art. 28. The obligation arrives with the context your system is sold into.
Step 2 — the passport
Issue the passport your system carries.
Before the next review stalls.
One Ripple answers the health trust, the bank, and the supervisory authority from the same record — with the diagnostics sealed and the expiry date on its face.
AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.