A hospital trust, a bank, and a supervisory authority are all asking for the same evidence — in three different formats.

For AI providers

Issue the passport once.
Present it at every border.

A Ripple is the evidence passport your AI system carries: purpose, data categories, legal basis, bias examination, oversight design, accuracy under shift, and sealed diagnostics. Issued once. Accepted across every review.

Issued once, presented everywhereRipple-issued — verifiable credentialEvidence record. Not certification.

Ripple completion — supplier evidence

67% complete
Identity, provider role & model version100%
Intended purpose & Art. 6 route100%
Art. 11 + Annex IV technical documentation100%
Art. 10 data governance & bias examination60%
Art. 15 accuracy, robustness, cybersecurity40%
Art. 12 logs & Art. 14 oversight design0%
A regulated buyer is blocked on this Ripple — without it they cannot complete their DORA register of information entry, or name a substitutability plan for your model.
Ripple — evidence passportCleared with Limits

Meridian Acuity Triage v3.1

Emergency patient triage · Annex III 5(d) · GDPR Art. 9

Evidence82%
Expiry30 Sep 2026
Raw data exportoff
ALP-2026-MER-X7Q2

The evidence request is no longer a formality. It is the gate.

Deployers in health, financial services, and minor-facing services now carry personal obligations under the EU AI Act and GDPR that they cannot discharge on your assurance. They need a record they can hold up. A Ripple is that record — and it is yours to issue before they ask.

What the reviewer asks

Eight questions that decide whether your system is cleared.

The DPO asks about basis and special-category data. The CISO asks about tools, credentials, and egress. The procurement lead asks what expires and when. Your passport answers all three from one record — before the review stalls.

Asked at every review

Which special-category data does the system process — GDPR Art. 9?
Is our data used to train or fine-tune your model?
Where does inference run, and on what transfer basis does data leave?
How was bias examined — AI Act Art. 10? Show the result, not the policy.
How is human oversight designed — AI Act Art. 14? Who can override, and on what basis?
Has accuracy held since validation — Art. 15 — or has the population shifted?
Are the system's events automatically logged — Art. 12?
If you swap the model behind the endpoint, how would we know?

What the passport records

Ten sections. Each tied to the article the reviewer must satisfy.

Identity, provider, and intended purpose
Data categories — Art. 9, Art. 8, financial profiling
Model and provider stack, with swap detection
Legal basis — GDPR Art. 6, 9, 22 · DPIA under Art. 35
Data governance and bias examination — AI Act Art. 10
Human oversight design — AI Act Art. 14
Accuracy and robustness under shift — AI Act Art. 15
Event logging and traceability — AI Act Art. 12
Subprocessors, hosting region, transfer basis
Sealed Evidence Records, expiry, and visas in force

How it works for providers

Issue once. Seal the evidence. Present it at every border.

01

Issue the passport

Complete the Ripple: purpose, data categories, legal basis, oversight design, and the model stack behind the endpoint.

02

Seal the diagnostics

Run bias examination, accuracy-under-shift, and exposure checks inside your own perimeter. Only the signed Evidence Record leaves.

03

Present it

A Wake carries the stamped evidence to the reviewer — DPO, CISO, procurement, or a competent authority — already assembled.

04

Carry the credential

"Carries a Ripple" — Ripple-issued, verifiable, and expiring. A reviewer checks the passport itself, not a logo.

How the standard travels

The passport is a credential the reviewer can check.

The deployer asks

"Send us the Ripple for this system."

The provider issues

One passport. Sealed evidence. Real expiry date.

The system carries it

"Carries a Ripple" — Ripple-issued and verifiable.

The next reviewer accepts it

The same record clears the next border.

Ripple-issued — the provider credential

Display it where your buyers look. It resolves to the passport itself: sections, sealed Evidence Records, expiry date, and the Droplets in force. Verification requires no contact with your sales team.

Evidence record. Not certification, conformity assessment, or regulatory approval.

Carries a Ripple

Ripple-issued · expires 30 Sep 2026

Addressed

Provider objections — answered.

We already complete security questionnaires.

A questionnaire is rebuilt for every reviewer and comparable to nothing. A Ripple is issued once and presented at every review — to a hospital trust, a bank's third-party risk function, a supervisory authority, a notified body. The evidence is the same; the effort stops recurring.

Our system is low risk. It does not need a passport.

Risk is inherited from the deployment, not declared by the provider. The same assistant is low risk in an internal wiki and Annex III high-risk the moment a clinician, a credit officer, or a minor is on the other side of it. A system that carries a Ripple can be cleared for those contexts. One that does not, cannot.

We will not disclose proprietary model details.

A passport records what is proven about a system, never how it is built. Diagnostics execute inside your perimeter and export a signed Evidence Record — the finding only. Weights, prompts, corpora, and training data never leave.

We are not in a regulated sector.

Your deployers are. Health AI carries GDPR Art. 9 and, where it is a device, MDR. Financial AI carries Art. 22 and DORA's third-party requirements. Any system a minor can reach carries GDPR Art. 8 and DSA Art. 28. The obligation arrives with the context your system is sold into.

Step 2 — the passport

Issue the passport your system carries.
Before the next review stalls.

One Ripple answers the health trust, the bank, and the supervisory authority from the same record — with the diagnostics sealed and the expiry date on its face.

AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.