Your buyer is asking which data your AI accesses.

Evidence Passports

Give every AI system a Passport buyers can review.

One structured profile — purpose, data access, model stack, privacy, security, signals, restrictions, monitoring, and expiry — per AI supplier, API, RAG system, and agent.

12 evidence sections · Complete once, reuse across buyers · Expiry and renewal built in · Not legal certification
Provena Passport

Issued through AffectLog

LIMITED

Meridian RAG Assistant

Internal knowledge retrieval · Enterprise

Monitoring active · Exp 15 Nov 2026 · 14 receipts
84%
Evidence
raw_data: off · raw_prompts: off
ALP-2026-MER-R3K9

Approval follows evidence. Not spreadsheets.

Every AI system that accesses sensitive data needs a structured evidence profile. Buyers need to request it. Vendors need to share it. Reviewers need to act on it.

Two perspectives

Passports work for buyers and vendors.

Buyer view

Should this AI supplier be approved?

Evidence Passport gives procurement the structured evidence needed to make and record a defensible access decision.

What personal data does this AI process?

Data categories, Art. 6 and Art. 9 legal basis, data residency, and training use flag — all in one structured profile.

Is evidence complete enough for DPO sign-off?

Evidence completeness tracking at section level. DPO sees exactly which sections are complete and which gaps block clearance.

When does this approval expire?

Expiry date on every Passport. Tide Monitor sweeps hourly and alerts before lapse — so approvals do not silently renew without updated evidence.

Vendor view

We answer the same questionnaire for every buyer.

Complete a Passport once. Share it with every buyer who asks. No re-filling security questionnaires.

Our deals stall at the DPO review stage.

Passports are structured for DPO review from the start. Data categories, legal basis, DPIA status, and DPA signature are required fields.

We want a public trust signal for our website.

Display the 'AI Passported' badge. Buyers click through to your public Passport preview before they even contact sales.

We cannot expose proprietary model details.

You control what goes in the Passport. The structure captures what buyers need — purpose, data, safeguards — not model IP.

Passport structure

12 evidence sections. One structured profile.

Evidence completeness is tracked at section level — not just a percentage. Gaps are visible. Buyers can see exactly what is missing before requesting DPO or CISO review.

Identity & purpose
Data categories processed
Model & provider stack
Privacy evidence & GDPR basis
Security posture
Technical signals & diagnostics
Subprocessors & hosting region
Monitoring status
Access conditions & restrictions
Expiry date & renewal
Signal Receipts from diagnostics
Agent boundaries (if applicable)

Evidence completeness — section-level, not just a score

Complete sections

Identity, data categories, model stack — all evidence provided and reviewed.

Partial sections

Privacy evidence — DPIA status missing. Gaps visible to DPO before review.

Missing sections

Signal Receipts — not yet run. Access decision cannot be fully cleared.

Signal Receipts

Diagnostic evidence — without exporting raw data.

Signal Receipts are signed diagnostic outputs. They record a metric result — privacy scan, fairness score, RAG quality, security posture — without exporting the underlying data. Raw export flags are off by default.

Privacy / PII detection

Sensitive Data Detection — receipt only

raw: off

Fairness assessment

Group Disparity Analysis — receipt only

raw: off

RAG groundedness

Grounding and Response Quality Evaluation — receipt only

raw: off

Security posture scan

Dependency audit — receipt only

raw: off
DPO Review · CISO Review · Procurement

Data categories: Personal data · No Art. 9
DPIA completed: Required for high-risk AI
DPA signed: EU standard clauses
Raw export flag: raw_data: off
Subprocessors: List not provided
2 gaps block clearance · Review Required

What a Passport is NOT

Not a legal compliance certificate
Not a notified-body conformity assessment
Not regulatory approval under the EU AI Act
Not a replacement for DPO or legal review
Not a guarantee of ethical AI

The shift

AI vendor evidence — before and after Passports.

Without Evidence Passports

  • One-off questionnaires per buyer, per deal
  • Evidence in emails, PDFs, and shared drives
  • Incomparable formats across vendors
  • No inventory of which AI accesses which data
  • Renewal tracked in spreadsheets
  • DPO sign-off on vague vendor claims

With Evidence Passports

  • Vendor completes once — reused for every buyer
  • Structured, signed, comparable evidence profile
  • Standard format buyers and reviewers recognise
  • Data categories per system, explicit and reviewable
  • Tide Monitor tracks expiry — alerts before lapse
  • DPO reviews structured evidence against their checklist

Common questions

Evidence Passports — addressed.

We already have SOC 2 and ISO 27001.

SOC 2 covers your internal controls. A Passport tells buyers what specific data your AI processes, whether it trains on their data, what the model API is, and what the access conditions are. These are different questions.

This sounds like more paperwork.

The Passport replaces the paperwork. One structured profile replaces dozens of one-off questionnaires for multiple buyers. It takes 1–2 hours to complete and saves weeks of repeated evidence requests.

We are not in a regulated sector.

Your buyers may be. Enterprise, public sector, EdTech, and HRTech buyers now require structured AI evidence regardless of your sector.

Get started

Issue your first Evidence Passport.
One Passport. Every buyer.

Start with a Provena Scan to map what already exists, then issue Passports for every AI system that accesses your data.

AffectLog provides technical evidence to support AI access, supplier-risk, security, privacy, and governance review. Not legal advice, certification, or regulatory approval.