Every feature, mapped to the law that requires it.
Chaberista is AI oversight software built around a single premise: if you cannot produce evidence of who used which model, on what data, under what approval — you do not have a compliance program, you have a hope. This page documents how each feature creates that evidence, and the legal regime it is designed to satisfy.
Informational only. Not legal advice. Use these mappings with your own counsel.
Feature guide & legal justification
15 modules
Activity Overview & Event Stream
Time-series capture of every AI prompt, file upload, and tool action across Claude, ChatGPT, Perplexity, Copilot, and Gemini — with user, source, IP, and redacted query text.
Why it's core to oversight
Without a permanent record you cannot prove what was sent to a third-party model. 'We don't know' is not a defense in regulator inquiries, e-discovery, or insurance claims.
GDPR Art. 30 — Records of processing activities (controller obligation).
CCPA §1798.130 — 12-month lookback on data disclosures and recipients.
HIPAA §164.312(b) — Audit controls on systems containing ePHI.
EU AI Act Art. 12 — Automatic logging of high-risk AI system usage.
SOC 2 CC7.2 / ISO 27001 A.12.4 — Event logging and monitoring.
Encrypted Logs & PII Redaction
Query bodies are encrypted at rest with per-workspace keys; emails, SSNs, card numbers, and other identifiers are redacted in the searchable index before storage.
Why it's core to oversight
Storing raw prompts that contain client PII reproduces the original disclosure risk. Encrypting and redacting turns the audit trail itself into compliant evidence rather than a second exposure surface.
Who relies on it
Anyone subject to GDPR, HIPAA, GLBA, PCI-DSS, or attorney-client privilege.
Legal & framework basis
GDPR Art. 32 — Encryption and pseudonymization as a security measure.
HIPAA §164.312(a)(2)(iv) & (e)(2)(ii) — Encryption of ePHI at rest and in transit.
PCI-DSS 3.5 — Protect stored cardholder data.
ABA Model Rule 1.6(c) — Reasonable efforts to prevent inadvertent disclosure of client info.
NY DFS 23 NYCRR 500.15 — Encryption of nonpublic information.
Data-Flow Mapping & Tier Classification
Map each data asset (client matter files, payroll, source code, PHI) to a sensitivity tier (T1 Public → T5 PII / Privileged) and to the AI destinations it is allowed to reach.
Why it's core to oversight
Regulators and DPAs ask 'what data went where, under what legal basis.' A maintained data-flow inventory is the only fast answer. It also drives every other guardrail.
GDPR Art. 30 — Records of processing (categories of data, recipients, transfers).
GDPR Art. 35 — DPIA for high-risk processing (LLM use on personal data).
EU AI Act Art. 9 & 10 — Risk and data-governance documentation.
ISO 42001 §7.4 — AI system data resources and lineage.
CPRA §1798.185 — Risk assessments before processing personal info.
Approval Chains & Tiered Sign-Off
Configurable workflows: T1–T2 = single admin review, T3–T4 = security + owner, T5 (PII/PHI) = privacy + owner sign-off. Every decision is logged with reviewer, timestamp, and notes.
Why it's core to oversight
'Written approval' clauses in DPAs, BAAs, and engagement letters require a verifiable chain of custody, not Slack messages. This is the artifact your auditor and your insurance carrier want.
Who relies on it
Law firm partners approving AI on client matters, privacy officers, anyone bound by a Business Associate Agreement.
Legal & framework basis
HIPAA §164.308(a)(4) — Information access management and authorization.
ABA Formal Op. 512 (2024) — Lawyer's duty to obtain informed client consent before using GenAI on confidential info.
EU AI Act Art. 14 — Human oversight of high-risk AI systems.
SOX §404 — Segregation of duties on material processes.
ISO 27001 A.5.15 — Access control and approval.
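The tier-to-reviewer rule described in this section can be checked mechanically against the logged decisions. The sketch below is an added example, not Chaberista's code: the `Decision` record, the `evaluate` function, the sample names, and the no-self-approval and distinct-reviewer rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Reviewer roles each tier requires, as listed in this section.
REQUIRED_ROLES = {1: {"admin"}, 2: {"admin"},
                  3: {"security", "owner"}, 4: {"security", "owner"},
                  5: {"privacy", "owner"}}


@dataclass(frozen=True)
class Decision:
    reviewer: str
    role: str
    approved: bool
    timestamp: str  # ISO 8601, UTC
    notes: str = ""


def evaluate(tier, requester, decisions):
    """Return (status, missing_roles) for one request."""
    required = REQUIRED_ROLES[tier]
    signed = {}  # role -> reviewer who approved in that role
    for d in sorted(decisions, key=lambda d: d.timestamp):
        if d.role not in required:
            continue  # this tier does not call for that role
        if not d.approved:
            return "rejected", set()
        # Assumed rules: no self-approval, and one person cannot hold
        # two of the required roles on the same request.
        if d.reviewer == requester or d.reviewer in signed.values():
            continue
        signed[d.role] = d.reviewer
    missing = required - set(signed)
    return ("pending" if missing else "approved"), missing


def demo():
    # Constructed sign-off records for a T5 request raised by "dana".
    log = [Decision("pat", "privacy", True, "2025-01-10T09:00:00Z", "DPIA on file"),
           Decision("dana", "owner", True, "2025-01-10T09:05:00Z")]
    self_signed = evaluate(5, "dana", log)
    log.append(Decision("omar", "owner", True, "2025-01-10T10:00:00Z"))
    complete = evaluate(5, "dana", log)
    log.append(Decision("pat", "privacy", False, "2025-01-11T08:00:00Z", "scope changed"))
    withdrawn = evaluate(5, "dana", log)
    return self_signed, complete, withdrawn
```

The requester's own owner sign-off does not count, so the request stays pending until a second person approves, and a later rejection from a required role overrides earlier approvals.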
Acceptable-Use Policies (AUP) with Attestation
Author and version your AI AUP in-product; require every user to attest before access. Attestations are signed, timestamped, and exportable.
Why it's core to oversight
An unattested policy is unenforceable in HR proceedings and offers no defense in a privacy complaint. Attestation converts policy into individual accountability.
Who relies on it
HR, legal, compliance, anyone defending against an employee misconduct or whistleblower claim.
Legal & framework basis
EU AI Act Art. 4 — AI literacy obligation for deployers.
GDPR Art. 32(4) — Ensure persons acting under authority process data only on instructions.
NIST AI RMF GOVERN 4.1 — Organizational policies and accountability.
SOC 2 CC1.4 — Commitment to competence (training & acknowledgment).
Incident Detection & SLA Tracking
Pre-wired rules for tier violations, unapproved destinations, sensitive-data leaks, and AUP breaches — each with severity, SLA, and assignment. Webhooks to Slack, Teams, PagerDuty, or your SIEM.
Why it's core to oversight
Most data-protection laws require breach notification within tight windows (GDPR: 72 hours). You cannot meet the clock if detection is manual.
GDPR Art. 33 — 72-hour breach notification to supervisory authority.
HIPAA Breach Notification Rule §164.400–414.
U.S. state breach notification laws (e.g., CCPA §1798.82, NY SHIELD Act).
SEC Cybersecurity Disclosure Rule (Item 1.05 of Form 8-K).
DORA Art. 17–19 — ICT-related incident reporting (financial entities, EU).
Spend Monitoring & Budget Alerts
Per-user, per-model, per-team token and dollar tracking with anomaly detection and budget thresholds. Catches a runaway agent or compromised key in hours, not at month-end.
Why it's core to oversight
Uncontrolled AI spend is both a financial and a security signal — token spikes are the leading indicator of credential misuse and prompt-injection abuse.
Who relies on it
Finance, FinOps, CISO, board reporting.
Legal & framework basis
SOX §404 — Internal controls over material expenditures.
ISO 27001 A.8.6 — Capacity management.
Cyber-insurance underwriting requires evidence of usage monitoring.
Ask Logs (Guardrail-Bound AI Q&A)
Natural-language search of your audit data — strictly bound to approved summary tables and redacted feeds, with cited sources. Cannot invent answers or read raw PII.
Why it's core to oversight
Auditors and partners ask questions in English ('which paralegals uploaded client files to ChatGPT last quarter?'). The guardrail prevents the assistant itself from becoming a leak channel.
Who relies on it
GCs, audit, board, any non-technical reviewer.
Legal & framework basis
EU AI Act Art. 13 — Transparency and provision of information to users.
NIST AI RMF MEASURE 2.7 — Output explainability and traceability.
Compliance Frameworks & Control Status
Pre-loaded frameworks (SOC 2, ISO 27001/42001, NIST AI RMF, EU AI Act, HIPAA, GDPR) with per-control status (met / partial / gap) and evidence links.
Why it's core to oversight
Cuts SOC 2 / ISO audit prep from weeks to days and produces the artifact your customers' security review teams demand.
Who relies on it
Compliance, security, sales engineering responding to RFP security questionnaires.
Legal & framework basis
Direct mapping to SOC 2 Trust Services Criteria.
ISO 27001:2022 Annex A and ISO 42001:2023 controls.
NIST AI RMF GOVERN, MAP, MEASURE, MANAGE functions.
Public Trust Center
A published, branded page (/trust/your-slug) listing your sub-processors, frameworks, AUP, and AI destinations — with DPA download.
Why it's core to oversight
Replaces ad-hoc questionnaire responses. Enterprise buyers and auditors check trust centers before they email you.
Who relies on it
Sales, security, legal, marketing.
Legal & framework basis
GDPR Art. 28(2) — Sub-processor transparency.
Soft requirement under most enterprise procurement security reviews.
Source Connectors (Claude, Perplexity, +)
Direct API ingestion from Claude Enterprise, Perplexity, and (via webhook) any LLM gateway. No agents on user devices required.
Why it's core to oversight
Coverage at the source means shadow AI use is caught even when employees bypass corporate SSO.
Who relies on it
IT, security architects.
Legal & framework basis
EU AI Act Art. 12 — Logging across the lifecycle of high-risk systems.
ISO 42001 §8.2 — AI system operation and monitoring.
MCP Connector Inventory & Tool Governance
Auto-discovers every Model Context Protocol server Claude is connected to, classifies each exposed tool (read / write / destructive / irreversible), enforces human-in-the-loop on risky calls, and records every classification or status change in an audit trail.
Why it's core to oversight
MCP turns an LLM into a remote-execution surface — a single misclassified 'delete_account' tool can wipe production data without anyone in the loop. Inventorying the servers and gating destructive tools is the only way to keep agentic AI inside your control plane.
Who relies on it
Security architects, platform engineers, GRC, anyone signing off on agentic AI rollouts.
Legal & framework basis
EU AI Act Art. 14 — Human oversight of high-risk AI systems (mandatory HITL on destructive tool calls).
EU AI Act Art. 12 — Logging across the lifecycle of high-risk systems (per-tool call audit).
ISO 42001 §8.2 / §8.3 — AI system operation, monitoring, and impact assessment.
NIST AI RMF MAP 4.1 / MEASURE 2.7 — Inventory of AI components and third-party dependencies.
SOC 2 CC6.1 / CC7.2 — Access control over privileged operations and event logging.
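A minimal sketch of the gating logic this section describes, showing why a misclassified tool is the failure mode to guard against and why unclassified tools should fail closed. This is an added example, not Chaberista's code: `ToolRegistry`, the approval threshold, and the server and tool names other than 'delete_account' are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

RISK_ORDER = ["read", "write", "destructive", "irreversible"]  # classes from the page
HITL_FROM = "destructive"  # assumption: human approval from this class upward


@dataclass
class ToolRegistry:
    classes: dict = field(default_factory=dict)  # (server, tool) -> risk class
    audit: list = field(default_factory=list)    # append-only trail

    def _log(self, event, **details):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **details})

    def classify(self, server, tool, risk, actor):
        if risk not in RISK_ORDER:
            raise ValueError(f"unknown risk class: {risk!r}")
        old = self.classes.get((server, tool))
        self.classes[(server, tool)] = risk
        self._log("classification_change", server=server, tool=tool,
                  old=old, new=risk, actor=actor)

    def effective_class(self, server, tool):
        # Fail closed: an unclassified tool is treated as the riskiest class.
        return self.classes.get((server, tool), RISK_ORDER[-1])

    def authorize(self, server, tool, approved_by=None):
        risk = self.effective_class(server, tool)
        needs_human = RISK_ORDER.index(risk) >= RISK_ORDER.index(HITL_FROM)
        allowed = not needs_human or approved_by is not None
        self._log("tool_call", server=server, tool=tool, risk=risk,
                  approved_by=approved_by, allowed=allowed)
        return allowed


def demo():
    reg = ToolRegistry()
    # Constructed inventory: server and tool names are made up for illustration.
    reg.classify("crm-mcp", "search_contacts", "read", actor="alice")
    reg.classify("crm-mcp", "delete_account", "write", actor="alice")  # misclassified
    before = reg.authorize("crm-mcp", "delete_account")  # passes with no human
    reg.classify("crm-mcp", "delete_account", "irreversible", actor="bob")
    after = reg.authorize("crm-mcp", "delete_account")   # blocked until approved
    approved = reg.authorize("crm-mcp", "delete_account", approved_by="carol")
    unknown = reg.authorize("crm-mcp", "export_all")     # never classified
    return before, after, approved, unknown, reg.audit
```

The audit list records both the reclassification (old and new class, actor) and every call decision, which is the evidence a reviewer needs to see when a tool's class was wrong and who corrected it.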
Roles, SSO-Ready Access & Member Audit Trail
Owner / admin / member / super-admin roles with workspace isolation. Every member add, removal, and seat change is logged with actor and timestamp.
Why it's core to oversight
RBAC + audit is the table-stakes control for any system holding regulated data.
Who relies on it
Identity, security, HR offboarding.
Legal & framework basis
ISO 27001 A.5.18 — Access rights review.
HIPAA §164.308(a)(3) — Workforce security and termination procedures.
Subscriptions, seat counts, and plan status are reconciled with Stripe via signed webhooks; over-allocation is auto-corrected and logged. Card numbers are tokenized at Stripe and never stored by us; we keep only Stripe customer/subscription IDs for invoicing.
Why it's core to oversight
License compliance is increasingly part of vendor contracts and renewal audits — verifiable seat usage prevents disputes, and keeping PAN data out of our perimeter shrinks PCI scope to Stripe's certified environment.
Chaberista is oversight software, not legal certification. Statutes and regulations change — confirm current requirements with qualified counsel in each jurisdiction in which you operate.