EU AI Act & GDPR: how Stedral is built
Stedral is built and operated by Digitalix Hub OÜ, a company registered in Tallinn, Estonia (EU). That means the GDPR and EU AI Act apply to us directly — not as a voluntary badge, but as the legal baseline we operate under. This page describes the architectural decisions we've made to align with those principles: human oversight, controllability, transparency, and data rights.
Why this matters for EU AI Act
The EU AI Act establishes obligations around transparency, human oversight, accuracy, and accountability for AI systems deployed in the EU. The general-purpose AI (GPAI) obligations are expected to apply from August 2026 (exact enforcement dates are set by the regulation and may be subject to interpretation — verify current dates at artificialintelligenceact.eu). Stedral deploys AI agents that act on behalf of businesses, so the oversight and transparency principles are directly relevant to how we build.
Below are the architectural features we've built — each mapped to the EU AI Act or GDPR principle it addresses. Every feature described here exists in the codebase today.
Human-in-the-loop approval inbox
Before any agent-proposed write action executes — updating a deal stage, queuing an email, modifying a record — the system creates a pending Approval that sits in your inbox. Nothing changes until you explicitly approve or reject it. Routine read-only work runs autonomously; high-stakes actions always wait for a human decision.
How it's built
Implemented via the Approval model (tenant-scoped, companyId-gated). Agent write tools call proposeWrite(), which creates a pending Approval and returns immediately. The executing path runs only when the owner approves via /dashboard/approvals — itself tenant-scoped and idempotent. A confabulation guard (looksLikeFiction) blocks agents from queueing manufactured-urgency proposals.
Per-agent pause and disable controls
Every agent has a pause/resume control and a heartbeatEnabled flag. Pausing sets status to 'paused' and stops all autonomous heartbeat runs — the agent takes no further actions until resumed. The heartbeat scheduler skips any agent whose status is not 'active' or whose heartbeatEnabled flag is false. This is a hard gate at the runtime layer, not a UI preference.
How it's built
pauseAgent() and resumeAgent() in agent_service.ts update status at the database layer. The heartbeat cron (cron/heartbeat.ts) filters on status=active AND heartbeatEnabled=true — both must be true for a run to occur. Demo companies are seeded with heartbeatEnabled=false and never flipped; demo agents never run.
Agent activity and audit logs
Every agent run, escalation, cost event, and autonomous action is written to a timestamped AgentActivity log (type, summary, metadata including token cost). These are queryable by you through the activity feed in your dashboard. Separately, a platform-level AuditLog records sensitive owner actions (data exports, auth events, admin changes) with actor identity, IP, route, and timestamp.
How it's built
AgentActivity rows are written by the agent runtime on every autonomous run. The audit_log.ts service (writeAuditLog) writes to the AuditLog table with actor uid/email/role, IP, forwarded-for, user-agent, route, and method. Data export events are themselves audit-logged. All logs are retained and tenant-scoped.
Scoped tool permissions — agents can't do more than their role allows
Customer-facing agents operate from a fixed, bounded tool list (CUSTOMER_TOOLS). Read tools are read-only by design — they query your company's own data. Write tools are proposal-only: they call proposeWrite() and create a pending Approval; no outward action fires. Engineering agents run with an explicit allowed-tool list and a disallowed list that blocks network calls, env reads, and shell escapes.
How it's built
CUSTOMER_TOOLS in customer_agent_tools.ts defines the exact tool surface passed to the model. The companyId argument is trusted from the runner — never taken from model output — so a model cannot redirect a query to another tenant. Engineering agents pass --allowedTools and --disallowedTools flags at spawn time (engineering_agent.ts).
Confabulation guard on agent write paths
Agents sometimes generate responses that sound urgent but are not grounded in real data — invented deadlines, manufactured crises, or fictional customer situations. Stedral gates every persistent agent write (approvals, task creation, memory writes, escalations) with a fiction detection check. If a proposed write looks fabricated, it is rejected before reaching the database.
How it's built
lib/fiction_guard.ts (looksLikeFiction) uses regex patterns calibrated to an Estonian OÜ's real operating context — US-tax deadlines, 'owner unresponsive' escalations, and similar non-applicable urgencies are flagged. lib/grounding.ts (isConfabulation) adds a cheap LLM pass for subtler cases. Both gates run before any persistent write in the approval and memory paths.
Full data export — your data, portable
You can export all your company data at any time as a structured .zip archive: agents, tasks, company memory, facts, events, agent conversation logs, approvals, intel, automations (config only, no secrets), and integrations (provider list, no tokens). The export is triggered on demand and does not require support involvement.
How it's built
generateExportBundle() in export_bundle.ts builds the archive via archiver. The export event itself is written to the AuditLog. Integration tokens and secrets are explicitly excluded from the export — only metadata is included.
GDPR right-to-erasure tracking
GDPR erasure requests are tracked in a GdprRequest table. A cron job checks every six hours for requests approaching or past the 30-day legal deadline and surfaces warnings to the operations log. Erasure itself is a manual, identity-verified process — automated timer-deletion without identity verification is not implemented, because that would itself be non-compliant.
How it's built
cron/gdpr_sla.ts runs every 6 hours. At 21 days it emits a structured warning log. At 30 days it escalates to an error log. These events feed into BetterStack off-box logging where they can drive an alert. The process is documented to require manual human handling after identity verification.
EU entity and hosting
Stedral is built and operated by Digitalix Hub OÜ, a company registered in Tallinn, Estonia (EU). The production server runs in the EU (Hetzner). Data is encrypted at rest. Because Digitalix Hub is established in the EU, the GDPR and EU AI Act apply directly — not as voluntary compliance but as the legal baseline.
How it's built
Single-tenant VPS on Hetzner (EU infrastructure). Integration secrets are AES-GCM encrypted at rest (server/services/secrets.ts). The DPA (Data Processing Agreement) is available at /dpa. Subprocessors are listed at /subprocessors.
What we do not claim
- We do not claim Stedral is “EU AI Act certified” or “compliant” as a legal declaration. No such certification body currently exists for our category.
- We do not claim GDPR “compliance” as a legal certification. We are an EU-established controller subject to GDPR and we operate accordingly — but legal compliance is an ongoing practice, not a badge.
- We do not promise that using Stedral makes your organisation compliant with the EU AI Act or GDPR. Your obligations as a user of AI tools depend on your own use case, sector, and legal situation.
- This page is not legal advice. Read it as an honest technical description, not a compliance guarantee.
Frequently asked questions
Is Stedral 'EU AI Act compliant' or certified?
No — and we won't claim that. There is currently no EU AI Act conformity certification body for general-purpose AI systems of our kind. What we can say honestly is that we've built the platform around the principles the regulation requires: human oversight, controllability, transparency, and audit trails. This page describes our architecture. It is not a legal certification and not legal advice. If your organisation requires a formal conformity assessment, you should consult a qualified legal advisor.
What EU AI Act provisions are most relevant to Stedral?
Stedral deploys AI agents that act on behalf of businesses — making it relevant to the EU AI Act's transparency obligations, human oversight requirements, and accountability provisions. The most material date for the general obligations is August 2025 (prohibitions in force) and August 2026 (GPAI obligations, obligations on high-risk systems). Stedral's architecture — approval inbox, pause controls, audit logs, scoped tool permissions — aligns with the oversight and transparency principles that underpin those requirements. This framing is factual and hedged; it is not a legal compliance declaration.
Where is my data stored, and who can access it?
Your data is stored on EU infrastructure (Hetzner). Every query against your company data is tenant-scoped to your companyId — a different customer's agents cannot access your records. Integration secrets (OAuth tokens) are encrypted at rest using AES-GCM. Digitalix Hub OÜ staff access is limited. You can export all your data at any time and request erasure under GDPR.
What happens if I pause or disable an agent?
Pausing an agent sets its status to 'paused' and immediately stops all autonomous heartbeat runs. The agent will not execute any further actions — it won't run tasks, propose approvals, or generate outputs — until you explicitly resume it. This is enforced at the runtime layer: the heartbeat scheduler will not run any agent unless both status=active and heartbeatEnabled=true.
Do agents ever take actions without my knowledge?
Read-only agent actions (checking your pipeline, reviewing open tickets, summarising data) run autonomously as part of normal heartbeat cycles. Write actions — anything that modifies a record, stages an email, or changes data — must be proposed through the Approval inbox and require your explicit decision before executing. High-stakes actions never fire silently.
How can I request my data be erased?
Send a GDPR erasure request to support@digitalixhub.com with your account email. Under Art. 17 GDPR, we are required to process it within 30 days of identity verification. Our GDPR SLA cron monitors all open requests and escalates if the deadline approaches without resolution. We do not automate erasure without identity verification.
See Stedral in action
Create a free account and explore the approval inbox, agent controls, and activity logs yourself. No card required.
Digitalix Hub OÜ · Tallinn, Estonia · EU-hosted · GDPR applies