Compliance
Your certification. Our infrastructure.
Kachyng does not hand you a SaaS product and wish you luck on your audit. We provision the environment your auditor needs — the right isolation tier, the right controls, the right evidence trail. You go to your auditor. You earn the certification.
The Compliance Problem We Solve
Enterprise deals stall at compliance. Your buyer wants SOC 2. Their CISO wants HIPAA. Their legal team wants GDPR. Normally, you spend 6–18 months and $200K+ building infrastructure that can pass those audits — before you write a line of product code.
Kachyng is the infrastructure layer that makes your product compliance-ready from the day you provision an environment. Select the frameworks your customers require. We deploy the architecture that satisfies them. Your team focuses on product. Your auditor finds what they need.
How It Works
Tell us which frameworks your enterprise buyers require — SOC 2, HIPAA, PCI DSS Level 1, FedRAMP, GDPR, or all of the above. We map the requirement to the infrastructure tier it demands.
Kachyng deploys the isolation level your auditor needs — dedicated namespace, dedicated cluster, or a fully dedicated AWS account. Controls are instantiated from day one. Evidence collection starts automatically.
Your environment has the right isolation, the right encryption boundaries, the right access controls, and a documented control record. Your auditor reviews the environment. Your company earns the certification.
Infrastructure Isolation Tiers
Every compliance framework has a minimum infrastructure isolation requirement. We map those requirements to four provisioning tiers. Customers select the tier that matches their audit target — we handle the rest.
Compliance Requirements by Customer Segment
The frameworks your enterprise buyers require determine the infrastructure tier they need. Compliance is not one-size-fits-all — it is a product decision.
| Customer Type | Frameworks Required | Tier | Why It's Non-Negotiable |
|---|---|---|---|
| SaaS company | SOC 2 | Tier 1–2 | First enterprise contract requires it |
| Healthcare payments | HIPAA + PCI DSS L1 | Tier 2 | Required for any PHI-adjacent payment flow |
| Regional bank or credit union | PCI DSS L1 + GLBA + SOC 2 | Tier 2–3 | Board-level compliance mandate |
| Large retailer | PCI DSS L1 + SOC 2 | Tier 2–3 | Card brand requirement above 6M transactions/yr |
| EU enterprise | GDPR + SOC 2 + ISO 27001 | Tier 3 | GDPR data residency is non-negotiable |
| Federal agency / contractor | FedRAMP Moderate | Tier 3–4 | ATO required before any federal procurement |
| Defense / intelligence | FedRAMP High | Tier 4 | Dedicated AWS account, no shared infrastructure, full audit chain |
A New Compliance Surface: Agentic Payments
AI agents making payments on behalf of humans is a compliance surface that existing frameworks have not fully addressed. Kachyng is the only platform that has built answers into the infrastructure — not bolted on after.
Every agent operates under a human-granted delegation scope — amount limits, merchant categories, and time windows set at authorization. Agents cannot expand their own authority.
Every agent transaction writes to a signed, append-only audit log. Scope, session context, and originating human grant are recorded before settlement. Exportable for compliance review.
Delegation scopes are revocable in real time. A revoked agent cannot initiate or settle payments, regardless of any transactions already pending.
Scope boundaries define what an agent is authorized to buy at grant time. Out-of-scope transactions are blocked at the gateway — not flagged after the fact.
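The four controls described above, as an added Python example that is not Kachyng's code: a human-granted delegation scope (per-transaction amount limit, allowed merchant categories, time window), the gateway check that runs before settlement and blocks out-of-scope requests, real-time revocation, and an append-only audit log whose entries are hash-chained and HMAC-signed. The class and field names, the reason codes, the signing key and the sample grant in `demo()` are assumptions made for illustration; the page does not describe Kachyng's actual log format, key management or API.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Added example, not Kachyng's code: all names, the HMAC key and the demo grant are assumptions.

@dataclass(frozen=True)
class DelegationScope:
    grant_id: str
    principal: str                  # human who granted the authority
    agent_id: str                   # agent the authority is delegated to
    max_amount_cents: int           # per-transaction ceiling
    merchant_categories: frozenset  # allowed merchant category codes (MCCs)
    not_before: int                 # validity window, unix seconds
    not_after: int

class SignedAuditLog:
    """Append-only: each entry commits to the previous entry's hash and carries an HMAC."""
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key, self.entries, self._prev = key, [], self.GENESIS

    @staticmethod
    def _canon(body: dict) -> bytes:
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def append(self, record: dict) -> None:
        body = dict(record, seq=len(self.entries), prev=self._prev)
        canon = self._canon(body)
        entry = dict(body, hash=hashlib.sha256(canon).hexdigest(),
                     sig=hmac.new(self._key, canon, hashlib.sha256).hexdigest())
        self.entries.append(entry)
        self._prev = entry["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("hash", "sig")}
            canon = self._canon(body)
            sig = hmac.new(self._key, canon, hashlib.sha256).hexdigest()
            if (body.get("seq") != i or body.get("prev") != prev
                    or hashlib.sha256(canon).hexdigest() != e.get("hash")
                    or not hmac.compare_digest(sig, e.get("sig", ""))):
                return False  # edited, dropped, reordered or forged entry
            prev = e["hash"]
        return True

class PaymentGateway:
    """Checks every agent payment against its originating grant before settlement."""

    def __init__(self, log: SignedAuditLog):
        self.log, self.scopes, self.revoked = log, {}, set()

    def grant(self, scope: DelegationScope, granted_by: str) -> None:
        # Only the human principal creates authority; an agent cannot widen its own scope.
        if granted_by != scope.principal:
            raise PermissionError("only the principal may grant a delegation scope")
        self.scopes[scope.grant_id] = scope
        self.log.append({"event": "grant", "grant_id": scope.grant_id,
                         "principal": scope.principal, "agent_id": scope.agent_id})

    def revoke(self, grant_id: str, revoked_by: str) -> None:
        self.revoked.add(grant_id)  # effective immediately, pending work included
        self.log.append({"event": "revoke", "grant_id": grant_id, "by": revoked_by})

    def authorize(self, grant_id: str, agent_id: str, amount_cents: int, mcc: str, now: int):
        scope = self.scopes.get(grant_id)
        if scope is None:
            reason = "unknown_grant"
        else:  # checks run in this order; the first failure is the recorded reason
            checks = [(grant_id in self.revoked, "grant_revoked"),
                      (scope.agent_id != agent_id, "agent_mismatch"),
                      (not scope.not_before <= now <= scope.not_after, "outside_time_window"),
                      (amount_cents > scope.max_amount_cents, "amount_exceeds_limit"),
                      (mcc not in scope.merchant_categories, "merchant_category_not_allowed")]
            reason = next((why for failed, why in checks if failed), "in_scope")
        allowed = reason == "in_scope"
        # Decision, scope and originating grant are logged before any settlement step.
        self.log.append({"event": "payment_decision", "grant_id": grant_id, "agent_id": agent_id,
                         "amount_cents": amount_cents, "mcc": mcc, "allowed": allowed, "reason": reason})
        return allowed, reason

def demo() -> dict:
    log = SignedAuditLog(key=b"constructed-demo-key")
    gw = PaymentGateway(log)
    gw.grant(DelegationScope("g-1", "alice", "agent-7", 5000, frozenset({"5411", "5812"}),
                             1_700_000_000, 1_700_086_400), granted_by="alice")
    r = {"in_scope": gw.authorize("g-1", "agent-7", 4200, "5411", 1_700_001_000),
         "over_limit": gw.authorize("g-1", "agent-7", 9000, "5411", 1_700_001_000),
         "bad_mcc": gw.authorize("g-1", "agent-7", 1000, "7995", 1_700_001_000),
         "expired": gw.authorize("g-1", "agent-7", 1000, "5411", 1_700_090_000)}
    gw.revoke("g-1", revoked_by="alice")
    r["after_revoke"] = gw.authorize("g-1", "agent-7", 1000, "5411", 1_700_001_000)
    r["log_ok"] = log.verify()
    log.entries[1]["allowed"] = False  # tamper with the recorded in-scope decision
    r["log_ok_after_tamper"] = log.verify()
    return r
```

Every decision, allowed or denied, is written before any settlement step and names the grant it was evaluated against, so a revoked or out-of-scope request still leaves a record. `verify()` walks the chain and fails on an edited, dropped or reordered entry. In a real deployment the HMAC key would live outside the log writer's reach (an HSM or KMS), so the process that writes the log cannot also forge its history; the symmetric key here exists only to keep the demo self-contained.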
AI Governance Controls
AI agents making financial decisions on behalf of humans create a compliance surface that did not exist two years ago. Five regulations now govern it. Kachyng has built the controls into the infrastructure — not documented them in a wiki.
| Control | Implementation |
|---|---|
| On-premises LLM execution | All LLM inference runs on Kachyng-managed infrastructure. No prompts, context, or customer data are sent to third-party AI providers. Data never leaves your compliance boundary. |
| Tamper-evident audit trail (immudb) | Every LLM interaction (prompt, response, action taken) is written to an append-only, cryptographically verified audit log. Records cannot be altered or deleted after the fact. |
| Tenant-scoped LLM sessions | Each tenant operates in an isolated session scope. Prompts, conversation history, and inference context from one tenant are structurally inaccessible to another. |
| AI disclosure and acknowledgment | Users are informed they are interacting with AI before the conversation begins. Disclosure must be acknowledged before the system accepts input. Acknowledgment is logged. |
| Human oversight gate for consequential decisions | When an AI agent proposes a payment, order, or contract action, execution is paused until a human reviews and explicitly authorizes it. The agent proposes. The human decides. |
| PII masking before LLM input | Personal data is identified and masked before it reaches the language model. Three masking levels are available: full redaction, partial masking, and cryptographic hashing. |
Agent Payment Compliance
When AI agents initiate payments on behalf of humans, seven regulatory domains apply. No comprehensive regulation exists yet — Kachyng has built the compliance architecture ahead of mandates, mapping existing frameworks to agentic payment flows.
| Area | How Kachyng Handles It |
|---|---|
| Cardholder data protection | AI agents never touch raw card numbers. All payment credentials are tokenized via network token services (Visa VTS, Mastercard MDES). The agent runtime is descoped from PCI DSS Requirement 3. Agents operate as system accounts under Requirements 7.2.5.1 and 8.6: unique credentials, least privilege, full audit logging. |
| Transaction authorization | Agent-initiated payments are classified as Merchant-Initiated Transactions under the Credential-on-File framework. The cardholder provides explicit, granular consent at enrollment: per-merchant, per-amount-range, per-category. Transactions carry COF indicators per Visa and Mastercard rules. High-value or first-time-merchant transactions trigger decoupled 3D Secure authentication on the cardholder's device. |
| Automated contract formation | The Uniform Electronic Transactions Act Section 14 explicitly validates contracts formed by the interaction of electronic agents, even if no individual reviewed the agent's actions at the time of the transaction. Kachyng's consent architecture is built on this foundation: the user defines authority boundaries, the agent operates within them, and every action is logged. |
| Authority boundaries and liability | Agent payments are treated as preauthorized transfers under Reg E § 1005.10(d). Users can stop individual payments. If an agent exceeds its delegated authority, the transaction is classified as unauthorized under Reg E § 1005.2(m) and Kachyng absorbs the liability, not the consumer. This is a structural guarantee, not a policy. |
| Money transmission | Kachyng operates as a payment facilitator, not a money transmitter. AI agents instruct licensed payment processors to execute transactions directly between cardholder and merchant. Kachyng never takes possession, custody, or control of user funds at any point in the transaction lifecycle. |
| EU payment initiation (SCA) | Strong Customer Authentication cannot be delegated to an AI agent. Kachyng uses decoupled SCA: the agent initiates the payment, the cardholder approves on their device via biometric or PIN. After initial authentication, recurring transactions with the same merchant use MIT exemptions per PSD2 rules. |
| Fraud classification and disputes | Agent-within-authority disputes follow standard chargeback rules (cardholder vs. merchant). Agent-exceeds-authority disputes are treated as unauthorized transactions and Kachyng absorbs liability. Full decision audit logs (what the agent considered, what it chose, why) serve as compelling evidence under Visa Claims Resolution 3.0. |
The legal foundation already exists.
UETA § 14 (Uniform Electronic Transactions Act, Section 14) states: “A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents' actions or the resulting terms and agreements.” This statute — adopted in 47 states — directly validates AI-initiated commerce. Kachyng's consent architecture, authority boundaries, and audit trail are built on this foundation.
Note to your General Counsel
If you are evaluating Kachyng for an enterprise deployment, your legal team will ask these questions. We have answered them here so your buyer can forward this page directly. Every answer reflects controls that are implemented and testable — not roadmap items.
No customer data reaches a third-party model. LLM inference runs on Kachyng-managed compute; nothing is transmitted to OpenAI, Anthropic, Google, or any other third-party AI provider. This applies to all tiers.
Every LLM interaction that leads to a consequential action (payment, order, contract) is recorded in immudb, an append-only database with cryptographic verification. Records are immutable. Each entry includes: timestamp, tenant, user, prompt hash, response hash, action taken, and outcome.
An AI agent cannot execute a consequential decision on its own. The platform enforces a human oversight gate on all consequential decisions: when an AI agent proposes a financial action, execution is paused until a human reviews and explicitly authorizes it. This is a structural control, not a policy setting.
LLM sessions are scoped to the tenant at the infrastructure level. Session keys include tenant identifiers. There is no shared context window, session cache, or conversation state between tenants. This is tested and verified in CI.
Colorado SB 24-205 (effective February 1, 2026) requires disclosure. Kachyng surfaces a disclosure notice at session start. The user must acknowledge it before the system accepts input. Acknowledgment is persisted and auditable.
PII is identified and masked before reaching the language model. Three masking levels are available: full redaction ([REDACTED]), partial masking (first/last character preserved), and SHA-256 hashing. The LLM operates on masked data. Original PII is not stored in AI logs.
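The three masking levels above, as an added Python example that is not Kachyng's code. It detects e-mail addresses, US-style phone numbers and 16-digit card numbers with a small regex set (a production detector would cover far more PII types), replaces each match according to the chosen level, and returns only the kinds and offsets of what it found, so the log never carries the original value. The patterns, level names, function names and sample sentence are assumptions. One caveat the page does not state: an unkeyed SHA-256 of a low-entropy identifier such as an e-mail address or phone number can be reversed by hashing a dictionary of candidates, so the block also offers a keyed variant (HMAC-SHA256) when a secret key is supplied; that variant is the editor's addition, not a Kachyng feature.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Added example, not Kachyng's code. The regexes, level names and the keyed-hash
# option are assumptions; a production detector would cover far more PII types.
PATTERNS = [  # card first, so a 16-digit PAN is never partly claimed as a phone number
    ("card", re.compile(r"\b(?:\d[ -]?){15}\d\b")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")),
]

def _full(value: str) -> str:
    return "[REDACTED]"

def _partial(value: str) -> str:
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]  # first/last character kept

def _sha256(value: str) -> str:
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:16]

LEVELS = {"full": _full, "partial": _partial, "hash": _sha256}

def mask_pii(text: str, level: str,
             key: Optional[bytes] = None) -> Tuple[str, List[Tuple[str, int, int]]]:
    """Mask detected PII at the given level. Returns the masked text and a list of
    (kind, start, end) findings; original values are never returned, so the findings
    can be written to an AI log."""
    masker = LEVELS[level]
    if level == "hash" and key is not None:
        # Editor's variant, not a Kachyng feature: a keyed hash, so that a low-entropy
        # value cannot be recovered by hashing a dictionary of candidates.
        masker = lambda v: "hmac:" + hmac.new(key, v.encode(), hashlib.sha256).hexdigest()[:16]
    findings: List[Tuple[str, int, int]] = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            overlaps = any(s < m.end() and m.start() < e for _, s, e in findings)
            if not overlaps:  # earlier patterns take priority over later ones
                findings.append((kind, m.start(), m.end()))
    findings.sort(key=lambda f: f[1])
    out = text
    for _, s, e in reversed(findings):  # replace right-to-left so offsets stay valid
        out = out[:s] + masker(text[s:e]) + out[e:]
    return out, findings
```

Full and partial masking are irreversible. Hashing is deterministic, so the same address produces the same token across prompts, which lets the model and the logs correlate a customer without seeing the value; that same determinism is what makes an unkeyed hash guessable, which is why the keyed form is worth preferring for identifiers with a small candidate space.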
No agent ever handles a raw card number. All payment credentials are tokenized via network token services (Visa VTS, Mastercard MDES) before the agent sees them, and the agent operates exclusively with tokens. The agent runtime is descoped from PCI DSS Requirement 3. A targeted risk analysis under PCI DSS 4.0 Requirement 12.3.1 documents this architecture.
Kachyng bears the liability when an agent exceeds its authority. If an agent initiates a payment outside the user's defined authority boundaries (amount, merchant category, frequency), the transaction is classified as unauthorized under Reg E § 1005.2(m). The consumer's liability is capped per Reg E § 1005.6, and Kachyng absorbs the difference. This is a structural guarantee enforced in code: the agent's API call is rejected at the platform level if it exceeds scope.
Kachyng is not a money transmitter; it operates as a payment facilitator. AI agents instruct licensed payment processors to execute transactions directly between cardholder and merchant. Kachyng never takes possession, custody, or control of user funds. This is consistent with FinCEN's 2014 administrative ruling (FIN-2014-R012) on payment processors that do not hold funds.
UETA § 14 (Uniform Electronic Transactions Act, Section 14): “A contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents’ actions or the resulting terms and agreements.” This is the statutory foundation. The user’s configuration of authority boundaries constitutes a manifestation of actual authority under Restatement (Third) of Agency § 2.01.
SCA cannot be delegated to an AI agent. Kachyng uses decoupled SCA under PSD2 Article 97: the agent initiates the payment, then the cardholder receives a push notification and authenticates on their own device (biometric or PIN). The agent does not perform authentication. After initial SCA, recurring transactions with the same merchant use Merchant-Initiated Transaction exemptions.
We are building toward our own certifications.
Kachyng is currently pursuing SOC 2 Type II, PCI DSS Level 1, and ISO 27001 certification for its own platform, along with HIPAA compliance (HIPAA has no formal certification scheme; compliance is demonstrated through an independent assessment). The infrastructure, controls, and evidence framework are in place. Certification timelines follow audit scheduling.
In the interim, we share full architecture documentation, control matrices, and third-party security assessments with enterprise customers under NDA. If your procurement team has a compliance questionnaire, send it to us — we will complete it directly.
To request a private security review, access architecture documentation, or discuss compliance requirements for a specific deployment: security@kachyng.com