Sphere wins 2026 Global Recognition Award
Sphere Partners

Sphere Quarterly · Issue 03 · Compliance

The audit binder is dead. The ledger is the binder.

Compliance teams write DPIAs in Word. Auditors review snapshots in Excel. Data flows continuously, and the gap between binder and reality is where every enforcement action lives.

Plain English

If you only read one box on this page.

Every company you deal with — your bank, your insurer, your favorite website — is using AI to make decisions about you. Right now, when you (or a regulator) ask "what does your AI know about me, and what did it decide?", almost none of them can answer truthfully or quickly.

The records exist, but they're scattered across a dozen systems, often editable, and frequently incomplete. This is why GDPR fines keep getting bigger, why useful AI features sit blocked in legal review for months, and why a simple data request from a customer takes thirty days and a team of lawyers to answer.

Sphere takes a different approach. Every time a company's system reads, writes, or decides anything about a person, it leaves a signed entry in a ledger — think of it as a tamper-proof flight recorder for AI. The ledger cannot be edited after the fact; any attempt to alter it breaks a visible cryptographic chain.

The result: data requests that took 30 days take 90 seconds. AI features that stalled in legal review for eight months ship in two weeks. Annual audits that consumed six weeks of engineering time become a thirty-minute saved query.

The situation
A bank customer asks: "What did your AI decide about my loan application, and why?"
Today
A 30-day legal letter that summarizes what the bank chooses to tell them.
With Sphere
A 90-second signed transcript showing the decision, data used, and model — with cryptographic proof nothing was edited.
The situation
A health insurer wants to launch an AI triage feature for claims.
Today
Eight months in legal/DPO review, often killed before launch.
With Sphere
Shipped in two weeks with the audit trail built in from day one.
The situation
A national regulator opens an investigation into AI decisions made about a citizen.
Today
Weeks of forensic reconstruction; outcome usually a fine.
With Sphere
The regulator gets read-only access to the ledger, scoped to their investigation. Resolved same day.

Chapter 01

Compliance is a property of the runtime, not a document about it.

In plain English

A tamper-proof diary of everything the AI ever did about every person. Anyone you allow can read it. Nobody — not even the company — can edit it after the fact.

The most important thing about a hash-chained audit log isn't the cryptography. It's the cultural inversion. An entry, once written, can never be quietly amended. A privacy team trying to massage a year-old DPIA cannot. An engineer trying to delete an embarrassing prompt cannot. Every operation against personal data leaves a signed fossil.

This is the property snapshot-based compliance lacks. A DPIA written in Word last year tells you what the privacy team believed the system did. The ledger tells you what actually happened, signed, with a timestamp accurate to the millisecond — and with a parent hash that proves no one rewrote history.

The second move — making the same ledger queryable by the data subject, the company's DPO, the external auditor, and (in zero-knowledge form) the public — is what turns it from internal hygiene into a public proof.

Live audit ledger
streaming
127decisions
today
100%signed
chain ok
8personal
data redactions
    chain root 0x— every action signed

    Chapter 02

    Every outbound payload, classified and redacted at the wire.

    In plain English

    A guard at the door who checks every piece of personal data before it leaves the building. If it shouldn't go to OpenAI, it doesn't. And the check itself is recorded.

    Every regulated AI deployment in 2026 has the same hidden weakness: PII reaches the model. A support agent types "my account is john@example.com" into a chat, the application forwards it to OpenAI, and now a US-based AI provider holds a piece of EU personal data — with no transfer impact assessment, no Schrems II analysis, no record of what was sent.

    The standard answer is "we'll add a PII scrubber." Probabilistic scrubbers — even GPT-grade ones — miss things. A scrubber that catches 99.5% of names leaks 5,000 names per million prompts. There is no version of compliance where 5,000 leaks per million is acceptable.

    Sphere's answer is structural, not statistical. The egress proxy does not guess whether a field is PII — it knows, because every field came in through a consent ledger that labeled it. The redaction is deterministic, complete, and signed at the wire.

    Outbound data check
    ready
    1. 1
      A customer message arrives
      Contains a name, contract number, email, and phone.
    2. 2
      We check each field
      The system already knows what kind of data each field holds.
    3. 3
      Personal data is stripped
      Email and phone are held back. Name and topic continue on.
    4. 4
      Both versions are signed
      What we knew and what we sent — both written to the ledger.
    5. 5
      Cleaned message reaches OpenAI
      Only the safe portion ever leaves your perimeter.
    Every check is recorded. Click "Watch one go through" to see it run.

    Chapter 03

    Thirty days statutory. Ninety seconds in practice.

    In plain English

    When someone asks "what do you know about me?", you answer in seconds — with cryptographic proof your answer is complete and unaltered. The law gives you 30 days. You don't need them anymore.

    The 30-day clock on a data subject access request was designed for a world where requests were rare and the data was on paper. In 2026 EU enterprises receive far more requests than ever, and a hedged 30-day letter quietly tells the supervisory authority where to focus next.

    A response in ninety seconds isn't just faster — it changes the nature of the answer. A 30-day letter is a summary. A live-ledger response is a manifest: what the system actually did, signed.

    Respond to a subject request
    idle
    Law allows
    30days
    used: 0 hours
    Sphere takes
    0.00sec
    Idle
    1. 1
      A request arrives
      The data subject asks "what do you know about me?"
    2. 2
      The ledger is scanned
      A whitelisted query, scoped to this subject's records only.
    3. 3
      Entries surfaced
      12 entries across the last 14 days.
    4. 4
      Transcript is signed
      Hash-chained back to genesis. Tamper-proof.
    5. 5
      Sent to the requester
      With a Merkle root the auditor can verify.
    GDPR Art. 15 signed · hash-chained

    Chapter 04

    One ledger. Four readers. Four scopes of disclosure.

    In plain English

    Different people see different slices of the same record. The customer sees their decisions in plain language. The compliance officer sees patterns without names. The auditor sees the cryptographic chain without the data. Nobody sees what they shouldn't.

    The four-lens projection solves a tension that's been broken since the first data-protection laws. The data subject wants to see everything about them. The internal DPO wants Article 30 records without resolving identities. The external auditor wants to verify the chain, not the contents. The public wants integrity proof with zero leakage.

    Sphere collapses the four into one ledger with four read-time projections. The grant that lets each reader see what they see is itself a ledger entry — signed, time-bound, revocable.

    Same entry, four readers
    led_b7a91c0204
    One ledger four read-time projections

    Chapter 05

    The Article 22 complaint nobody hopes to answer.

    In plain English

    When a regulator forwards a complaint — "your AI made a decision about me and I want to know why" — you can show, not tell, exactly what happened. One click. Signed.

    Article 22 disclosures are the part of GDPR most companies hope they're never asked to perform. Records exist, scattered across feature flags, model registries, application logs, prompt traces, vendor portals. Assembling the answer costs days of senior engineering time, twice.

    A live ledger pre-stages the answer. The decision wasn't logged after the fact — it was constituted in the ledger at the moment it happened. Producing the disclosure isn't gathering evidence. It's reading it.

    Regulator complaint
    #HU-2026-0481
    !
    DPA Hungary forwarded a citizen complaint.
    Automated decision · 14 May 2026  ·  deadline 25 June
    No response yet. Press the button.

    Chapter 06

    Why this, why now: three regulators, one question.

    In plain English

    Three big new laws (EU AI Act, NIS2, DORA) all start really enforcing in 2026. They ask the same thing: "show us the records." Companies with a live ledger answer in minutes. Companies with binders get fined.

    Three regulatory deadlines collide in 2026. EU AI Act high-risk system obligations begin enforcement on 2 August 2026. NIS2 transposition is past due in every Member State; supervisory authorities are starting to fine. DORA financial-sector resilience requirements went live on 17 January 2025 and are now in their first full audit cycle.

    The companies that answer with binders will be fine — eventually — the way mainframe shops were fine, eventually. The companies that answer with a live ledger will be a different category of vendor: the one regulators recommend, the one customers' DPOs greenlight in thirty minutes, the one whose AI features ship instead of stalling in eight-month DPIA review.

    The opportunity is the same shape as on-prem to cloud, or waterfall to continuous deployment: replace a snapshot with a runtime.

    Cited GDPR Reg. (EU) 2016/679 — EUR-Lex; Arts. 5, 7, 9, 12, 15, 16, 17, 22, 25, 30 · EU AI Act Reg. (EU) 2024/1689 — EUR-Lex; Arts. 13, 26, 50; high-risk obligations from 2 Aug 2026 · Schrems II — CJEU Case C-311/18 (16 Jul 2020); Standard Contractual Clauses Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor) · NIS2 Dir. (EU) 2022/2555 — transposition deadline 17 Oct 2024 · DORA Reg. (EU) 2022/2554 — in force 17 Jan 2025 · Companion essay/manifesto.

    Chapter 07

    This piece is honest about the line.

    Several capabilities are running in Sphere's production codebase today. Others are concept-stage extensions of architecture that already exists. The line is drawn explicitly below so you can audit our claims the same way we'd audit yours.

    Where we are, where we’re going
    Eight controls running now. Six extensions in the next two quarters.
    What your DPO can verify today
    • Tamper-proof record of every AI decision, signed and chained.
    • Customer consent tracked per policy version, never overwritten.
    • Right to be forgotten in one click — cascades across every downstream system.
    • Customer data requests answered in seconds, not 30 days.
    • Bank-grade encryption on every stored secret, with key rotation enforced.
    • Multi-factor login, signed sessions, brute-force protection.
    • Customer profiles labeled by sensitivity before any AI sees them.
    • Customers can edit or remove what the AI remembers about them.
    What ships in the next two quarters
    • One gate strips personal data before it reaches OpenAI, every time.
    • External auditors get scoped read-only access — no data ever leaves your perimeter.
    • GDPR records of processing generated automatically, not maintained by hand.
    • Regulator complaints answered with a signed proof in ninety seconds.
    • Every cross-border transfer logged with its legal basis attached.
    • Annual SOC 2 audits become a continuous query, not a six-week scramble.