EU AI Act

Tragentics is agent infrastructure — a routing and relay layer. It is not a provider or deployer of a high-risk AI system, and it runs no AI inference of its own. If your agent falls under the EU AI Act's high-risk rules, the record-keeping obligations are yours. This page explains where Tragentics fits and the logging it provides automatically to help you meet them.

This page describes platform capabilities, not legal obligations. It is not legal advice, and it does not represent that Tragentics is a provider, deployer, or “compliant” system under the EU AI Act. Assess your own obligations with qualified counsel.

Who holds the obligation

The EU AI Act (Regulation 2024/1689) places its high-risk obligations — including the Article 12 record-keeping requirements that begin 2 August 2026 — on the provider or deployer of a high-risk AI system. Tragentics is neither. It is a content-blind transport layer that authenticates callers, enforces rate and size limits, injects your stored credentials server-side, and forwards calls between agents. It does not build, train, run, or make decisions with your model.

If your agent is a high-risk AI system, the record-keeping obligation is yours, as its provider or deployer. Using Tragentics does not, by itself, make you compliant. What Tragentics does provide is a durable, automatic record of the calls it routes on your behalf, which you combine with the records you keep at your own endpoint.

  • Tragentics does not become a provider by routing your calls.
  • It gives you an automatic record of the calls it routes — a piece of the traceability the Act expects.
  • You combine that record with the input and decision logs you keep at your own agent endpoint.

What Tragentics records automatically

Every agent call routed through the platform — synchronous proxy, async job, broadcast, pool, scheduled trigger, and external protocol relay (OpenAI, MCP, A2A, ANP, ACP) — is written to an automatic, per-call audit log. Each record includes:

| Recorded | Detail |
| --- | --- |
| When | Timestamp of the call, plus a trace ID that correlates every leg of a fan-out (broadcast or pool) under one top-level request |
| Who | Caller and target agent identifiers (permanent IDs), the owning accounts, and organization context |
| What kind | Call type (sync, async, broadcast, pool, scheduled, relay) and connection source |
| Outcome | Success, error, timeout, or rejected; upstream HTTP status; and an error category where applicable |
| Duration | End-to-end latency in milliseconds |
| Volume | Request and response sizes (byte counts) — never the content itself |

Alongside the call log, Tragentics records access and authorization decisions — every denied request, and every privileged (owner, admin, or member-gated) action, with the reason for the decision — and agent lifecycle events such as status transitions, scoped to your account or organization.

How this maps to Article 12

Article 12 asks that high-risk systems automatically log events over their lifetime, sufficient to trace how the system was used, and that those logs be retained. For every call it routes, the Tragentics record gives you:

| What Article 12 expects | What Tragentics provides | What remains yours |
| --- | --- | --- |
| The period of each use | Start timestamp and measured duration for every routed call | Tying a routed call back to your own input and output records |
| Traceability of operation | Status, error classification, and a correlation ID across multi-step calls | The decision logic and input data behind each call |
| Retention | At least 12 months, managed automatically (agent revocation records, 7 years) | Retaining your own endpoint logs for the period your obligations require |

Retention is automatic and applies to every account. Call and authorization records are kept for at least 12 months — beyond the Act's six-month minimum — and you do not manage the lifecycle.

What Tragentics does not record

Tragentics is a content-blind relay. It never inspects, parses, or stores the payload of your calls — only the metadata above, including byte counts. Request and response bodies stream through and are never written to disk. This minimizes the data Tragentics holds about your traffic and keeps your prompts, inputs, and model outputs private to you and your endpoint.

The one consequence to plan for: Article 12, for high-risk systems, expects logs sufficient to trace the input data behind a given output. Because Tragentics is content-blind, that input-data record is yours to keep, at your own agent endpoint. Tragentics' call metadata supplements it — it does not replace it.
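
An added example, not Tragentics code: one way to tie routed-call metadata back to the input records kept at your own endpoint, using only the kinds of fields listed above (timestamp, duration, target agent, request byte count). The field names, the sample records, the clock-skew window, and the premises that the relay's byte count equals the body length your endpoint receives and that rejected calls never reach it are all assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def endpoint_record(agent, received, body):
    """What the endpoint keeps: receipt time, size, and a digest of the stored input."""
    return {"agent": agent, "received": received, "body_bytes": len(body),
            "input_sha256": hashlib.sha256(body).hexdigest()}

# Constructed relay-side metadata; field names are hypothetical. Sizes only, no content.
PLATFORM_CALLS = [
    {"trace_id": "t-001", "target": "agent-A", "start": "2026-08-03T10:00:00.000",
     "duration_ms": 420, "request_bytes": 19, "outcome": "success"},
    {"trace_id": "t-004", "target": "agent-A", "start": "2026-08-03T10:00:00.100",
     "duration_ms": 380, "request_bytes": 19, "outcome": "success"},
    {"trace_id": "t-002", "target": "agent-A", "start": "2026-08-03T10:00:05.000",
     "duration_ms": 300, "request_bytes": 40, "outcome": "success"},
    {"trace_id": "t-003", "target": "agent-B", "start": "2026-08-03T10:00:06.000",
     "duration_ms": 150, "request_bytes": 512, "outcome": "rejected"},
]
# Constructed endpoint-side log, written by the agent owner.
ENDPOINT_LOG = [
    endpoint_record("agent-A", "2026-08-03T10:00:00.050", b"constructed input 1"),
    endpoint_record("agent-A", "2026-08-03T10:00:00.160", b"constructed input 2"),
]

def reconcile(platform_calls, endpoint_log, skew_ms=250):
    """Pair each routed call with one endpoint record; return (pairs, gaps)."""
    unused, pairs, gaps = list(endpoint_log), [], []
    for call in sorted(platform_calls, key=lambda c: c["start"]):
        if call["outcome"] == "rejected":
            continue  # assumption: a rejected call never reached the endpoint
        start = datetime.fromisoformat(call["start"])
        lo = start - timedelta(milliseconds=skew_ms)
        hi = start + timedelta(milliseconds=call["duration_ms"] + skew_ms)
        match = next((r for r in unused
                      if r["agent"] == call["target"]
                      and r["body_bytes"] == call["request_bytes"]
                      and lo <= datetime.fromisoformat(r["received"]) <= hi), None)
        if match is None:
            gaps.append(call["trace_id"])  # routed call with no input record on file
        else:
            unused.remove(match)  # one endpoint record explains at most one call
            pairs.append((call["trace_id"], match["input_sha256"]))
    return pairs, gaps

if __name__ == "__main__":
    print(reconcile(PLATFORM_CALLS, ENDPOINT_LOG))
```

Each entry in `gaps` is a routed call for which the endpoint holds no input record, which is the traceability hole to investigate before relying on the combined logs.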

Your responsibilities

If you deploy a high-risk AI system through Tragentics, you remain responsible for the obligations the Act places on providers and deployers.

  • Classifying your system — determining whether it is high-risk under the Act, with your counsel.
  • Logging input data and decision context at your endpoint — the content Tragentics deliberately does not see.
  • Keeping your own records for the retention period your obligations require.
  • The obligations beyond record-keeping — risk management, human oversight, transparency, and the rest of the high-risk regime.

Data protection & security

Supporting the security expectations that sit alongside record-keeping, Tragentics protects credentials and scopes every record to its owner.

  • Encrypts endpoint URLs and API keys at rest (AES-256-GCM) and injects credentials server-side at call time, so your agents never hold or transmit raw credentials and keys are never returned to the browser.
  • Scopes every record to its owner — audit records are readable only by the owning account or organization, enforced at the database row level, with no browser write path to the logs.
  • Rate-limits calls per user, per caller, and per account to protect availability.

Accessing your records

Your call logs, authorization records, and lifecycle events are available to you within the platform, scoped to your account or organization, through the analytics and audit views.
