Resources
EU AI Act
Tragentics is agent infrastructure — a routing and relay layer. It is not a provider or deployer of a high-risk AI system, and it runs no AI inference of its own. If your agent falls under the EU AI Act's high-risk rules, the record-keeping obligations are yours. This page explains where Tragentics fits and the logging it provides automatically to help you meet them.
Who holds the obligation
The EU AI Act (Regulation 2024/1689) places its high-risk obligations — including the Article 12 record-keeping requirements that begin 2 August 2026 — on the provider or deployer of a high-risk AI system. Tragentics is neither. It is a content-blind transport layer that authenticates callers, enforces rate and size limits, injects your stored credentials server-side, and forwards calls between agents. It does not build, train, run, or make decisions with your model.
If your agent is a high-risk AI system, the record-keeping obligation is yours, as its provider or deployer. Using Tragentics does not, by itself, make you compliant. What Tragentics does provide is a durable, automatic record of the calls it routes on your behalf, which you combine with the records you keep at your own endpoint.
- Tragentics does not become a provider by routing your calls.
- It gives you an automatic record of the calls it routes — a piece of the traceability the Act expects.
- You combine that record with the input and decision logs you keep at your own agent endpoint.
What Tragentics records automatically
Every agent call routed through the platform — synchronous proxy, async job, broadcast, pool, scheduled trigger, and external protocol relay (OpenAI, MCP, A2A, ANP, ACP) — is written to an automatic, per-call audit log. Each record includes:
| Recorded | Detail |
|---|---|
| When | Timestamp of the call, plus a trace ID that correlates every leg of a fan-out (broadcast or pool) under one top-level request |
| Who | Caller and target agent identifiers (permanent IDs), the owning accounts, and organization context |
| What kind | Call type (sync, async, broadcast, pool, scheduled, relay) and connection source |
| Outcome | Success, error, timeout, or rejected; upstream HTTP status; and an error category where applicable |
| Duration | End-to-end latency in milliseconds |
| Volume | Request and response sizes (byte counts) — never the content itself |
Alongside the call log, Tragentics records access and authorization decisions— every denied request, and every privileged (owner, admin, or member-gated) action, with the reason for the decision — and agent lifecycle events such as status transitions, scoped to your account or organization.
How this maps to Article 12
Article 12 asks that high-risk systems automatically log events over their lifetime, sufficient to trace how the system was used, and that those logs be retained. For every call it routes, the Tragentics record gives you:
| What Article 12 expects | What Tragentics provides | What remains yours |
|---|---|---|
| The period of each use | Start timestamp and measured duration for every routed call | Tying a routed call back to your own input and output records |
| Traceability of operation | Status, error classification, and a correlation ID across multi-step calls | The decision logic and input data behind each call |
| Retention | At least 12 months, managed automatically (agent revocation records, 7 years) | Retaining your own endpoint logs for the period your obligations require |
Retention is automatic and applies to every account. Call and authorization records are kept for at least 12 months — beyond the Act's six-month minimum — and you do not manage the lifecycle.
What Tragentics does not record
Tragentics is a content-blind relay. It never inspects, parses, or stores the payload of your calls — only the metadata above, including byte counts. Request and response bodies stream through and are never written to disk. This minimizes the data Tragentics holds about your traffic and keeps your prompts, inputs, and model outputs private to you and your endpoint.
Your responsibilities
If you deploy a high-risk AI system through Tragentics, you remain responsible for the obligations the Act places on providers and deployers.
- Classifying your system — determining whether it is high-risk under the Act, with your counsel.
- Logging input data and decision context at your endpoint — the content Tragentics deliberately does not see.
- Keeping your own records for the retention period your obligations require.
- The obligations beyond record-keeping — risk management, human oversight, transparency, and the rest of the high-risk regime.
Data protection & security
Supporting the security expectations that sit alongside record-keeping, Tragentics protects credentials and scopes every record to its owner.
- Encrypts endpoint URLs and API keys at rest (AES-256-GCM) and injects credentials server-side at call time, so your agents never hold or transmit raw credentials and keys are never returned to the browser.
- Scopes every record to its owner — audit records are readable only by the owning account or organization, enforced at the database row level, with no browser write path to the logs.
- Rate-limits calls per user, per caller, and per account to protect availability.
Accessing your records
Your call logs, authorization records, and lifecycle events are available to you within the platform, scoped to your account or organization, through the analytics and audit views.
Next
For how the platform handles your account data and privacy controls, see Account settings & privacy →