
Compliance Overview

Evidence-backed compliance status. We publish our actual posture, not aspirational claims.

Last updated: April 25, 2026

This page reflects ORA’s actual compliance posture as of April 25, 2026 — backed by code controls, not aspirational statements. Per FTC substantiation guidance (March 2026), we only mark a framework “Compliant” when the controls are implemented and verifiable. Status will be updated as each control is completed.

Compliance Status by Framework

| Framework | Jurisdiction | Status | Evidence / Measures |
|---|---|---|---|
| PIPEDA | Canada | Implementation in progress | Privacy policy published. Server-side auth, data retention enforcement, and access/export/delete workflows under active development. |
| CASL (Canada's Anti-Spam Legislation) | Canada | Compliant | Express consent for all communications. Unsubscribe mechanisms operational. |
| GDPR | EU/EEA | Partial — Canada adequacy applies | DPA available, data subject rights documented. Server-side enforcement of retention and deletion workflows pending. Canada has EU adequacy decision. |
| FTC AI enforcement posture | United States | Partial | AI disclosures implemented in UI (lobby, chat badges). API-level headers deployed. Claims require ongoing substantiation as production evidence accumulates. |
| EU AI Act — Article 50 Transparency | European Union | Partial — deadline August 2, 2026 | UI disclosure and API headers implemented. Machine-readable labeling and export-level provenance metadata in progress. |
| Colorado SB 24-205 | Colorado, USA | In progress — deadline June 30, 2026 | Risk assessment page published. Consequential-decision gate, impact assessment object, and consumer correction/appeal workflows under development. NIST AI RMF alignment documented. |
| Texas TRAIGA | Texas, USA | Partial — active since January 2026 | Prohibited uses enforced via Acceptable Use Policy. NIST AI RMF alignment in progress for affirmative defense. |
| California AI Transparency Act (SB 942) | California, USA | Preparing — effective August 2026 | AI-generated content disclosure in UI. Machine-readable watermarking roadmap under development. |
| NIST AI RMF 1.0 | Voluntary (US safe harbor) | Mapping in progress | Govern/Map/Measure/Manage narrative published. Executable controls and evidence register under active development. |
| SOC 2 Type II | Trust framework | Roadmap — target 2027 | Security policy, access controls, and audit logging implemented. Formal SOC 2 audit engagement planned. |

What Is Implemented in Production

  • EU AI Act Article 50 disclosure — Users are shown an AI system disclosure before entering ORA (Lobby.tsx). Every AI message carries an “AI-Generated” badge (ChatMessage.tsx). All AI API responses include X-AI-Generated disclosure headers.
  • Governance audit log — Every agent action is logged with SHA-256 chained audit trail at /pulz/audit with CSV export for compliance documentation.
  • Consumer rights API — POST /api/pulz/consumer-rights accepts access, correction, deletion, and appeal requests with 30-day SLA tracking.
  • Agent policy enforcement — Tool calls are validated against workspace allowlists and denied path fragments before execution.
  • Privacy commitment disclosure — Data training prohibition, MCP memory control, and session retention disclosed in ORA settings panel.
  • Security headers — CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy deployed on both ORA site and PulZ app.
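The SHA-256 chained audit trail described above, as an added illustration of how such a log is built, verified and exported to CSV. This is example code, not ORA's /pulz/audit implementation; the record fields, the genesis value and the sample agent actions are constructed for the demo.

```python
import csv
import hashlib
import io
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # constructed: prev_hash of the first record in the chain


def entry_hash(prev_hash: str, entry: Dict) -> str:
    """Hash the previous link together with a canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(log: List[Dict], entry: Dict) -> Dict:
    """Append an agent action, linking it to the hash of the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {**entry, "prev_hash": prev, "hash": entry_hash(prev, entry)}
    log.append(record)
    return record


def verify(log: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link; return (True, None) or (False, index of first bad record).

    A modified field, a re-ordered record or a deleted record all break the chain
    at or before the point of change, so the index localises the damage.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k not in ("hash", "prev_hash")}
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(prev, body):
            return False, i
        prev = rec["hash"]
    return True, None


def export_csv(log: List[Dict]) -> str:
    """Flatten the chain to CSV so auditors can re-verify it outside the app."""
    fields = ["seq", "agent", "action", "prev_hash", "hash"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for i, rec in enumerate(log):
        writer.writerow({"seq": i, **rec})
    return buf.getvalue()
```

Because anyone who can rewrite the whole file can also recompute every hash, the chain only proves integrity relative to a head hash that is stored or published somewhere the log writer cannot alter.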

What Is Pending

  • Server-side authentication replacing the current client-side acknowledgment gate (Supabase / Google OAuth — Phase C)
  • localStorage personal data TTL enforcement (revenue module)
  • Consequential-decision runtime gate wired into chat/agent API routes
  • Machine-readable content provenance metadata on exports
  • Formal annual impact assessment review process
  • SOC 2 Type II audit engagement

Enterprise Compliance Documentation