Compliance attestation
EU AI Act Article 26 compliance
WAVE is Article 26 compliant as of 2026-04-28. The regulation takes effect 2026-08-02. We shipped 96 days ahead of the deadline.
Effective date: 2026-04-28 · Last reviewed: 2026-04-28
5-year retention
Every agent decision is retained for 5 years from the moment it was recorded. Article 26 §4 baseline plus active-system buffer.
Immutable logs
Audit rows cannot be modified after insertion. Postgres row-level security enforces INSERT and SELECT only — no UPDATE or DELETE policies on the audit table.
Per-agent export
Org admins export any agent's full decision history as JSON or JSONL via signed API. Article 26 §5 transparency.
What we implemented
1. argus_signals table: cross-vendor agent decision log. Every machine payment authorization, every Privy wallet event, every Bridge transfer, every Stripe charge fans into this table within 60 seconds. No mutation policy.
2. retention_until column: set to NOW() + INTERVAL '5 years' on every row. Daily cron deletes expired rows in 10,000-row batches via a SECURITY DEFINER function callable only by the service role.
3. RLS immutability: argus_signals_service_role_insert and argus_signals_service_role_select are the only service-role policies. No UPDATE or DELETE policy exists. Tamper-evidence by Postgres construction.
4. Audit export endpoint: GET /api/v1/argus/audit/agent/[agent_id] returns full decision history scoped to the caller's organization, with optional date range, limit, and JSON or JSONL formats. Response includes an X-Article-26-Compliant: true header.
5. Cross-vendor observability: Argus also captures anomalies (spend cap, rate limit, replay, geo, vendor degradation) and Tier 3 daily inference. Customers can attest the full agent-decision provenance, not just our own.
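The pattern in items 2 and 3, written out as an added sketch with the catalog queries a reviewer would run to confirm it. This is not WAVE's migration: the column types, the role name service_role, and the function name argus_purge_expired are assumptions; the table, column, and policy names come from the list above.

```sql
-- Added sketch, not the project's migration. Assumes a role named
-- service_role already exists; argus_purge_expired is a hypothetical name.
CREATE TABLE argus_signals (
  id              bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
  occurred_at     timestamptz NOT NULL,
  ingested_at     timestamptz NOT NULL DEFAULT now(),
  payload         jsonb       NOT NULL,
  retention_until timestamptz NOT NULL DEFAULT (now() + INTERVAL '5 years')
);

ALTER TABLE argus_signals ENABLE ROW LEVEL SECURITY;

-- Only INSERT and SELECT policies exist. With RLS enabled, an UPDATE or
-- DELETE from service_role matches no policy and touches zero rows.
CREATE POLICY argus_signals_service_role_insert ON argus_signals
  FOR INSERT TO service_role WITH CHECK (true);
CREATE POLICY argus_signals_service_role_select ON argus_signals
  FOR SELECT TO service_role USING (true);

-- Grants are a second layer: without the privilege, UPDATE/DELETE fail with
-- a permission error instead of silently affecting no rows.
REVOKE ALL ON argus_signals FROM PUBLIC, service_role;
GRANT INSERT, SELECT ON argus_signals TO service_role;

-- Batched purge of expired rows. SECURITY DEFINER runs as the function
-- owner; a table owner is exempt from RLS unless FORCE ROW LEVEL SECURITY
-- is set, which is what lets this one path delete.
CREATE FUNCTION argus_purge_expired(batch_size int DEFAULT 10000)
RETURNS bigint LANGUAGE plpgsql SECURITY DEFINER
SET search_path = public, pg_temp AS $$
DECLARE n bigint;
BEGIN
  DELETE FROM argus_signals WHERE id IN (
    SELECT id FROM argus_signals
    WHERE retention_until < now() LIMIT batch_size);
  GET DIAGNOSTICS n = ROW_COUNT;
  RETURN n;  -- rows removed in this batch; the caller loops until 0
END $$;
REVOKE ALL ON FUNCTION argus_purge_expired(int) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION argus_purge_expired(int) TO service_role;

-- Reviewer checks: which policies exist, whether RLS is on and forced,
-- and which roles bypass RLS entirely.
SELECT policyname, cmd, roles FROM pg_policies WHERE tablename = 'argus_signals';
SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'argus_signals';
SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;
```

Any role returned by the last query, and the table owner when relforcerowsecurity is false, is not constrained by the two policies, so the immutability claim holds only for roles outside that set.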
Article 26 mapping
| Article | Requirement | WAVE implementation |
|---|---|---|
| §1(a) | Logs of decisions | argus_signals row per machine-payment decision |
| §1(b) | Period of operation | occurred_at + ingested_at per row |
| §1(c) | Reference data | payload.jti, payload.agent_id, payload.service_id |
| §2 | Provenance | payload.vendor + W3C trace_id |
| §3 | Integrity | INSERT-only RLS, no UPDATE or DELETE policy |
| §4 | Retention | 5 years via retention_until |
| §5 | Accessibility | /api/v1/argus/audit/agent/[id] + /admin/argus |
What this means for customers
If you operate AI agents that authorize payments to or via WAVE, you can rely on our infrastructure to satisfy Article 26 record retention, integrity, and accessibility for those decisions.
You are still responsible for your own agent's decision-making logic, your own consent capture, and any non-WAVE-mediated decisions your agents make. Article 26 covers the system; we cover the trail of every action your agent takes inside our system.
For procurement: cite ADR-0128 in your DPA. For audit: request an export via your org admin. For incident response: anomalies are surfaced in /admin/argus.
Annual external audit
WAVE retains external counsel for an annual Article 26 audit. The first audit covers the period 2026-04-28 to 2027-04-28 and will be available to enterprise customers under NDA. Findings inform the next ADR revision.
Counsel: TBD (Q1 2026 RFP) · Coverage: ADR-0128 + every amendment through audit period
Export your audit trail
Org admins call the audit endpoint with an agent_id and a date range. Response is JSON or JSONL.
curl -H "Authorization: Bearer $WAVE_API_KEY" \
"https://wave.online/api/v1/argus/audit/agent/agent-123\
?from=2026-04-01T00:00:00Z\
&to=2026-04-28T23:59:59Z\
&format=jsonl" \
-o agent-123-decisions.jsonl
References
- EU AI Act Regulation 2024/1689 — Article 26: record-keeping obligations for high-risk AI systems
- ADR-0128 (WAVE internal): EU AI Act Article 26 compliance moat
- Migration 20260428040000_argus_5yr_retention.sql: retention + immutability + cleanup function
- ADR-0125: WAVE Argus cross-vendor observability platform
- ADR-0127: ArgusGuardrailService fail-closed semantics