Skip to content
Module #1 · Live · part of the Dobby platform

Pass bank procurement with the evidence reviewers ask for.

Fintech AI Evidence scans every run of your AI workloads against SOC 2 Type II — live today — with EU AI Act and DORA control packs built and in final outside-counsel review; surfaces gaps before the reviewer does; and exports the audit-ready package a bank's risk team signs off on. Out-of-band, enforced non-custodial.

DORA has been in force since January 17, 2025, and vendor procurement reviews ask for AI evidence today. The EU AI Act high-risk deadline is moving to December 2027 under the Digital Omnibus.

Active frameworks
EU AI Act
Art 12 · 14 · 28 · Annex III
Dec 2, 2027
DORA
Art 5 · 7 · 9 · 28 ICT third-party
In force
SOC 2 Type II
CC2.1 · CC6.1 · CC6.6 · CC7.2
Procurement
3 frameworks · 1 evidence pack · enforced non-custodial
Who it's for

Two sides of the same vendor review.

AI vendors selling into banks. Risk teams reviewing AI vendors. Either side, the question is the same: where is the evidence?

Seller side

AI vendors selling into banks and fintechs

Procurement asks: where is the EU AI Act evidence? The DORA ICT-third-party register? The SOC 2 controls mapping? Today your engineering team scrambles a deck. Dobby gives you the actual artifact — same shape, every framework, every reviewer.

Reviewer side

Risk teams reviewing AI vendors

Twenty AI vendors are in your pipeline. Each one shows up with a different deck, a different controls map, a different story. Dobby gives every vendor the same shape — control matrix, gap report, manifest — so you compare apples to apples.

Either way, the artifact is the same.

Framework coverage

Three frameworks, one evidence pack.

The same scan exports the same shape for all three. Frameworks activate per tenant; controls fail or pass per run.

EU AI Act

Annex III — High-risk AI

Art 12 record-keeping. Art 14 human oversight. Art 28 ICT third-party. High-risk enforcement is moving to December 2027 (Digital Omnibus) for credit scoring, underwriting, biometric.
~12 controls·pack in legal review
DORA

Digital Operational Resilience

Art 5 governance · Art 7 ICT risk · Art 9 protection · Art 28 third-party. In force since January 17, 2025. Every fintech's AI-vendor procurement now flows down DORA obligations.
~10 controls·pack in legal review
SOC 2 Type II

Vendor procurement table stakes

CC2.1 communication · CC6.1 logical access · CC6.6 system boundaries · CC7.2 detection. The first artifact a bank's procurement table asks for.
10 controls·scanning live

All three are activated per tenant — switch on what you need, scan against only the active set. SOC 2 scanning is live today; the EU AI Act and DORA packs activate on outside-counsel sign-off.

How it works

Four steps, non-custodial throughout.

For this module non-custodial is enforced — your raw payloads land in a customer-owned dataset, never Dobby's store. Dobby reads telemetry out-of-band, scans against active frameworks, and exports evidence; it never sits in the request path.

Step 01

Connect

pip install dobby-collector Stream run telemetry from CrewAI, LangChain, OpenAI, Google ADK, AWS Bedrock, or a custom SDK.
Step 02

Activate frameworks

Toggle frameworks per tenant — SOC 2 live today, EU AI Act and DORA on legal sign-off. Each framework is a control set — Dobby scans only against the active ones.
Step 03

Scan + find gaps

Every run checked by deterministic rules + AI evaluation, across the 4-layer policy hierarchy. Four-state verdict: compliant · violated · needs-review · unverifiable.
Step 04

Export evidence

One command — `dobby export` or the UI — produces the package procurement asks for: HTML or ZIP, with SHA-256 manifest for tamper-evident integrity.
Evidence pack contents

The exact shape a reviewer signs off on.

Six components per export. Same structure, every framework, every scan. The package a bank's risk team actually asks for — not a deck.

Executive summary

One-page overview — frameworks scanned, overall verdict, top three gaps. Written for the reviewer, not the engineer.

Control matrix

Every control mapped to every run that exercised it. Verdict per control, evidence per verdict.

Gap report

Every gap ranked by severity — what is missing, why it matters, the fix. Procurement-ready language.

Findings

Each individual finding — timestamp, run ID, framework, control, verdict, AI reasoning. Auditable.

Framework coverage

Verifiable % per framework — how much of the framework your runs actually exercised. Honest about gaps.

SHA-256 manifest

Tamper-evident hash chain over every component. The auditor re-hashes to confirm nothing changed.

Export format: HTML · JSON · ZIP (all six components + signature).

Pass your next bank procurement review.

Start with Fintech AI Evidence. Connect a workload, activate the frameworks, export the evidence pack. The same shape every reviewer asks for — out-of-band, enforced non-custodial, audit-ready.

Book a demoRead the docs

Free to try · No credit card · Out-of-band · Enforced non-custodial

Fintech AI Evidence — EU AI Act · DORA · SOC 2 | Dobby AI