v0.1 · MIT-licensed · self-hosted · free for SMBs

89 days to EU AI Act enforcement.

August 2, 2026 — high-risk AI obligations under the EU AI Act become enforceable. Penalties up to €15M or 3% of global revenue, whichever is higher. AttestProto is the open-source per-decision attestation toolkit that satisfies Article 12 (logging) + 13 (transparency) + 14 (oversight) + 17 (QMS) + 19 (retention) — and adds GDPR Article 22 + ISO 42001 + Colorado AI Act for free.

★ Get the toolkit on GitHub · Book a 20-min screen-share →

Who this is for

You're a Head of Compliance, CTO, or DPO at a 50-500-person EU SMB operating an AI system in one of the Annex III high-risk categories: employment, lending, education, essential services, law enforcement, migration, justice, biometrics, or critical infrastructure.

Big 4 quoted you €100-300k for "EU AI Act compliance review." Your counsel quoted another €40-80k. You don't have €400k for paperwork. You need a working solution that produces audit-ready evidence per decision, self-hosted, with no data leaving your infrastructure.

This is that solution. It's free.

What Article 12 actually requires

Article 12 mandates that high-risk AI systems "shall technically allow for the automatic recording of events ('logs') over the lifetime of the system." The logs must enable:

  1. Identifying situations that may result in a risk or substantial modification (12(2)(a))
  2. Facilitating post-market monitoring (12(2)(b))
  3. Monitoring the operation of high-risk AI systems (12(2)(c))

Article 19 requires those logs to be retained for at least six months. So the practical six-month clock is already ticking — the organisations best positioned for August 2 are the ones who started logging in February.

AttestProto generates Article 12 logs as cryptographically signed attestations, persists them in a tamper-evident ledger (SQLite or Postgres), and includes a Bitcoin OP_RETURN anchor option for the strongest possible "verifiable in 2030 even if the vendor disappears" guarantee.

What the toolkit auto-maps

EU AI Act Art. 12 (record-keeping)

Every attestation IS an Article 12 log entry. Cryptographically signed, schema-validated, persistable.

Art. 13 (transparency to deployers)

Auto-flag missing 'instructions for use' attribution per high-risk system.

Art. 14 (human oversight)

Track human-oversight evidence per decision; flag when missing.

Art. 17 (quality management system)

Documented QMS evidence captured automatically across attestations.

Art. 19 (retention ≥ 6 months)

Ledger retains logs indefinitely by default; configurable retention with an audit trail.

Art. 26 (deployer obligations)

Separate deployer-side attestation surface for input data appropriateness + monitoring.

GDPR Article 22

Automated-decision-making + right to human intervention — auto-flagged when consent / contract / human-review tags are missing.

ISO 42001:2023

Clauses 7.4 (communication) + 8.3 (operational risk treatment) auto-tagged.

Colorado AI Act

SB 24-205 high-risk duty + consumer disclosure for any US sales touching Colorado consumers.

30-second example — what your DPA sees

$ attestproto compliance hiring-decision-2026-05-04.json --json
[
  {
    "framework": "eu-ai-act",
    "citation": "Art. 12 (record-keeping)",
    "severity": "info",
    "detail": "High-risk AI system; attestation provides Art. 12 automatic record-keeping artefact."
  },
  {
    "framework": "eu-ai-act",
    "citation": "Art. 14 (human oversight)",
    "severity": "medium",
    "detail": "High-risk system without human-oversight tag; Art. 14 requires effective oversight measures by natural persons."
  },
  {
    "framework": "gdpr",
    "citation": "Article 22(1) (automated individual decision-making)",
    "severity": "medium",
    "detail": "Solely-automated decision producing legal effects; Article 22(1) prohibits unless consent, contract, or law authorises."
  },
  {
    "framework": "iso-42001",
    "citation": "Clause 7.4 (Communication)",
    "severity": "info",
    "detail": "Attestation supports clause 7.4 documented information."
  }
]
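The mapping behind that CLI output, as an added Python example that is not AttestProto's own code: the attestation schema (system.high_risk, decision.solely_automated, decision.legal_effects, tags) and the rule conditions are assumptions constructed for illustration, and evaluate_with_tags shows which findings clear once the human-oversight and human-review evidence is recorded.

```python
import json

# Constructed sample attestation with a hypothetical schema (not AttestProto's own).
SAMPLE_ATTESTATION = json.dumps({
    "attestation_id": "hiring-decision-2026-05-04",
    "system": {"high_risk": True, "annex_iii_category": "employment"},
    "decision": {"solely_automated": True, "legal_effects": True},
    "tags": [],  # no human-oversight / consent / contract / human-review evidence
})
# Tags that document a lawful basis for a solely-automated decision (GDPR Art. 22(2)).
GDPR22_BASES = {"consent", "contract", "human-review"}
SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}

def finding(framework, citation, severity, detail):
    return {"framework": framework, "citation": citation, "severity": severity, "detail": detail}

def evaluate(attestation_json):
    """Map one attestation (JSON string) to framework findings shaped like the CLI output."""
    att = json.loads(attestation_json)
    tags = set(att.get("tags", []))
    decision = att.get("decision", {})
    findings = []
    if att.get("system", {}).get("high_risk"):
        # For a high-risk system the attestation itself is the Art. 12 record.
        findings.append(finding("eu-ai-act", "Art. 12 (record-keeping)", "info",
                                "High-risk AI system; attestation is the Art. 12 record."))
        if "human-oversight" not in tags:
            findings.append(finding("eu-ai-act", "Art. 14 (human oversight)", "medium",
                                    "High-risk system without human-oversight tag."))
    if decision.get("solely_automated") and decision.get("legal_effects") and not (tags & GDPR22_BASES):
        findings.append(finding("gdpr", "Article 22(1) (automated individual decision-making)",
                                "medium", "Solely-automated decision with legal effects and no "
                                "consent, contract or human-review tag."))
    findings.append(finding("iso-42001", "Clause 7.4 (Communication)", "info",
                            "Attestation supports clause 7.4 documented information."))
    return findings

def evaluate_with_tags(attestation_json, tags):
    """Re-run the rules with added evidence tags to see which findings they clear."""
    att = json.loads(attestation_json)
    att["tags"] = list(tags)
    return evaluate(json.dumps(att))

def worst_severity(findings):
    """Highest severity across findings; 'info' when there is nothing to fix."""
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__, default="info")

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_ATTESTATION), indent=2))
```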

Why self-hosted matters here

GDPR makes a SaaS attestation vendor a data processor. That's a data processing agreement, an additional risk register entry, and possibly a cross-border data transfer mechanism (SCCs / adequacy decision) if the vendor is based outside the EEA.

AttestProto is self-hosted by default. The ledger runs on your infrastructure. No data leaves. No data processing agreement needed for the tool itself. No transfer mechanism. No vendor-risk question for procurement.

Run on Docker (docker compose up), Kubernetes, a single Mac mini, or a €10/month Hetzner VPS. The ledger is < 100 MB of code + your Postgres or SQLite database.

Pricing for SMBs

AttestProto is free for SMBs under the MIT licence. Compare that with the €100k+ Big 4 review you were quoted, or the €5-10k/month of custom-logging engineering you've been writing in-house.

Get the toolkit

★ Star + clone on GitHub · Read the EU AI Act rules · 20-min screen-share →

AttestProto is built by Lex Oleksiienko (Calgary, AB). Open source, MIT. Not legal advice. The compliance rules engine implements the publicly available text of Regulation (EU) 2024/1689; consult your DPO and counsel before relying on it for regulator-facing deliverables.