heygrc
For ai startups

You ship the models the first AI regulation was written for.

For AI-native startups facing the EU AI Act's engineering duties (logging, data governance) alongside the SOC 2 and GDPR asks every customer already makes.

AI startups get regulated from two directions at once. Customers ask for the familiar things, SOC 2 and GDPR answers, before they send data to your models. And if your system lands in the EU AI Act's high-risk scope, the Act adds duties that are engineering artifacts, not policies: record-keeping over the system's lifetime, governance over the data that trained it. Both kinds of duty change in pull requests, often in the fast-moving pipeline code an AI team refactors weekly.

The Act's duties live in your pipeline

What the AI Act asks of a high-risk system reads like a code review checklist: keep automatic logs of the system's events (Art. 12), govern the data that goes into training (Art. 10). Those properties erode the same way test coverage does, one convenient deletion at a time. heygrc is built to read each change against the frameworks you selected and cite the article or control it touches, so the trace you will need for a conformity assessment does not quietly disappear in a cleanup PR.

It does not classify your system's risk tier or run your conformity assessment, and whether the Act applies to you is your own assessment. It catches the diffs that erode the record either way, which the SOC 2 and GDPR lenses want too.

What it catches for you

Changes that read as ordinary code.

A few of the control-relevant changes heygrc is built to flag for this case, each cited to the clause it touches.

  • Inference logging is removed from a decision system

    EU AI Act Art. 12
  • A training pipeline adds a data source with no governance record

    EU AI Act Art. 10
  • A user-deletion job skips the vector store

    GDPR Art. 17
Go deeper

The frameworks that matter most here.

Guide: Compliance checks for AI-generated code

heygrc flags control-relevant changes and cites the clause so the issue can be handled in the pull request. It does not certify you, run your audit, or replace your own judgment.