{ "$schema": "https://astranl.com/schemas/regulatory-compliance-v1.json", "version": "1.0.0", "published_at": "2026-05-21T20:30:00+00:00", "organization": { "name": "AstraNL", "legal_id": "KvK 88449335", "vat": "NL004604224B69", "jurisdiction": "Netherlands", "size": "micro-enterprise (ZZP)" }, "eu_ai_act": { "regulation": "EU 2024/1689", "classification": "limited-risk", "rationale": "Coordination protocol between humans, providers, and AI agents. Does not perform any Annex II safety-component role or Annex III high-risk use (no biometric ID, no critical infrastructure operation, no employment screening, no credit/insurance scoring, no law enforcement, no migration/asylum, no education access, no administration of justice).", "transparency_obligations": { "article_50_1": "users informed they interact with AI (notice on /providers/ and /klantenondersteuning/)", "ai_generated_content_labelling": "task analysis outputs labelled as AI-generated" }, "high_risk_components": [], "high_risk_uses": [], "banned_practices_present": false, "deepfake_or_synthetic_media": false, "national_implementation": { "law": "Uitvoeringswet AI-verordening", "status": "draft published 2026-04-20, consultation through 2026-06-01" }, "sandbox_application": { "status": "planned 2026 Q3", "target_regulator": "RDI", "documentation": "https://astranl.com/research/regulatory-landscape-nl-2026.md" }, "phase_in_dates": { "banned_practices_apply": "2025-02-02", "general_purpose_ai_apply": "2025-08-02", "high_risk_apply": "2026-08-02", "member_state_rollout_complete": "2027-08-02" } }, "gdpr_uavg": { "regulation": "EU 2016/679 + NL UAVG", "data_controller": "AstraNL", "lawful_basis": ["contract performance (escrow, payment, matching)", "legitimate interest (reputation, anti-fraud)", "explicit consent (marketing, federation re-share)"], "purpose_limitation": { "llm_training_use": false, "third_party_resale": false, "profile_aggregation_across_sources": false }, "data_retention": { "task_records": "24 months after completion", "financial_records": "7 years (Dutch tax law)", "lessons_and_telemetry": "rolling 12 months", "automatic_purge": true }, "data_minimisation": true, "right_to_erasure": { "endpoint": "DELETE /api/agents/{agent_id}", "sla": "24h purge plan" }, "third_party_processors": [ {"name": "Anthropic", "role": "task analysis LLM (Haiku 4.5)", "data_retention": "zero retention contract", "location": "EU/US"}, {"name": "Stripe", "role": "payment processing", "location": "EU+US"}, {"name": "Brevo", "role": "transactional email", "location": "EU"}, {"name": "DigitalOcean", "role": "infrastructure hosting (AMS3)", "location": "NL"} ], "dpia_completed": true }, "nis2_cybersecurity": { "regulation": "EU 2022/2555 + Nederlandse Cyberbeveiligingswet", "direct_applicability": false, "reason": "AstraNL is below the 50-employee / €10M turnover threshold", "supply_chain_applicability": true, "pre_emptive_controls": [ "action ledger with hash-chain (action_ledger.db)", "secrets restricted to chmod 600 in /opt/astranl/secure/", "13 active security defences (CONSTITUTION Article 40)", "rate-limit zones in nginx", "prompt-injection defence (immune_system.py)", "HMAC-signed admin actions", "daily site_watchdog (53 invariants every 15 minutes)" ] }, "product_liability_directive": { "regulation": "EU 2024/2853 (updated PLD)", "effective_date": "2026-12-09", "applicability_to_astranl": "facilitator role only", "liability_allocation": "provider holds liability for execution defects via direct customer contract; AstraNL is broker not principal", "payment_flow": "Stripe Connect direct provider → customer with 1% AstraNL fee", "insurance": { "current_status": "transitioning broker (ZEKUR rejected expanded scope April 2026)", "task_value_limit": "€500 without active liability cover", "replacement_search": "Hiscox / Markel / Aon active 2026 Q2" } }, "algoritmeregister": { "registry": "https://algoritmes.overheid.nl", "entry_status": "draft", "target_publication": "2026 Q3", "algorithm_name": "AstraNL Coordination Protocol Provider Matching", "algorithm_type": "hybrid rule-based plus LLM-assisted", "decision_impact": "limited — customer always confirms manually", "bias_mitigation": "matching uses skill, category, availability, reputation only; protected attributes not collected", "human_oversight": "customer reviews and accepts; AstraNL operator reviews disputes" }, "machinery_regulation": { "regulation": "EU 2023/1230", "applicability_to_astranl": "indirect via Layer 2 robot vendors (Monumental, CyBe)", "astranl_role": "coordination protocol; physical robots are independent CE-marked products supplied by vendors", "vendor_compliance_required": true }, "vifo_act": { "name": "Wet veiligheidstoets investeringen, fusies en overnames", "applicability_to_astranl": "low — AstraNL is not in a sensitive technology sector under VIFO", "monitor": "applicable if AstraNL accepts foreign capital in future" }, "public_documents": { "economic_context": "https://astranl.com/research/economic-context-nl-2026.md", "regulatory_landscape": "https://astranl.com/research/regulatory-landscape-nl-2026.md", "ai_plugin": "https://astranl.com/.well-known/ai-plugin.json", "agent_gateway": "https://astranl.com/.well-known/agent-gateway.json", "protocol": "https://astranl.com/.well-known/protocol.json", "economic_signals": "https://astranl.com/.well-known/economic-signals.json" }, "contact": { "general": "https://astranl.com/contact", "data_protection": "https://astranl.com/contact?topic=gdpr", "regulatory_review": "https://astranl.com/contact?topic=regulator" }, "last_review": "2026-05-21", "next_review_due": "2026-08-21", "review_cadence": "quarterly + on any regulator guidance update" }