Memory you can show your regulator: AI Twin

The line we are holding for privacy-led professionals. What “showing your regulator” actually means, and what AI Twin commits to.

By AI Twin · 22 May 2026 · 5-minute read

When we put “memory you can show your regulator” on the page for privacy-led professionals, we knew it would do one of two things. Either it would land as the sharpest possible commitment we have made to the people who buy carefully. Or it would read as a tagline reaching for something it cannot deliver.

So we want to defend the line.

What “showing your regulator” actually means

When a regulator asks a professional about their use of AI, they are not asking whether the tool is impressive. They are asking specific questions.

What data did the tool process. When did it process it. Who else has had access to it. How long is it kept. Where is it stored. Was the client informed. Has the client given consent. Can the client withdraw their data. Can the client see what is held.

These are not abstract concerns. They are the questions any audit will ask. The questions your professional body will ask. The questions your insurer will ask. The questions a court might one day ask.

Most consumer AI tools cannot answer most of these questions. Some cannot answer any of them.

That is the gap AI Twin is built to close.

What we mean when we say “show”

Every memory entity in AI Twin records six things by default.

What it is. The typed category. Person, Document, Fact, Event, Conversation, Brief.

When it entered memory. A timestamp on the row, with the original capture time preserved separately if different. A forwarded email that landed in your Magic Inbox a week after you received it carries both the send date and the capture date.

Where it came from. The provenance field. Did it come from the Universal Input, the Magic Inbox, a Smart Form, a voice memo, an attachment.

Who can see it. The sensitivity tier (LOW, MEDIUM, HIGH, CRITICAL) enforced at the database level by row-level security.

What has been done to it. The audit trail. INSERT, UPDATE, soft DELETE. Each action with a timestamp and the action that triggered it.

Whether it has been used. The retrieval log. Every time the entity is surfaced in response to a query, that retrieval is logged.

A regulator asking “what does the tool know about my client” should get a clean answer derived from these fields. Not a hand-wave. Not a screenshot of a chat log. An actual structured record with provenance.

That is what we mean by “show”.
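A sketch of how the six fields above could sit in a relational store and be turned into that structured record. This is an added example, not AI Twin's code: the SQLite schema, every table and column name, the `subject` column and the sample rows are assumptions. Tier enforcement by row-level security is not modelled, because SQLite has none.

```python
import sqlite3
# Hypothetical schema; all table and column names are assumptions.
SCHEMA = """
CREATE TABLE entity (id INTEGER PRIMARY KEY,
  subject TEXT NOT NULL,     -- assumed: the client the row is about
  category TEXT NOT NULL CHECK (category IN
    ('Person','Document','Fact','Event','Conversation','Brief')),
  entered_at TEXT NOT NULL,  -- when it entered memory
  original_at TEXT,          -- original time, kept only if different
  provenance TEXT NOT NULL,  -- input surface it arrived through
  tier TEXT NOT NULL CHECK (tier IN ('LOW','MEDIUM','HIGH','CRITICAL')),
  deleted_at TEXT);          -- soft-delete marker
CREATE TABLE audit (entity_id INTEGER, action TEXT, at TEXT);
CREATE TABLE retrieval (entity_id INTEGER, query TEXT, at TEXT);
CREATE TRIGGER audit_ins AFTER INSERT ON entity BEGIN
  INSERT INTO audit VALUES (NEW.id, 'INSERT', NEW.entered_at); END;
CREATE TRIGGER audit_upd AFTER UPDATE ON entity BEGIN
  INSERT INTO audit VALUES (NEW.id, CASE
    WHEN OLD.deleted_at IS NULL AND NEW.deleted_at IS NOT NULL
    THEN 'SOFT_DELETE' ELSE 'UPDATE' END, datetime('now')); END;
"""

def retrieve(db, subject, query, at):
    """Surface a subject's live entities and log every retrieval."""
    ids = [r["id"] for r in db.execute(
        "SELECT id FROM entity WHERE subject=? AND deleted_at IS NULL", (subject,))]
    db.executemany("INSERT INTO retrieval VALUES (?,?,?)", [(i, query, at) for i in ids])
    return ids

def regulator_report(db, subject):
    """One structured record per entity held about `subject`, deleted ones included."""
    rows = db.execute("SELECT * FROM entity WHERE subject=? ORDER BY id", (subject,)).fetchall()
    return [dict(r,
        audit=[a["action"] for a in db.execute(
            "SELECT action FROM audit WHERE entity_id=? ORDER BY rowid", (r["id"],))],
        retrievals=db.execute("SELECT COUNT(*) FROM retrieval WHERE entity_id=?",
                              (r["id"],)).fetchone()[0]) for r in rows]

def demo():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    ins = "INSERT INTO entity (subject,category,entered_at,original_at,provenance,tier) VALUES (?,?,?,?,?,?)"
    # Constructed sample rows: a forwarded email and a voice memo.
    db.execute(ins, ("client-a", "Conversation", "2026-05-08T09:00:00Z",
                     "2026-05-01T14:30:00Z", "Magic Inbox", "HIGH"))
    db.execute(ins, ("client-a", "Fact", "2026-05-09T10:00:00Z", None, "voice memo", "LOW"))
    retrieve(db, "client-a", "what did we agree?", "2026-05-10T08:00:00Z")
    db.execute("UPDATE entity SET deleted_at=? WHERE id=2", ("2026-05-11T12:00:00Z",))
    retrieve(db, "client-a", "summary", "2026-05-12T08:00:00Z")
    return regulator_report(db, "client-a")
```

Because the audit rows are written by database triggers rather than by application code, a write path that bypasses the application still leaves a trail.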

What we are not claiming

We are not claiming AI Twin is “certified” against any specific compliance standard. We are not certified to ISO 27001. We are not certified to SOC 2. We have not been independently audited.

We are claiming AI Twin is built to UK GDPR and EU AI Act Article 50 standards from the ground up. That is a design claim, not a certification claim. The difference matters.

The design claim is that the technical foundations (audit trail, row-level security, EU data residency, soft delete with permanent anonymisation after 30 days, no model training on customer data) are in place before the first user signs up, not bolted on afterwards.

The certification claim, which we are not making, would require an independent third party to verify all of that. We will pursue those certifications and we will say so publicly when they are achieved. We will not claim them before.

The reason this matters: AI compliance is a noisy space. “Compliant” is a word being thrown around by tools that genuinely cannot answer the questions a regulator would ask. We refuse to add to that noise. If you ask us “is AI Twin GDPR compliant,” our answer is: “AI Twin is designed and operated to comply with UK GDPR, and AI Twin Ltd is registered with the ICO. We have not yet been independently audited against UK GDPR, and we will say so when we have been.”

That is the calibrated answer. We think it is the only honest one.

What a regulator-friendly memory layer actually looks like

A few things we think are non-negotiable for any professional buying AI memory.

The buyer can see exactly what is held. Not a sample. Not a summary. The full list, queryable.

The buyer can see exactly when it was captured, from where, and via which surface.

The buyer can delete anything, and delete means delete. Not soft-hide. Not cached-forever. Permanent removal across production within a specified window, with backups rolling off on a published schedule.

The buyer can export anything, in a portable format that is not designed to lock them in. The export is good enough that the buyer could take their memory to a competitor tomorrow. If they wanted to.

The buyer can tier the data. Some things are LOW (a hobby preference). Some things are HIGH (a client conversation). Some things are CRITICAL (a confidential strategy). Access rules differ by tier and are enforced at the database level, not at the application level.

The buyer never has to wonder whether the model is being trained on their data. The answer is no. Not by us, not by our LLM providers, not by anyone, without explicit per-feature opt-in.

These five things are not nice-to-haves. They are what makes a memory layer defensible.

The line we are holding

“Memory you can show your regulator” is a promise that AI Twin treats the regulatory question as the primary design question, not the marketing afterthought.

It does not mean we have certified compliance. We have not.

It means that if you are a solicitor, an accountant, a GP, a therapist, or anyone else who is going to be asked one day to justify your use of AI to a regulator, we are building AI Twin so that justification is possible.

That is what we are holding ourselves to. We will be measured against it as we ship.

If we ever cannot show our own regulator, we will tell you.
