KYE/Protocol
Open protocol · Version 0.1 · Apache-2.0

Know Your Entity. For AI, data and software supply chains.

KYE Protocol™ is an open identity, attestation and trust standard for AI vendors, data processors and software suppliers. Verifiable controls. Machine-readable evidence. Real-time supply-chain risk.

Stop chasing SIG/CAIQ spreadsheets. Stop hoping vendors update their DPAs. Subscribe to a vendor's posture.

Sister specification to the Compliance-to-Architecture Framework™. Published by ReguNav™.

Vendor due diligence is broken.

Procurement sends a 200-question SIG. Security sends a CAIQ. Privacy sends a GDPR Art. 28 questionnaire. Six weeks later, the vendor returns three PDFs that nobody re-reads when their posture changes.

By the time a sub-processor changes, an SLA lapses, or a model is fine-tuned on new data, your DDQ artefacts are stale — and you're the last to know.

Today's vendor-risk lifecycle
  1. Send 200-question DDQ
  2. Wait 6 weeks for response
  3. Re-format answers into your control library
  4. Sign vendor
  5. Forget about them
  6. Audit reveals the vendor changed sub-processors 4 months ago

KYE Protocol turns this into a subscription, not a snapshot.

Six steps. One protocol.

Step 1 of 6 · Identify

Establish the entity's verifiable identifier (DID, domain, organisation number, registry id).

Six entity classes. One identifier.

KYE Protocol gives every entity in your AI, data and software supply chain a single verifiable identifier — and a continuously-updated attestation graph hanging off it.

🤖 AI Vendor · Foundation-model providers, LLM API vendors, AI tool integrators
🗄️ Data Processor · Cloud, SaaS, analytics, marketing platforms processing personal data
📦 Software Supplier · OSS dependencies, code libraries, SBOM components
🛰️ ICT Third-Party · DORA-scope ICT providers serving EU financial entities
🔗 Sub-processor · GDPR Art. 28(4) downstream processors
🏛️ Notified Body · EU AI Act Art. 28-29 conformity assessors

Six use cases. Day-one impact.

Real workflows that compress today's weeks-long DDQ cycles into automated subscriptions.

UC-01

GDPR Art. 28 sub-processor verification

Replace quarterly DDQ spreadsheets with continuous, signed attestations from each sub-processor. Auto-alert when the chain changes.

UC-02

EU AI Act Art. 25 deployer due diligence

Before deploying a high-risk AI system from a third-party provider, fetch its Annex IV documentation, FRIA and conformity assessment in one machine-readable bundle.

UC-03

DORA Art. 28 ICT third-party register

Financial entities maintain the regulator-mandated register automatically — KYE attestations populate the fields the supervisor checks.

UC-04

Vendor questionnaire elimination

Customers stop sending SIG / CAIQ. They subscribe to the vendor's KYE feed; new responses arrive when the vendor's posture changes.

UC-05

AI Bill of Materials (AIBOM)

Every AI system carries a signed manifest of its foundation model, training data, fine-tunes, tokenizer, guardrails — discoverable + verifiable at deploy time.

UC-06

Trust score in procurement

Procurement systems block POs to vendors below a trust-score threshold. Procurement's job becomes policy authoring, not document chasing.

18 attestation types. Machine-readable. Cryptographically signed.

Every attestation type maps to a W3C Verifiable Credential, each with defined issuer and verifier roles.

  • SOC 2 Type II
  • ISO 27001
  • ISO 42001
  • GDPR Art. 28 DPA
  • GDPR Art. 32 security
  • EU AI Act Annex IV docs
  • Art. 27 FRIA
  • Art. 53 GPAI summary
  • DORA Art. 28 register entry
  • PCI DSS AOC
  • HIPAA BAA
  • Sub-processor list
  • Penetration test summary
  • Bias-test results
  • Red-team report
  • Incident history
  • Insurance coverage
  • SBOM / AIBOM

What's in v0.1.

Open spec — Apache-2.0. Patent-grant scope is limited to spec implementations; the commercial KYE registry + verifier engine ships in ReguNav™.

Identifier scheme

DID + DNS + organisation-number resolution. Backwards-compatible with did:web, did:plc, and existing GLEIF + ENS lookups.

Attestation envelope

W3C Verifiable Credentials JSON-LD with EIP-1271 / Ed25519 signatures. Replayable + revocable.

Schema registry

JSON-Schema for every attestation type — SOC 2, ISO 27001, GDPR Art. 28, EU AI Act Annex IV, FRIA, AIBOM, and 12 more.

Trust score

Open scoring formula combining completeness, freshness, attestation strength and incident decay. Forks are free to override it.
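The page lists the four ingredients of the score (completeness, freshness, attestation strength, incident decay) but not the formula. The block below is an added example of how such a score can be computed over a vendor's attestation graph and then used as the procurement gate from UC-06; it is not the protocol's published formula. The six expected attestation types, the strength weights, the 0.3/0.7 split, the 365-day and 180-day half-lives and the 20-point incident multiplier are all assumptions chosen for illustration (the kind of parameters the page says a fork may override).

```javascript
// Assumed set of attestation types a buyer expects from this vendor class.
// The page lists 18 types; six are used here to keep the example short.
const EXPECTED_TYPES = [
  'SOC 2 Type II',
  'ISO 27001',
  'GDPR Art. 28 DPA',
  'Sub-processor list',
  'Penetration test summary',
  'Incident history',
];

// Assumed attestation-strength weights: third-party-audited evidence counts
// fully, a self-declaration counts less, anything unknown counts nothing.
const STRENGTH = { 'third-party-audited': 1.0, 'self-declared': 0.4 };

function daysBetween(earlier, later) {
  return (later.getTime() - earlier.getTime()) / 86_400_000;
}

// Freshness as exponential decay: evidence one half-life old counts half,
// two half-lives old counts a quarter, and so on. Never negative, never > 1.
function freshness(issuedAt, now, halfLifeDays) {
  const age = Math.max(0, daysBetween(issuedAt, now));
  return Math.pow(0.5, age / halfLifeDays);
}

// Returns the score plus its components so a reviewer can see why a vendor
// scored as it did (completeness alone would hide stale or weak evidence).
function trustScore(attestations, incidents, now) {
  const bestPerType = new Map();
  for (const a of attestations) {
    if (!EXPECTED_TYPES.includes(a.type)) continue; // unexpected types are ignored, not rewarded
    const weight = (STRENGTH[a.strength] ?? 0) * freshness(new Date(a.issued), now, 365);
    bestPerType.set(a.type, Math.max(bestPerType.get(a.type) ?? 0, weight));
  }
  const completeness = bestPerType.size / EXPECTED_TYPES.length;
  const evidence = [...bestPerType.values()].reduce((sum, w) => sum + w, 0) / EXPECTED_TYPES.length;
  // Incident decay: each incident subtracts its severity (0..1), fading with a
  // 180-day half-life so old incidents stop dominating the score.
  const penalty = incidents.reduce(
    (sum, i) => sum + i.severity * freshness(new Date(i.date), now, 180), 0);
  const raw = 100 * (0.3 * completeness + 0.7 * evidence) - 20 * penalty;
  const score = Math.max(0, Math.min(100, Math.round(raw)));
  return { score, completeness, evidence, penalty };
}

// UC-06 gate: procurement blocks the PO when the score is below threshold.
function procurementAllowed(result, threshold) {
  return result.score >= threshold;
}

// Constructed sample data: a vendor whose audits are all exactly one year old
// and who had one low-severity incident three months before the check.
const NOW = new Date('2027-01-15T00:00:00Z');
const SAMPLE_ATTESTATIONS = EXPECTED_TYPES.map((type) => ({
  type, strength: 'third-party-audited', issued: '2026-01-15T00:00:00Z',
}));
const SAMPLE_INCIDENTS = [{ date: '2026-10-15T00:00:00Z', severity: 0.3 }];

console.log(trustScore(SAMPLE_ATTESTATIONS, SAMPLE_INCIDENTS, NOW));
console.log('PO allowed at threshold 60:',
  procurementAllowed(trustScore(SAMPLE_ATTESTATIONS, SAMPLE_INCIDENTS, NOW), 60));
```

The design choice worth noting is that a vendor with every attestation present but a year old scores 65 under these weights, not 100: freshness halves the evidence term, which is what makes the subscription model matter. A snapshot DDQ would have recorded the same vendor as fully compliant.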

Subscription protocol

WebSub-compatible feed of attestation changes. Customers subscribe; vendors push when posture changes.

Discovery

Public KYE registry at the entity's identifier surface — auditors + customers + regulators all read from the same source.

Adopt it. Issue it. Verify against it.

Apache-2.0. Open repository. Implementations welcome.

KYE Protocol™, v0.1 (2026).
ReguNav Inc. https://kyeprotocol.com