Technical deep dive
Article 12 logging — how it works
A transparent explanation of every step from LLM call to compliance report. No black boxes.
The fundamental design constraint
Our SDK does not intercept or forward requests. Your app calls OpenAI directly, as always. The SDK only reads what was sent and received from memory, after the fact, and sends a copy to our servers asynchronously.
Request flow
Customer app ──────────────────► OpenAI
      │
      └──► Sovergate (async copy, fire and forget)
PII scrubbing — local, before transmission
PII detection and scrubbing runs inside your infrastructure, in the same process as your application, before any data is sent to our servers. We never see the original prompt.
Email addresses: user@example.com → [EMAIL_REDACTED_1]
Full names: John Smith → [NAME_REDACTED_1]
Phone numbers: +49 89 1234567 → [PHONE_REDACTED_1]
IBAN numbers: DE89 3704 0044 → [IBAN_REDACTED_1]
National ID numbers: ID-12345678 → [ID_REDACTED_1]
IP addresses: 192.168.1.1 → [IP_REDACTED_1]
What we log per request
Every log entry contains the fields required to satisfy Article 12 and enable regulator investigation.
Hash chaining — tamper evidence
Every log entry includes a cryptographic hash of the previous entry. If anyone modifies a log entry, its stored hash no longer matches the hash recomputed from its content, and the chain breaks. Regulators can verify that the entire chain is unmodified.
# chained_hash formula
chainedHash = sha256(
    previousEntry.chainedHash +
    currentEntry.content
)
The Go report generator verifies the full chain before generating every PDF. Reports include "Chain integrity: VERIFIED".
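The chaining and verification described above, sketched in Go as an added example (this is not Sovergate's SDK or report generator code). The `Entry` field names, the all-zero genesis value, the hex encoding and the `trustedHead` comparison are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry follows the page's formula; field names are assumptions.
type Entry struct{ Content, ChainedHash string }

var genesis = fmt.Sprintf("%064d", 0) // assumed "previous hash" for entry 0

// chainHash = sha256(previous chainedHash + current content), hex-encoded.
func chainHash(prev, content string) string {
	sum := sha256.Sum256([]byte(prev + content))
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the current tail.
func Append(es []Entry, content string) []Entry {
	prev := genesis
	if n := len(es); n > 0 {
		prev = es[n-1].ChainedHash
	}
	return append(es, Entry{content, chainHash(prev, content)})
}

// Verify returns the index of the first broken link, len(es) if the tail
// differs from trustedHead (a head hash kept outside the log store), else -1.
func Verify(es []Entry, trustedHead string) int {
	prev := genesis
	for i, e := range es {
		if chainHash(prev, e.Content) != e.ChainedHash {
			return i
		}
		prev = e.ChainedHash
	}
	if prev != trustedHead {
		return len(es)
	}
	return -1
}

func main() {
	es := Append(Append(Append(nil, "req-1"), "req-2"), "req-3") // constructed entries
	head := es[2].ChainedHash
	es[1].Content = "edited"
	fmt.Println(Verify(es, head)) // index of first broken link
}
```

Comparing the tail against a head hash stored separately matters because the chain alone cannot show that trailing entries were dropped, or that every hash was recomputed after an edit.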
Non-blocking guarantees
The SDK is open source. Inspect it yourself.
The December 2027 enforcement deadline is closer than it looks.
Initializing the Sovergate SDK takes less than 10 minutes. Securing explicit governance sign-off from your corporate internal audit team takes weeks. Deploy the staging proxy today, export your first verification ledger, and clear compliance blockers early.