The Runtime Trust & Compliance Operating Layer for AI
Kertus sits in front of your AI. It reasons over regulation, enforces policy in real time, explains every decision with sources, and hands you audit-grade evidence — in days, not months.
Building AI is Easy. Operating AI as a Business Is Hard.
Companies can build AI quickly but struggle with the operational complexity of running AI as a commercial product.
The painful reality of commercializing AI
Each of these requires weeks of engineering work—time better spent on your core AI product.
The deeper problem no one is solving
What competitors say
What enterprises actually need
Enterprises need explainability, not just enforcement. A blocked request without a source-cited reason is useless in an audit. That gap is what Kertus closes.
The Runtime Trust & Compliance Operating Layer for AI
Kertus sits between your applications and your AI providers. Keep your infrastructure — we add a reasoning compliance brain, runtime enforcement, metering, billing, and evidence.
How it works
Works with any provider
Plus any OpenAI-compatible API endpoint.
Keep your infrastructure. We add a compliance brain, runtime enforcement, and the evidence to prove it.
Core Capabilities
Everything you need to commercialize, govern, and prove your AI APIs — from runtime enforcement to audit-grade evidence.
Usage Metering
Track requests, tokens, images, minutes, or custom units.
AI Billing
Subscription, pay-per-use, hybrid pricing models.
Runtime Trust
Policy enforcement before requests reach providers.
GDPR / DSGVO
Runtime data protection checks and compliance.
EU AI Act Ready
Human oversight, transparency, and runtime controls.
DORA / NIS2 Ready
ICT risk management and incident reporting controls for financial and critical infrastructure.
Tenant Isolation
Customer-level quotas, access, and billing separation.
Auditability
Immutable runtime decisions and billing evidence.
Bring Your Own Infrastructure
Keep your provider and cloud. We integrate seamlessly.
Compliance Brain
Private per-tenant Compliance Knowledge RAG over EU AI Act, GDPR, DORA, and NIS2 — cited decisions, not guesses.
Explainable Decisions
Every allow, mask, route, or deny returns the reason, the legal basis, the policy reference, and the source citation.
Compliance Studio
Upload your internal policies, DPAs, and works-council agreements. Kertus auto-indexes them into your private compliance tenant.
Audit Evidence Chain
Tamper-evident records of every decision: legal basis applied, policy cited, confidence score, and alternative offered. Regulator-ready.
Zero Provider Knowledge
FULL, OPAQUE, or BLACK_BOX mode. Kertus delivers compliance, metering, billing, and audit with zero knowledge of your AI architecture.
HMAC Request Signing
Cryptographic proof that every request to your backend was authenticated, compliant, and quota-checked by Kertus. Your team secret stays secret.
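Verifying such a signature on the receiving backend, as an added example that is not Kertus code: the page names HMAC request signing but not its wire format, so the canonical string, the two header names and the 300-second freshness window are assumptions.

```python
import hashlib
import hmac

# Assumed signing scheme (the page names HMAC request signing but not its format):
# the proxy signs "METHOD\nPATH\nTIMESTAMP\nSHA256(body)" with HMAC-SHA256 under
# the team secret and carries the result in two hypothetical headers.
SIG_HEADER = "X-Veridion-Signature"
TS_HEADER = "X-Veridion-Timestamp"


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    # Hash the body instead of embedding it so large payloads sign cheaply.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> dict:
    """Proxy side: produce the headers that accompany a forwarded request."""
    ts = str(timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {TS_HEADER: ts, SIG_HEADER: mac.hexdigest()}


def verify_signed_request(secret: bytes, method: str, path: str, headers: dict,
                          body: bytes, now: int, max_skew: int = 300) -> bool:
    """Backend side: accept only a fresh, untampered request signed with our secret."""
    ts = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER)
    if not ts or not sig or not ts.isdigit():
        return False  # unsigned or malformed: treat as not coming from the proxy
    if abs(now - int(ts)) > max_skew:
        return False  # stale or future-dated: limits replay of a captured request
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(expected, sig)
```

The backend only ever holds the secret and a verification routine; nothing about the AI model or provider needs to be shared with the proxy for this check to work.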
The Compliance Brain
Every allow, mask, route, or deny is reasoned — not guessed. Our private per-tenant Compliance Knowledge RAG reasons over EU AI Act, GDPR, DORA, NIS2, and your own policies, then explains every decision with sources.
WITHOUT KERTUS
Decision: DENY
// That's it. No reason. No source.
// Good luck explaining this to legal.
WITH KERTUS
Decision: DENY
Risk: High-risk AI system
EU AI Act Annex III — Employment
Required controls:
✓ Human oversight mandated (Art. 14)
✓ Transparency notice required (Art. 13)
✓ Bias monitoring required (Art. 9)
✓ Logging and auditability (Art. 12)
Confidence: HIGH
Sources:
· EU AI Act Art. 6 + Annex III §4
· GDPR Art. 22 — automated decisions
· BfDI Guidance 2024 §3.2
· Tenant policy: AI-GOV-007 §1.4
This is what enterprise legal teams, works councils, and regulators actually want. Kertus produces it automatically, on every request, stored as tamper-evident evidence.
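One way a decision record like the one above can be stored tamper-evidently, as an added illustration and not Kertus's documented storage format: each record (decision, legal basis, policy, confidence, alternative, sources) is hash-linked to its predecessor, so an after-the-fact edit to any entry is detected on verification. The sample records are constructed.

```python
import hashlib
import json

# Illustrative hash chain (not Kertus's documented storage format): every entry
# commits to its predecessor, so editing or deleting any earlier decision breaks
# every hash that follows and the break is detectable on verification.
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    # Fixed key order and separators so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: list, record: dict) -> dict:
    """Link a new decision record to the chain head and return the stored entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()
    entry = {"record": record, "prev_hash": prev_hash, "hash": digest}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if intact, else (False, index of the first entry that fails)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        recomputed = hashlib.sha256(prev_hash.encode() + canonical(entry["record"])).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["hash"] != recomputed:
            return False, i
        prev_hash = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    # Constructed records carrying the fields the page lists for each decision.
    chain = []
    append_record(chain, {"request_id": "req_0001", "decision": "DENY",
                          "legal_basis": "EU AI Act Art. 6 + Annex III §4",
                          "policy": "AI-GOV-007 §1.4", "confidence": "HIGH",
                          "alternative": "Route to mistral-eu with PII masking",
                          "sources": ["euaiact://art-6", "tenant://dpa#4.3"]})
    append_record(chain, {"request_id": "req_0002", "decision": "ALLOW",
                          "legal_basis": "GDPR Art. 6(1)(b)", "policy": "AI-GOV-007 §1.4",
                          "confidence": "HIGH", "alternative": None, "sources": []})
    return chain
```

A chain like this only proves integrity, not who wrote it; anchoring the head hash somewhere the operator cannot silently rewrite (a signed export, a write-once store) is what turns it into regulator-facing evidence.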
Regulatory Corpus
EU AI Act, GDPR/DSGVO, DORA, NIS2, EDPB opinions, ISO 42001, BfDI guidance, and sector rules — maintained, versioned, and retrieval-ready.
Private Per-Tenant RAG
Upload your DPAs, works-council agreements, internal AI policies, and vendor allowlists. Auto-indexed into your isolated compliance tenant.
Proprietary Compliance Ontology
A structured map of use cases → risk categories → obligations → required controls → evidence. The moat competitors cannot quickly copy.
Your AI Architecture Is Your Business
Kertus delivers compliance enforcement, metering, billing, and audit-grade evidence with zero knowledge of your underlying AI implementation. Keep your secret sauce.
Full Visibility
You use OpenAI, Anthropic, or Gemini directly. Store your provider key in Kertus and get token-level metering, cost tracking, and EU sovereign routing.
Opaque Provider
You have your own AI backend and won't expose which model you use. Kertus proxies to your backend. Meter on your own unit — per diagnosis, per page, per query.
Black Box
You expose nothing. Hospital. Government. Financial institution. Kertus sits in front of your system. Full compliance enforcement. Zero provider disclosure required.
(Provider identity: never stored or required)
What you always get — regardless of visibility mode
Three modes. One API. Same endpoint.
# Direct provider integration (Anthropic shown)
POST /v1/proxy/legal-analysis
Authorization: Bearer kai_live_abc
{
"model": "claude-sonnet-4-5",
"messages": [...]
}
# Response headers:
X-Veridion-Decision: ALLOW
X-Veridion-Provider: anthropic
X-Veridion-Cost: 0.12
X-Veridion-Unit-Source: PROVIDER_RESPONSE
# Proprietary AI backend
POST /v1/proxy/document-analysis
Authorization: Bearer kai_live_xyz
X-Customer-Token: customer-secret
{
"documentId": "doc_8821",
"type": "contract-review"
}
# Response headers:
X-Veridion-Decision: ALLOW
X-Veridion-Cost: 0.25
X-Veridion-Unit-Source: UPSTREAM_HEADER
# (provider: never known to Kertus)
# Hospital AI — zero disclosure
POST /v1/proxy/clinical-support
Authorization: Bearer kai_live_hospital
X-Veridion-Use-Case: medical-diagnosis
X-Veridion-Data-Classification: PERSONAL
# Response (ALLOW):
X-Veridion-Decision: ALLOW
X-Veridion-Cost: 0.50
X-Veridion-Unit-Source: REQUEST_COUNT
# Same endpoint, SPECIAL_CATEGORY → DENY:
X-Veridion-Decision: DENY
X-Veridion-Cost: 0.00
Black Box: cost appears on ALLOW decisions (€0.50/request), zero on DENY — because denied requests are never forwarded and never billed. Compliance enforcement without provider knowledge.
From AI Prototype to Commercial Product
Five steps to launch your AI API with enterprise-grade monetization and trust.
Register AI Service
Define your AI service endpoints and configuration in the Kertus dashboard.
Configure Pricing, Quotas & Policies
Set up subscription tiers, usage-based pricing, and customer quotas. Upload internal policy documents to activate your private compliance tenant.
Connect Provider Endpoint
Point Kertus to your existing AI infrastructure—OpenAI, Anthropic, or self-hosted.
Route Requests Through Kertus
Update your customer applications to route through the Kertus proxy.
Get Enforcement, Evidence & Billing Instantly
Every request is classified, reasoned over, enforced, metered, and logged with a cited decision — automatically.
POST /proxy/v1/document-ai
Authorization: Bearer customer-key
Content-Type: application/json
Simple integration—just change the endpoint URL.
// Compliance decision header returned on every request
X-Veridion-Decision: DENY
X-Veridion-Reason: GDPR Art. 9 — special-category data
X-Veridion-Policy: AI-POL-004 §2.1
X-Veridion-Risk: Cross-border transfer — provider not approved
X-Veridion-Alternative: Route to mistral-eu with PII masking
X-Veridion-Confidence: HIGH
X-Veridion-Sources: euaiact://art-6, tenant://dpa#4.3
This is what closes enterprise deals. Not "blocked" — but why, with sources, and what to do instead.
Privacy by Default
Kertus does not store prompts or AI responses by default.
We only store the metadata needed for billing and compliance:
Your customer data flows through—it never stays with us.
Not Another AI Gateway — A Compliance Brain That Requires Nothing From You
Kertus combines capabilities that would otherwise require multiple tools—or months of custom development.
| Feature | Generic API Gateway | AI Observability | Compliance Dashboard | Kertus |
|---|---|---|---|---|
| Routing | ||||
| Runtime Trust | ||||
| Usage Metering | ||||
| AI Billing | ||||
| Customer Quotas | ||||
| GDPR Runtime | ||||
| EU AI Act Runtime | ||||
| DORA / NIS2 Runtime | ||||
| Explainable cited decision | ||||
| Per-tenant compliance RAG | ||||
| Compliance Studio (self-serve) | ||||
| Works without provider disclosure | ||||
| Black Box mode (zero AI visibility) | ||||
| HMAC request signing for backends | ||||
| Auditability | ||||
| Logs & Analytics | ||||
Who It's For
Built for teams where AI compliance is not optional — from regulated enterprises to startups commercializing AI.
Regulated & Public Sector
Deploy AI in healthcare, government, finance, and HR where legal sign-off is mandatory. Every decision is explainable, cited, and defensible in an audit.
AI Startups
Commercialize AI APIs quickly. Focus on your core AI product while Kertus handles billing, metering, and compliance.
Vertical AI SaaS
Enterprise trust without building infrastructure. Ship to enterprise customers with EU AI Act and GDPR compliance built in — and the evidence to prove it.
Internal Enterprise AI Platforms
Chargeback, quotas, and governance for internal AI services. Every department's AI usage is metered, governed, and audit-ready.
Built to Scale With You
Start with the core platform on day one. Unlock compliance depth as your needs grow. Build once, customise via product — never via bespoke engineering.
Core Platform
AI proxy, provider routing, metering, billing, quotas, baseline EU AI Act + GDPR enforcement, and audit logging. Self-serve. No implementation required.
Compliance Packs
Pre-built modules for Healthcare, Public Sector, HR & Recruiting, Finance, and EU Sovereign. Preconfigured policies, regulations, and risk-scoring templates.
Compliance Studio
Upload your internal policies, DPAs, and legal docs. Auto-indexed into a private per-tenant RAG. Configuration, not custom code. Your rules, your tenant.
Enterprise Services
For the largest accounts: guided onboarding, policy migration, legal workshops, and custom connectors. A bounded engagement — not the core business.
Tiers 1–3 are 100% SaaS — build once, sell many, customise via product. No forks, no bespoke engineering per client.
The Missing Operating Layer of the AI Economy
AI will not scale on prototypes and spreadsheets.
The future requires a compliance brain that reasons, enforces, and proves — not a static rule engine that says "denied" with no explanation.
Kertus is that brain. Runtime reasoning. Source-cited decisions. Audit-grade evidence. Built for the companies who cannot afford to get AI governance wrong.
Commercialize Your AI Product Faster
Join our early access program and be among the first to launch with enterprise-grade monetization and trust.
How Kertus Works in the Real World
A realistic example of how companies integrate Kertus AI in minutes — without changing their product experience.
From AI Prototype to Commercial Product in Minutes
MedFlow Analytics
AI-powered clinical decision support platform
"We built the AI, but getting legal and the works council to approve it took longer than building it."
Integrated Kertus in under 5 minutes
Before
fetch("https://api.medflow.ai/clinical-decision")
After
fetch("https://proxy.kertus.ai/v1/clinical-decision-support")
One endpoint change. Everything else stays the same.
Your Users Never Notice the Difference
Before Kertus
"Analyze Patient Risk"
Risk score
0.72
After Kertus
"Analyze Patient Risk"
Risk score
0.72
The customer experience stays exactly the same. Kertus works invisibly behind the scenes.
What Kertus Does Automatically
Request flow
Automated by Kertus
Commercial controls + enterprise trust — automatically.
What a Real Request Looks Like
POST /v1/clinical-decision-support
Authorization: Bearer customer-key
{
"patientId": "anon-12345",
"analysisType": "risk-assessment",
"dataScope": "vitals-only"
}
Kertus authenticates the customer, evaluates runtime trust policies, applies privacy controls, checks quotas, meters usage, and forwards the request automatically.
Successful Request
// Headers
X-Veridion-Usage: 238/500
X-Veridion-Cost: 0.20
X-Veridion-Request-Id: req_92384
X-Veridion-Policy: PASSED
X-Veridion-Privacy: VERIFIED
X-Veridion-Compliance: ACTIVE
// Body
{
"riskScore": 0.72,
"confidence": 0.91
}
The customer receives the exact same AI response — plus enterprise-grade usage visibility.
When Kertus Protects Your Business
429 Too Many Requests
{
"error": "QUOTA_EXCEEDED",
"message": "Monthly request quota exceeded."
}
No provider call happens. No unnecessary AI cost is incurred.
403 Forbidden
{
"error": "SUBSCRIPTION_INACTIVE"
}
Kertus blocks unauthorized usage before provider costs occur.
X-Veridion-Decision: DENY
X-Veridion-Reason: GDPR Art. 9 — special-category data
X-Veridion-Policy: AI-POL-004 §2.1
X-Veridion-Risk: Cross-border transfer not approved
X-Veridion-Alternative: Route to mistral-eu + PII masking
X-Veridion-Sources: euaiact://art-6, tenant://dpa#4.3
Not just blocked — explained, cited, and an alternative provided. This is what a regulator and works council actually want to see.
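A client-side parser for the responses shown on this page (the DENY headers here and in the deploy section, the successful-request headers, and the 429 and 403 error bodies), as an added example not taken from Kertus: it folds each response into one record for logging and flags a DENY that lacks the reason, policy and sources an audit needs. The kind labels and the sample inputs are my own construction.

```python
import json

# Header names are the X-Veridion-* ones shown on this page; the "kind" labels,
# the audit-readiness rule and the sample inputs are my own construction.

def parse_outcome(status: int, headers: dict, body: str = "") -> dict:
    """Fold status, X-Veridion-* headers and body into one record to log and act on."""
    h = {k.lower(): v for k, v in headers.items()}
    decision = (h.get("x-veridion-decision") or "ALLOW").upper()
    if decision != "ALLOW":
        kind = decision.lower()  # deny, mask or route: the compliance verdict wins
    elif status == 429:
        kind = "quota_exceeded"
    elif status == 403:
        kind = "subscription_inactive"
    else:
        kind = "allow"
    sources = h.get("x-veridion-sources")
    out = {
        "status": status,
        "kind": kind,
        "request_id": h.get("x-veridion-request-id"),
        "reason": h.get("x-veridion-reason"),
        "policy": h.get("x-veridion-policy"),
        "alternative": h.get("x-veridion-alternative"),
        "sources": [s.strip() for s in sources.split(",")] if sources else [],
        "cost": float(h["x-veridion-cost"]) if h.get("x-veridion-cost") else None,
        "usage": None,
        "body": None,
    }
    usage = h.get("x-veridion-usage")  # e.g. "238/500"
    if usage and "/" in usage:
        used, limit = usage.split("/", 1)
        out["usage"] = (int(used), int(limit))
    try:
        out["body"] = json.loads(body) if body else None
    except json.JSONDecodeError:
        pass  # non-JSON body: keep None rather than fail the whole parse
    if isinstance(out["body"], dict) and "error" in out["body"]:
        out["error"] = out["body"]["error"]  # QUOTA_EXCEEDED / SUBSCRIPTION_INACTIVE
    return out


def is_audit_ready(out: dict) -> bool:
    """A blocked request is only usable evidence if it carries reason, policy and sources."""
    if out["kind"] in ("allow", "quota_exceeded", "subscription_inactive"):
        return True
    return bool(out["reason"] and out["policy"] and out["sources"])
```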
"We went from 'legal won't approve this' to 'here is the audit evidence, here are the sources, here is the compliant alternative' — without rebuilding anything."
That is the compliance brain.
Frequently Asked Questions
Common questions about Kertus AI and how it works.