HIPAA-grade PHI detection and tokenization. 21 CFR Part 11 WORM audit trail. FDA SaMD-aware routing. BAA-ready posture before your first query runs.
Minimum compliance is how you get OCR investigations and FDA warning letters. We exceed the minimums — by design, not accident.
Administrative, physical, and technical safeguards enforced at the agent layer. PHI never traverses the model in raw form — tokenized before request, re-hydrated in audit-only context.
45 CFR §§ 164.302–164.318Electronic records and signatures with SEC 17a-4-style WORM immutability. Every query, every response, every gate decision is timestamped, hashed, and tamper-evident from minute one.
21 CFR Part 11.10, 11.50Software as a Medical Device detection built into the routing layer. Intents that cross into clinical decision support are flagged, logged, and routed to the medical-auditor agent pool before response.
IMDRF SaMD N10, FDA AI/ML Action PlanPHI access is logged at the individual identifier level. Breach notification timelines (60-day rule) are supported by audit log granularity — every PHI touch traceable to request, agent, and timestamp.
HITECH Act § 13402, 45 CFR § 164.400For EU customers: agent routing respects the EU Medical Device Regulation (2017/745) classification framework. High-risk AI Act classifications handled through the same regulatory exceedance posture.
EU MDR 2017/745, EU AI Act Art. 113Business Associate Agreement executed before your first production query. Data processing boundaries, subprocessor chains, and breach notification obligations documented and signed — not assumed.
45 CFR § 164.504(e)A simulated chart-review intent tries to extract protected health information. Watch the MARCH gate intercept it — with a full Transparency Card showing the audit trail.
Compliance theater is building to the minimum and hoping no one looks closely. Here's where we exceed it — specifically.
Not a post-hoc review. Not a periodic scan. Every query traverses all three gates in sequence — or it doesn't get a response.
Dedicated medical-auditor agent pool provisioned on day 1. PHI tokenization, MARCH gate, 21 CFR Part 11 WORM audit, and BAA all active before your first production request.
Three routing paradigms. One built for regulated industries.
| Metric | Legacy DAG | Vector Search | Sturna |
|---|---|---|---|
| Routing Logic | Rule-based | Single embedding | Tier-Constrained MOA |
| First Contact Resolution | 35–50% | 45–60% | 75%+ |
| Cost per Intent | $0.1200 | $0.0800 | $0.0108 |
| Guardian Framework | — | — | 4-role, 5-trigger |
| zk-SNARK Proof | — | — | ✓ Live |
| Source Count | Internal only | Paid APIs only | 38 free sources |
| Audit-Ready Output | Log file only | Log file only | ✓ HMAC-SHA256 |
| Regulatory Frame | No | No | SEC 17a-4 · HIPAA · EU AI Act |