EU AI Act enforcement is live · Data resident in Frankfurt · Free for 6 months

The EU AI Act Is Live.
Do You Know Which AI Your Employees Use?

Discover the shadow AI already running in your organisation, continuously red-team it, and export auditor-ready EU AI Act, NIS2 and DORA evidence — with your data resident in Frankfurt, free for 6 months, installed in 10 minutes.

  • 10 min: From signup to first inventory
  • 180 days: Free, no credit card
  • Frankfurt: EU data residency, live
  • 554+: AI services detected

Enforcement Has Begun. The First Question Auditors Ask: "Which AI Are You Using?"

The EU AI Act entered into force in 2024 and is being phased in. Prohibited-practice rules and AI-literacy duties already apply, and full applicability lands in August 2026. You don't need a countdown to act — you need an inventory.

📅 Enforcement is live, deadlines are firming
Key obligations apply now; broader applicability arrives August 2026. Some high-risk timelines may move via the proposed Digital Omnibus — so the smart play is to get ahead of it, not to gamble on a single date.

👤 80% of employees use unapproved AI
Shadow AI is the immediate, regulator-cited problem: staff already paste work into tools nobody approved. You cannot govern — or evidence — what you cannot see. Source: UpGuard, The State of Shadow AI Report 2025 (1,500 workers across 7 countries) — more than 80% use unapproved AI tools at work.

🔓 38% share confidential data
A large share of employees admit to sharing confidential or customer data with AI tools. That is a GDPR and trade-secret exposure happening today, ahead of any AI-Act deadline. Source: National Cybersecurity Alliance & CybSafe, Oh, Behave! Cybersecurity Attitudes & Behaviors Report 2024 (7,000+ respondents) — 38% shared sensitive work data with AI tools without their employer’s knowledge.

📋 Inventory + evidence is the first deliverable
Before risk classification or conformity work, you need a defensible, continuously updated inventory of the AI in use — and the evidence trail to show a regulator how you keep it current.

Discovery and Continuous Red-Team and Compliance Evidence — In One Platform, EU-Resident

Most tools do one part of the job. ThreatVec combines four — and runs on EU-resident infrastructure with a free self-serve tier. We lead with the combination; we won't make false claims about anyone else.

🔍 Shadow-AI discovery
Chrome extension + host scan + desktop agent surface every AI service in use — 554+ named tools across 24 categories — with no network changes.

🎯 Continuous autonomous red-team
An always-on 7-stage loop (intel → generate → verify → execute → patch → re-verify → learn) tests your AI against adversarial techniques and tracks coverage.

📜 Compliance evidence
Live per-control scorecards and auditor-ready, PII/secret-redacted evidence packs for the frameworks your auditors actually use.

🇪🇺 Live EU residency
Per-tenant regional routing keeps EU customer data at rest in Frankfurt. Chosen at signup, fail-closed, isolation tested in CI.

| Capability | ThreatVec | Governance / discovery tools, e.g. Holistic AI, Zenity, Credo AI | AI red-team tools, e.g. Giskard (EU-native), Lakera, Mindgard |
| --- | --- | --- | --- |
| Shadow-AI discovery (endpoint + host) | ✓ Built in | ~ Governance/registry focus | ✗ Not the focus |
| Continuous autonomous red-team | ✓ Always-on 7-stage loop | ~ Some add testing (e.g. Holistic AI) | ✓ Core strength |
| Per-framework compliance evidence export | ✓ Scorecards + evidence packs | ✓ Core strength | ~ Testing reports |
| Live EU data residency (at rest) | ✓ Frankfurt, per-tenant | — Varies by vendor | ~ Some EU-native (e.g. Giskard) |
| Free self-serve tier | ✓ 180-day hosted, no card | — Often sales-led | ~ Some free OSS (e.g. Giskard) |

Vendors are grouped by their primary advertised focus, and some cross over — Holistic AI adds red-team testing; Giskard is a strong EU-sovereign red-team vendor with a free open-source tier. Where public material doesn't confirm a capability, we mark it "— varies" rather than guess. Our edge isn't any single row — it's the full combination: endpoint shadow-AI discovery + continuous autonomous red-team + per-framework evidence + live managed EU residency + a free hosted self-serve tier, in one product. No vendor here does all five.

Your Data Stays in Frankfurt

Choose the EU region at signup and your tenant's data at rest is routed to infrastructure in Frankfurt, Germany. Routing is per-tenant and fail-closed — if the EU region cannot be confirmed, the request does not silently fall back to another region.

🇩🇪 At rest in Frankfurt
EU-region customer data is stored in a regional PostgreSQL database hosted in Frankfurt, Germany (Hostinger), with TLS in transit and the database firewalled to our application host.

🔀 Per-tenant regional routing
Each tenant is pinned to its chosen region. The routing is fail-closed: if the EU datastore is unreachable, the operation fails rather than reaching for a non-EU store.

🧪 Isolation tested in CI
A two-region test suite runs in continuous integration to defend the boundary — it asserts EU-tenant data does not leak into the US datastore on every change.

Chosen at signup, verifiable live
You pick your region during signup. The live region status is published at our regions endpoint, and the full picture is on our trust page.
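
A minimal sketch of the per-tenant, fail-closed routing and the cross-region leak check described above. This is an added example, not ThreatVec's code: the class and function names, the tenant IDs and the in-memory stores are hypothetical and constructed for illustration.

```python
# Added illustration, not ThreatVec code; every name here is hypothetical.
class RegionUnavailable(Exception):
    """Raised instead of falling back to another region."""

class Store:
    """In-memory stand-in for one regional datastore (constructed)."""
    def __init__(self, region):
        self.region, self.reachable, self.rows = region, True, []

    def write(self, tenant_id, record):
        if not self.reachable:
            raise ConnectionError(f"{self.region} datastore unreachable")
        self.rows.append((tenant_id, record))

class RegionRouter:
    def __init__(self, stores, tenant_regions):
        self.stores = stores                  # region -> Store
        self.tenant_regions = tenant_regions  # tenant -> region pinned at signup

    def write(self, tenant_id, record):
        region = self.tenant_regions.get(tenant_id)
        # Unconfirmed tenant or region: refuse, never pick a default region.
        if region is None or region not in self.stores:
            raise RegionUnavailable(f"no confirmed region for {tenant_id!r}")
        try:
            self.stores[region].write(tenant_id, record)
        except ConnectionError as exc:
            # Fail closed: surface the failure, do not retry in another region.
            raise RegionUnavailable(str(exc)) from exc

def leaked_tenants(router):
    """Boundary check: tenants with rows stored outside their pinned region."""
    return sorted({tenant for region, store in router.stores.items()
                   for tenant, _ in store.rows
                   if router.tenant_regions.get(tenant) != region})

def demo():
    eu, us = Store("eu"), Store("us")
    router = RegionRouter({"eu": eu, "us": us},
                          {"acme-gmbh": "eu", "acme-inc": "us"})  # constructed tenants
    router.write("acme-gmbh", {"service": "chat"})
    router.write("acme-inc", {"service": "code"})
    eu.reachable = False                      # simulate an EU outage
    try:
        router.write("acme-gmbh", {"service": "chat"})
        failed_closed = False
    except RegionUnavailable:
        failed_closed = True
    return failed_closed, len(eu.rows), len(us.rows), leaked_tenants(router)
```

During the simulated outage the EU tenant's write raises and the US store's row count stays unchanged, which is the property a two-region CI suite would assert on every change.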

Processing vs. storage — an honest note. EU-region customer data is stored at rest in Frankfurt. Some processing still runs through US sub-processors under EU Standard Contractual Clauses and the EU-US Data Privacy Framework — LLM analysis (Anthropic, DeepSeek), authentication (Clerk) and transactional email (Resend). Customer-submitted content is never routed to DeepSeek. The full sub-processor list is in our privacy policy, and the same disclosure is shown as consent at signup.


Live Scorecards and Auditor-Ready Evidence Packs

ThreatVec maps your AI security controls to the frameworks EU teams answer to, with live per-control scorecards and one-click, PII- and secret-redacted evidence-pack export.

  • EU AI Act — control scorecards covering risk management (Art. 9), data governance (Art. 10), record-keeping / logging (Art. 12) and accuracy & robustness (Art. 15)
  • NIS2 — security-measure and incident-evidence mapping
  • DORA — ICT risk and digital operational-resilience evidence
  • ISO/IEC 23894 — AI risk-management guidance
  • NIST AI Risk Management Framework — govern / map / measure / manage
  • OWASP LLM Top 10 — all ten controls assessed and exportable

An honest note on scope. Continuous shadow-AI discovery is a direct input to the EU AI Act AI-inventory and post-market-monitoring obligations. It is one input alongside your own governance — not a standalone attestation of conformity. ThreatVec produces evidence; your organisation remains responsible for its AI-Act obligations.

# Pull a live EU AI Act control scorecard
curl https://app.threatvec.com/api/v1/compliance/eu-ai-act/scorecard \
  -H "X-Org-Key: tvk_..."

# Returns:
{
  "framework": "EU AI Act",
  "articles": ["9", "10", "12", "15"],
  "data_region": "eu",
  "generated_at": "2026-06-01T..."
}

# Export a redacted, auditor-ready evidence pack
curl ".../api/v1/compliance/evidence-pack?redact=pii,secrets" \
  -H "X-Org-Key: tvk_..."

From Zero Visibility to an AI Inventory in Under 10 Minutes

No infrastructure changes on day one. Free for 180 days, no credit card, EU-resident, self-install.

01. Sign up — choose EU
Pick the EU region at signup. Your tenant's data at rest is pinned to Frankfurt from the first request. No sales call, no credit card.

02. Install the Chrome extension
Live on the Chrome Web Store. Immediately see which AI services employees use — ChatGPT, Claude, Gemini, Copilot — and whether PII is being pasted.

03. Run the host scan + desktop agent
One-line install for macOS, Windows or Linux. Detects AI coding tools and the API endpoints they reach. Starts reporting in seconds.

04. Read your inventory & scorecards
Your shadow-AI inventory and live EU AI Act / NIS2 / DORA scorecards appear automatically — your first auditable snapshot, ready to export.

# One-line client install — everything pre-filled
curl -sSL https://app.threatvec.com/client-setup.sh | bash

Get ahead of the EU AI Act.
Start with the inventory you're missing.

Your first shadow-AI inventory and compliance scorecards in 10 minutes. Free for 180 days — no credit card, no sales call, data resident in Frankfurt.

No credit card · 180-day free beta · Data resident in Frankfurt · Self-install · Chrome extension live