VIGIL: compliance evidence layer
[ studio brief, positioning ]

Evidence, not just observability.

AI agents now produce regulated data flows. VIGIL gives your agents pre-flight compliance checks they call before they act, each producing a signed, tamper-evident record of the decision, plus audit-grade event logs tagged with the regulatory frame at ingest. Mapped to 13 jurisdictions and 28 regimes.

[ the problem your existing tools don't solve ]

Two stacks, one missing answer.

The buyer's actual problem

AI agents now produce regulated data flows. A retrieval-augmented chatbot touches a Quebec resident's record. A coding assistant logs an Aadhaar. The buyer's question isn't "can I see what my agent did?" or "am I compliant?". It is both at once: "what just happened, and was it legal?"

Why this doesn't split cleanly along existing tool lines

Observability tools (Datadog, Sentry, Splunk) capture what happened. Compliance tools (Drata, Vanta) document policies + run audits. Neither answers "is this agent action legal in real time?" The buyer has to wire two stacks together and write their own glue, usually after a regulator asks.

Why VIGIL is built differently

VIGIL captures every event AND tags it with the regulatory frame (DPDP / GDPR / PIPL / etc.) AT INGEST. The DPIA, ROPA, breach classifier, and cross-border registries all run against the live event stream. The dashboard and the compliance reports are the same surface, drawn from the same database.

[ how vigil differs from datadog + drata ]

Side-by-side.

Capability | VIGIL | Datadog / Sentry | Drata / Vanta

Real-time agent event feed
VIGIL emits SIEM-grade events (CEF / LEEF).
no

Multi-jurisdiction PII detection
Aadhaar Verhoeff, PAN, UPI, SIN, CPF, NRIC, RRN, NIN, BVN, IBAN, VAT, My Number, China ID.
13 jurisdictions | Generic | no

Per-jurisdiction breach classifier
DPDP §8, GDPR Art 33, CPRA §1798.82, LGPD Art 48, PDPA §26B, US-FED sectoral.
6+ jurisdictions | no | Generic

EU AI Act classifier (Reg 2024/1689)
Risk tiers + effective dates + penalties + obligations.
no | no

Pre-flight consent enforcement
Agents call /api/consent/check BEFORE processing, not after.
no | no

DPIA generator (live + snapshot)
Generated from live processing record; weekly snapshot for audit history.
no | Template

DPDP §16 / APPI Art 28 / PIPL Art 38 cross-border registries
Country-level lookup with sectoral caveats.
no | no

MCP server (agents call compliance tools)
@costrinity/vigil-compliance-mcp, 20 tools.
no | no

Indigenous data sovereignty (OCAP / CARE / UNDRIP)
COSTRINITY is Indigenous-owned. Real position, not marketing.
Authentic | no | no

Cryptocurrency-native payments (Solana Pay)
Lower fees, no card-network forex markup, India + EM friendly.
Card-only | Card-only

[ the built thing, verifiable ]

Numbers you can verify.

143 production API routes
28 compliance regimes
13 jurisdictions hand-coded
22 identifier validators
9 Indian sectoral regulators
16 US state privacy laws

Verify any number: /api/compliance/global-status, /api/.well-known/openapi, and /api/health/security are public + machine-readable.

[ positioning pillars ]

Four things that make us different.

Operator-first, not enterprise-first

Most compliance tools are sold to CISOs of 500-person companies. VIGIL is built for the solo founder shipping an AI agent who needs DPIA + breach + cross-border notice in 5 minutes, not a 6-week audit kickoff.

Honest pre-audit readiness

We don't claim SOC 2 / ISO 27001 / HIPAA attestations we don't have. We DO publish detailed pre-audit readiness scorecards mapping every control to evidence. Procurement teams get the truthful answer they can verify.

Indigenous-owned, with real position

COSTRINITY operates from Treaty 4 territory (Regina, Saskatchewan). We support OCAP™ + CARE Principles + UNDRIP Article 31 because we live them, not because they're marketable.

Crypto-native + local-first

Solana Pay billing skips card networks. storage_mode=local means events stay on the operator's device. VIGIL stores nothing server-side. Data sovereignty as a default, not a checkbox.

[ new in 2026 ]

VIGIL for agents, called by agents

The @costrinity/vigil-compliance-mcp package exposes 20 VIGIL compliance tools as MCP. Your AI agent can ask, mid-task: "Is this transfer DPDP §16 OK? Is this incident reportable? Is this AI use case high-risk under the AI Act?" and get the answer before it acts.

Compliance as runtime decision support, not yearly DPIA.

[ start here ]

Try VIGIL in three steps.

1. Read the surface

Hit /docs or pull the OpenAPI spec for the 143-route catalogue.

2. Sign up

Free tier on /upgrade. PayPal or Solana Pay. No card walls on the free tier.

3. Wire up MCP

Add @costrinity/vigil-compliance-mcp to your agent. Your LLM can now call VIGIL.
