You're viewing a live instance of Velarc running against a sample tenant — MediPath Technologies — a fictional healthtech company with realistic clinical AI use cases.
One-click demo access — no account required. You're seeing the compliance officer and administrator view — the same view a CTO or audit lead would use to review AI activity across their organisation.
The traces in this demo were generated to simulate realistic clinical AI interactions. In a live deployment, each trace is captured in real time as it passes through the proxy.
The backend is a Java application running on dedicated infrastructure in Hetzner's EU-central data centre.
- Backend: Java 21 + Spring Boot 3.5.x
- Database: PostgreSQL 16
- Frontend: React 19 + TypeScript
- Proxy: Reverse proxy + TLS
- Hosting: Hetzner, eu-central
When a healthtech application calls POST /v1/proxy/chat, it sends both the AI request and structured business context — use case, business object, initiated by. Velarc stores everything together, then forwards the original request to the AI provider unchanged. The response is captured on the way back and a structured audit trail is written.
All of this happens in a single synchronous call. The client application sees no difference in behaviour. The compliance layer is invisible to end users.
A Spring Boot starter SDK is available — a single Maven dependency that auto-configures the Velarc proxy client. Automatic fallback routing if Velarc is ever unreachable is coming soon. The proxy API is also available directly for any HTTP client.
Velarc enforces governance at the point of entry, not after the fact. Requests from unregistered user identities or for unregistered use cases are rejected with a 422 error before any AI provider call is made. This is what distinguishes Velarc from observability tools, which accept everything and analyse later.
Human reviewers can record outcomes — approved, edited, rejected, or escalated — against any trace, with full audit trail.
Compliance reports can be exported in PDF, CSV, and JSON format and filtered by date range, use case, and status. Exports contain metadata only: no clinical or sensitive content is included, making reports safe to share with auditors.
Velarc captures everything that flows through it. Customers enforce network egress rules to ensure all AI traffic routes through the proxy. Both parts are required for a complete and credible audit trail: Velarc guarantees the integrity of what it captures, and the customer guarantees that everything passes through it.
Velarc is built with the same rigour we ask of our customers. 97% test coverage enforced in CI. Over 500 unit, integration, and end-to-end tests across the server and SDK.
End-to-end tests run against every build and every deployment. Automated dependency vulnerability scanning on every build. Continuous dependency monitoring across all ecosystems.
Every API request is authenticated via API key. The proxy rejects unauthenticated requests before any processing occurs.
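The ordering described above (authenticate the API key, then reject unregistered user identities and use cases with a 422, and only then call the AI provider) can be sketched as follows. This is an added example, not Velarc's code: the class, record and field names, the sample values, and the 401 status for unauthenticated requests are assumptions.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.UnaryOperator;

// Added illustration, not Velarc's code: every class, field and value name is hypothetical.
public class EntryGateExample {
    // Business context travels with the AI request (field names are assumptions).
    record ProxyRequest(String apiKey, String useCase, String businessObject,
                        String initiatedBy, String aiPayload) {}
    record ProxyResult(int status, String body) {}

    record EntryGate(Map<String, String> tenantByApiKey,   // API key -> tenant
                     Set<String> registeredUsers,           // "tenant/user"
                     Set<String> registeredUseCases,        // "tenant/useCase"
                     UnaryOperator<String> provider) {      // stand-in for the AI provider call
        ProxyResult handle(ProxyRequest req) {
            // 1. Authenticate first; 401 is an assumed status, the page does not name one.
            String tenant = req.apiKey() == null ? null : tenantByApiKey.get(req.apiKey());
            if (tenant == null) return new ProxyResult(401, "unauthenticated");
            // 2. Governance checks, scoped to the caller's tenant, before any provider call.
            if (!registeredUsers.contains(tenant + "/" + req.initiatedBy()))
                return new ProxyResult(422, "unregistered user identity");
            if (!registeredUseCases.contains(tenant + "/" + req.useCase()))
                return new ProxyResult(422, "unregistered use case");
            // 3. Only now is the original AI payload forwarded, unchanged.
            return new ProxyResult(200, provider.apply(req.aiPayload()));
        }
    }

    public static void main(String[] args) {
        int[] providerCalls = {0};   // counts how often the provider stand-in is reached
        EntryGate gate = new EntryGate(
            Map.of("key-demo", "medipath"),
            Set.of("medipath/dr.lee"),
            Set.of("medipath/discharge-summary"),
            payload -> { providerCalls[0]++; return "provider-response"; });
        ProxyRequest[] constructed = {   // constructed sample requests
            new ProxyRequest(null, "discharge-summary", "patient-123", "dr.lee", "{}"),
            new ProxyRequest("key-demo", "discharge-summary", "patient-123", "intern", "{}"),
            new ProxyRequest("key-demo", "triage-bot", "patient-123", "dr.lee", "{}"),
            new ProxyRequest("key-demo", "discharge-summary", "patient-123", "dr.lee", "{}"),
        };
        for (ProxyRequest r : constructed) {
            ProxyResult res = gate.handle(r);
            System.out.println(res.status() + " " + res.body() + " providerCalls=" + providerCalls[0]);
        }
    }
}
```

The provider counter stays at zero for the three rejected requests and increments only for the last one, which is the property an auditor would test for.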
Automated daily backups to cross-datacenter object storage with 30-day tamper-proof retention. Recovery procedures tested and documented.
Audit events are append-only by design — the application layer never modifies or deletes them. Database-level enforcement of append-only semantics is on the security roadmap.
Export everything via the reporting API at any time — no lock-in.
The production environment runs on dedicated infrastructure in Hetzner's ISO 27001-certified, GDPR-compliant EU-central data centre. Operational status is publicly visible at status.velarc.io. The production environment runs behind a load balancer with zero-downtime rolling deploys.
All data in transit is encrypted via TLS. Content is encrypted at rest using AES-256-GCM with per-tenant key isolation. BYOK — customer-managed keys via external KMS — is on the security roadmap. A Data Processing Agreement is required at all pricing tiers — a legal requirement before any customer data is processed.
Healthcare AI is explicitly classified as high-risk under Annex III of the EU AI Act. The enforcement deadline is 2 August 2026. Velarc is built to address two specific articles:
Note: Velarc addresses the technical logging obligations under Articles 12 and 19. Full EU AI Act compliance for a high-risk AI system involves additional obligations including risk management, technical documentation, and human oversight processes that are the responsibility of the deploying organisation. We recommend taking independent legal advice on your specific compliance position.
Velarc is in active development. The proxy, audit trail, and EU AI Act coverage described here are live and working today. The following are on the near-term roadmap:
- Resilient fallback: Automatic direct-to-provider routing if Velarc is unreachable, with local capture and reconciliation on recovery
- Retention enforcement: Automated enforcement of minimum retention periods per tier
- Scheduled reports: Automated compliance report delivery
- DB-level append-only: Database trigger enforcement of tamper-evident audit events
Questions? hello@velarc.io