AI compliance for healthtech

When an NHS trust asks if you can prove your AI decisions — what do you say?

Velarc is a compliance layer for AI. It sits between your application and your AI provider, capturing every interaction with the business context auditors actually need.

Observability tools track costs and latency. Enterprise governance platforms cost six figures and take months to implement. Nothing exists for healthtech companies that need to demonstrate AI compliance now — before August 2026, before the next procurement conversation, before the first audit.

01 — Integrate
One API call

Point your application at the Velarc proxy endpoint instead of your AI provider directly. Add structured business context as metadata — use case, business object, user. That's the integration. A Spring Boot starter SDK for zero-boilerplate configuration is coming soon.

02 — Capture
Every interaction logged

Who initiated it, what clinical object it touched, what the AI decided. Structured business context, not just prompts and responses.

03 — Prove
Audit-ready on demand

When an auditor or NHS trust asks for your AI audit trail, you have one. Export it, share it, stand behind it.

Complete audit trail

Every AI interaction logged automatically. Audit events are append-only by design — the application layer never modifies or deletes them. Database-level enforcement is on the security roadmap.

Structured business context

Not just prompts and responses — clinical objects, user identity, use case metadata captured with every call.

EU AI Act coverage

Articles 12 and 19 for high-risk AI systems — automatic event logging and minimum six-month retention. Enforceable 2 August 2026.

Governance enforcement

The proxy doesn't just log — it enforces. Unknown users, unregistered use cases, and unapproved business object types are rejected with a clear error before they reach your AI provider. Your audit trail is controlled by policy, not developer discipline.

Provider-neutral

Works with OpenAI, Anthropic, and Azure OpenAI. Azure OpenAI support meets the data residency requirements of NHS and UK enterprise customers. Additional providers — including Google Gemini and AWS Bedrock — are on the roadmap.

Completeness guarantee

Velarc sits in the request path — not alongside it. Configure your network egress to allow only the Velarc endpoint and block direct AI provider access. Compliance is enforced by infrastructure, not by hoping every developer remembered to add logging.

Vanta automated SOC 2 evidence for startups. Velarc does the same for AI governance in regulated industries.

Spring Boot starter SDK

A single Maven dependency that auto-configures the Velarc proxy client via your existing application.yml. Zero boilerplate. No manual HTTP client wiring required.

Resilient proxy with fallback

If Velarc is ever unreachable, your AI traffic continues directly to your provider — uninterrupted. The SDK captures the interaction locally and reconciles it with your audit trail automatically on recovery.

Encryption at rest

AES-256-GCM application-layer encryption for AI request and response content, with per-tenant key management via external KMS. Infrastructure and schema are already in place.

Scheduled compliance reports

Export what an auditor actually needs — a structured record of AI activity for a given period, by use case, by user. Manual export and scheduled automated delivery are both on the roadmap.

Configurable retention periods

Configurable retention policies per pricing tier — six months on Starter, twelve months on Professional. Six months meets the EU AI Act Article 19 minimum. Professional's twelve-month default and Enterprise's configurable retention accommodate sectoral obligations — such as those common in healthcare — that require longer.

Self-hosted deployment

Run Velarc on your own infrastructure for full data residency control. Available at Enterprise tier. Designed for organisations with strict cloud infrastructure requirements.

EU AI Act — enforceable 2 August 2026

Healthcare AI is explicitly classified as high-risk under the EU AI Act. From August 2026, operators must automatically log AI interactions with a minimum six-month retention period. Velarc is built specifically to meet these obligations — not retrofitted from a developer observability tool.

Starter
£399
per month
  • Audit trail and trace logging
  • Up to 3 use cases
  • 6-month retention
  • Manual export
  • Email support
  • Data Processing Agreement included
Enterprise
Custom
annual contract
  • Everything in Professional
  • Self-hosted deployment
  • Custom retention period
  • Dedicated support + SLA
  • Data Processing Agreement included

Built by a healthcare technology engineer with 30 years in regulated industries.

Request early access

We're onboarding a small number of healthtech companies ahead of the August 2026 deadline. Get in touch to start the conversation.
