Pillar II: Legal and Regulatory · § 10

Monitor ongoing compliance

A compliance program that runs once fails the second time it is inspected. Bizzi runs every legal control on a published cadence, keeps the evidence in a single repository, and measures itself with compliance KPIs reported to the CPTO and DPO every quarter. This section sets out the cadence, the repository, and the metrics.

Auditors do not accept “we did this once.” They expect a calendar, evidence per cycle, and traceable changes between cycles. You design the compliance program around that expectation rather than against it.

Activity | Frequency | Owner
--- | --- | ---
DPIA review per feature | Annual, or on material change | DPO and Steward
ROPA update | Continuous (on every new processing activity) | DPO
Sub-processor list review | Quarterly | DPO and CPTO
Vendor compliance check | Quarterly | Legal and CPTO
OSS license attestation | At every new model release | Legal and CoE
Internal compliance audit | Twice a year | Internal Audit
External compliance audit | Annual | External Auditor

Every audit needs evidence. You maintain a single evidence repository that holds:

  • DPIAs for every AI feature touching personal data.
  • ROPA at the organization level, version-controlled.
  • Vendor contracts and DPAs for every sub-processor.
  • OSS license attestations for every deployed open-source model.
  • Audit trail samples. Random samples of the audit log, each entry timestamped and hash-signed so that later edits can be detected.
  • Incident reports. Post-Incident Reviews for every SEV1 and SEV2.
  • Red-team reports. Internal and external penetration test results.
  • Training records. Compliance training certifications for every employee.

The repository enforces:

  • Strict access control (DPO, Legal, Internal Audit, CPTO).
  • Tamper-evident logging. Every access is recorded.
  • Off-site backups with retention beyond 5 years, as required by Decree 13.
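As an added illustration, not Bizzi's own code, of what "timestamped hash signatures" on audit-trail samples and a tamper-evident access log look like in practice, the Python below keeps each repository access as an HMAC-signed entry chained to the previous entry's signature, then verifies the chain. The key, the field names, and the four sample access events are assumptions constructed for the example.

```python
"""Tamper-evident audit log: HMAC-signed, hash-chained entries.

Added illustration, not Bizzi code. The key, the event records and the
verification policy are assumptions for the example.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Assumption: in production the signing key is held in a KMS/HSM by the
# logging service, never by the people whose access is being recorded.
DEMO_KEY = b"demo-key-for-illustration-only"


def _canonical(entry_without_sig):
    # Deterministic encoding so the same entry always hashes the same way.
    return json.dumps(entry_without_sig, sort_keys=True,
                      separators=(",", ":")).encode("utf-8")


def append_entry(chain, actor, action, obj, ts, key=DEMO_KEY):
    """Append one access record, signed over its content and the previous signature."""
    entry = {
        "seq": len(chain),
        "ts": ts,                    # ISO 8601 UTC timestamp supplied by the caller
        "actor": actor,
        "action": action,
        "object": obj,
        "prev": chain[-1]["sig"] if chain else GENESIS,
    }
    entry["sig"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    chain.append(entry)
    return entry


def chain_head(chain):
    """Signature of the last entry; record it off-box so tail truncation is detectable."""
    return chain[-1]["sig"] if chain else GENESIS


def verify_chain(chain, key=DEMO_KEY, expected_head=None):
    """Return (ok, first_bad_seq).

    Detects edits, reordering and deletions in the middle of the chain;
    deletions at the tail are only caught when expected_head is supplied.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        body = {k: v for k, v in entry.items() if k != "sig"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("sig", "")):
            return False, i
        prev = entry["sig"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def build_demo_log():
    """Constructed sample: four repository accesses (not real Bizzi records)."""
    chain = []
    events = [
        ("dpo", "read", "dpia/feature-42", "2024-01-08T09:00:00Z"),
        ("legal", "read", "dpa/vendor-7", "2024-01-08T09:05:00Z"),
        ("internal-audit", "export", "ropa/v12", "2024-01-08T09:30:00Z"),
        ("cpto", "read", "pir/sev1-2024-01", "2024-01-08T10:00:00Z"),
    ]
    for actor, action, obj, ts in events:
        append_entry(chain, actor, action, obj, ts)
    return chain


def tamper_edit(chain, seq, actor):
    """Attacker rewrites the actor on one entry; returns the modified copy."""
    forged = copy.deepcopy(chain)
    forged[seq]["actor"] = actor
    return forged


def tamper_delete(chain, seq):
    """Attacker removes one entry; returns the modified copy."""
    forged = copy.deepcopy(chain)
    del forged[seq]
    return forged


if __name__ == "__main__":
    log = build_demo_log()
    head = chain_head(log)
    print("intact:", verify_chain(log, expected_head=head))
    print("edited:", verify_chain(tamper_edit(log, 2, "contractor"), expected_head=head))
    print("middle deleted:", verify_chain(tamper_delete(log, 1), expected_head=head))
    print("tail deleted, no head:", verify_chain(tamper_delete(log, 3)))
    print("tail deleted, head known:", verify_chain(tamper_delete(log, 3), expected_head=head))
```

The last two calls show the caveat an auditor will probe: a chain with its newest entries cut off still verifies clean unless the verifier also knows the expected head. Publishing `chain_head()` to a location the log writer cannot alter (the off-site backup is one candidate) closes that gap, and the random samples taken for the evidence repository should carry the head recorded at sampling time.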

Some events trigger an audit outside the published cadence:

  • SEV1 incident. The Post-Incident Review demands a compliance review.
  • Material regulatory change. Updates to Decree 13 or a new EU AI Act phase.
  • Vendor breach. A sub-processor incident triggers a vendor risk register review.
  • Customer concern. A specific enterprise concern triggers an on-demand audit.
  • M&A activity. Bizzi acquiring or being acquired triggers full due diligence.

These are not operating KPIs (those live in Pillar I §12). They are compliance KPIs, reported to the CPTO and DPO each quarter.

Metric | Target
--- | ---
AI features with a completed DPIA | 100%, before production
Mean time to DSAR completion | Under 30 days (Decree 13 obligation)
Vendors failing quarterly review without a remediation plan | 0, every quarter

You also track the number of OSS models flagged with a license issue and resolved, and the number of incidents that include a compliance failure.

When a compliance change is material, three audiences hear about it:

  • Internal. Cross-squad announcement through the compliance channel. Training materials are updated.
  • Customers. Notice through the contract channel plus the quarterly transparency report.
  • Public. A BAGF minor-version update and a CHANGELOG entry.