Article 22 of the GDPR grants data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The data subject has the right to:
The EU AI Act adds further requirements: high-risk AI systems must be designed to allow human oversight (Art 14), enable effective interpretability, and provide transparency to deployers and affected persons.
DEFONEOS implements a multi-layered safeguard framework that ensures no purely automated decision with legal or significant effects can be made without human review opportunities, oversight mechanisms, and contestability.
The safeguard architecture described here is the designed system โ the BFT council, red lines, and stop button are functional in the sovereign substrate. However, DEFONEOS has not been deployed in a live public-service context where automated decisions affect data subjects. The "8 subject rights automated" describe the GDPR rights that the system's design supports, not rights that have been exercised in practice by real data subjects. The BFT quorum (23/33) is the governance rule, not a guarantee of correct decisions โ it ensures distributed consensus before action.
Seven red lines are embedded in the system at the protocol level. These are not configurable โ they cannot be overridden by any agent, council, or operator without source code modification and full BFT council approval. Attempting to violate a red line triggers an automatic halt and security SIGIL.
| Red Line | What It Prevents | Enforcement |
|---|---|---|
| โ No kinetic targeting | Strike packages, find-fix-finish, kill orders | Code-level refuse + SIGIL alert + halt |
| โ No personal surveillance | Individual tracking, face-rec, phone locating | Code-level refuse + SIGIL alert + halt |
| โ No false certifications | Claims without signed letters/evidence | Template lock + SIGIL verification |
| โ No DEFONEOS-SEAL without vote | Credential issuance without 23/33 quorum | Multi-sig enforcement (BFT) |
| โ No DSEI without pilot letter | Booth booking without MOD partner | Manual gate + evidence check |
| โ No defonos.io domain | Known trap domain acquisition | DNS blocklist |
| โ No compartment cross-linking | Mixing meok-defoneos / csoai-defoneos / dagon | Build pipeline isolation + audit |
No significant decision is made by a single agent. The 33-agent BFT (Byzantine Fault Tolerant) council must reach a quorum of 23/33 (70%) before any governance action is executed. Each vote is Ed25519-signed and recorded on the SIGIL chain.
| Decision Type | Quorum Required | Timeout | Default if No Quorum |
|---|---|---|---|
| Standard governance action | 23/33 (70%) | 5 minutes | Reject (safe default) |
| DEFONEOS-SEAL credential | 23/33 (70%) | 1 hour | Reject |
| Red line override request | 33/33 (100%) | 24 hours | Reject (hard stop) |
| Emergency halt | 11/33 (33%) | 30 seconds | Halt immediately |
| Recovery from halt | 23/33 (70%) | 1 hour | Stay halted |
| New MCP approval | 23/33 (70%) | 10 minutes | Reject |
| Conformity assessment | 23/33 (70%) | 24 hours | Reject |
Safe default: In all cases, if quorum is not reached, the safe default is NO ACTION. The system never proceeds without sufficient consensus.
For any decision that could produce legal effects or significantly affect a person, DEFONEOS routes the decision to a human reviewer before execution. The system pauses and waits for human input.
| HITL Trigger | What Pauses | Who Reviews | SLA |
|---|---|---|---|
| Automated decision with legal effect | Decision execution | Human operator + BFT council | 4 hours |
| Cross-border data transfer | Data export | Data Protection Officer | 24 hours |
| New high-risk use case | Feature deployment | DPO + council + risk officer | 48 hours |
| External communication | Message/email send | Human operator (Nick) | Manual |
| Financial transaction | Payment/charge | Human operator (Nick) | Manual |
| Serious incident report | Auto-report to regulator | DPO | 72 hours (Art 73) |
A physical and software stop button exists at the system level. When pressed, all automated processing halts within 2 seconds. The stop event is logged on the SIGIL chain with a SECURITY op type.
| Property | Specification |
|---|---|
| Response time | < 2 seconds (verified) |
| Scope | All MCP processing, all automated decisions, all agent activity |
| Recovery | Requires 23/33 BFT quorum + human confirmation |
| Logging | SIGIL SECURITY event with timestamp, actor, reason |
| Notification | All agents notified via SIGIL broadcast |
| Tested | Monthly drill, last tested: 2026-06-30 (1.8s) |
Every automated decision includes a machine-readable explanation of why the decision was made, what data was used, and which rules/models produced the output. Explanations are generated automatically and stored on the SIGIL chain.
| Explanation Component | Content | Available To |
|---|---|---|
| Decision rationale | Rule/model that fired, threshold that triggered | Data subject + DPO |
| Input data | What data was processed (GDPR Art 15) | Data subject |
| Confidence level | Statistical confidence of the output | Operator + DPO |
| Alternative outcomes | Other possible decisions and their scores | DPO + council |
| Council vote record | How each agent voted (if BFT decision) | DPO + auditor |
| Red line check | Confirmation that decision passed all 7 red lines | Auditor |
Data subjects affected by automated decisions have clear, accessible paths to object, contest, and seek human review.
| Right | Legal Basis | How to Exercise | Response SLA |
|---|---|---|---|
| Object to automated processing | GDPR Art 21 | Written request to DPO | 1 month |
| Human review of decision | GDPR Art 22(3) | Written request to DPO | 15 days |
| Express point of view | GDPR Art 22(3) | Hearing or written submission | 15 days |
| Contest decision | GDPR Art 22(3) | Written challenge with evidence | 30 days |
| Right to explanation | GDPR Recital 71 + Art 15 | Access request | 1 month |
| Right to erasure | GDPR Art 17 | Erasure request | 1 month |
| Right to lodge complaint | GDPR Art 77 | Complaint to ICO (UK) | Per ICO |
| Judicial remedy | GDPR Art 79 | Court proceedings | Per court |
DEFONEOS actively mitigates the risk that human reviewers over-trust automated outputs ("automation bias"). Without active mitigation, human oversight becomes a rubber stamp.
| Mitigation | How It Works |
|---|---|
| Confidence calibration display | Decisions presented with explicit confidence scores. Low-confidence decisions flagged for closer review. |
| Dissenting opinion display | If BFT council had dissenting votes, dissenting views are shown to reviewer. |
| Random review sampling | 10% of high-confidence automated decisions are randomly selected for human review. Reviewers don't know which were sampled vs. mandatory. |
| Decision difficulty estimation | System estimates decision difficulty and presents harder cases with more context. |
| Reviewer performance tracking | Tracks reviewer agreement rate. Alerts if reviewer agrees >95% (possible rubber-stamping) or <60% (possible adversarial review). |
| Counterfactual presentation | Shows what the decision would be under different inputs, encouraging critical thinking. |
| Requirement | Legal Basis | Status | Evidence |
|---|---|---|---|
| Right not to be subject to solely automated decision | Art 22(1) | โ MET | No decision with legal effect is made solely by machine. HITL required. |
| Exceptions: contract/necessary, authorised by law, explicit consent | Art 22(2) | โ ๏ธ CONTEXTUAL | Depends on use case. Each deployment must identify which exception applies. |
| Human intervention safeguards | Art 22(3)(a) | โ MET | HITL framework. 4-hour SLA for legal-effect decisions. |
| Right to express point of view | Art 22(3)(a) | โ MET | Written submission or hearing within 15 days. |
| Right to contest decision | Art 22(3)(a) | โ MET | Written challenge with evidence within 30 days. |
| Special category data protection | Art 22(4) | โ MET | Special category data (Art 9) requires additional safeguards. DPIA mandatory. |
| Information about automated decision-making | Art 13(2)(f), 14(2)(g) | โ MET | Privacy notice includes Art 22 information. Decision explanations available. |
| Meaningful information about logic | Art 13(2)(f) | โ ๏ธ PARTIAL | Explanations generated but "meaningful" for laypersons needs UX work. |
| EU AI Act Article | How DEFONEOS Complies |
|---|---|
| Art 13 โ Transparency | Deployer instructions include automated decision-making disclosure. See Transparency for Deployers. |
| Art 14 โ Human Oversight | 5-level oversight framework. See Human Oversight. |
| Art 86 โ Right to Explanation | Individual right to explanation of individual decision-making. See Right to Explanation (planned). |
| Art 26 โ Deployer Obligations | Deployers must ensure human oversight per Art 26(2). Framework supports this. |
| Art 10 โ Data Governance | Data used for automated decisions governed by Art 10. See Data Governance. |
Every automated decision has a complete accountability chain, traceable on the SIGIL chain:
If any step in the chain fails verification, the decision is flagged as non-compliant and automatically halted.
What IS working: The BFT council, red lines, stop button, and SIGIL logging are functional components of the sovereign substrate. The accountability chain architecture is real. The safeguard framework describes how the system is designed to operate.
What IS NOT proven: DEFONEOS has not been deployed in a context where automated decisions affect real data subjects. The HITL SLAs, contest timelines, and automation bias mitigations are designed policies, not operationally tested workflows. The "meaningful information about logic" requirement (Art 13(2)(f)) requires layperson-comprehensible explanations โ current explanations are technical and would need UX work for data subjects. The right-to-contest workflow assumes a functioning DPO (Data Protection Officer) role that is not yet formally designated.
What's missing: (1) Formally designated DPO, (2) Layperson-comprehensible explanation interface, (3) Operational testing of contest workflow, (4) Integration with ICO (Information Commissioner's Office) complaint pathway.
7 personas ยท 5 tiers ยท 30-second signup ยท free 30-day sandbox for regulators and end-users.
Sign up ยท Ed25519-signed receipt โ For Defence Primes For Regulators (Free) Series A โ ยฃ45-90M Round