Compliance & Governance

Lineage & liability

Every request leaves a lineage trail: which key, which user, which model, which provider, which policy version. The trail is queryable per-request and exportable per-data-subject for GDPR Article 15.

Regulated actors

The EU AI Act distinguishes providers (build the model), deployers (use it in a product), importers, distributors, and authorised representatives. Meridian Blue is a processor that sits between deployers and providers and produces machine-readable evidence of who is responsible for what for a given request.

  • Model provider — Article 53/55 obligations (training-data summary, systemic-risk red-team).
  • Deployer (you) — Article 26 use logging, Article 27 FRIA, Article 14 oversight, Article 50 disclosure, GDPR lawful basis.
  • Meridian Blue — Audit log integrity, residency tagging in the catalogue, policy versioning, request-level evidence.

Lineage API

Method  Path                                         Purpose
GET     /api/v1/data-lineage                         Query lineage records for the tenant.
GET     /api/v1/data-lineage/export/:dataSubjectId   Article 15 / Article 20 export packet for one data subject.

Routes are gated to the management roles. Both reads filter strictly on tenantId from the auth context.

Article 15 export

The export endpoint returns a JSON packet listing every request the data subject was tagged on (via end_user_id), the processors involved (per Article 15(1)(c)), and metadata for each transformation. The endpoint sets Content-Disposition: attachment; filename="dsar-<subject>.json" so a curl caller gets a downloadable file ready to forward to the data subject.

Unknown subject IDs return an empty packet (with the tenant's processors still listed) rather than a 404, so a caller cannot distinguish "subject exists but has no activity" from "subject does not exist" by inspecting the response. This closes an enumeration oracle.
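The following is an added illustration of the export behaviour described above; it is not Meridian Blue's own code. It assumes an in-memory list of constructed lineage records, a hypothetical `export_handler` that receives the tenant from the authenticated context (never from the request), and a management-role gate. It also sanitises the subject ID before placing it in the Content-Disposition header, a caveat the page does not spell out but which any caller-controlled value in a header needs.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lineage records (not real product data). Each record is one
# per-request trail: key, end user, model, provider, policy version, transformations.
LINEAGE_RECORDS: List[dict] = [
    {"tenantId": "t-acme", "requestId": "r-1", "end_user_id": "eu-42", "apiKeyId": "k-1",
     "model": "model-a", "provider": "provider-x", "policyVersion": "3",
     "transformations": [{"step": "pii-redaction", "policyVersion": "3"}]},
    {"tenantId": "t-acme", "requestId": "r-2", "end_user_id": "eu-42", "apiKeyId": "k-1",
     "model": "model-b", "provider": "provider-x", "policyVersion": "4",
     "transformations": []},
    # Same subject ID under a different tenant: must never leak into t-acme's export.
    {"tenantId": "t-other", "requestId": "r-9", "end_user_id": "eu-42", "apiKeyId": "k-7",
     "model": "model-a", "provider": "provider-y", "policyVersion": "1",
     "transformations": []},
    {"tenantId": "t-acme", "requestId": "r-3", "end_user_id": "eu-7", "apiKeyId": "k-2",
     "model": "model-a", "provider": "provider-x", "policyVersion": "4",
     "transformations": []},
]

# Constructed processor lists per tenant (Article 15(1)(c) recipients).
TENANT_PROCESSORS: Dict[str, List[str]] = {
    "t-acme": ["provider-x", "Meridian Blue"],
    "t-other": ["provider-y", "Meridian Blue"],
}

MANAGEMENT_ROLES = {"owner", "compliance-admin"}  # assumed role names

# Only a conservative character set reaches the header, so a subject ID cannot
# break out of the quoted filename or inject CR/LF into the response headers.
_SAFE_FILENAME = re.compile(r"[^A-Za-z0-9._-]")


def build_dsar_packet(tenant_id: str, data_subject_id: str) -> dict:
    """Build the Article 15 packet. Unknown subjects yield the same shape with an
    empty request list; the processors are listed regardless, so the response
    reveals nothing about whether the subject ID exists."""
    matched = [r for r in LINEAGE_RECORDS
               if r["tenantId"] == tenant_id and r["end_user_id"] == data_subject_id]
    return {
        "dataSubjectId": data_subject_id,
        "processors": TENANT_PROCESSORS.get(tenant_id, []),
        "requests": [
            {"requestId": r["requestId"], "apiKeyId": r["apiKeyId"], "model": r["model"],
             "provider": r["provider"], "policyVersion": r["policyVersion"],
             "transformations": r["transformations"]}
            for r in matched
        ],
    }


def export_handler(auth_context: dict, data_subject_id: str) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical handler for GET /api/v1/data-lineage/export/:dataSubjectId.
    Returns (status, headers, body). The tenant comes only from the auth context."""
    if auth_context.get("role") not in MANAGEMENT_ROLES:
        return 403, {}, ""
    tenant_id = auth_context["tenantId"]
    packet = build_dsar_packet(tenant_id, data_subject_id)
    safe_name = _SAFE_FILENAME.sub("_", data_subject_id)[:64] or "subject"
    headers = {
        "Content-Type": "application/json",
        "Content-Disposition": f'attachment; filename="dsar-{safe_name}.json"',
    }
    return 200, headers, json.dumps(packet, sort_keys=True)


if __name__ == "__main__":
    status, hdrs, body = export_handler({"tenantId": "t-acme", "role": "owner"}, "eu-42")
    print(status, hdrs["Content-Disposition"])
    print(body)
```

The two properties worth checking in review are that a record from another tenant with the same `end_user_id` never appears, and that a known subject with no activity and an unknown subject produce byte-for-byte the same response shape.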

Disputes

When an end user disputes a decision under Article 86, attach the lineage packet to the appeal: it shows which model produced the response, under which policy version, with what risk classification, and which signer stood behind that policy. The audit-vault entry hash is included so your reviewer can verify the chain hasn't been tampered with.
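As an added illustration of how a reviewer can use the vault entry hash from the packet, the code below assumes the audit vault is a SHA-256 hash chain in which each entry's hash covers the previous hash plus the canonical JSON of the entry. The page does not specify the vault's construction, so this is an assumed design, not Meridian Blue's own code; the entries and the helper names are constructed for the example.

```python
import copy
import hashlib
import json
from typing import List, Tuple

GENESIS = "0" * 64  # assumed anchor for the first entry


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so both sides hash identical bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, entry: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def build_vault(entries: List[dict]) -> List[dict]:
    """Link constructed entries into a chain of {entry, prevHash, hash} records."""
    chain, prev = [], GENESIS
    for e in entries:
        h = entry_hash(prev, e)
        chain.append({"entry": e, "prevHash": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: List[dict]) -> Tuple[bool, int]:
    """Recompute every link. Returns (True, -1) if intact, else (False, index)
    of the first link whose stored hash or back-pointer does not recompute."""
    prev = GENESIS
    for i, link in enumerate(chain):
        if link["prevHash"] != prev or entry_hash(prev, link["entry"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, -1


def packet_hash_is_anchored(packet_entry_hash: str, chain: List[dict]) -> bool:
    """The hash carried in the lineage packet must appear in an intact chain."""
    ok, _ = verify_chain(chain)
    return ok and any(link["hash"] == packet_entry_hash for link in chain)


# Constructed vault entries, one per request decision (not real product data).
SAMPLE_ENTRIES = [
    {"requestId": "r-1", "model": "model-a", "policyVersion": "3", "risk": "limited", "signer": "sig-a"},
    {"requestId": "r-2", "model": "model-b", "policyVersion": "4", "risk": "high", "signer": "sig-b"},
    {"requestId": "r-3", "model": "model-a", "policyVersion": "4", "risk": "limited", "signer": "sig-b"},
]


def tampered_policy_version(chain: List[dict], index: int, new_version: str) -> List[dict]:
    """Return a copy where one entry's policy version was altered after the fact."""
    bad = copy.deepcopy(chain)
    bad[index]["entry"]["policyVersion"] = new_version
    return bad


if __name__ == "__main__":
    vault = build_vault(SAMPLE_ENTRIES)
    print("intact:", verify_chain(vault))
    print("after tamper:", verify_chain(tampered_policy_version(vault, 1, "2")))
```

Altering an entry breaks its own hash; recomputing that hash to hide the change breaks the next link's back-pointer instead, which is why the reviewer verifies the whole chain rather than the single entry named in the packet.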