EU AI Act — Our Transparency Report
How our compliance AI is trained, what data it sees, how it protects your confidential documentation, and where we stand on the EU AI Act compliance roadmap.
How the EU AI Act classifies our AI
The EU AI Act (Regulation 2024/1689) creates four risk tiers. Understanding where we sit is the first question every CTO and legal team asks.
Social scoring, real-time biometric surveillance, manipulation. We are not in this category.
Critical infrastructure, employment, essential services, law enforcement. We are not in this category.
AI systems that interact with users or generate content. Our AI extracts structured data from documents and interacts with compliance professionals. Transparency obligations apply.
Spam filters, AI in video games, basic automation. No mandatory obligations.
Our obligations under Limited Risk
We must (1) disclose when users are interacting with AI-generated content, (2) maintain a register of our AI system, and (3) cooperate with national competent authorities on request. We exceed all three requirements.
How our AI works — no black boxes
Every AI extraction in Traceable is traceable. Here is exactly what happens when you upload a document.
You upload a document
Zero cross-contamination: Your PDF, specification sheet, test report, or certificate is uploaded to your isolated EU-hosted workspace. It is never shared with other organisations and never used to train our models.
AI extracts structured data
Powered by Anthropic Claude: Our AI reads the document and extracts values that map to regulatory fields (e.g. Annex XIII for batteries, ESPR fields for textiles). It uses Claude (Anthropic) as its reasoning engine — the leading EU AI Act-aware foundation model.
Every extraction is source-linked
Full source citation: Each extracted value is linked back to the exact paragraph and page number in your document where it was found. You verify what the AI found — you are never asked to trust a number without seeing its source.
You verify and approve
Human-in-the-loop always: When the EU Central Registry goes live in July 2026, no value will be published without explicit human approval. Your compliance officer reviews each extracted field. You can override, correct, or flag any AI output before it is submitted.
Immutable audit trail
Regulator-ready audit log: Every AI extraction, every human review, and every approval is timestamped and stored in an immutable audit log. If a regulator asks why a specific value was submitted, you can show them exactly which document, which AI run, and which human approved it.
How we protect your confidential data
Your documents and extracted data are stored in an isolated workspace. No other organisation can query, view, or access your data — ever.
All data is stored exclusively on AWS eu-west-1 (Dublin, Ireland). We do not transfer data to US servers. Your data never leaves EU jurisdiction.
Documents you upload are used solely to extract compliance data for your passports. They are not used to fine-tune, retrain, or improve our AI models. This is contractually binding in our DPA.
All data is encrypted with AES-256 at rest. All data in transit uses TLS 1.3. Encryption keys are managed per-customer and rotated annually.
We sign a Data Processing Agreement (DPA) with every customer under Article 28 GDPR. The DPA explicitly covers AI processing and restricts any use beyond contracted purposes.
Every value extracted by AI is labelled "AI Extracted" in the UI. Users always know which data was AI-generated versus manually entered. There is no silent AI output.
Our EU AI Act compliance roadmap
The EU AI Act entered into force on 1 August 2024 with phased obligations. This is where we stand on each milestone.
AI Act enters force
Complete: Regulation (EU) 2024/1689 entered into force. We began our internal classification review and appointed an AI Act compliance lead.
Prohibited practices ban
Complete: Article 5 prohibitions apply. We confirmed none of our AI systems fall under prohibited categories. Internal review complete and documented.
GPAI model obligations
Complete: General-purpose AI rules apply. We use Anthropic Claude as our foundation model, which maintains its own EU AI Act compliance programme. Our DPA with Anthropic covers GPAI obligations.
Limited risk transparency obligations
In progress: Full transparency obligations for Limited Risk systems. We are implementing: AI system register, user-facing AI disclosures in UI, fundamental rights impact assessment, and post-market monitoring log. Target completion: Q2 2026.
Full regulation applies
Planned: All remaining articles apply. We will maintain our AI system register, conduct annual conformity assessments, and publish updates to this transparency report on a quarterly basis.
Questions about our AI?
Our legal and technical team reviews AI Act questions for enterprise prospects. If you need a completed security questionnaire, AI impact assessment, or custom DPA clause, contact us directly.