AI Compliance Questionnaire — Draft Responses
Prepared for: Acme Workflows BV (fictional) · 13 July 2026 · For review before submission. Not legal advice.
Legal basis verified as of: 13–14 July 2026 (Regulation (EU) 2024/1689 via official OJEU text; Digital Omnibus status as adopted 29 June 2026)
Q1. Do you maintain an inventory of AI systems used in your product?
Yes. An AI systems inventory covering all AI functionality embedded in the product is provided as an appendix to this response (see "One-Page AI Inventory" below). It identifies each AI capability, the underlying model and provider, the purpose, the data processed, and the processing region. [PENDING CLIENT: confirm the internal owner responsible for keeping the inventory current as features change.]
Q2. Which foundation models or AI providers does your product rely on?
The product relies on Anthropic's Claude models, accessed via Anthropic's commercial API. No models are self-hosted, and no additional foundation-model providers are used. Anthropic is disclosed on our public subprocessor list.
Q3. Is customer data used to train or fine-tune any AI model?
No. Acme Workflows does not train or fine-tune any AI model, on customer data or otherwise. Customer document text is transmitted to the Anthropic API solely to generate the requested output, under a signed data processing agreement with Anthropic under which API inputs and outputs are not used for model training. [PENDING CLIENT: confirm the current version/date of the Anthropic DPA on file so it can be cited precisely.]
Q4. Describe how end users are informed they are interacting with an AI system.
Every AI-generated draft is labelled "AI-generated draft" within the application, at the point where the user encounters the content, and no draft becomes a final document without explicit human review and approval. This provides disclosure at the moment of exposure to AI output, consistent with the timing principle of Regulation (EU) 2024/1689, Art. 50(5) (information "at the latest at the time of the first interaction or exposure"). A complementary notice at first use of the AI assistant feature is recommended and noted in the Gap Summary.
Q5. Are you compliant with EU AI Act Article 50 transparency obligations?
Our position, structured per the Regulation: (1) Classification — the product is a report-drafting assistant for internal business documents; it is not among the high-risk use cases of Annex III, so the high-risk regime does not apply. (2) Applicable obligations — as the company offering an AI system under its own brand, Acme is a provider for the purposes of Art. 50; the relevant obligations are transparency towards users (Art. 50(1) and 50(5)), applicable from 2 August 2026 — a date confirmed and not postponed by the 2026 "Digital Omnibus" amendments. (3) Measures in place — in-product "AI-generated draft" labelling on all AI output, mandatory human review before any draft is used, and 90-day retention of prompt/output logs. (4) Ongoing work — items listed in the Gap Summary (first-interaction notice wording, formal AI use policy) are being addressed ahead of the application date. We do not claim blanket "full compliance"; we document concrete measures against each applicable article.
Q6. Provide details of your AI risk management and human oversight controls.
Human oversight: AI output never reaches a final document without user review and approval — a human-in-the-loop control at 100% of AI-generated content. Traceability: prompts and outputs are logged and retained for 90 days in our EU-hosted database (AWS Frankfurt), supporting audit and incident review. Data boundaries: AI processing is limited to documents the customer submits; retrieval indexes reside in the same EU environment. A formal, documented AI risk management policy and staff AI training programme are not yet in place; interim risk control is provided by the human-approval workflow and logging described above, and the policy work is identified in the Gap Summary as the priority item. [PENDING CLIENT: confirm intended timeline for adopting the internal AI policy so a target date can be stated.]
Gap Summary
| # | Gap | Impact on deal | Recommended action |
|---|---|---|---|
| 1 | No formal internal AI policy or staff AI literacy programme (Regulation (EU) 2024/1689, Art. 4 — in force since 2 Feb 2025 as a support-measures obligation) | High — commonly a scored question | Adopt a lightweight AI use policy (2–3 pages) and a short recorded training for staff; keep completion records |
| 2 | First-interaction AI notice: current labelling is per-draft; an explicit notice when the user first engages the AI assistant strengthens the Art. 50(5) position | Medium | Add a one-time in-app notice at first use of the AI feature |
| 3 | Anthropic DPA version not confirmed in intake | Medium — buyers often ask for the document | Locate the signed DPA; be ready to share on request |
| 4 | No certifications (SOC 2 / ISO 27001 / ISO 42001) | Medium-low for this deal size | State honestly if asked; evaluate ISO 42001 only if repeatedly required by target buyers |
| 5 | Inventory maintenance owner undefined | Low | Assign an owner; review quarterly |
One-Page AI Inventory
| Field | Detail |
|---|---|
| AI capability 1 | Report draft generation from customer data |
| AI capability 2 | Summarisation of uploaded documents |
| Model / provider | Anthropic Claude, via commercial API (no self-hosting, no fine-tuning) |
| Customer data sent to model | Document text as submitted by the customer (not anonymised) |
| Training on customer data | None |
| Processing region | Model API processing in US; data at rest in EU (AWS Frankfurt); retrieval index in EU |
| Human oversight | Mandatory user review and approval of every AI draft |
| Logging | Prompts and outputs retained 90 days (EU database) |
| User-facing disclosure | "AI-generated draft" label on all AI output |
| Subprocessor disclosure | Anthropic on public subprocessor list |
| DPA with model provider | Signed (Anthropic commercial DPA) |