Documentation

Step-by-step guides to get your company compliant with the EU AI Act.

Getting started

~15 minutes to onboard your first AI system

1

Create your account

Go to the sign-up page and fill in your name, company email and password. You'll receive a confirmation email. No credit card needed for the 14-day trial.

2

Set up your organization

Enter your company name, country, sector and size. This information helps the platform pre-select applicable obligations (e.g., public sector organizations have additional requirements under Annex III).

3

Add your first AI system

From the dashboard, click "Add AI system". Give it a name, a brief description and the intended purpose (e.g., "HR recruitment screening tool" or "Customer support chatbot"). Each tool, application or model that uses AI needs its own entry.

4

Run the classification wizard

Answer 8–12 plain-language questions about the system. The platform automatically determines the risk level (prohibited, high-risk, transparency obligations, minimal risk, or GPAI) and lists the exact obligations that apply.

5

Upload the user manual

Per Art. 13 + Art. 26(1), every AI system must have the provider's user instructions stored and accessible. Upload the manual (PDF, DOCX or URL) in the Document Vault. This step is required before deployment.

6

Register the deployment

Before going live, confirm the deployment: select the responsible person (deployment operator), the go-live date and the intended use environment. This creates the immutable audit trail required by Art. 26.

Tip: if a system was already in use before you registered it, enter the actual go-live date in the past. The platform will calculate which obligations were active from that date.

Risk classification

How the engine works and how to interpret the result

The five risk levels

Prohibited

Practices banned outright by Art. 5 (e.g., social scoring, real-time biometric surveillance in public spaces). These systems must not be deployed.

High-risk

Systems listed in Annex I (safety components of regulated products) or Annex III (AI in recruitment, credit scoring, law enforcement, education, critical infrastructure, etc.). Full obligation set applies.

Transparency obligations

Systems that interact with people (chatbots, emotion detection, deepfakes). Must disclose they are AI — Art. 50.

GPAI

General-purpose AI models integrated into your product (GPT-4o, Claude, Gemini, etc.). Triggers additional obligations under Art. 53–55 if you fine-tune or substantially integrate them.

Minimal risk

Most AI tools (spam filters, recommendation engines, AI-assisted productivity tools). No mandatory obligations — good practice documentation recommended.

How the classification engine works

The engine is rule-based (deterministic), not machine learning. It applies a decision tree of ~30 rules derived directly from the EU AI Act text and the Commission's Art. 3 and Art. 6 guidelines. Every decision is explainable and auditable — you can view the exact rule that triggered the classification.

When to re-classify

Re-run classification when: (1) the system's intended purpose changes, (2) the system is substantially modified (new training data, new features), or (3) new regulations come into force (e.g., Omnibus amendments). The platform will alert you when a re-classification is needed.

Important: if you are unsure about the classification of a system, document your reasoning in the "notes" field and consider consulting a legal expert. The platform records your justification as part of the audit trail.

Document Vault

What to upload and how retention works

Required documents per risk level

Required documents per AI system risk level
Document High-risk Transparency Minimal Legal basis
User manual (provider) ✅ Required ✅ Recommended Art. 13 + Art. 26(1)
FRIA report ✅ If Art. 27 applies Art. 27
DPIA / GDPR Art. 35 ✅ Required Art. 26(9)
EU Database registration (use) ✅ Public bodies only Art. 49(3)
Transparency notice (users) ✅ Required ✅ Required Art. 50 + Art. 26(11)
Operations log (6 months) ✅ Required Art. 26(5) + Art. 12
Incident reports ✅ Required ✅ If serious Art. 73
Annual review record ✅ Required Art. 26

Accepted file formats

PDF, DOCX, XLSX, PNG, JPG (max 50 MB per file). All files are scanned for malware on upload. URL links to external documents (SharePoint, Google Drive) are also supported with a reference note.

Document retention policy

Art. 12 requires keeping logs for at least 6 months after the end of the AI system's life. The platform automatically flags documents approaching the end of their retention window and sends reminders 30 days before deletion is possible.

Tip: documents uploaded to the Vault are versioned. If you upload a new version of the user manual, the previous version is archived (not deleted) so the audit trail remains complete.

Enterprise API & Webhooks

REST API for integrating compliance data with external GRC, BPM or BI tools.

Enterprise

The Enterprise API provides programmatic access to your compliance data. Authenticate with a personal access token generated in the platform.

Method Path Description
GET /api/v1/me Authenticated user info
GET /api/v1/ai-systems List AI systems (filterable)
GET /api/v1/ai-systems/{id} Single AI system
GET /api/v1/obligations 28 obligations with status
GET /api/v1/incidents List incidents
POST /api/v1/incidents Create incident + fires webhook

Webhook events

incident.created ai_system.classified ai_system.deployed ai_system.retired

Payloads are signed with HMAC-SHA256. Verify the X-EuAiComply-Signature header on each request.

Download OpenAPI 3.1 spec

Ready to start?

14-day free trial. No credit card required.

Create free account