EU AI Act Compliance Statement

1. Overview

This statement describes how Vette relates to Regulation (EU) 2024/1689 (the EU AI Act), so that the service can be used in European Union member states.

Vette is an AI-based analysis engine that automatically matches security and privacy requirements against available documentation from vendors of digital services. The requirements used in an assessment are either the customer organisation's own requirements or Vette's standard requirement sets, which customers may adopt in full or in part. The service automatically retrieves publicly available vendor documentation and also accepts documentation uploaded directly by the customer (such as SOC 2 reports, penetration-test reports, and ISMS descriptions).

The service produces structured output indicating whether relevant documentation was found and classifying the quality of evidence (third-party audit, contractual/legal documentation, or self-reported). All results are presented to a human reviewer who retains full authority to review, approve, or reject any assessment. The service supports both initial due diligence (pre-adoption) and ongoing monitoring during an active vendor relationship.

2. Classification

2.1 Not a Prohibited AI System

The service does not fall within any of the prohibited AI practices listed in Article 5 of the EU AI Act. It does not manipulate behaviour, exploit vulnerabilities, perform social scoring, conduct real-time biometric surveillance, or engage in any other prohibited practice.

2.2 Not a High-Risk AI System

We have assessed the service against Annex III of the EU AI Act, which lists high-risk AI system categories. Our assessment is that the service does not constitute a high-risk AI system, for the following reasons:

  • Sector: Vette operates in the domain of information security and procurement due diligence. It does not fall within any of the high-risk sectors enumerated in Annex III (e.g. biometric identification, critical infrastructure, education, employment, essential private and public services, law enforcement, migration, or administration of justice).

  • Nature of output: Vette produces a structured evidence quality assessment — indicating whether documentation was found and how it was sourced, rather than making decisions about natural persons. The subjects of assessment are vendor organisations, not individuals.

  • Human oversight: Vette does not make automated decisions. A human reviewer must actively review the AI-generated analysis and citations, and explicitly approve any conclusion. The AI output is advisory only. The service is explicitly designed not to replace human judgment, legal interpretation, or organisational accountability.

  • Decision effects: While the output from Vette may inform downstream procurement or vendor management decisions, those decisions are made by human professionals and are not automated or solely determined by the AI system.

  • Requirements source: Whether the requirements applied in an assessment originate from the customer organisation or from Vette's standard requirement sets, they serve as the analytical framework for the assessment only. The responsibility for acting on the output — and for any resulting decisions — remains with the customer organisation.

2.3 Use of a GPAI Model

Vette is built on a third-party general-purpose AI (GPAI) foundation model. Under the EU AI Act, obligations relating to the underlying GPAI model rest primarily with the GPAI model provider. As a provider building an application on top of a GPAI model, we are responsible for the overall system as deployed, including the safeguards, transparency, and human oversight described in this statement.

3. Transparency

In accordance with Article 13 of the EU AI Act and general transparency principles, users of the service are informed that:

  • The analysis is generated by an AI system.
  • AI-generated conclusions are supported by citations drawn from the vendor's documentation.
  • The requirements applied in any given assessment are either the customer's own or Vette's standard sets, and are visible to the reviewer.
  • All outputs require human review and approval before any reliance is placed on them.
  • The system does not make autonomous decisions, and it does not make the customer organisation compliant with any regulation; it supports the assessment work that such compliance may require.

4. Human Oversight

The service is designed with meaningful human oversight as a core architectural principle, consistent with Article 14 of the EU AI Act:

  • Every analysis is surfaced to a named human reviewer.
  • The reviewer can inspect the citations underpinning each conclusion and add their own assessments.
  • Approval is an explicit, optional action — the system does not proceed automatically.
  • Reviewers can override, reject, or escalate any AI-generated finding.
  • The service is designed to support the organisation's own decision-making, not to substitute for it.

5. Obligations as Provider

As the provider of this AI system, we commit to the following:

  • Maintaining technical documentation sufficient to demonstrate conformity with applicable requirements.
  • Implementing a quality management and post-market monitoring approach appropriate to the risk level of the system.
  • Ensuring the third-party GPAI model provider we rely upon complies with their obligations under the EU AI Act.
  • Reviewing this classification if the system's purpose, functionality, or deployment context changes materially — including if standard requirement sets are used in ways that could alter the nature or effect of the system's output.

6. Review and Updates

This statement will be reviewed frequently before the official launch of the service and at least annually thereafter, or whenever there is a material change to the system's functionality, the applicable guidance, or the regulatory environment.