iCOMPLY Self-Compliance Report
We use our own platform to classify iCOMPLY under the EU AI Act and to produce our own transparency disclosures. This page is the public record. It is the first thing an auditor, customer, or journalist should ask for — so we publish it.
1. The iCOMPLY AI System
- System name: iCOMPLY Conversational Compliance Assistant
- Provider: AimRank AI Innovation Labs (registered in Lithuania)
- Intended purpose: Help SMEs prepare EU AI Act conformity documentation (classification, obligation mapping, Annex IV technical documentation, post-market monitoring plans, serious-incident templates, Declaration of Conformity). Output is advisory; the SME remains the provider or deployer of their own AI system.
- Underlying models: Anthropic Claude Sonnet 4.6 and Claude Opus 4.8 via AWS Bedrock, invoked through EU cross-region inference profiles (eu.anthropic.*) that keep model inference within EU AWS regions.
- Residency, not sovereignty: inference stays in EU AWS regions, but AWS and Anthropic are US-incorporated companies, so full EU sovereignty is a roadmap item (a planned migration to an EU-sovereign cloud) — not something we claim today.
- Training data: We do not train or fine-tune the underlying models. Customer conversations are not sent to Anthropic for training; AWS Bedrock is configured with zero data retention.
2. Risk Classification Under the EU AI Act
We walked iCOMPLY through the same classification flow we offer to customers. The classification reasoning, verbatim:
Article 5 (Prohibited Practices): Not triggered. iCOMPLY does not use subliminal techniques, exploit vulnerabilities, perform social scoring, scrape biometric identifiers, or do real-time remote biometric identification.
Annex III (High-Risk Categories): Not triggered. iCOMPLY does not decide access to essential services, does not perform creditworthiness or risk-based insurance underwriting, does not operate in employment decision-making, education proctoring, law enforcement, migration, or administration of justice. It produces documentation that the SME then uses to self-assess — it is preparatory to a human judgement, and its output is always reviewed by the customer (or our AIGP-certified specialist on paid tiers).
Annex I (Product Safety Legislation): Not triggered. iCOMPLY is not a safety component of a regulated product.
Article 50 (Limited Risk — Transparency): Triggered. iCOMPLY interacts directly with natural persons through its chat interface and generates text content. Article 50(1) and 50(2) obligations apply.
Chapter V (GPAI): iCOMPLY is a deployer of general-purpose AI models (Anthropic Claude) — not itself a GPAI provider. We rely on Anthropic's Article 53 transparency documentation.
3. Applicable Obligations We Comply With
3.1 Article 50(1) — Disclosure of AI Interaction
Every chat interface in iCOMPLY is explicitly labelled as an AI assistant. The welcome message, input field placeholder, and assistant avatar make clear the user is interacting with an AI system, not a human. Output text is streamed with a visible model indicator (“Claude Sonnet / Opus”).
3.2 Article 50(2) — Marking of AI-Generated Content
Every document generated by iCOMPLY carries a provenance block identifying:
- that the document was produced by an AI system;
- the underlying model(s) used across sections;
- the UTC timestamp of generation;
- the conversation ID(s) that contributed extracted data to the document;
- the iCOMPLY-internal document ID and section count.
DOCX exports render the provenance as a delimited [AI-PROVENANCE] … [/AI-PROVENANCE] block on the cover page — visible to human readers and grep-able by downstream tooling. The same provenance is available as structured fields on the document JSON returned by /api/documents/generate (the content.metadata object: generatedAt, model, conversationIds).
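A downstream check of the provenance described above, as an added example that is not iCOMPLY's own code: it extracts the [AI-PROVENANCE] block from exported text, validates the content.metadata fields, and reports where the cover-page block and the JSON disagree. The "key: value" layout inside the block, the ISO 8601 timestamp format, a string-valued model field, and all sample values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Delimiters come from the page; the "key: value" lines inside are an assumed layout.
BLOCK_RE = re.compile(r"\[AI-PROVENANCE\](.*?)\[/AI-PROVENANCE\]", re.DOTALL)

def extract_block(text):
    """Parse the single provenance block in exported text into a dict."""
    blocks = BLOCK_RE.findall(text)
    if len(blocks) != 1:  # a missing or duplicated block is a finding in itself
        raise ValueError(f"expected 1 provenance block, found {len(blocks)}")
    pairs = (line.split(":", 1) for line in blocks[0].splitlines() if ":" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def check_metadata(meta):
    """Return a list of problems found in a content.metadata object."""
    problems = []
    try:  # assumed format: ISO 8601 with an explicit UTC offset
        stamp = datetime.fromisoformat(str(meta.get("generatedAt")).replace("Z", "+00:00"))
        if stamp.utcoffset() != timedelta(0):
            problems.append("generatedAt is not UTC")
    except ValueError:
        problems.append("generatedAt is not a timestamp")
    if not isinstance(meta.get("model"), str) or not meta["model"].strip():
        problems.append("model is empty")
    ids = meta.get("conversationIds")
    if not isinstance(ids, list) or not ids or not all(isinstance(i, str) and i for i in ids):
        problems.append("conversationIds is empty")
    return problems

def mismatches(block, meta):
    """Names of fields where the cover-page block and the JSON disagree."""
    block_ids = [i.strip() for i in block.get("conversationIds", "").split(",") if i.strip()]
    diffs = [k for k in ("generatedAt", "model") if block.get(k) != meta.get(k)]
    if block_ids != meta.get("conversationIds"):
        diffs.append("conversationIds")
    return diffs

# Constructed sample data, not real iCOMPLY output.
SAMPLE_EXPORT = """Cover page
[AI-PROVENANCE]
generatedAt: 2025-01-15T09:30:00Z
model: example-model
conversationIds: conv-001, conv-002
[/AI-PROVENANCE]
Section 1 ..."""
SAMPLE_METADATA = {"generatedAt": "2025-01-15T09:30:00Z", "model": "example-model",
                   "conversationIds": ["conv-001", "conv-002"]}
```

Treating a missing or duplicated block as an error, rather than taking the first match, keeps a document with a stripped or pasted-in second block from passing the check.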
The current implementation satisfies Article 50(2) at the state-of-the-art level for text artefacts. Adoption of richer standards (e.g. C2PA Content Credentials for DOCX) is tracked as a quarterly review item. Our self-audit report (in the public repo at docs/SELF_AUDIT.md) documents the gap analysis and remediation history.
3.3 Article 4 — AI Literacy of Our Team
Our founding compliance specialist holds the IAPP AIGP credential. All contractors performing expert review on paid tiers must hold AIGP or equivalent AI-governance certification. AI literacy training is tracked as an ongoing requirement, not a one-off.
3.4 Article 10 — Data Governance (Voluntarily Applied)
Although we are not a high-risk provider, we apply Article 10-style data governance to the data we process:
- Customer conversation data is isolated by organizationId at the database layer. Every query is tenant-scoped.
- No customer conversation or document content is used to train or evaluate any ML model.
- Uploaded source documents are stored on the EU-hosted VPS data volume and served only via short-lived, authenticated, app-streamed responses (no public URLs). Full-disk encryption of the data volume is completed before any real customer data is processed.
- Audit logs capture every create / update / review action with user, IP, and timestamp.
3.5 Article 13-14 — Transparency & Human Oversight
The classification output includes a confidence level and surfaces edge cases explicitly so the user can override. Paid-tier outputs additionally pass through AIGP-specialist review — a human in the loop before the document reaches the customer.
4. What iCOMPLY Is Not
We publish this section because the boundary matters more than the tagline.
- Not a law firm. Our specialists hold AIGP, not bar licences. Outputs are compliance advisory — not legal advice or regulator defence.
- Not a notified body. We do not perform Annex VII conformity assessments. For biometric-ID systems under Annex III point 1, our outputs prepare the technical documentation that a notified body will then assess.
- Not a substitute for the provider's judgement. iCOMPLY produces documentation inputs. The provider signs the Declaration of Conformity, registers in the EU database (Article 49), operates post-market monitoring (Article 72), and reports serious incidents (Article 73). Our platform provides templates and reminders — it does not file on your behalf.
5. Post-Market Monitoring of iCOMPLY Itself
Even though the platform is limited-risk, we operate the same monitoring cadence we recommend to customers:
- Per-organisation token and cost logging (via the usage_logs table) to detect runaway generation loops or anomalous usage.
- Conversation-state validation on every read — corrupted state is logged and reset rather than silently propagated.
- Tool-input validation on every model call; malformed inputs are refused and reported back to the model with a specific reason.
- Rate-limited APIs on chat, document generation, uploads, and reviews.
6. Incident Reporting
Although Article 73 serious-incident obligations do not apply to limited-risk systems, we operate a voluntary disclosure policy. If an iCOMPLY output materially contributes to a customer's compliance failure and the cause traces to a defect on our side, we will disclose publicly within 30 days and notify all potentially affected customers within 15 days. Reporting contact: security@aimrank.io.
7. Review Cadence
This self-compliance report is reviewed at least quarterly, and re-issued whenever:
- the underlying model family changes,
- a new feature is added that could change the risk classification (for example, any feature that makes automated decisions about natural persons),
- a relevant harmonised standard is published under Article 40, or
- a regulatory update changes applicable obligations.
Questions, corrections, or an audit request? compliance@aimrank.io. Related pages: Terms of Service · Privacy Policy.