EU AI Act (Regulation 2024/1689) Transparency Notice

AI Transparency Notice

Last updated: May 2026. This notice is published pursuant to Article 50 of the EU AI Act (Regulation 2024/1689) and describes how Kodex-Compliance uses artificial intelligence within the Kodex Compliance Scanner.

1. AI System Overview

System name: Kodex Compliance Scanner
Purpose: Automated analysis of organisational evidence against EU regulatory frameworks (GDPR, EU AI Act, ISO 27001, SOC 2, NIS2, DORA, CRA)
Provider: Kodex-Compliance
Version / release: 2026
Intended users: Compliance officers, legal teams, engineering leads, and data protection officers within organisations subject to EU regulation

The Kodex Compliance Scanner assists organisations in assessing their compliance posture against applicable EU regulatory frameworks. It gathers and analyses evidence — such as policy documents, audit logs, and integration signals — and produces structured compliance reports with confidence-scored control evaluations and remediation guidance.

This system is a compliance assistance tool that supports human decision-making. It does not replace the judgement of qualified legal, compliance, or technical professionals, and it does not make binding legal determinations.

2. Risk Classification

Self-assessment: Limited risk (Art. 50 transparency obligations apply)

The Kodex Compliance Scanner is not classified as a high-risk AI system: it does not fall within any of the high-risk categories enumerated in Annex III of the EU AI Act. Specifically:

  • It is not used in critical infrastructure management or safety components thereof
  • It is not used for educational or vocational admission or assessment decisions
  • It is not used for employment, worker management, or access to self-employment decisions
  • It is not used in essential private or public services (e.g., credit scoring, benefit determination)
  • It is not used for law enforcement, migration or asylum, or the administration of justice

The system provides advisory compliance assessments and does not make binding legal decisions, does not directly affect fundamental rights, and requires human oversight and independent verification for all compliance determinations. Accordingly, it is classified as a limited-risk AI system subject to the transparency obligations under Article 50 of the EU AI Act.

This classification is a self-assessment by Kodex-Compliance and has not been independently verified by a notified body. We review this classification on a regular basis and will update it if the system's capabilities or deployment context change materially.

3. AI Models Used

Foundation models in use:

  • Scanning & analysis: Anthropic Claude (claude-sonnet-4-20250514)
  • Compliance chat assistant: Anthropic Claude (claude-haiku-4-5-20251001)

These are general-purpose large language models (LLMs) developed by Anthropic PBC, accessed via API. Kodex-Compliance does not perform custom model training, fine-tuning, or reinforcement learning on user data.

The AI models are used for the following tasks:

  • Evidence analysis — interpreting uploaded documents, policy excerpts, and integration signals against regulatory control requirements
  • Control evaluation — assessing whether each regulatory control is met, partially met, or unmet based on available evidence, and assigning confidence scores
  • Report generation — producing structured compliance reports, gap analyses, and remediation roadmaps
  • Compliance chat — answering user questions about regulatory requirements, scan results, and remediation steps
  • Cross-framework shadow pass — identifying coverage overlap and gaps across multiple regulatory frameworks

4. How AI Is Used in Scans

The scanning pipeline proceeds as follows:

1. Evidence assembly

Documents, code signals, and third-party integration data are gathered. Excerpts relevant to each regulatory control are extracted and synthesised into a structured evidence package.

2. Control evaluation

For each regulatory control, the AI model evaluates the assembled evidence and produces a pass, partial, or fail determination along with a confidence score between 0 and 1.

3. Clarification requests

Where the confidence score for a control falls below 0.35, the system automatically generates a clarification request asking the user for additional context or evidence.

4. Scoring and reporting

Compliance scores are calculated from the control results. A final report is generated including the overall score, per-control detail, confidence levels, identified gaps, and a prioritised remediation roadmap.

Human-in-the-loop

Users can provide clarifications at any stage, override individual control assessments, and must independently verify all results before acting on them. No compliance determination is final without human review.

5. Limitations and Known Risks

Users should be aware of the following limitations before relying on AI-generated assessments:

  • AI assessments are probabilistic, not deterministic — the same evidence may produce slightly different results across runs
  • Confidence scores reflect the model's estimated certainty, not a guarantee of accuracy
  • The system may produce false positives (flagging compliant items as non-compliant) or false negatives (failing to identify genuine gaps)
  • Evidence quality directly affects assessment quality — incomplete, outdated, or misleading evidence will produce unreliable assessments
  • The AI cannot independently verify the authenticity, completeness, or provenance of uploaded documents
  • Rapidly evolving regulatory guidance (e.g., European Data Protection Board opinions, ENISA guidance) may not be immediately reflected in the model's outputs
  • The system is not a substitute for qualified legal, compliance, or technical professional advice

6. Human Oversight Measures

Kodex-Compliance has implemented the following measures to ensure meaningful human oversight of AI-generated outputs:

  • All scan results include per-control confidence scores so users can identify and scrutinise low-confidence determinations
  • A clarification mechanism allows users to supply additional context before results are finalised
  • All results are advisory — the system takes no automated enforcement actions
  • Users can request a full human review of any AI-generated determination via our support channel
  • The cross-framework shadow pass provides a second, cross-checking pass for multi-framework assessments; it is produced by the same AI models as the primary scan, so it supplements rather than replaces human review
  • Scan reports carry explicit disclaimers reminding users that results require independent verification

7. Data Isolation Architecture

The AI never accesses your systems directly.

Kodex's own servers fetch data from your connected integrations (GitHub, Google Workspace, Slack, Notion) using the OAuth tokens you authorise. The AI model has no access to your repositories, accounts, or infrastructure. It only receives a pre-processed, anonymised summary of compliance signals from Kodex.

1. Kodex fetches evidence (no AI involved)

When you start a scan and select a repository, Kodex’s server connects to the GitHub API using your OAuth token. It reads file names and configuration metadata — not your source code. The result is a set of boolean signals: “has authentication middleware: yes/no”, “has branch protection: yes/no”, “has CI/CD: yes/no”. The same pattern applies to Google Workspace, Slack, and Notion — Kodex’s server fetches the data, not the AI.

2. PII is stripped before AI sees anything

Before any data reaches the AI model, Kodex runs a PII anonymiser that replaces emails with [EMAIL], phone numbers with [PHONE], personal names with [PERSON], national ID numbers (German, French, Spanish, Italian, UK) with [ID], IBANs with [IBAN], your company name with [COMPANY], and URLs with [URL]. The AI only needs to understand policy structure and control language, not who wrote it or who it is about. Like any pattern-based redaction this is best-effort: identifiers in formats outside the list above (for example national ID numbers from countries other than those listed) are not recognised and may survive in the excerpt, which is one reason Section 5 asks you to review what you upload.

3. AI receives only anonymised signals

The AI model receives a sanitised dossier containing: boolean compliance signals (e.g. “hasAuth: true”), anonymised document excerpts with PII removed, regulatory control descriptions, and framework metadata. It acts as a judge evaluating pre-gathered evidence — it does not search, browse, or connect to any external system.

What data is sent to the AI model:

  • Anonymised boolean signals (e.g. “hasAuth: true”, “hasBranchProtection: true”)
  • Anonymised document excerpts with all PII replaced by placeholders
  • Regulatory control descriptions
  • User-provided clarification answers
  • Framework and company metadata (industry, country, size — no names or identifiers)

What is NOT sent to the AI model:

  • OAuth tokens, API keys, or authentication secrets (extracted and isolated before processing)
  • Source code, repository contents, or file contents
  • Personal names, email addresses, phone numbers, or national ID numbers
  • Payment or billing data
  • Direct access to GitHub, Google Workspace, Slack, Notion, or any other integration

Data transmitted to Anthropic's API is subject to Anthropic's Privacy Policy and Data Processing Agreement. Anthropic does not use API inputs to train its models. All data is transmitted over TLS-encrypted channels. For details on how Kodex-Compliance processes your data, please see our Privacy Policy.
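The three pre-processing steps described above (boolean signals derived from file names, PII anonymisation with placeholder tokens, and secrets pulled out before anything is sent) plus a final send gate, as an added Python illustration. This is not Kodex's code and makes no claim about how the real scanner is built: the regular expressions, the UK National Insurance number used as the only [ID] format, a known-persons list standing in for a real name detector, the file-name heuristics, and the sample excerpt are all constructed assumptions. The part a practitioner should copy is the last step: every detector is run again over the sanitised text and the dossier is refused if anything still fires.

```python
"""Hypothetical pre-processing stage: boolean signals, secret isolation, PII redaction, send gate.
Added illustration only; not the Kodex-Compliance implementation."""
import json
import re
from typing import Dict, List, Tuple

# 1. Boolean signals from file paths only (heuristic; branch protection would come from the API).
def derive_signals(paths: List[str]) -> Dict[str, bool]:
    return {
        "hasCI": any(p.startswith(".github/workflows/") or p in (".gitlab-ci.yml", "Jenkinsfile")
                     for p in paths),
        "hasAuth": any("middleware" in p and "auth" in p.lower() for p in paths),
        "hasDependencyLock": any(p in ("package-lock.json", "poetry.lock", "go.sum", "Cargo.lock")
                                 for p in paths),
    }

# 2. Secrets are extracted and returned separately; they never become part of the dossier.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
}

def extract_secrets(text: str) -> Tuple[str, List[Tuple[str, str]]]:
    found = []
    for name, rx in SECRET_PATTERNS.items():
        found.extend((name, m.group(0)) for m in rx.finditer(text))
        text = rx.sub("[SECRET]", text)
    return text, found

# 3. PII placeholders. Order matters: structured identifiers first, the loose phone pattern last.
PII_RULES = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")),
    ("ID", re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),          # UK National Insurance number (assumed format)
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("URL", re.compile(r"https?://\S+")),
    ("PHONE", re.compile(r"\+?\d[\d\s().\-]{6,}\d")),
]

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, letters A..Z -> 10..35."""
    s = iban.replace(" ", "")
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def anonymise(text: str, company: str, known_persons: List[str]) -> Tuple[str, Dict[str, int]]:
    counts: Dict[str, int] = {}
    for tag, rx in PII_RULES:
        def repl(m, tag=tag):
            if tag == "IBAN" and not iban_checksum_ok(m.group(0)):
                return m.group(0)                # IBAN-shaped but checksum fails: leave it, count nothing
            counts[tag] = counts.get(tag, 0) + 1
            return f"[{tag}]"
        text = rx.sub(repl, text)
    for name in known_persons:                   # stand-in for a name detector; assumed list
        text, n = re.subn(re.escape(name), "[PERSON]", text, flags=re.I)
        counts["PERSON"] = counts.get("PERSON", 0) + n
    text, counts["COMPANY"] = re.subn(re.escape(company), "[COMPANY]", text, flags=re.I)
    return text, counts

# 4. Send gate: re-run every detector over the sanitised text; anything still firing blocks the send.
def residual_findings(text: str) -> List[str]:
    hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]
    for tag, rx in PII_RULES:
        if any(tag != "IBAN" or iban_checksum_ok(m.group(0)) for m in rx.finditer(text)):
            hits.append(tag.lower())
    return hits

def build_dossier(paths: List[str], excerpt: str, company: str, persons: List[str]) -> dict:
    text, secrets = extract_secrets(excerpt)
    text, counts = anonymise(text, company, persons)
    leaks = residual_findings(text)
    if leaks:
        raise ValueError(f"refusing to send dossier, residual PII/secrets: {leaks}")
    return {"signals": derive_signals(paths), "excerpt": text,
            "redactions": counts, "secrets_isolated": len(secrets)}

# Constructed sample input (no real person, company, account or token).
SAMPLE_PATHS = [".github/workflows/ci.yml", "src/middleware/auth.py", "package-lock.json", "README.md"]
SAMPLE_EXCERPT = """Access Control Policy v3, Acme Widgets GmbH
Owner: Maria Schneider <maria.schneider@acme-widgets.example>, tel. +49 30 1234567
Payroll account IBAN DE89 3704 0044 0532 0130 00, HR contact NI number AB123456C
Deploy key (should never be here): ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
Full text: https://wiki.acme-widgets.example/policies/access"""

if __name__ == "__main__":
    print(json.dumps(build_dossier(SAMPLE_PATHS, SAMPLE_EXCERPT, "Acme Widgets GmbH", ["Maria Schneider"]), indent=2))
```

Two design points worth noting. An IBAN is only replaced when its mod-97 checksum passes, so an unrelated reference number that happens to look like one is not silently altered; conversely the gate treats a valid-checksum IBAN that survived as a hard failure. Secrets are handled before PII so that a token is never partially masked by the phone or URL rule and then counted as "redacted" when it has in fact been mangled rather than removed.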

8. Your Rights Under the EU AI Act

As a user of an AI system subject to the EU AI Act, you have the following rights:

Right to be informed (Art. 50)

You have the right to know that you are interacting with an AI system. This notice, and in-product disclosures on scan results, fulfil this obligation.

Right to meaningful explanation

You have the right to receive an intelligible explanation of any AI-generated compliance assessment, including the evidence considered and the confidence score assigned.

Right to human review

You have the right to request that any AI-generated determination be reviewed by a qualified human. Contact us at contact@kodex-compliance.eu to exercise this right.

Right to contest

You have the right to contest any AI-generated compliance score or control determination that you believe is inaccurate or based on incomplete evidence.

Right to opt out

You have the right to opt out of AI-assisted processing. Manual assessment workflows are available upon request — please contact us to arrange this.

9. Incident Reporting

If you believe the AI system has produced a harmful, inaccurate, or discriminatory output, or if you have any concerns about its operation, please contact us:

AI concerns & errors: contact@kodex-compliance.eu

When reporting an incident, please include: a description of the AI-generated output you believe is erroneous or harmful, the regulatory framework and controls involved, any evidence you provided, and the expected versus actual assessment result. We aim to acknowledge all reports within 2 business days and investigate within 10 business days.

10. Disclaimer

Important notice

  • This transparency notice is provided in good faith to assist compliance with the EU AI Act (Regulation 2024/1689) and does not constitute legal advice.
  • Kodex-Compliance is not a law firm. Nothing in this notice or in the Kodex Compliance Scanner constitutes legal advice, and users should consult qualified legal professionals for compliance determinations.
  • The risk classification set out in Section 2 is a self-assessment by Kodex-Compliance. It has not been independently verified by a notified body or any competent authority under the EU AI Act.
  • AI-generated compliance scores and assessments are indicative only. They are not audit certificates and should not be presented to regulators as independent verification of compliance.