AI Transparency Notice — Attestia.eu
In case of any discrepancy between the Polish and English versions, the Polish version shall prevail.
Version: 1.0
Effective date: 2026-04-22
Last updated: 2026-04-22
Published at: attestia.eu/transparency
Related documents:
- Terms of Service § 7 (Use of artificial intelligence) — attestia.eu/terms
- Privacy Policy section 13 (Notice on AI use) — attestia.eu/privacy
- Subprocessor list — attestia.eu/subprocessors
1. Regulatory context and purpose
This AI Transparency Notice (the "Notice") fulfils transparency obligations under Article 50 of Regulation (EU) 2024/1689 (EU AI Act) and expands on § 7 of the Attestia Terms of Service and section 13 of the Privacy Policy. Capitalised terms have the meaning given in the Terms (Platform, User, Organisation, AI System, Risk Classification, Compliance Documents, EU AI Act, GDPR).
Article 50 EU AI Act enters into application on 2 August 2026, imposing transparency obligations on providers and deployers of AI systems that generate synthetic content, interact with humans or produce deepfakes. This Notice is a proactive implementation of those obligations one month ahead of the formal deadline.
2. Attestia's role in the AI chain
Attestia performs two roles under the EU AI Act:
| Role | With respect to | Basis |
|---|---|---|
| Deployer | Azure OpenAI GPT-5.4 model (provided by Microsoft) | Attestia deploys a ready-made AI system into its services — Art. 3(4) EU AI Act |
| Provider | The Attestia service as a compliance decision-support system | Attestia integrates Azure OpenAI into its product and offers it to Organisations under the "Attestia" brand — Art. 3(3) EU AI Act |
3. The AI we use
| Item | Details |
|---|---|
| Model | OpenAI GPT-5.4 and GPT-5.4-mini |
| Model provider | Microsoft Corporation (Azure OpenAI service) |
| Integration layer | Vercel AI SDK 6 + @ai-sdk/azure |
| Processing region | EU — Sweden Central (swedencentral) |
| Data location | Within EU/EEA — no transfers outside EEA |
| Use of data for training | PROHIBITED — per Azure OpenAI Enterprise Agreement terms |
| Provider-side retention | Transient processing — no retention after processing |
| Human-in-the-loop | Mandatory — triple verification (section 6) |
4. What AI DOES on the Platform
- Risk Classification recommendation — analysis of the AI System description submitted by the User and a suggested risk category per the EU AI Act (prohibited / high / limited / minimal). Output includes:
  - suggested category,
  - justification referencing EU AI Act articles,
  - confidence score (percentage).
- Compliance Document drafting — generating drafts of documents required by the EU AI Act (e.g. Annex IV, FRIA, declarations of conformity, Art. 50 notices) based on Organisation Data.
- Regulatory explanations — generating descriptions of requirements, definitions and commentary helping Users understand their EU AI Act obligations.
- Edge-case analysis — identifying grey areas where classification is not unambiguous and flagging them for mandatory expert review.
5. What AI DOES NOT do
The AI on the Platform does NOT:
- make binding legal decisions — every Risk Classification is a recommendation; the final decision rests with the Organisation (§ 4(2) of the Terms);
- provide legal advice — Attestia is not a law firm and does not replace professional legal counsel (§ 4(1));
- certify compliance — the Platform does not replace conformity assessment by notified bodies for high-risk AI Systems (§ 4(4));
- generate deepfakes or misleading content — AI is used solely for analysis and drafting of compliance documentation;
- perform emotion recognition or biometric categorisation — Art. 50(3) EU AI Act does not apply;
- make fully automated decisions producing legal effects on natural persons — Art. 22 GDPR is respected; human approval is always required.
6. Human oversight — triple verification
The Platform applies a three-step verification process for every Risk Classification (§ 7(3) of the Terms):
| Step | Mechanism | Type of analysis |
|---|---|---|
| 1 | Rules engine (deterministic) | Analysis based on codified EU AI Act provisions (Art. 5, Annex III, Art. 50). Fully explainable. |
| 2 | AI recommendation | Contextual analysis using GPT-5.4. Supplements the rules engine in grey areas. |
| 3 | User review and approval | Final decision — User may accept, modify or reject the AI recommendation. |
Right to override: Users may reject or correct AI recommendations at any stage. Every action is recorded in an immutable Audit Log (hash-chained, SHA-256) including who decided and when.
7. Accuracy, limitations and confidence display
AI recommendations are probabilistic and may contain errors. The Platform mitigates this via:
- Confidence score display — percentage value with justification for each Risk Classification.
- Grey-area flagging — Classifications with low confidence or covering disputed areas are flagged as requiring mandatory expert review (§ 7(4) of the Terms).
- Model versioning — each Classification is logged with the model version used. A model change triggers an Audit Log notification.
- Accuracy regression — we plan periodic regression tests on a benchmark set. A material accuracy drop triggers rollback of the model version.
EU AI Act interpretation is dynamic and evolving — harmonised standards, Commission guidance, national implementations and case law may affect the correct reading. Attestia does not guarantee completeness or currency of regulatory information (§ 4(6) of the Terms).
8. How to identify AI-generated content
Implementation of Art. 50(2) EU AI Act (synthetic content labelling):
| Location | Label |
|---|---|
| Risk Classification recommendation in UI | "AI-assisted" badge next to every recommendation, with an icon |
| Generated documents (PDF, DOCX) | Footer note: "Document generated using artificial intelligence by Attestia.eu. Requires review by a qualified specialist." |
| Explanations and analyses | Every AI-generated text block is labelled "AI-generated" and visually separated from static content |
| Data export (JSON/CSV) | Field ai_generated: true and ai_model_version for every record containing AI content |
| API | X-Attestia-AI-Generated: true header in responses containing AI content (once the API is exposed) |
Metadata labelling (C2PA / watermarking) — per Art. 50(2) second sentence we plan to implement C2PA-compliant technical marks once the industry standard stabilises. Currently the standard is in the adoption phase; Attestia monitors progress and will implement it in a Platform update [ROADMAP].
9. Data and privacy in the AI context
Key data-protection principles (consistent with § 7(5) of the Terms and section 4.3 of the Privacy Policy):
- Pseudonymisation before dispatch — AI System descriptions sent to Azure OpenAI are stripped of: Organisation name, User personal data, billing data, Account identifiers.
- EU location — processing in Sweden Central only. No transfer outside the EEA.
- No model training — Organisation Data is not used by Microsoft or OpenAI to train AI models (Azure OpenAI Enterprise Agreement).
- Transient processing — no retention at Azure OpenAI after request processing ends.
- Encryption in transit — communication with Azure OpenAI via TLS 1.3.
- Audit trail — every AI call logs: timestamp, model version, prompt length, response length, User ID. We do NOT log prompt or response content in a form enabling re-identification of Organisation Data.
For processing details see Privacy Policy sections 3–8 and 13.
10. Mapping to Article 50 EU AI Act requirements
| Provision | Scope | Applicability to Attestia | Implementation |
|---|---|---|---|
| Art. 50(1) | Providers of AI systems interacting with natural persons (duty to inform about AI interaction) | ✅ Applies (AI-generated regulatory explanations are visible to Users) | Clear "AI-assisted" labelling in UI (section 8) + content of this Notice |
| Art. 50(2) | Providers generating synthetic content — duty to mark machine-readable metadata | ✅ Applies (Compliance Documents are generated text) | Visual labels + PDF/DOCX notes + ai_generated: true in exports + planned C2PA |
| Art. 50(3) | Deployers of emotion recognition / biometric categorisation | ❌ Does not apply — Platform does not use such features | No implementation required |
| Art. 50(4) | Deployers producing deepfakes or AI-generated text informing the public | ⚠️ Partly applies — Compliance Documents may be filed with supervisory authorities (informing the public) | "AI-generated" footer in exported documents + mandatory qualified review (§ 4(3) of the Terms) |
| Art. 50(5) | Manner of disclosure — clear, distinguishable, at first interaction at the latest | ✅ Applies | This Notice + User onboarding + permanent access at /transparency |
11. User rights in connection with AI
- Right to explanation — every Risk Classification is displayed with justification (rules engine — references to EU AI Act articles; AI — narrative explanation).
- Right to override AI — at any stage.
- Right not to be subject to a decision based solely on AI (Art. 22 GDPR) — fully automated decisions are not made (section 5).
- Right of access to the Audit Log — Users (depending on role) may review AI and human decision history within their Organisation.
- Right to lodge a complaint — regarding AI processing inconsistent with the EU AI Act: to the national AI authority (in Poland: to the authority designated under the Polish EU AI Act implementation law, once in force). Also — under the GDPR — to the President of UODO (ul. Stawki 2, 00-193 Warsaw).
Exercise of rights: privacy@attestia.eu (GDPR matters) or contact@attestia.eu (general AI matters).
12. Changes to this Notice
We will notify you of material changes to this Notice (e.g. AI model change, provider change, expansion of AI use) with at least 30 days' notice (aligned with § 14 of the Terms):
- via email to the Account Owner,
- via in-app notification,
- via update to this page.
The current version is published at attestia.eu/transparency. Previous versions are archived and available on request.
13. Contact
| Matter | Contact |
|---|---|
| General AI questions | contact@attestia.eu |
| Data protection matters | privacy@attestia.eu |
| Security reports | privacy@attestia.eu (future: security@attestia.eu) |
| Postal address | Trimalert sp. z o.o., ul. Przasnyska 7/319, 01-756 Warsaw, Poland |