EU AI Act compliance · Free audit · No signup

EU AI Act Compliance Audit

The EU AI Act becomes generally applicable on 2 August 2026, with fines of up to €35M or 7% of global annual turnover. Grade your AI governance, model documentation and data-handling policies against 12 clauses covering the core provider and deployer obligations: risk classification (Art. 6 + Annex III), data governance (Art. 10), technical documentation (Art. 11 + Annex IV), human oversight (Art. 14), transparency (Art. 50) and GPAI obligations (Art. 53–55).

Run free EU AI Act audit
Regulation (EU) 2024/1689 (Artificial Intelligence Act) · European Union · extraterritorial scope (Art. 2(1)): applies to providers placing AI systems on the EU market or putting them into service in the EU wherever they are established, to deployers established in the EU, and to providers and deployers outside the EU whose AI output is used in the EU

What EU AI Act non-compliance actually costs

€35M or 7% of global turnover, whichever is higher: prohibited AI practices (Art. 5). Art. 99(3).
€15M or 3% of global turnover, whichever is higher: non-compliance with the obligations of providers (Art. 16, which carries the high-risk requirements of Art. 8–15), authorised representatives, importers, distributors, deployers (Art. 26), notified bodies, or the Art. 50 transparency duties. Art. 99(4).
€7.5M or 1% of global turnover, whichever is higher: incorrect, incomplete or misleading information supplied to notified bodies or national competent authorities. Art. 99(5).
€15M or 3% of global turnover, whichever is higher: breach of GPAI provider obligations (Art. 53–55), refusal to supply requested documentation, or refusal of model access for evaluation. Art. 101: imposed directly by the Commission, applicable from 2 August 2026.
For SMEs and start-ups, each cap is the lower of the two amounts rather than the higher (Art. 99(6)).

What this audit checks

12 required clauses, each scored Present / Partial / Missing with the exact regulatory citation and a suggested fix.

1. Risk classification (prohibited / high-risk / limited / minimal)
   Art. 5 prohibited practices; Art. 6(2) + Annex III areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice and democratic processes) are high-risk by default, subject only to the narrow Art. 6(3) derogation, which must itself be documented; Art. 6(1) + Annex I covers AI that is a safety component of regulated products.
2. Risk management system (Art. 9): continuous, iterative, documented
   Identify, analyse, estimate and evaluate foreseeable risks across the full lifecycle; mitigation measures and residual-risk acceptance criteria; testing against predefined metrics and thresholds before placing on the market (Art. 9(6)–(8)).
3. Data governance and training data quality (Art. 10)
   Training, validation and test data must be relevant, sufficiently representative and, to the best extent possible, free of errors and complete for the intended purpose (Art. 10(3)); documented data origin, collection, labelling and cleaning; examination for possible biases (Art. 10(2)(f)).
4. Technical documentation (Art. 11 + Annex IV)
   Drawn up before placing on the market and kept up to date: system description, design, training data, testing, accuracy and robustness metrics, cybersecurity measures. SMEs and start-ups may use the simplified form (Art. 11(1)).
5. Record-keeping / automatic logging (Art. 12)
   Automatic event logs over the system's lifetime, sufficient to identify risk situations and support post-market monitoring; for remote biometric identification systems (Art. 12(3)) also the period of each use, the reference database, the input data that led to a match and the persons who verified the result. Providers (Art. 19) and deployers (Art. 26(6)) retain logs for at least 6 months unless Union or national law provides otherwise.
6. Transparency and information to deployers (Art. 13)
   Instructions for use specifying intended purpose, accuracy, robustness, cybersecurity, foreseeable misuse, human oversight measures, expected lifetime and maintenance measures.
7. Human oversight (Art. 14)
   Natural persons able to understand the system's capacities and limits, monitor operation, correctly interpret output, intervene or override, decide not to use the system and stop it; for remote biometric identification, no action on a match unless two competent persons verify it separately (Art. 14(5), the '4-eyes principle').
8. Accuracy, robustness, cybersecurity (Art. 15)
   Resilience against errors, faults and inconsistencies (Art. 15(4)) and against unauthorised third parties altering use, output or performance through data poisoning, model poisoning, adversarial examples / model evasion, confidentiality attacks and model flaws (Art. 15(5)).
9. Quality management system for providers (Art. 17)
   Strategy for regulatory compliance, design and development controls, examination, test and validation procedures, change management, post-market monitoring system, serious-incident reporting procedures.
10. Conformity assessment, EU declaration of conformity and CE marking (Art. 43, 47, 48)
   Before placing on the market: internal control (Annex VI) for Annex III points 2–8; for point 1 (biometrics) internal control only where harmonised standards are fully applied, otherwise a notified body (Annex VII); registration in the EU database (Art. 49 + 71).
11. Transparency obligations for limited-risk AI (Art. 50)
   Disclose AI interaction (chatbots); mark synthetic audio, image, video and text as AI-generated in a machine-readable, detectable form; label deepfakes; inform persons subject to emotion recognition or biometric categorisation.
12. GPAI obligations (Art. 53–55): model card, training summary, copyright policy
   All GPAI providers: technical documentation (Annex XI), information to downstream providers (Annex XII), EU copyright policy, public summary of training content. Systemic-risk GPAI (presumed at >10^25 FLOPs of training compute, Art. 51(2)): additionally model evaluation including adversarial testing, systemic-risk assessment and mitigation, serious incident reporting and cybersecurity protection.

Audit my policy now
Results in 20 seconds · 3 free per day · No signup

Why EU AI Act audits actually fail

Treating 'we just use OpenAI' as out-of-scope
Art. 25(1) + Recital 84: a deployer, importer, distributor or other third party that puts its own name or trademark on a high-risk AI system, substantially modifies it, or changes the intended purpose of a non-high-risk system (including a GPAI system) so that it becomes high-risk is treated as the provider and inherits the full Art. 16 obligations. Fine-tuning a foundation model into an HR screening or credit-decision product makes you the high-risk provider, not OpenAI; the model's original provider keeps its Art. 53 GPAI duties and the cooperation duties in Art. 25(2)–(3).
Annex III high-risk use without conformity assessment
Recruitment screeners, performance evaluation, worker monitoring, education admission and scoring, access to essential public and private services, creditworthiness and credit scoring (excluding fraud detection), and life and health insurance pricing or risk assessment are ALL high-risk under Annex III points 3–5. Most companies don't realise their HR or insurance AI tool falls here, and the Art. 6(3) derogation is narrow and must be documented.
GPAI 'open source' exemption misread
Art. 53(2) exempts GPAI released under a free and open-source licence, with parameters, architecture and usage information publicly available, from the documentation duties in Art. 53(1)(a)–(b) UNLESS the model presents systemic risk; Recital 103 adds that components provided against a price or otherwise monetised do not benefit from the open-source exceptions. Llama-style 'community licences' that restrict commercial use generally do NOT meet the definition in Recital 102, which requires that users can freely use, modify and redistribute the model. The copyright policy and training summary duties in Art. 53(1)(c)–(d) apply regardless.
Missing copyright + training data summary
Art. 53(1)(c) + (d) require ALL GPAI providers, including open-source ones, to put in place a policy to comply with EU copyright law (including honouring text-and-data-mining opt-outs under Art. 4(3) of Directive (EU) 2019/790) and to publish a 'sufficiently detailed summary' of training content using the AI Office template, published 24 July 2025. Many providers still ship a one-paragraph blurb.

EU AI Act FAQ

When does the EU AI Act apply to my product?
Phased entry (Art. 113): prohibitions (Art. 5) and AI literacy (Art. 4) from 2 Feb 2025; GPAI obligations, governance bodies and the Art. 99 penalty regime from 2 Aug 2025 (GPAI models already on the market before that date have until 2 Aug 2027, Art. 111(3)); Annex III high-risk requirements, Art. 50 transparency duties and the Commission's Art. 101 GPAI fines from 2 Aug 2026; Annex I high-risk (AI in products covered by the sectoral safety legislation listed in Annex I) from 2 Aug 2027. If you sell into the EU or your AI's output is used in the EU, you are in scope today for the prohibitions and the GPAI obligations.
We're a US-only SaaS. Are we really in scope?
Yes, if you make the system available on the EU market or put it into service there, or if output it produces is used in the EU (Art. 2(1)(a) and (c)); deployers are caught when established in the EU (Art. 2(1)(b)). The Act is extraterritorial like the GDPR. Practical test: if an EU customer would need a GDPR data processing addendum from you, run the Art. 6 / Annex III classification for that same use; a conformity assessment is required only if the use is high-risk, but the Art. 50 transparency duties apply whatever the risk class.
Do small companies get an SME exemption?
Limited. Art. 62 requires Member States to give SMEs and start-ups priority access to regulatory sandboxes, dedicated communication channels and proportionately reduced conformity assessment fees; Art. 11(1) allows a simplified technical documentation form; Art. 99(6) caps SME fines at the lower of the two amounts. The substantive obligations (risk classification, data governance, transparency) still apply. There is no general SME carve-out.

Grade your policy in 20 seconds

Paste your existing document to get a 12-clause EU AI Act scorecard. Generate a revised version covering all 12 clauses for $9 if you don't want to fix it manually.

Run free EU AI Act audit