AI compliance

Classification

Syncanix is the provider of an AI system under the EU AI Act — it places a limited-risk AI system (a chatbot that interacts with humans) on the market, which triggers Article 50 transparency obligations but not the heavier high-risk regime. The customers who embed Syncanix are deployers of that system. The separate GPAI model obligations under Article 53 (training-data summary, copyright code of practice) sit with the foundation-model providers (Anthropic, OpenAI) — Syncanix neither trains nor distributes a foundation model, so it does not carry the Article 53 model-provider duties.

Syncanix becomes high-risk if deployed for employment / HR decisions, credit scoring, education access, law enforcement, migration / border control, or judicial reasoning. Our acceptable-use policy explicitly prohibits these verticals in v1 — see the AUP section below.

Article 50 transparency obligations

Four Article 50 obligations apply to Syncanix, each met before the 2 Aug 2026 enforcement date:

1. AI disclosure to end users. Before or at first interaction, end users see the message "You are interacting with an AI system." A persistent indicator stays in the chat header throughout the session. The disclosure is available in all six launch languages (English, Spanish, French, German, Arabic, Hebrew).
2. AI-generated content marking. Synthetic image, audio, or video (not applicable to Syncanix v1; reserved for v2 voice or vision features) would be machine-readable as AI-generated via the C2PA standard. Text output is visibly labelled in the chat UI rather than steganographically marked.
3. Deepfake disclosure. Not applicable to Syncanix v1 — we do not generate synthetic media depicting real people.
4. Documentation on request. Syncanix maintains a technical file with the models used, training-data provenance (passed through from providers), evaluation results, and known limitations. Supervisory authorities can request access on demand.

Penalties

• Up to €35M or 7% of global turnover for prohibited practices (Article 5 prohibited AI).
• €15M or 3% for most other violations.
• €7.5M or 1% for incorrect information to authorities.

Model cards

The foundation models Syncanix calls in production, by provider:

• Anthropic Claude (managed LLM). Primary chat-completion provider. Routed under Anthropic's Zero Data Retention (ZDR) contract — customer prompts and completions are not retained by Anthropic and are not used for model training. See Anthropic's published model card for capability and safety detail.
• OpenAI GPT-class (failover LLM). Secondary chat-completion provider for failover scenarios. Routed under OpenAI's enterprise ZDR contract with equivalent retention semantics.
• Amazon Bedrock — embeddings (Amazon Titan Text Embeddings V2). Retrieval indexing of documents runs through AWS Bedrock in the EU region (eu-central-1). The data stays in-region and AWS does not train its models on customer content.
• Amazon Bedrock — reranking (Amazon Bedrock Rerank). Retrieval-quality reranking of the top candidates, also via Bedrock in eu-central-1 — same in-region, no-training posture as embeddings.

Syncanix's BYOK (bring-your-own-key) is supported on the Enterprise tier — customers can route LLM traffic through their own Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, or OpenAI-compatible endpoint. The customer's provider sees the traffic; Syncanix does not.

System card

Syncanix is a composition of retrieval (Amazon Bedrock embeddings + rerank, in eu-central-1), the customer's catalog of capabilities (typed tool surface discovered from the customer's API), and a foundation-model loop (Anthropic primary, OpenAI failover) orchestrated by Syncanix's intent-issuing layer. The LLM never holds end-user credentials — tool calls are issued as signed intent envelopes that the customer's own API verifies and executes.

High-impact tool calls (anything with a destructive or financially-significant effect) require an explicit human-in-the-loop confirmation in the chat UI before the intent is issued. This gives the customer (as controller) the tooling to meet its GDPR Article 22 obligations — no solely-automated decision with legal or significant effect is taken without a human in the loop.

Evaluation methodology

Every Syncanix release ships against a measured eval set. The methodology mixes deterministic rubric scoring with LLM-as-judge for free-form responses:

• Retrieval F1 on a curated query / passage set per customer tenant (where a tenant has supplied a sample query set).
• Faithfulness — LLM-as-judge scores whether the generated answer is grounded in the retrieved context. Faithfulness threshold is customer-configurable; default 0.85 of 1.0.
• Tool-call accuracy — whether the LLM selected the correct capability and produced valid arguments against the capability's strictly-validated schema. Pass / fail; no partial credit.
• Refusal rate — whether the model declined out-of-policy requests (e.g. PII exfiltration attempts, cross-tenant queries) at the expected rate. Nightly synthetic probes feed the metric.

Bias evaluation

Syncanix's bias evaluation runs the foundation-model providers' published bias benchmarks (BBQ, BOLD, HELM bias slices) on the model versions we route to in production and tracks delta between releases. The results plus methodology are published as part of the technical file the EU AI Act Article 50 documentation requires. Customer-specific evaluations on the customer's own scenarios are supported on the Enterprise tier with named persona probes.

Acceptable use policy

The Syncanix AUP explicitly prohibits deployment for the following high-risk verticals in v1 without a separate written agreement:

• Employment / HR decisions (hiring, firing, promotion, performance scoring).
• Credit scoring or creditworthiness determination.
• Education access (admissions, exam scoring).
• Law enforcement (predictive policing, evidence evaluation).
• Migration / border control / asylum decisions.
• Judicial reasoning or sentencing recommendations.
• Critical infrastructure operation.
• Healthcare / clinical decisions involving PHI (no HIPAA BAA in v1).
• Children under 13 (COPPA — no separate agreement).

Violations are grounds for immediate suspension. Enterprise customers requiring deployment in a regulated vertical can request a separate written agreement plus the deeper compliance regime that vertical requires.

Counsel review

The DPA, the AI disclosure copy (English baseline + 6-language translations), and this page are reviewed by EU privacy counsel before each commercial release. Sign-off is captured in docs/legal/counsel-sign-off.md with the counsel's name, review date, and scope. Counsel review is a launch-blocking gate.

Related

• Compliance status → — JSON-driven status grid (SOC 2 / ISO 27001 / EU AI Act / GDPR / CCPA).
• Privacy notice → — retention, GDPR rights, PII handling, source-code privacy.
• Security overview → — encryption, IAM, headers, incident response.