AI compliance
The EU AI Act becomes enforceable on 2 Aug 2026. This page lays out Syncanix’s classification, the Article 50 transparency obligations we meet, the foundation models we use, our evaluation methodology, and the verticals we explicitly do not serve.
Classification
Syncanix is the provider of an AI system under the EU AI Act — it places a limited-risk AI system (a chatbot that interacts with humans) on the market, which triggers Article 50 transparency obligations but not the heavier high-risk regime. The customers who embed Syncanix are deployers of that system. The separate GPAI model obligations under Article 53 (training-data summary, copyright code of practice) sit with the foundation-model providers (Anthropic, OpenAI) — Syncanix neither trains nor distributes a foundation model, so it does not carry the Article 53 model-provider duties.
Syncanix becomes high-risk if deployed for employment / HR decisions, credit scoring, education access, law enforcement, migration / border control, or judicial reasoning. Our acceptable-use policy explicitly prohibits these verticals in v1 — see the AUP section below.
Article 50 transparency obligations
Four Article 50 obligations apply to Syncanix, each met before the 2 Aug 2026 enforcement date:
- AI disclosure to end users. Before or at first interaction, end users see the message "This is a conversation with an AI assistant." A persistent indicator stays in the chat header throughout the session. The disclosure is available in all six launch languages (English, Spanish, French, German, Arabic, Hebrew).
- AI-generated content marking. Synthetic image, audio, or video output would be marked as AI-generated in machine-readable form via the C2PA standard; this is not applicable to Syncanix v1 and is reserved for v2 voice or vision features. Text output is visibly labelled in the chat UI rather than steganographically marked.
- Deepfake disclosure. Not applicable to Syncanix v1 — we do not generate synthetic media depicting real people.
- Documentation on request. Syncanix maintains a technical file with the models used, training-data provenance (passed through from providers), evaluation results, and known limitations. Supervisory authorities can request access on demand.
Who handles what: Syncanix vs. your deployer obligations
Under the AI Act, Syncanix is the provider of the AI system and you — embedding it in your product — are typically its deployer. Both roles carry Article 50 duties. Here is the split, plainly.
What Syncanix handles for you
- The end-user AI disclosure itself: a notice at first interaction plus a persistent indicator throughout the session — on by default, and not disableable (the widget even rejects custom CSS that would hide it).
- Disclosure language: the notice renders in the end user’s own language across all six supported locales, right-to-left included.
- The technical documentation file — models used, training-data provenance as passed through from providers, evaluation results, known limitations — available to you and to supervisory authorities on request.
- AI-generated-content marking: not applicable in v1 (no synthetic image, audio, or video is produced); machine-readable marking is reserved for any future voice or vision features.
What stays with you
- If you build your own UI over the Syncanix API instead of embedding the widget, the AI disclosure in that UI is your duty — our widget’s protections cannot follow you there.
- If your product blends the agent with human support, keep the boundary clear: users must be able to tell when the AI stops and a person begins.
- If you pipe the agent’s output into other AI systems (content generation, synthetic media), the marking and disclosure duties of those systems are theirs and yours, not ours.
- Sector rules on top of the AI Act — medical, financial, legal-advice gating, employment-context disclosures — stay with you as the deployer in your domain.
- Your own privacy disclosures: telling your users in your privacy policy that an AI assistant processes their requests remains your obligation.
This is engineering documentation, not legal advice. Your counsel owns your Article 50 position; ours reviews this page.
Penalties
- Up to €35M or 7% of global turnover for prohibited practices (Article 5 prohibited AI).
- €15M or 3% for most other violations.
- €7.5M or 1% for incorrect information to authorities.
Model cards
The foundation models Syncanix calls in production, by provider:
- Anthropic Claude (managed LLM). Primary chat-completion provider. Under Anthropic’s API terms, customer prompts and completions are not used to train Anthropic’s models; a Zero Data Retention (ZDR) agreement is being finalized to add contractual non-retention. See Anthropic’s published model card for capability and safety detail.
- OpenAI GPT-class (failover LLM). Secondary chat-completion provider, planned for failover — not yet active in production. When enabled it routes under OpenAI’s API terms (API data is excluded from training), with an enterprise Zero Data Retention (ZDR) agreement to be confirmed before activation.
- Amazon Bedrock — embeddings (Amazon Titan Text Embeddings V2). Retrieval indexing of documents runs through AWS Bedrock in the EU region (eu-central-1). The data stays in-region and AWS does not train its models on customer content.
- Amazon Bedrock — reranking (Amazon Bedrock Rerank). Retrieval-quality reranking of the top candidates, also via Bedrock in eu-central-1 — same in-region, no-training posture as embeddings.
Syncanix’s BYOK (bring-your-own-key) is supported on the Enterprise tier — customers can route LLM traffic through their own Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, or OpenAI-compatible endpoint. The customer’s provider sees the traffic; Syncanix does not.
System card
Syncanix is a composition of retrieval (Amazon Bedrock embeddings + rerank, in eu-central-1), the customer’s catalog of capabilities (typed tool surface discovered from the customer’s API), and a foundation-model loop (Anthropic primary, OpenAI failover) orchestrated by Syncanix’s intent-issuing layer. The LLM never holds end-user credentials — tool calls are issued as signed intent envelopes that the customer’s own API verifies and executes.
High-impact tool calls (anything with a destructive or financially-significant effect) require an explicit human-in-the-loop confirmation in the chat UI before the intent is issued. This gives the customer (as controller) the tooling to meet its GDPR Article 22 obligations — no solely-automated decision with legal or significant effect is taken without a human in the loop.
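A sketch of the customer-side check described above, as an added example rather than Syncanix's own code or wire format. The envelope fields, the HMAC-SHA256 scheme, the shared key and the capability names are all assumptions made for illustration.

```python
import hashlib, hmac, json

SHARED_KEY = b"constructed-demo-key"              # assumption: per-tenant HMAC key
HIGH_IMPACT = {"refund_order", "delete_account"}  # hypothetical capability names
_seen_nonces = set()                              # replay cache (in-memory for the demo)

def _canonical(body):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body, key=SHARED_KEY):
    """Issuer side: wrap the intent body with its MAC."""
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

def verify(envelope, tenant, now, key=SHARED_KEY):
    """Customer API side: return "ok" or the reason the intent is rejected."""
    body, sig = envelope.get("body"), envelope.get("sig")
    if not isinstance(body, dict) or not isinstance(sig, str):
        return "malformed"
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return "bad-signature"                    # any change to args breaks the MAC
    if body.get("tenant") != tenant:
        return "wrong-tenant"                     # envelope minted for another tenant
    if not isinstance(body.get("exp"), (int, float)) or body["exp"] < now:
        return "expired"
    if body.get("capability") in HIGH_IMPACT and not body.get("confirmed_by"):
        return "needs-human-confirmation"         # human-in-the-loop gate
    nonce = body.get("nonce")
    if not nonce or nonce in _seen_nonces:
        return "replayed"
    _seen_nonces.add(nonce)                       # consume the nonce only on success
    return "ok"
```

The signature is checked before any field is trusted, and the nonce is consumed last so a rejected envelope does not burn it.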
Evaluation methodology
Every Syncanix release ships against a measured eval set. The methodology mixes deterministic rubric scoring with LLM-as-judge for free-form responses:
- Retrieval F1 on a curated query / passage set per customer tenant (where a tenant has supplied a sample query set).
- Faithfulness — LLM-as-judge scores whether the generated answer is grounded in the retrieved context. Faithfulness threshold is customer-configurable; default 0.85 of 1.0.
- Tool-call accuracy — whether the LLM selected the correct capability and produced valid arguments against the capability’s strictly-validated schema. Pass / fail; no partial credit.
- Refusal rate — whether the model declined out-of-policy requests (e.g. PII exfiltration attempts, cross-tenant queries) at the expected rate. Nightly synthetic probes feed the metric.
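How three of these metrics could be scored over a batch of eval records, as an added example and not Syncanix's eval harness. The capability schemas, record layout and the "fraction of answers at or above the threshold" aggregation are assumptions; only the 0.85 default and the pass / fail rule come from the page.

```python
FAITHFULNESS_THRESHOLD = 0.85  # the page's default; customer-configurable

# Hypothetical capability schemas: argument name -> exact Python type.
SCHEMAS = {
    "get_order": {"order_id": int},
    "refund_order": {"order_id": int, "amount": float},
}

def args_valid(capability, args):
    """Strict check: known capability, exact key set, exact types."""
    schema = SCHEMAS.get(capability)
    if schema is None or not isinstance(args, dict) or set(args) != set(schema):
        return False
    # type(...) is t, not isinstance: True must not pass as an int.
    return all(type(args[k]) is t for k, t in schema.items())

def tool_call_pass(expected, call):
    """Pass / fail, no partial credit: right capability AND valid arguments."""
    return call.get("capability") == expected and args_valid(expected, call.get("args"))

def retrieval_f1(retrieved, relevant):
    tp = len(retrieved & relevant)
    if tp == 0:
        return 0.0
    precision, recall = tp / len(retrieved), tp / len(relevant)
    return 2 * precision * recall / (precision + recall)

def summarize(cases, threshold=FAITHFULNESS_THRESHOLD):
    n = len(cases)
    return {
        "tool_call_accuracy": sum(tool_call_pass(c["expected"], c["call"]) for c in cases) / n,
        "faithful_fraction": sum(c["faithfulness"] >= threshold for c in cases) / n,
        "mean_retrieval_f1": sum(retrieval_f1(c["retrieved"], c["relevant"]) for c in cases) / n,
    }

# Constructed eval records (not Syncanix data).
CASES = [
    {"expected": "get_order", "call": {"capability": "get_order", "args": {"order_id": 7}},
     "faithfulness": 0.90, "retrieved": {"p1", "p2"}, "relevant": {"p1"}},
    {"expected": "refund_order", "faithfulness": 0.85, "retrieved": {"p3"}, "relevant": {"p3"},
     "call": {"capability": "refund_order", "args": {"order_id": 7, "amount": 10.0, "note": "x"}}},
    {"expected": "get_order", "call": {"capability": "get_order", "args": {"order_id": True}},
     "faithfulness": 0.50, "retrieved": {"p9"}, "relevant": {"p4"}},
    {"expected": "get_order", "faithfulness": 0.99, "retrieved": {"p5", "p6"}, "relevant": {"p5", "p6"},
     "call": {"capability": "refund_order", "args": {"order_id": 7, "amount": 10.0}}},
]
```

Three of the four constructed tool calls fail for different reasons (an extra argument, a boolean where an integer is required, the wrong capability), which is what the no-partial-credit rule is meant to catch.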
Bias evaluation
Syncanix’s bias evaluation runs the foundation-model providers’ published bias benchmarks (BBQ, BOLD, HELM bias slices) on the model versions we route to in production and tracks the delta between releases. The results and the methodology are published as part of the technical file required by the EU AI Act Article 50 documentation obligation. Customer-specific evaluations on the customer’s own scenarios are supported on the Enterprise tier with named persona probes.
Acceptable use policy
The Syncanix AUP explicitly prohibits deployment for the following high-risk verticals in v1 without a separate written agreement:
- Employment / HR decisions (hiring, firing, promotion, performance scoring).
- Credit scoring or creditworthiness determination.
- Education access (admissions, exam scoring).
- Law enforcement (predictive policing, evidence evaluation).
- Migration / border control / asylum decisions.
- Judicial reasoning or sentencing recommendations.
- Critical infrastructure operation.
- Healthcare / clinical decisions involving PHI (no HIPAA BAA in v1).
- Children under 13 (COPPA — no separate agreement).
Violations are grounds for immediate suspension. Enterprise customers requiring deployment in a regulated vertical can request a separate written agreement plus the deeper compliance regime that vertical requires.
Counsel review
The DPA, the AI disclosure copy (English baseline + 6-language translations), and this page are reviewed by EU privacy counsel before each commercial release. Sign-off is captured in docs/legal/counsel-sign-off.md with the counsel’s name, review date, and scope. Counsel review is a launch-blocking gate.
Related
- Compliance status: JSON-driven status grid (SOC 2 / ISO 27001 / EU AI Act / GDPR / CCPA).
- Privacy notice: retention, GDPR rights, PII handling, source-code privacy.
- Security overview: encryption, IAM, headers, incident response.
Contact
AI-compliance questions, model-card or system-card requests, eval-set access for enterprise diligence: admin@syncanix.com.