โ† Back to Trust Center

EU AI Act Self-Scan Report

Guardia AI (this product), scanned by its own repository scanner. Scanner: Guardia AI repository scanner โ€” the same detection engine shipped in our GitHub Action and GitLab CI/CD component.

Generated: 5 July 2026 ยท Reviewed by a human

Result at a glance

limited riskClassifier confidence: 72% ยท Compliance gaps found: 0

AI usage detected; none of it biometric, safety-critical, or in an Annex III high-risk area. The transparency tier (Article 50) applies because Guardia includes an AI chat assistant that interacts with users โ€” our obligation is to disclose that it is AI, which we do.

What the scan covered

Full Guardia AI monorepo: backend (FastAPI), frontend (Next.js), GitHub Action, GitLab component

AI detected in our own codebase

openai (npm SDK)

LLM API

The OpenAI-compatible SDK pointed at Groq (api.groq.com). Powers two assistive features: the compliance chat assistant (Llama 3.1 8B) and documentation drafting (Llama 3.3 70B). Both produce advisory text that a human reviews and edits; neither makes decisions.

EU AI Act note: Deployer of a general-purpose model via API. Article 50 transparency applies to the chat assistant: it is clearly labelled as AI.

Found in: frontend/package.json, frontend/app/api/ai/chat/route.ts, frontend/app/api/ai/generate/route.ts

scikit-learn

ML Framework

Used together with fairlearn to COMPUTE statistical fairness metrics (demographic parity, equalized odds) on model outputs customers upload for bias reports. No model is trained or deployed; it is measurement, not inference.

EU AI Act note: Not an AI system making outputs about persons; it is the measurement tooling for our bias reports.

Found in: backend/requirements.txt

GROQ_API_KEY (configuration)

Credential env key

The deployment credential for the Groq-hosted LLM features above.

EU AI Act note: Consistent with the declared LLM usage โ€” no undeclared AI providers configured.

Found in: frontend/.env.local.example, frontend/netlify.toml

What is deliberately NOT AI

The parts of Guardia that produce your compliance results are deterministic โ€” same input, same output.

Repository scanner (core product)

Deterministic pattern matching against published signature lists (AI libraries, model names, endpoints, credential keys). No ML model involved; identical output on identical input.

Risk classification engine

Rule-based mapping to EU AI Act articles (Article 5, Annex III) with cited sources. No ML model involved.

FRIA, Annex IV, ISO 42001 modules

Structured templates and rule-based applicability checks. LLM assistance is optional, labelled, and editable.

Remediation log โ€” what the scan found and what we did

2026-07-05 โ€” found by This self-scan (config-detection layer)

Stale OPENAI_API_KEY references in render.yaml, netlify.toml, .env.local.example and the /status health check, left over from before our switch to Groq-hosted models.

โœ“ Removed the stale references and fixed the health check to test the credential actually in use (GROQ_API_KEY). Fixed the same day.

Methodology

  • The scan was run with the same detection module we ship to customers (github-action/detection.py, kept identical in gitlab-component/).
  • The scanner's own signature databases (lists of AI library names inside repo_scanner.py and detection.py) are string constants, not dependencies; the detection engine distinguishes signature definitions from real imports and manifests since our June false-positive fixes.
  • Anyone with repository access can reproduce this report by running the scanner against the repo root.