@complior/engine 0.9.0

package/data/templates/eu-ai-act/ai-literacy.md

@@ -0,0 +1,184 @@
+# Template 1: AI Literacy Training Policy and Record
+
+**Obligation:** eu-ai-act-OBL-001
+**Article:** Article 4
+**For:** Both Deployers and Providers
+**Format:** DOCX / PDF
+**Status:** REQUIRED SINCE FEBRUARY 2, 2025
+
+## Document Structure:
+
+### 1. Policy Header
+<!-- GUIDANCE: Art. 4 is already enforceable since February 2, 2025. Set the
+Effective Date to no later than your compliance deadline. The review cycle should
+be 12 months maximum. Example: "Version 1.0, effective 2025-02-01, next review
+2026-02-01." -->
+
+| Field | Value |
+|-------|-------|
+| Document Title | AI Literacy Policy — [Company Name] |
+| Document ID | ALP-[YYYY]-[NNN] |
+| Version | [X.Y] |
+| Effective Date | [Date] |
+| Approved By | [Name, Title] |
+| Next Review Date | [Date + 12 months] |
+| Applicable Regulation | EU AI Act (Regulation (EU) 2024/1689), Article 4 |
+
+### 2. Training Program
+<!-- GUIDANCE: Art. 4 requires literacy "taking into account their technical
+knowledge, experience, education and training, the context the AI systems are
+used in, and the persons on whom the AI systems are used." List ALL AI systems
+in scope with their risk levels. Example: ChatGPT Enterprise (Limited risk, 45
+users) requires Level 2 training; HireVue (High risk, 8 users) requires Level 3. -->
+
+**Purpose:** This policy establishes [Company Name]'s approach to ensuring all staff and relevant third parties have sufficient AI literacy as required by Article 4 of the EU AI Act.
+
+**Scope:**
+- All employees who interact with, operate, oversee, or make decisions about AI systems
+- Contractors and temporary staff with AI system access
+- Third-party service providers who operate AI systems on behalf of [Company Name]
+- Board members and senior management with AI governance responsibilities
+
+**AI Systems in Scope:**
+
+| System Name | Provider | Risk Level | Departments Using | Users Count |
+|-------------|----------|------------|-------------------|-------------|
+| [e.g., ChatGPT Enterprise] | [OpenAI] | [Limited] | [Marketing, Sales, Support] | [45] |
+| [e.g., HireVue] | [HireVue Inc.] | [High] | [HR] | [8] |
+| [e.g., Internal ML Pipeline] | [In-house] | [High] | [Data Science, Product] | [12] |
+
+### 3. Training Levels
+<!-- GUIDANCE: Define training proportionate to exposure and risk. Level 1 covers
+all staff (what AI is, prohibited practices). Level 2 covers operators (how to
+use specific tools correctly). Level 3 covers technical staff (Art. 9-15
+requirements). Level 4 covers leadership (liability, penalties up to €35M/7%).
+Example: Marketing team using ChatGPT needs Level 2; ML engineers need Level 3. -->
+
+**Level 1 — General AI Awareness (All Staff)**
+- Duration: 2 hours
+- Topics: What is AI, How AI systems work (high level), EU AI Act overview and what it means for our company, Prohibited AI practices (what we must NOT do), Our company AI usage policy, How to report concerns
+- Assessment: 10-question quiz, pass threshold: 70%
+- Mandatory for: All employees within 30 days of policy effective date or hiring
+
+**Level 2 — AI Operator Training (Staff Using AI Tools)**
+- Duration: 4 hours
+- Prerequisites: Level 1 completed
+- Topics: How to use each specific AI system correctly per provider instructions, Understanding AI outputs (limitations, confidence, potential errors), When to escalate to human review, Data input quality responsibilities, Logging and record-keeping requirements, Transparency obligations (disclosing AI to users/customers)
+- Assessment: Practical exercise + 15-question quiz, pass threshold: 80%
+- Mandatory for: All staff who directly use AI systems in their work
+
+**Level 3 — Technical AI Competence (AI Developers/Engineers)**
+- Duration: 8 hours
+- Prerequisites: Level 2 completed
+- Topics: Risk management system requirements, Data governance and bias detection, Technical documentation requirements (Annex IV), Logging architecture requirements (Article 12), Human oversight design (Article 14), Accuracy, robustness, and cybersecurity requirements (Article 15), Conformity assessment process, Post-market monitoring
+- Assessment: Technical exercise + peer review, pass threshold: 85%
+- Mandatory for: AI/ML engineers, data scientists, AI product managers
+
+**Level 4 — AI Governance (Leadership)**
+- Duration: 3 hours
+- Prerequisites: Level 1 completed
+- Topics: Board-level AI governance responsibilities, Liability and penalty exposure (up to €35M / 7% turnover), Strategic AI risk management, Quality management system overview, Incident reporting obligations, Regulatory engagement approach
+- Assessment: Discussion-based assessment
+- Mandatory for: C-suite, board members, heads of department, legal/compliance team
+
+### 4. Assessment Methods
+<!-- GUIDANCE: Define assessment methods proportionate to each training level.
+Assessments should test practical understanding, not just theoretical knowledge.
+Example: "Level 1: 10-question multiple-choice quiz. Level 2: Practical exercise
+using AI tool + 15-question quiz. Level 3: Technical exercise with peer review." -->
+
+| Level | Assessment Type | Pass Threshold | Retake Policy |
+|-------|----------------|----------------|---------------|
+| Level 1 | Multiple-choice quiz (10 questions) | 70% | Unlimited retakes |
+| Level 2 | Practical exercise + quiz (15 questions) | 80% | 2 retakes, then instructor review |
+| Level 3 | Technical exercise + peer review | 85% | Resubmission within 14 days |
+| Level 4 | Discussion-based assessment | N/A (qualitative) | Follow-up meeting if gaps identified |
+
+### 5. Training Delivery
+<!-- GUIDANCE: Consider accessibility requirements (disability formats, multiple
+languages for multinational workforce). Platform choice should support completion
+tracking and certificate generation. Example: "LMS with SCORM tracking, available
+in EN/DE/FR, WCAG 2.1 AA compliant." -->
+
+- **Method:** Combination of e-learning modules, in-person workshops, and practical exercises
+- **Platform:** [e.g., Complior.ai training modules / internal LMS / external provider]
+- **Languages:** [List languages relevant to your workforce]
+- **Accessibility:** Training materials available in accessible formats per applicable disability requirements
+
+### 6. Training Schedule
+<!-- GUIDANCE: Art. 4 does not specify a timeline, but "sufficient level" implies
+timely training. New hires should complete training before accessing AI systems.
+Annual refresh ensures staff stay current with regulatory updates.
+Example: "New hire training within 30 days of start; Level 3 refresh annually." -->
+
+| Event | Timing |
+|-------|--------|
+| Initial training (existing staff) | Within 60 days of policy effective date |
+| New hire training | Within 30 days of start date |
+| Annual refresh | Within 12 months of last training |
+| System-specific training | Before first use of new AI system |
+| Update training | Within 30 days of significant regulatory or system change |
+
+### 7. Training Record Template
+<!-- GUIDANCE: Maintain auditable records. Each record should link to a verifiable
+certificate. Scores below the pass threshold require re-training. Track "Next Due"
+to prevent lapses. Example: "Employee EMP-042 completed Level 2 on 2025-06-15,
+score 85%, certificate CERT-2025-042, next due 2026-06-15." -->
+
+| Employee ID | Name | Department | Role | Level | Completed Date | Score | Trainer | Certificate ID | Next Due |
+|-------------|------|------------|------|-------|----------------|-------|---------|----------------|----------|
+| EMP-001 | [Name] | [Dept] | [Role] | L2 | 2025-06-15 | 85% | [Trainer] | CERT-2025-001 | 2026-06-15 |
+
+### 8. Roles and Responsibilities
+<!-- GUIDANCE: Assign a named Program Owner with organizational authority. The
+owner is accountable to regulators. Department heads are responsible for their
+team's completion. Legal/Compliance validates content accuracy.
+Example: "Program Owner: Jane Smith, Head of AI Governance." -->
+
+| Role | Responsibility |
+|------|---------------|
+| AI Literacy Program Owner | [Name, Title] — Overall accountability for training program |
+| Training Coordinator | [Name, Title] — Scheduling, logistics, record-keeping |
+| Department Heads | Ensure their staff complete required training on time |
+| All Staff | Complete assigned training and apply learnings |
+| Legal/Compliance | Review training content for regulatory accuracy |
+
+### 9. Non-Compliance Escalation
+<!-- GUIDANCE: Define progressive consequences to ensure completion. Restricting
+AI system access for non-compliant staff is both a practical safeguard and a
+regulatory defense. Example: "After 30 days overdue, AI system access credentials
+are suspended until training is completed." -->
+
+- Staff who miss training deadlines: reminder at 7 days, escalation to manager at 14 days, escalation to HR at 30 days
+- Persistent non-completion: formal performance discussion, potential access restriction to AI systems
+
+### 10. Review and Update
+<!-- GUIDANCE: Trigger-based reviews ensure the policy stays current. Key triggers
+include: new AI Act implementing acts, adoption of new AI systems, audit findings,
+and incidents. Example: "Policy updated within 30 days of new Commission guidelines
+or adoption of any new high-risk AI system." -->
+
+This policy is reviewed annually or upon:
+- New EU AI Act guidance or amendments
+- Adoption of new AI systems
+- Significant changes to existing AI systems
+- Audit findings requiring training updates
+
+### Sign-off:
+<!-- GUIDANCE: Minimum sign-offs: Policy Owner, HR (for training logistics),
+Legal/Compliance (for regulatory accuracy), and CEO/MD (organizational commitment).
+Additional sign-offs may include Works Council where required by national law.
+Example: In Germany, Betriebsrat consultation is required for training policies. -->
+
+| Role | Name | Signature | Date |
+|------|------|-----------|------|
+| Policy Owner | _________________ | _________________ | _________ |
+| HR Director | _________________ | _________________ | _________ |
+| Legal/Compliance | _________________ | _________________ | _________ |
+| CEO/Managing Director | _________________ | _________________ | _________ |
+
+## Legal Formulation:
+
+**EN:** "In compliance with Article 4 of Regulation (EU) 2024/1689 (EU Artificial Intelligence Act), [Company Name] ensures that all staff and relevant third parties dealing with the operation and use of AI systems on its behalf have a sufficient level of AI literacy, taking into account their technical knowledge, experience, education and training, the context in which the AI systems are to be used, and the persons or groups of persons on whom the AI systems are to be used."
+
+**DE:** „Gemäß Artikel 4 der Verordnung (EU) 2024/1689 (Verordnung über Künstliche Intelligenz) stellt [Firmenname] sicher, dass alle Mitarbeitenden und relevanten Dritte, die mit dem Betrieb und der Nutzung von KI-Systemen in ihrem Auftrag befasst sind, über ein ausreichendes Maß an KI-Kompetenz verfügen, unter Berücksichtigung ihrer technischen Kenntnisse, Erfahrung, Ausbildung und Schulung, des Kontexts, in dem die KI-Systeme eingesetzt werden sollen, sowie der Personen oder Personengruppen, gegenüber denen die KI-Systeme eingesetzt werden sollen."

package/data/templates/eu-ai-act/art5-screening.md

@@ -0,0 +1,131 @@
+# Template 2: Article 5 Prohibited Practices Screening Report
+
+**Obligation:** eu-ai-act-OBL-002 (and sub-obligations OBL-002a through OBL-002g)
+**Article:** Article 5
+**For:** Both Deployers and Providers
+**Format:** DOCX / PDF
+**Status:** REQUIRED SINCE FEBRUARY 2, 2025
+**Penalty for violation:** UP TO €35M / 7% GLOBAL TURNOVER
+
+## Document Structure:
+
+### 1. Report Header
+<!-- GUIDANCE: This report documents compliance with Art. 5 — the highest-penalty
+provision (up to €35M / 7% global turnover). Ensure the Commission Guidelines
+reference reflects the February 2025 publication. Re-screen whenever adopting a
+new AI system. Example: "ART5-2026-001, screening triggered by adoption of new
+NLP pipeline on 2026-01-15." -->
+
+| Field | Value |
+|-------|-------|
+| Document Title | Article 5 Prohibited Practices Screening Report — [Company Name] |
+| Report ID | ART5-[YYYY]-[NNN] |
+| Date of Screening | [Date] |
+| Conducted By | [Name, Title] |
+| Reviewed By | [Name, Title] |
+| Regulation Reference | EU AI Act (Regulation (EU) 2024/1689), Article 5 |
+| Commission Guidelines Reference | Guidelines on Prohibited AI Practices (Feb 2025) |
+
+### 2. AI System Inventory
+<!-- GUIDANCE: List EVERY AI system in the organization, not just those suspected
+of prohibited practices. Art. 5 applies regardless of risk level — even minimal-risk
+systems could contain prohibited features. Include shadow IT if discovered.
+Example: A marketing team's unapproved use of emotion-detection in customer calls
+would fall under Art. 5(1)(f). -->
+
+| # | System Name | Provider | Description | Domain | Deployed Since | Risk Level |
+|---|-------------|----------|-------------|--------|----------------|------------|
+| 1 | [e.g., Salesforce Einstein] | [Salesforce] | [Lead scoring] | [Sales] | [2024-03] | [Minimal] |
+| 2 | [e.g., Textio] | [Textio] | [Job posting optimization] | [HR] | [2024-06] | [Limited] |
+| 3 | [e.g., Custom NLP Pipeline] | [In-house] | [Customer sentiment] | [Support] | [2025-01] | [Limited] |
+
+### 3. Screening Matrix — Per System
+<!-- GUIDANCE: Complete ALL 8 checks for EACH system — do not skip checks that
+seem obviously inapplicable. Document your reasoning for each "No" conclusion.
+Art. 5(1)(a) "subliminal techniques" includes dark patterns in AI-powered UX.
+Example: An AI chatbot that uses urgency cues to pressure purchases could trigger
+Art. 5(1)(a) manipulative techniques. -->
+
+**For EACH AI system, complete the following assessment:**
+
+---
+
+**System: [System Name]**
+
+| # | Prohibited Practice (Article 5(1)) | Applicable? | Analysis | Conclusion |
+|---|-------------------------------------|-------------|----------|------------|
+| a | **Subliminal/Manipulative/Deceptive Techniques** — Does this AI deploy techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, that materially distort behavior causing significant harm? | Yes / No / N/A | [Detailed analysis. Consider: Does the AI personalize content in ways that could manipulate? Does it use dark patterns? Does it target decision-making vulnerabilities? Cite specific features or capabilities.] | PASS / FAIL / REVIEW |
+| b | **Exploitation of Vulnerabilities** — Does this AI exploit vulnerabilities related to age, disability, or social/economic situation to distort behavior causing significant harm? | Yes / No / N/A | [Analysis: Does the system interact with vulnerable populations? Could it exploit their specific vulnerabilities? Is content/behavior adapted based on vulnerability indicators?] | PASS / FAIL / REVIEW |
+| c | **Social Scoring** — Does this AI evaluate or classify persons based on social behavior or personal characteristics, leading to detrimental or disproportionate treatment in unrelated contexts? | Yes / No / N/A | [Analysis: Does the system score individuals? Are scores used to determine access to services/rights? Is scoring context-appropriate or does it leak into unrelated decisions?] | PASS / FAIL / REVIEW |
+| d | **Criminal Risk Profiling** — Does this AI assess criminal risk of individuals based solely on profiling or personality traits? | Yes / No / N/A | [Analysis: Does the system predict criminal behavior? If yes, is it based on objective verifiable facts (allowed) or personality/demographic profiling (prohibited)?] | PASS / FAIL / REVIEW |
+| e | **Untargeted Facial Image Scraping** — Does this AI create or expand facial recognition databases through untargeted scraping from internet or CCTV? | Yes / No / N/A | [Analysis: Does the system collect/process facial images? If yes, what is the source? Is collection targeted and lawful, or untargeted mass scraping?] | PASS / FAIL / REVIEW |
+| f | **Emotion Recognition in Workplace/Education** — Does this AI infer emotions of persons in workplace or educational institution settings? | Yes / No / N/A | [Analysis: Does the system detect or infer emotions (facial expression, voice tone, body language, text sentiment)? Is it used in workplace or education context? Medical/safety exception documentation if claimed.] | PASS / FAIL / REVIEW |
+| g | **Biometric Categorization by Sensitive Characteristics** — Does this AI use biometric data to categorize persons by race, political opinions, trade union membership, religion, sex life, or sexual orientation? | Yes / No / N/A | [Analysis: Does the system process biometric data? Does it infer any sensitive characteristics from biometric inputs?] | PASS / FAIL / REVIEW |
+| h | **Real-Time Remote Biometric ID in Public Spaces** — Does this AI perform real-time remote biometric identification in publicly accessible spaces for law enforcement purposes? | Yes / No / N/A | [Analysis: Does the system perform real-time biometric identification? Is it in publicly accessible spaces? For law enforcement? If yes, do any narrow exceptions (Art. 5(2)-(3)) apply?] | PASS / FAIL / REVIEW |
+
+---
+
+[Repeat screening matrix for each AI system in inventory]
+
+### 4. Summary Results
+<!-- GUIDANCE: Aggregate results across all systems. Any FAIL requires immediate
+action — continued use of a prohibited system exposes the organization to maximum
+penalties. REVIEW items should have a deadline for resolution.
+Example: "12 systems screened: 10 PASS, 2 REVIEW (deadline: 2026-04-01), 0 FAIL." -->
+
+| Total Systems Screened | PASS (All Clear) | REVIEW (Needs Further Analysis) | FAIL (Prohibited Use Detected) |
+|------------------------|------------------|---------------------------------|-------------------------------|
+| [Number] | [Number] | [Number] | [Number] |
+
+### 5. Systems Requiring Action
+<!-- GUIDANCE: For each system flagged REVIEW or FAIL, specify the exact prohibited
+practice reference (e.g., "Art. 5(1)(c)"), the required action, and a named
+responsible person. Cessation of prohibited use must be immediate per Art. 5.
+Example: "Emotion detection feature in call center AI — cease use immediately,
+remove feature by 2026-04-01, responsible: CTO." -->
+
+| System | Issue | Prohibited Practice | Required Action | Deadline | Responsible |
+|--------|-------|---------------------|-----------------|----------|-------------|
+| [Name] | [Description] | Art. 5(1)([x]) | [Cease use / Modify / Remove feature] | [Date] | [Name] |
+
+### 6. Methodology Notes
+<!-- GUIDANCE: Document your screening methodology to demonstrate due diligence.
+Include: who was interviewed, what documentation was reviewed, whether system
+testing was performed. Apply the precautionary principle for uncertain cases.
+Example: "Reviewed provider documentation, tested system with synthetic data,
+interviewed 3 system operators, reviewed source code for in-house systems." -->
+
+- This screening was conducted by reviewing: system documentation, provider disclosures, system functionality testing, code review (where applicable), and interviews with system operators.
+- Classification criteria follow the European Commission's Guidelines on Prohibited AI Practices published February 2025.
+- Where uncertainty exists, the precautionary principle is applied: the system is flagged for REVIEW and further expert analysis is required before continued use.
+
+### 7. Sign-off
+<!-- GUIDANCE: The reviewer must be independent of the assessment — ideally
+Legal/Compliance. Schedule the next screening at least annually and upon any
+new AI system adoption. Example: "Next screening due 2027-03-01, or upon
+adoption of any new AI system, whichever is earlier." -->
+
+| Role | Name | Signature | Date |
+|------|------|-----------|------|
+| Assessor | _________________ | _________________ | _________ |
+| Reviewer (Legal/Compliance) | _________________ | _________________ | _________ |
+| Decision Maker | _________________ | _________________ | _________ |
+
+**Next Screening Due:** [Date — recommend annually or upon adoption of any new AI system]
+
+## Example Completed Entry:
+
+**System: Salesforce Einstein Lead Scoring**
+
+| # | Prohibited Practice | Applicable? | Analysis | Conclusion |
+|---|---------------------|-------------|----------|------------|
+| a | Subliminal/Manipulative | No | System scores inbound leads based on explicit company data (company size, industry, engagement history). Does not interact with or attempt to influence lead behavior. No dark patterns. | PASS |
+| b | Exploitation of Vulnerable | No | B2B context only. No individual vulnerability indicators processed. | PASS |
+| c | Social Scoring | No | Scores are business leads, not individuals' social behavior. Score is used only for sales prioritization, not access to services. | PASS |
+| d | Criminal Risk Profiling | No | N/A — not used for criminal risk assessment. | PASS |
+| e | Facial Scraping | No | No facial/biometric data processed. | PASS |
+| f | Workplace Emotion Recognition | No | No emotion detection capability. | PASS |
+| g | Biometric Categorization | No | No biometric data processed. | PASS |
+| h | Real-Time Biometric ID | No | N/A — not a biometric system. | PASS |
+
+**Overall: PASS — No prohibited practices identified.**

package/data/templates/eu-ai-act/data-governance.md

@@ -0,0 +1,145 @@
+# Data Governance Policy
+
+> **Regulation**: EU AI Act (Regulation (EU) 2024/1689), Article 10
+> **Obligation**: OBL-004 — Data and Data Governance
+> **For**: Providers of High-Risk AI Systems
+> **Deadline**: August 2, 2026
+> **Document ID**: DGP-[YYYY]-[NNN]
+
+<!-- GUIDANCE: Art. 10 requires high-risk AI systems to be developed using training, validation,
+     and testing data sets that meet specific quality criteria. This document establishes
+     the data governance framework. -->
+
+---
+
+## 1. Document Control
+
+| Field | Value |
+|-------|-------|
+| AI System | [AI System Name] |
+| Provider | [Company Name] |
+| Version | [X.Y] |
+| Risk Class | [Risk Class] |
+| Created | [Date] |
+| Last Review | [Date] |
+| Next Review | |
+| Approved By | [Name, Title] |
+
+---
+
+## 2. Data Sources
+
+<!-- GUIDANCE: Art. 10(2)(a) — Describe design choices, data collection processes,
+     the origin of data, and in the case of personal data, the original purpose of collection. -->
+
+| # | Source Name | Type | Origin | Personal Data? | Legal Basis | Volume |
+|---|-----------|------|--------|----------------|-------------|--------|
+| 1 | | Training / Validation / Test | | Yes/No | | |
+
+---
+
+## 3. Collection Methods
+
+<!-- GUIDANCE: Art. 10(2)(a)-(b) — Document data collection processes and data preparation
+     operations such as annotation, labelling, cleaning, updating, enrichment, aggregation. -->
+
+### 3.1 Data Collection
+
+| Method | Description | Frequency | Responsible |
+|--------|-------------|-----------|-------------|
+| | | | |
+
+### 3.2 Data Preparation
+
+| Step | Description | Tools Used | QA Check |
+|------|-------------|-----------|----------|
+| Annotation | | | |
+| Labelling | | | |
+| Cleaning | | | |
+| Enrichment | | | |
+| Aggregation | | | |
+
+---
+
+## 4. Quality Metrics
+
+<!-- GUIDANCE: Art. 10(2)(f) — Examination in view of possible biases that are likely
+     to affect health, safety, or fundamental rights. Art. 10(3) — Data sets shall be
+     relevant, sufficiently representative, and to the best extent possible, free of errors
+     and complete in view of the intended purpose. -->
+
+| Metric | Target | Current | Measurement Method | Last Measured |
+|--------|--------|---------|-------------------|---------------|
+| Completeness | | | | |
+| Accuracy | | | | |
+| Representativeness | | | | |
+| Timeliness | | | | |
+| Consistency | | | | |
+
+---
+
+## 5. Bias Analysis
+
+<!-- GUIDANCE: Art. 10(2)(f)-(g) — Identify possible biases and describe measures
+     to detect, prevent, and mitigate them. Identify relevant data gaps or shortcomings
+     and how they can be addressed. -->
+
+### 5.1 Identified Biases
+
+| # | Bias Type | Affected Group | Detection Method | Severity | Status |
+|---|-----------|----------------|-----------------|----------|--------|
+| 1 | | | | Low/Medium/High | Identified/Mitigated/Monitored |
+
+### 5.2 Mitigation Measures
+
+| Bias | Mitigation | Implementation Status | Responsible |
+|------|-----------|----------------------|-------------|
+| | | Planned/Implemented/Verified | |
+
+---
+
+## 6. Representativeness
+
+<!-- GUIDANCE: Art. 10(3) — Data sets shall take into account the specific geographical,
+     contextual, behavioural, or functional setting within which the AI system is intended
+     to be used. Art. 10(4) — Where special categories of personal data are strictly
+     necessary for bias detection and correction, additional safeguards apply. -->
+
+### 6.1 Population Coverage
+
+| Demographic | Representation in Data | Target Population | Gap |
+|-------------|----------------------|-------------------|-----|
+| Geographic | | | |
+| Age groups | | | |
+| Gender | | | |
+
+### 6.2 Special Categories of Personal Data (Art. 10(5))
+
+| Category | Used? | Justification | Safeguards |
+|----------|-------|--------------|------------|
+| Racial/ethnic origin | No | | |
+| Political opinions | No | | |
+| Religious beliefs | No | | |
+| Health data | No | | |
+| Biometric data | No | | |
+
+---
+
+## 7. Data Retention and Access Control
+
+<!-- GUIDANCE: Ensure compliance with GDPR for personal data and document access controls
+     for training/validation/test datasets. -->
+
+| Dataset | Retention Period | Access Level | Encryption | Deletion Policy |
+|---------|-----------------|-------------|------------|----------------|
+| | | | | |
+
+---
+
+## Sign-off
+
+| Role | Name | Signature | Date |
+|------|------|-----------|------|
+| Data Officer | | | |
+| Technical Lead | | | |
+| DPO / Privacy Officer | | | |

package/data/templates/eu-ai-act/declaration-of-conformity.md

@@ -0,0 +1,161 @@
+# EU Declaration of Conformity
+
+> **Regulation**: EU AI Act (Regulation (EU) 2024/1689), Article 47 / Annex V
+> **Obligation**: OBL-019 — EU Declaration of Conformity
+> **For**: Providers of High-Risk AI Systems
+> **Deadline**: August 2, 2026
+> **Document ID**: DOC-[YYYY]-[NNN]
+
+<!-- GUIDANCE: Art. 47 requires a SEPARATE declaration for each high-risk AI system.
+     It must be kept up to date and available to national authorities for 10 years
+     after the system is placed on the market. The content shall follow Annex V.
+     Keep a signed copy with the technical documentation (Art. 18). -->
+
+*In accordance with Article 47 of Regulation (EU) 2024/1689 (Artificial Intelligence Act)*
+
+---
+
+## 1. AI System Identification (Annex V §1)
+
+| Field | Value |
+|-------|-------|
+| AI System Name | [AI System Name] |
+| System Type | |
+| Version | [X.Y] |
+| Unique Reference / Serial | |
+| Risk Class | [Risk Class] |
+
+---
+
+## 2. Provider Information (Annex V §2)
+
+| Field | Value |
+|-------|-------|
+| Provider Name | [Company Name] |
+| Registered Address | |
+| Contact Person | |
+| Contact Email | |
+| Authorised Representative (if applicable) | |
+| Representative Address (if applicable) | |
+
+---
+
+## 3. Sole Responsibility Statement (Annex V §3)
+
+This EU declaration of conformity is issued under the sole responsibility of the provider named in section 2.
+
+---
+
+## 4. Object of Declaration (Annex V §4)
+
+<!-- GUIDANCE: Describe the AI system unambiguously so it can be traced.
+     Include software version, model identifiers, deployment environment. -->
+
+| Field | Value |
+|-------|-------|
+| System Description | [Description] |
+| Intended Purpose | |
+| Software Version | [X.Y] |
+| Model Identifier | |
+
+---
+
+## 5. Conformity Statement (Annex V §5)
+
+The AI system described in section 4 is in conformity with:
+
+- [ ] Regulation (EU) 2024/1689 — Artificial Intelligence Act
+- [ ] Regulation (EU) 2016/679 — General Data Protection Regulation (where applicable)
+- [ ] Other applicable Union harmonisation legislation: _________________
+
+---
+
+## 6. Standards Applied (Annex V §6)
+
+<!-- GUIDANCE: List specific harmonised standards or common specifications.
+     If no harmonised standards exist yet, state which standards/specifications
+     you followed and explain why they are appropriate. -->
+
+| Standard / Specification | Title | Relevant Articles Covered |
+|--------------------------|-------|--------------------------|
+| | | |
+
+---
+
+## 7. Notified Body (Annex V §7)
+
+<!-- GUIDANCE: Only applicable if conformity assessment was performed by a notified body
+     (Annex VII route). For internal control (Annex VI), state "Not applicable". -->
+
+| Field | Value |
+|-------|-------|
+| Notified Body Name | Not applicable / [Name] |
+| Notified Body Number | |
+| Certificate Reference | |
+| Intervention Description | |
+| Certificate Date | |
+
+---
+
+## 8. Conformity Assessment Procedure (Annex V §8)
+
+| Field | Value |
+|-------|-------|
+| Assessment Route | Annex VI (internal control) / Annex VII (notified body) |
+| Assessment Date | |
+| Date of First CE Marking | |
+| Technical Documentation Reference | [TDD-YYYY-NNN] |
+| Risk Management Reference | [RMS-YYYY-NNN] |
+| QMS Reference | [QMS-YYYY-NNN] |
+
+---
+
+## 9. Evidence
+
+### 9.1 Documents Reviewed
+
+| Document | Reference | Status |
+|----------|-----------|--------|
+| Technical Documentation (Art. 11) | | Complete / In progress |
+| Risk Management System (Art. 9) | | Complete / In progress |
+| Data Governance (Art. 10) | | Complete / In progress |
+| Quality Management System (Art. 17) | | Complete / In progress |
+| Instructions for Use (Art. 13) | | Complete / In progress |
+
+### 9.2 Tests Conducted
+
+| Test | Date | Result | Report Reference |
+|------|------|--------|-----------------|
+| Accuracy (Art. 15) | | Pass/Fail | |
+| Robustness (Art. 15) | | Pass/Fail | |
+| Cybersecurity (Art. 15) | | Pass/Fail | |
+| Bias/Fairness (Art. 10) | | Pass/Fail | |
+
+---
+
+## 10. Additional Information
+
+| Field | Value |
+|-------|-------|
+| EU Database Registration (Art. 71) | |
+| Post-Market Monitoring Plan Ref | |
+| Validity Period | |
+| Review Schedule | |
+
+---
+
+## Signatory
+
+Signed for and on behalf of: **[Company Name]**
+
+| Field | Value |
+|-------|-------|
+| Place | |
+| Date | [Date] |
+| Name | |
+| Title / Function | |
+| Signature | |
+
+---
+
+*This declaration shall be kept for 10 years after the AI system has been placed on the market or put into service (Art. 18).*