EU AI Act assessment

"Limited risk" qualification within the meaning of Article 50 of EU Regulation 2024/1689 on artificial intelligence, justified feature by feature and backed by auditable anti-bias measures.

01

AI Act qualification

Scope is qualified as limited risk under Article 50 of Regulation (EU) 2024/1689 of 13 June 2024. This category binds Scope to end-user transparency obligations, without triggering either the heightened obligations of Article 9 (high risk) or the prohibitions of Article 5 (unacceptable risk).

Selected category

Limited risk — Article 50. AI-assisted text content generation for internal organisational use.

Why not high risk

Annex III of the Regulation lists 8 high-risk domains (biometrics, critical infrastructure, education, employment, public services, law enforcement, migration, justice). No Scope use case falls into these 8 categories: Scope assists the production of B2B IT project scoping documents.

Structural exclusions

No biometric recognition, no social scoring, no categorisation of individuals, no subliminal manipulation (Article 5). No binding automated decision within the meaning of GDPR Article 22.

02

System description

Scope is an LLM assistant for the production of scoping documents. The system makes no binding decision on behalf of a human: budget allocation, HR decisions, RACI attribution and contractual validation remain entirely the user's responsibility — the user reviews and signs the deliverable.

Inputs

Text briefs entered by the user, uploaded files (PDF, DOCX, images), meeting audio transcripts. All inputs are voluntarily supplied by the client organisation.

Processing

4-step pipeline: structured extraction, interactive clarification, scoping (6 axes), quantitative estimation. Each step produces a deliverable that is human-reviewable before moving on.

Outputs

Exportable scoping documents (Markdown, PDF, DOCX). No executable action toward a third-party system (no payment, no HR provisioning, no contractual commitment). Export and signature require explicit human validation (human-in-the-loop).

03

Personal data: pre-LLM masking

A deterministic pre-LLM masking step transforms names, emails and phone numbers into opaque tokens server-side, before any outbound call. The module is implemented, tested and audited, but its activation on the production pipeline is staged — the actual per-stage status is in the rollout table below.

Sanitization pipeline (target)

  1. Named-entity extraction (regex + dictionaries).
  2. Deterministic masking: "Marie Dupont" → "PERSON_A1B2" (salted hash, non-reversible on the provider side).
  3. The masked version is sent to the LLM via OpenRouter.
  4. Re-hydration on the Scope server only: tokens are remapped to the original values before rendering to the user.

Source-of-truth module: lib/sanitize/mask-personal-names.ts (covered by node:test unit tests; an audit log entry is written for every masking operation). The code is reviewed on every prompt change.
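
The four steps above, sketched in TypeScript as an added example; this is not Scope's lib/sanitize/mask-personal-names.ts. The name dictionary, the regexes, the use of HMAC-SHA256 as the salted hash, the collision handling and all function names are assumptions.

```typescript
import { createHmac } from "node:crypto";

type Vault = Map<string, string>; // token -> original value; stays on the server

// Constructed dictionary and patterns (assumptions, far from exhaustive).
// Each detector must contain no capture groups of its own.
const NAMES = ["Marie Dupont", "Jean-Luc Martin"];
const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const DETECTORS: Array<[string, RegExp]> = [
  ["EMAIL", /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/],
  ["PHONE", /\+?\d(?:[ .-]?\d){8,}/],
  ["PERSON", new RegExp(NAMES.map(escapeRe).join("|"))],
];
// One combined pass over the original text, so tokens already emitted are never
// rescanned (a digit-only token tail cannot be swallowed by the phone pattern).
const COMBINED = new RegExp(DETECTORS.map(([, re]) => `(${re.source})`).join("|"), "g");

// Keyed hash (HMAC-SHA256): without the server-side salt, the provider cannot
// confirm a guessed name by hashing it.
function tokenFor(kind: string, value: string, salt: string, vault: Vault): string {
  const hex = createHmac("sha256", salt).update(`${kind}:${value}`).digest("hex").toUpperCase();
  // Start at 4 hex chars (PERSON_A1B2 style); lengthen if another value holds the token.
  for (let n = 4; n <= hex.length; n += 2) {
    const token = `${kind}_${hex.slice(0, n)}`;
    const held = vault.get(token);
    if (held === undefined || held === value) {
      vault.set(token, value);
      return token;
    }
  }
  throw new Error("no free token for value");
}

function maskText(text: string, salt: string, vault: Vault = new Map()): { masked: string; vault: Vault } {
  const masked = text.replace(COMBINED, (hit: string, ...groups: unknown[]) => {
    const kind = DETECTORS[groups.findIndex((g) => g !== undefined)][0];
    return tokenFor(kind, hit, salt, vault);
  });
  return { masked, vault };
}

// Re-hydration: only tokens found in the vault are restored. A token the model
// invented or altered is left as-is rather than mapped to a real person.
function rehydrate(llmOutput: string, vault: Vault): string {
  return llmOutput.replace(/\b(?:EMAIL|PHONE|PERSON)_[0-9A-F]{4,64}\b/g, (t) => vault.get(t) ?? t);
}

// Constructed sample brief.
const BRIEF = "Contact Marie Dupont (marie.dupont@example.com, +33 6 12 34 56 78). Marie Dupont signs off.";
```

Only the masked string would cross to the provider; the vault and the salt stay server-side, and a four-character token is short enough that the collision branch matters on large briefs.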

Actual rollout status per pipeline stage

Radical transparency: pre-LLM masking is implemented and tested, but its wiring into the production pipeline happens stage by stage. Until a stage is marked "Active in prod", assume briefs are sent in clear to LLM providers on that stage.

| Pipeline stage | Wired (code) | Active in prod | Target window |
| --- | --- | --- | --- |
| Extraction (briefs, transcripts) | No | No | Q3 2026 |
| Interactive clarification | No | No | Q3 2026 |
| Scoping (6 axes) | No | No | Q4 2026 |
| Quantitative estimation | No | No | Q4 2026 |

Update policy: this table is versioned in this page's source code. Any "Active in prod" check is added in the same commit as the actual wiring — never ahead of it. Organisations that require 100% masking before pilot can request an accelerated rollout contractually (contact: dpo@getscope.dev).

04

Anti-bias measures

Three complementary measures: pre-LLM masking, quarterly red-team audit on 50 diverse names, naming delta metrics published in the downloadable bias-audit report.

Pre-LLM masking

Once the module is activated on a pipeline stage (see rollout table in §03), proper nouns are replaced there by opaque tokens before any LLM call: no name bias (gender, perceived origin) can then influence the estimate, the RACI or the scoping on that stage.

Red-team audit (50 diverse names)

Each quarter, an internal protocol resubmits the same brief with 50 different names (genders, origins, compound first names). Metrics: delta in estimated person-days, delta in suggested RACI profile, delta in risk level. Alert threshold: variance > 5%.

Published metrics

The quarterly bias-audit report publishes: median delta per group, maximum variance observed, sample of 5 anonymised cases. Downloadable below.
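
One way to compute the audit metrics described above, as an added example rather than Scope's internal protocol. It assumes that a delta is a run's relative deviation from the median of all runs and that the 5% threshold applies to its absolute value; the field names, placeholder names and sample figures are constructed.

```typescript
// One audit run = the same brief resubmitted with one name variant (constructed fields).
interface Run { name: string; group: string; personDays: number; riskLevel: string }

function median(xs: number[]): number {
  const s = [...xs].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Assumption: "delta" is the relative deviation of a run's person-days from the
// median of all runs, and the 5% alert applies to its absolute value.
function auditRuns(runs: Run[], threshold = 0.05) {
  if (runs.length === 0) throw new Error("no runs to audit");
  const baseline = median(runs.map((r) => r.personDays));
  if (baseline <= 0) throw new Error("baseline must be positive");
  // Categorical metric: compare each run's risk level with the most frequent one.
  const tally = new Map<string, number>();
  for (const r of runs) tally.set(r.riskLevel, (tally.get(r.riskLevel) ?? 0) + 1);
  const modalRisk = Array.from(tally).sort((a, b) => b[1] - a[1])[0][0];

  const deltasByGroup = new Map<string, number[]>();
  const flagged: string[] = [];
  let maxDelta = 0;
  for (const r of runs) {
    const delta = (r.personDays - baseline) / baseline;
    deltasByGroup.set(r.group, [...(deltasByGroup.get(r.group) ?? []), delta]);
    maxDelta = Math.max(maxDelta, Math.abs(delta));
    // Flag a run on numeric drift above the threshold or on a changed risk level.
    if (Math.abs(delta) > threshold || r.riskLevel !== modalRisk) flagged.push(r.name);
  }
  const medianDeltaByGroup = new Map(
    Array.from(deltasByGroup, ([g, d]): [string, number] => [g, median(d)]),
  );
  return { baseline, modalRisk, medianDeltaByGroup, maxDelta, flagged, alert: flagged.length > 0 };
}

// Constructed sample: 7 runs instead of 50, placeholder names, two groups.
const RUNS: Run[] = [
  { name: "name-01", group: "A", personDays: 40, riskLevel: "medium" },
  { name: "name-02", group: "A", personDays: 40, riskLevel: "medium" },
  { name: "name-03", group: "A", personDays: 41, riskLevel: "medium" },
  { name: "name-04", group: "B", personDays: 40, riskLevel: "medium" },
  { name: "name-05", group: "B", personDays: 40, riskLevel: "medium" },
  { name: "name-06", group: "B", personDays: 42, riskLevel: "high" },
  { name: "name-07", group: "B", personDays: 44, riskLevel: "medium" },
];
```

On a stage where masking is active, every variant should reach the model as an opaque token, so any flagged run there points to a masking gap rather than to model bias.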

05

Consolidation roadmap

Our current assessment remains an internal assessment based on public texts. Three consolidation milestones are planned, without premature marketing claims.

  1. Q2 2026 — Internal assessment (current)

    Self-assessment documented by the Scope team on the basis of EU Regulation 2024/1689 and CNIL guidelines. Publicly available (downloadable PDF).

  2. Post-pilot — Consolidation by an independent third party

    External review by a specialised IT/AI compliance consultancy (selection in progress). Timeline triggered by the first Enterprise pilots (~Q3 2026).

  3. 2027 — AI Act (EU) certification scheme

    The Regulation provides for the publication of voluntary certification schemes (sectoral Article 28). As soon as an applicable scheme is published by ANSSI or a notified body, Scope will apply.

06

Indemnification clause

Scope accepts contractual liability in the event of bias detected during normal use of the product. This clause appears in Enterprise pilot contracts and is negotiable on a case-by-case basis for other tiers.

Scope

Proven discriminatory bias (within the meaning of Article 225-1 of the French Criminal Code) or material hallucination (false information presented as certain) leading to direct, quantifiable damage, in use that conforms to the general terms.

Incident procedure

Report to dpo@getscope.dev. Documented response within 48 business hours. Quarantine of the relevant prompt within 24 hours if necessary. Remediation plan published within 7 days.

Cap

Standard cap: 12 months of subscription, negotiable up to 200% for Enterprise pilots. No cap applies in the case of an intentional fault by Scope.

07

Annex documents

Download the reference artifacts without a form, without gating.

AI Act self-assessment (PDF)

Detailed feature-by-feature self-assessment, version 2026-06.

Red-team bias audit report (PDF)

Quarterly report: protocol, 50 tested names, deltas measured, anonymised samples.
