Trust & complianceEU AI Act readiness

EU AI Act readiness

How CleverRouter helps you meet GPAI transparency, logging and incident-reporting obligations.

The EU AI Act lands different obligations on different actors. As an AI gateway, CleverRouter is upstream of your application. We can't make your AI system compliant on your behalf, but we can give you the provenance, logs and contracts you need to make compliance a checkbox rather than a project.

This page is not legal advice

Talk to your DPO or counsel before relying on any specific clause for compliance evidence. We can help you write a security review — email hello@clevermation.com.

What we are vs what you are

Role under the AI ActWho
GPAI model providerMistral, Anthropic, Cohere, etc.
Sub-processor (gateway operator)Clevermation GmbH
Deployer / provider of an AI systemYou

Your obligations depend on whether you deploy or provide an AI system, and whether it's high-risk or limited-risk. We can supply:

  • Provenance per call (X-CleverRouter-Provider and the model id).
  • Metadata-only logs you can export.
  • A sub-processor list and DPA that explicitly name every upstream.
  • A DPO contact (Dr. Lars Hoffmann).

What we deliver out of the box

  1. Model provenance. Every response carries X-CleverRouter-Provider, the model id is in the response body. Log both and you have a full inference trail per request.
  2. Sub-processor transparency. The list at GDPR & DPA is public and updated 30 days before any new provider goes live.
  3. Metadata-only audit log. requests table holds apiKeyId / model / provider / status / latencyMs / tokens / costCents / createdAt. No prompt or completion content. Exports available via the dashboard.
  4. Incident-reporting hook. Provider incidents that affect serving (model outage, deprecation, region-change) are mirrored to your dashboard inbox and the /status page.

What we don't do (because it's your call)

  • We do not classify your AI system as high-risk vs limited-risk.
  • We do not run conformity assessments for you.
  • We do not produce model evaluation reports — that's the upstream GPAI provider's obligation.
  • We do not have a content-filter layer between you and the model. Apply your own pre/post-filtering for sensitive use cases.

Transparency hooks we expose

  • Per-request: X-Request-Id, X-CleverRouter-Provider, response model field.
  • Per-key: usage rollups in usage_daily (5-minute aggregation).
  • Per-workspace: sub-processor allowlist toggles at /app/compliance/providers.
  • Per-incident: status page + email subscription.

Suggested checklist for a deployment review

  • Have you classified your AI system under the Act?
  • Have you signed our DPA + addendum (if relevant)?
  • Have you set per-key budgets to cap unexpected spend?
  • Have you exported a sample requests dataset for your audit?
  • Have you subscribed to status alerts at status.cleverouter.eu?
  • Have you put model-id + provider into your application logs (alongside X-Request-Id)?