Trust & complianceEU AI Act readiness
EU AI Act readiness
How CleverRouter helps you meet GPAI transparency, logging and incident-reporting obligations.
The EU AI Act lands different obligations on different actors. As an AI gateway, CleverRouter is upstream of your application. We can't make your AI system compliant on your behalf, but we can give you the provenance, logs and contracts you need to make compliance a checkbox rather than a project.
This page is not legal advice
Talk to your DPO or counsel before relying on any specific clause for compliance evidence. We can help you write a security review — email hello@clevermation.com.
What we are vs what you are
| Role under the AI Act | Who |
|---|---|
| GPAI model provider | Mistral, Anthropic, Cohere, etc. |
| Sub-processor (gateway operator) | Clevermation GmbH |
| Deployer / provider of an AI system | You |
Your obligations depend on whether you deploy or provide an AI system, and whether it's high-risk or limited-risk. We can supply:
- Provenance per call (
X-CleverRouter-Providerand the model id). - Metadata-only logs you can export.
- A sub-processor list and DPA that explicitly name every upstream.
- A DPO contact (Dr. Lars Hoffmann).
What we deliver out of the box
- Model provenance. Every response carries
X-CleverRouter-Provider, the model id is in the response body. Log both and you have a full inference trail per request. - Sub-processor transparency. The list at GDPR & DPA is public and updated 30 days before any new provider goes live.
- Metadata-only audit log.
requeststable holdsapiKeyId / model / provider / status / latencyMs / tokens / costCents / createdAt. No prompt or completion content. Exports available via the dashboard. - Incident-reporting hook. Provider incidents that affect
serving (model outage, deprecation, region-change) are mirrored
to your dashboard inbox and the
/statuspage.
What we don't do (because it's your call)
- We do not classify your AI system as high-risk vs limited-risk.
- We do not run conformity assessments for you.
- We do not produce model evaluation reports — that's the upstream GPAI provider's obligation.
- We do not have a content-filter layer between you and the model. Apply your own pre/post-filtering for sensitive use cases.
Transparency hooks we expose
- Per-request:
X-Request-Id,X-CleverRouter-Provider, responsemodelfield. - Per-key: usage rollups in
usage_daily(5-minute aggregation). - Per-workspace: sub-processor allowlist toggles at
/app/compliance/providers. - Per-incident: status page + email subscription.
Suggested checklist for a deployment review
- Have you classified your AI system under the Act?
- Have you signed our DPA + addendum (if relevant)?
- Have you set per-key budgets to cap unexpected spend?
- Have you exported a sample
requestsdataset for your audit? - Have you subscribed to status alerts at
status.cleverouter.eu? - Have you put model-id + provider into your application logs
(alongside
X-Request-Id)?
Related
- Zero data retention — schema proof.
- GDPR & DPA — sub-processors, lawful basis.
- Errors —
CRModelDeprecatedErrorfor upstream retirement.