Trust & AI Act Compliance

DocuGardener is classified as a General Purpose AI (GPAI) system under Regulation (EU) 2024/1689 (the EU AI Act). It does not fall into any high-risk category listed in Annex III, because:

• It operates exclusively in software development workflows, not in safety-critical domains (healthcare, law enforcement, critical infrastructure, biometrics, education, employment).
• All AI-generated suggestions are delivered as GitHub Pull Requests requiring explicit human review and merge — DocuGardener never autonomously modifies production systems.
• No individual persons are scored, ranked, profiled, or subject to automated decisions with legal or similarly significant effect.

As a GPAI system, DocuGardener complies with the obligations in Chapter V of the EU AI Act, including:

• Article 12 — Transparency: We publish model cards for each supported LLM provider (see Section 2 below), disclose intended use and known limitations, and maintain this public trust page.
• Article 14 — Human Oversight: All AI outputs require an explicit human decision before taking effect. See our Human Oversight Attestation.
• Article 53 — GPAI obligations: We maintain technical documentation, cooperate with competent authorities on request, and provide a public summary of training data sourcing for models we operate (hosted mode).

DocuGardener is a documentation workflow tool, not an autonomous decision-making system. It surfaces suggestions; humans decide.

DocuGardener supports four LLM providers. Each provider has a dedicated model card describing intended use, known limitations, bias considerations, and training data transparency.

DocuGardener is designed so that no AI-generated change can reach production without an explicit human decision. Every documentation suggestion is delivered as a GitHub Pull Request. A human must review, approve, and merge the PR before any change takes effect.

An optional auto-merge feature exists for teams using AI coding agents (Copilot, Cursor, Devin). It is disabled by default, is admin-only, and applies only to AI-authored branches — never to human-authored documentation. All auto-merges are audit-logged.

Read the full Article 14 Attestation →

Ephemeral analysis: Code and PR content submitted for analysis is processed in RAM and wiped immediately after each analysis job completes. We do not store customer source code as long-term application data.

No training use: Customer code, documentation, and PR content are never used to train any AI model — including DocuGardener's hosted models and any BYOK provider you configure. See Section 3 of our Privacy Policy.

Audit log retention: Security-relevant actions (triage decisions, role changes, settings modifications) are recorded in a tamper-evident audit log retained for 90 days (standard plans) or per your plan's retention setting. Logs use SHA-256 hash chaining and are exportable.

Vector DB (Weaviate): Used only for ephemeral RAG during analysis. The Weaviate instance operates in-memory only with zero-retention policy — no embeddings or content are persisted beyond the analysis job.

The following sub-processors are used to operate DocuGardener. Enterprise customers may request the full Data Processing Agreement by contacting [email protected].

If you discover a security vulnerability, a data breach, or AI-related harm attributable to DocuGardener, please contact us immediately:

• Security incidents: [email protected]
• AI Act / compliance queries: [email protected]

We will acknowledge reports within 24 hours and aim to provide an initial assessment within 72 hours. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware, in accordance with GDPR Article 33.

Responsible disclosure reports that follow coordinated disclosure practices will not be subject to legal action.

A one-page PDF summary of DocuGardener's EU AI Act compliance position is available for download. This document is suitable for sharing with your legal, compliance, or procurement team.

Document version: 2026-04-18. Built from docs/specs/FEAT-014-AI-Act-Compliance-Pack.md.