Compliance Dashboard AI Act Art. 50 GDPR Accountability Access & Suppliers Security Intake

Use this page before shipping any new AI surface. The goal is to prove that users are informed when they interact with AI and that generated or manipulated content has a reviewed disclosure/marking decision.

Framework Rows

AI-ACT-50-1, AI-ACT-50-2, AI-ACT-50-4, AI-ACT-50-5, AI-ACT-50-6

Launch Rule

No new AI surface is launch-ready until disclosure, generated-content, human-review, and evidence rows have an owner and decision.

Source Plan

private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md

Launch Checklist Fields

Field What To Capture Evidence Expectation

Identified AI Surfaces — 7 total

SurfaceEngineExposureDisclosure State
Chat widgetOpenAI via api/chatbot.jsVisitor-facingDefault ON (2026-07-06)
WhatsApp channelSame engine via api/whatsapp/webhook.jsVisitor-facingAuto-prepended
AI ReviewOpenAI via utils/hea/heaReviewAgent.jsAdmin onlyLabeled "AI Review"
Opportunity ScoutOpenAI via utils/outpost/opportunityScout.jsAdmin onlyN/A
Brief/Content EngineOpenAI via utils/outpost/briefEngine.jsAdmin draftsNo AI label on output ⚠️
Foundry enrichmentOpenAI via enrichment utilitiesInternal RAGN/A
CRM enrichmentExplorium / AI classificationAdmin onlyN/A

Exposure Audit

7 AI surfaces identified. 2 are visitor-facing (chat widget + WhatsApp). 5 are admin/internal only. Mixed audience surface: none.

Direct Interaction Assessment

  • Chat widget: YES — visitors directly interact with AI.
  • WhatsApp: YES — same engine.
  • AI Review / Scout / Brief: NO — admin tools, users are aware they're using AI features.
  • Foundry / CRM enrichment: NO — background processing.

Active Disclosure Points

  • Chat widget: Welcome message disclaimer (configurable text, default ON).
  • WhatsApp: First-message disclaimer auto-prepended.
  • Widget menu: "Powered by HEA-World" (hardcoded).
  • Widget menu: "Privacy terms" link (hardcoded).
  • Site footer: "Powered by AI, guided by humans." (hardcoded).
  • Privacy page: States "you're interacting with an AI system" (static).
  • FAQ: States AI interaction is disclosed (static).

Removability Controls

ControlDefaultGuardrailStatus
show_data_disclaimer toggle Default: true Editor shows Article 50 warning modal on toggle-off ✅ Remediated
data_disclaimer text Default: "This is an AI-powered assistant." Can be changed but default is clear ✅ Verified
intro_message text Default includes "AI assistant" Redundant — data_disclaimer already covers AI disclosure ✅ N/A
WhatsApp disclaimer Auto-prepended Low risk ✅ Verified

Generated Content Assessment

Content Engine generates publishable drafts (LinkedIn posts, emails, articles) and Canteen hero images for operator use. Each generated content card shows an ✨ AI-generated — review before publishing badge on text. Generated hero images show an on-image AI badge; crop/filter edits auto-label as AI-generated — human-edited. Downloaded hero PNGs embed C2PA Content Credentials with machine-readable provenance (Article 50).

✅ Remediated — text + image human-visible badges + C2PA at download (2026-07-07)

Machine-Readable Provenance

Text outputs (current): Content Engine text outputs (LinkedIn posts, emails, articles) are delivered via copy-paste. No machine-readable provenance standard applies to plain-text clipboard content today. Human-visible AI badge added to all outputs (2026-07-06).

✅ Text — covered by human-visible badge

Image outputs (current Canteen hero images) / video outputs (future):

  • Embed C2PA / Content Credentials on hero PNG download — ✅ `serveCanteenImage?download=1` (2026-07-07)
  • Show AI-generated badge on every generated image card — ✅ on-image badge in Canteen (2026-07-07)
  • If user applies filters or edits, mark as AI-generated, human-edited✅ in-app crop + filter editor auto-labels (2026-07-07)
  • Only full manual upload (user's own photo) removes the AI label — not yet supported in Canteen v1

✅ Canteen hero downloads — C2PA embedded with dev/test signer (Trust List cert optional via ENV)

Human Review Controls

  • Content Engine drafts: Require admin review before publishing.
  • Chat responses: Generated in real-time without human review.
  • AI Review suggestions: Require admin action (Apply button) before taking effect.

Dashboard Status Recommendations

RequirementStatusSummary
AI-ACT-50-1 ✅ Verified data_disclaimer is non-removable baseline; show_data_disclaimer toggle has Art. 50 warning modal on disable
AI-ACT-50-2 ✅ Remediated AI-generated badge on Content Engine text; on-image badge + auto human-edited marking on Canteen heroes; C2PA Content Credentials on hero PNG download (2026-07-07)
AI-ACT-50-4 🔵 Planned Future media / avatar / synthetic voice features
AI-ACT-50-5 ✅ Verified Content Engine is copy-paste only (no direct publish); boundary explicit in UI
AI-ACT-50-6 ✅ Verified Checklist enforced as policy gate via AGENTS.md (AI Act Article 50 Compliance Gate)