Impero EU AI Act Policy

How we ensure ethical deployment of AI within the Impero platform in accordance with the EU AI Act, the GDPR, and other applicable regulatory frameworks.

    Purpose

    This policy establishes Impero A/S’s commitment to the safe, transparent, and responsible use of Artificial Intelligence (AI) in accordance with the EU AI Act, the GDPR, and other applicable regulatory frameworks. It sets out our obligations for risk management, transparency, accountability, and governance to ensure ethical deployment of AI within our SaaS platform.

    Scope

    This policy applies to all AI functionalities integrated into the Impero platform, whether developed internally, procured from third parties, or built upon general-purpose AI (GPAI) models.

    Principles and Commitments

    Customer Control & Consent

    • AI features are never enabled by default.
    • Customers can opt in/out at any time.
    • Clear, transparent communication ensures customers know when AI is active.

    Data Privacy & Protection

    • No customer data is used to train AI models.
    • All data processing complies with GDPR and other applicable privacy laws.
    • Third-party AI vendors must meet equivalent data protection standards.

    Risk Classification & Management

    • All AI systems will be classified under the EU AI Act risk categories (Minimal, Limited, High-risk, GPAI, Prohibited).
    • A continuous risk management framework will be applied, including:
      • Identification of foreseeable risks (bias, misuse, errors).
      • Mitigation plans and periodic reviews.
      • Escalation procedures for incident response.

    Transparency & Documentation

    • Documentation will cover intended purpose, system design, data sources, limitations, and model evaluations.
    • Users will receive clear instructions and contextual transparency (labels, indicators, tooltips).
    • Synthetic content generated by AI will always be disclosed.

    High-Risk AI Obligations

    For any AI systems classified as high-risk:
    • Maintain a full technical documentation file (Art. 11 compliance).
    • Implement automated logging for traceability.
    • Design human oversight controls to allow intervention and overrides.
    • Register the system in the EU High-Risk AI Database before market placement.
    • Conduct conformity assessments and ongoing monitoring.

    Limited-Risk AI Obligations

    For limited-risk AI (e.g. chatbots, decision-support):
    • Ensure user notification when interacting with AI.
    • Clearly label AI-generated or synthetic content.
    • Update Terms & Conditions and Privacy Policy to disclose AI use.

    General-Purpose AI (GPAI)

    When integrating or fine-tuning GPAI models:
    • Ensure availability of technical documentation and use instructions.
    • Demonstrate copyright compliance for training sources.
    • Conduct red-teaming, adversarial testing, and incident reporting where applicable.
    • Monitor systemic-risk GPAI models (aligned with upcoming EU thresholds).

    Governance & Accountability

    • The AI Compliance Officer is responsible for oversight and reporting.
    • Post-market monitoring processes will capture incidents, bias, or misuse.
    • Annual reviews will update compliance policies as laws and technology evolve.

    Staff & Organizational Training

    • All relevant staff (engineering, product, sales, marketing, and legal teams) must undergo mandatory AI compliance training.
    • Training will cover:
      • Overview of the EU AI Act and its risk classification system.
      • Roles and responsibilities (provider, deployer, distributor).
      • Risk management and human oversight practices.
      • Data governance, privacy, and ethical AI use.
      • Transparency obligations (labelling, disclosures, user rights).
      • Incident reporting and escalation procedures.
    • Refresher training will be conducted annually, with additional sessions following regulatory updates.
    • Completion of training is a compliance requirement and will be tracked.

    Third-Party AI Providers

    • All third-party AI vendors are subject to due diligence and contractual obligations ensuring:
      • Data protection equivalent to GDPR.
      • Compliance with the EU AI Act.
      • Transparency and security guarantees.

    Enforcement & Contact

    For any compliance concerns, questions, or to exercise rights, please contact the AI Compliance Officer at: dataprivacy@impero.com.