Governance

AI Governance Documentation

Last updated: March 22, 2026

AI Vitals is classified as a high-risk AI system under EU AI Act Annex III, Category 4 — it evaluates AI proficiency in workforce contexts where results may inform employment decisions. This page is our compliance record: the controls we've built, the obligations we accept, and where employer responsibility begins.

1. System Classification

EU AI Act Classification: High-Risk (Annex III, Category 4)

AI Vitals is an AI system used for employment, worker management, and access to self-employment — specifically, evaluating AI proficiency in a workforce context. This places it in Category 4 of the EU AI Act's high-risk categories.

This classification applies when AI Vitals scores are used to inform employment decisions (hiring, promotion, training allocation, performance review). Employers bear responsibility for ensuring their use of AI Vitals scores complies with applicable law in their jurisdiction.

2. EU AI Act — Article 4 Compliance

Article 4 requires that providers of high-risk AI systems give users the AI literacy to operate them responsibly. Here's how we comply:

  • Built-in user guidance: Every assessment result page includes a psychometric disclaimer, standard error display, and guidance on appropriate use of scores.
  • Admin-level controls: L&D admins and executives can enable a human review workflow that allows employees to dispute any result (admin panel → Score Reviews).
  • Technical documentation: Full technical documentation including system architecture, data flows, and risk assessment is available to enterprise customers on request.
  • Conformity declaration: Enterprise customers may request a signed conformity declaration for submission to their data protection officer or legal team.

3. Human Oversight & Right of Appeal

Under GDPR Article 22 and EU AI Act Article 14, every assessed employee has the right to contest their result and receive a written resolution. Specifically:

  • Score review requests: Any employee can submit a written dispute of their assessment result from the results page. Disputes are routed to the organisation's L&D admin for review.
  • Mandatory written justification: Admins must provide a written resolution when resolving a review request. The resolution is delivered to the employee via in-platform notification.
  • Audit trail: All review requests and resolutions are recorded in the immutable platform audit log with actor, timestamp, and justification.
  • Employer responsibility: AI Vitals scores are diagnostic tools. Employers who use scores in employment decisions remain responsible for ensuring GDPR Article 22 compliance, including providing human review before any adverse automated decision.

4. Annual Bias Audit (NYC Local Law 144)

Employers subject to NYC Local Law 144 who use AI Vitals in employment decisions must conduct an annual independent bias audit of the tool and publish the results. AI Vitals provides built-in tooling to support this:

Bias Audit Export — Admin panel → Governance → Bias Audit. Generates an adverse impact analysis by age band, role category, and experience level.
4/5ths Rule — The export automatically calculates adverse impact ratios. Groups scoring below 80% of the highest-scoring group are flagged.
Privacy Protection — Demographic groups with fewer than 5 members are suppressed to prevent individual re-identification.
Audit Logging — Every bias audit export is logged with actor email, timestamp, and stated audit purpose.

Note: Completing the built-in bias audit export does not itself constitute an independent audit under NYC LL144. Employers must engage an independent auditor to validate the methodology and publish results.
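The 4/5ths calculation and small-group suppression described above can be sketched as follows. This is an added example, not AI Vitals' own code. It assumes that "scoring" means a group's mean score, that records carry hypothetical `age_band` and `score` fields, and that suppression is applied before the reference group is chosen.

```python
from collections import defaultdict
from statistics import mean

MIN_GROUP_SIZE = 5      # from the page: groups with fewer than 5 members are suppressed
IMPACT_THRESHOLD = 0.8  # from the page: flagged below 80% of the highest-scoring group


def adverse_impact(records, attribute):
    """Return {group: row} for one demographic attribute.
    Assumption: "scoring" means the group's mean score on the 0-100 scale.
    """
    scores = defaultdict(list)
    for rec in records:
        scores[rec[attribute]].append(rec["score"])

    # Suppress small groups first so they can never become the reference
    # group or leak a value through the ratio column.
    reportable = {g: mean(v) for g, v in scores.items() if len(v) >= MIN_GROUP_SIZE}
    reference = max(reportable.values(), default=None)

    report = {}
    for group, values in scores.items():
        if group not in reportable:
            report[group] = {"n": None, "mean": None, "ratio": None,
                             "flagged": None, "suppressed": True}
            continue
        ratio = reportable[group] / reference if reference else None
        report[group] = {
            "n": len(values),
            "mean": round(reportable[group], 1),
            "ratio": None if ratio is None else round(ratio, 3),
            "flagged": ratio is not None and ratio < IMPACT_THRESHOLD,
            "suppressed": False,
        }
    return report


# Constructed sample data, not real assessment results.
SAMPLE = (
    [{"age_band": "25-34", "score": s} for s in (80, 85, 75, 90, 70, 80)]
    + [{"age_band": "35-44", "score": s} for s in (70, 75, 65, 70, 70)]
    + [{"age_band": "45-54", "score": s} for s in (60, 55, 65, 60, 60)]
    + [{"age_band": "55+", "score": s} for s in (95, 98, 97)]
)

if __name__ == "__main__":
    for band, row in sorted(adverse_impact(SAMPLE, "age_band").items()):
        print(band, row)
```

In the sample, the three-member "55+" band has the highest mean but is suppressed, so it neither appears in the output nor shifts the ratios of the reportable groups.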

5. Psychometric Transparency

Property | Status
Assessment type | Self-report Likert scale (5-point)
Items per dimension | 5 items (30 total)
Score range | 0–100
Standard error of measurement (SEM) | ±9 points (estimated; IRT calibration in progress)
Internal reliability (Cronbach α) | Target ≥ 0.75; calibration study in progress
Validated for high-stakes employment | No — diagnostic use only
IRT calibration study | In progress; results expected Q4 2026

Every score displays a ±9 point confidence interval. The platform explicitly labels results as learning diagnostics — unsuitable as standalone employment selection instruments. This table will reflect updated reliability coefficients when the IRT calibration study concludes in Q4 2026.

6. Data Governance & GDPR

Legal basis: Assessment data is processed under GDPR Article 6(1)(b) (performance of a contract). Demographic data for bias auditing is collected under Article 6(1)(a) (consent) and is fully opt-in.

Data minimisation: We use first names only in AI prompts. Team analytics use aggregated scores, not individual identifiers. Scores are presented as band labels in AI-generated recommendations where raw scores are unnecessary.

Retention: Assessment scores are retained for 3 years. Coaching conversations are purged after 90 days. Accounts flagged for deletion are fully anonymised after 30 days.

International transfers: Data is processed in the EU/EEA by default. Where data is transferred outside the EEA (Anthropic API, Stripe), we rely on Standard Contractual Clauses (SCCs) under Article 46.

7. Third-Party AI Providers

AI Vitals uses Anthropic Claude for all AI-generated content. What that means for your data:

  • We are an Anthropic API customer, subject to their Data Processing Addendum (DPA).
  • Anthropic does not use data submitted via the API to train its models.
  • Prompts contain anonymised data only: first names, band labels (e.g. "Proficient"), and aggregated team averages.
  • Extended thinking features are used for team analytics and forecasting — these features do not expose individual user data.

8. AI Incident Response

If an AI-generated output causes or risks causing harm — discriminatory output, privacy breach, or advice that a user has already acted on:

  1. Report immediately to security@aivitals.io with subject line "AI Incident Report".
  2. Preserve evidence: screenshot the output and note the timestamp, feature, and user context.
  3. We will acknowledge within 4 hours (P1 SLA) and investigate within 24 hours. We will notify affected users and relevant authorities as required by GDPR Article 33.

9. Contact & Documentation Requests

Data protection questions: privacy@aivitals.io

Technical documentation / conformity declaration: enterprise@aivitals.io

Security incidents: security@aivitals.io