AI Governance Documentation

Last updated: March 22, 2026

AI Vitals is used in employment-adjacent contexts — helping organisations understand, develop, and act on employee AI skills. This page documents our obligations, controls, and commitments under applicable AI and data protection law.

1. System Classification

EU AI Act Classification: High-Risk (Annex III, Category 4)

AI Vitals is an AI system used for employment, worker management, and access to self-employment — specifically, evaluating AI proficiency in a workforce context. This places it in Category 4 of the EU AI Act's high-risk categories.

This classification applies when AI Vitals scores are used to inform employment decisions (hiring, promotion, training allocation, performance review). Employers bear responsibility for ensuring their use of AI Vitals scores complies with applicable law in their jurisdiction.

2. EU AI Act — Article 4 Compliance

Article 4 of the EU AI Act requires providers of high-risk AI systems to take measures to ensure users have sufficient AI literacy to operate the system responsibly. We meet this through:

  • Built-in user guidance: Every assessment result page includes a psychometric disclaimer, standard error display, and guidance on appropriate use of scores.
  • Admin-level controls: L&D admins and executives can enable a human review workflow that allows employees to dispute any result (admin panel → Score Reviews).
  • Technical documentation: Full technical documentation including system architecture, data flows, and risk assessment is available to enterprise customers on request.
  • Conformity declaration: Enterprise customers may request a signed conformity declaration for submission to their data protection officer or legal team.

3. Human Oversight & Right of Appeal

In compliance with GDPR Article 22 (rights related to automated decision-making) and EU AI Act Article 14 (human oversight), AI Vitals provides:

  • Score review requests: Any employee can submit a written dispute of their assessment result from the results page. Disputes are routed to the organisation's L&D admin for review.
  • Mandatory written justification: Admins must provide a written resolution when resolving a review request. The resolution is delivered to the employee via in-platform notification.
  • Audit trail: All review requests and resolutions are recorded in the immutable platform audit log with actor, timestamp, and justification.
  • Employer responsibility: AI Vitals scores are diagnostic tools. Employers who use scores in employment decisions remain responsible for ensuring GDPR Article 22 compliance, including providing human review before any adverse automated decision.

4. Annual Bias Audit (NYC Local Law 144)

Employers subject to NYC Local Law 144 who use AI Vitals in employment decisions must conduct an annual independent bias audit of the tool and publish the results. AI Vitals provides built-in tooling to support this:

Bias Audit Export — Admin panel → Governance → Bias Audit. Generates an adverse impact analysis by age band, role category, and experience level.
4/5ths Rule — The export automatically calculates adverse impact ratios. Groups scoring below 80% of the highest-scoring group are flagged.
Privacy Protection — Demographic groups with fewer than 5 members are suppressed to prevent individual re-identification.
Audit Logging — Every bias audit export is logged with actor email, timestamp, and stated audit purpose.

Note: Completing the built-in bias audit export does not itself constitute an independent audit under NYC LL144. Employers must engage an independent auditor to validate the methodology and publish results.
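As an added illustration of the export logic described above (this is example code written for this page, not AI Vitals' own implementation), the function below groups constructed sample scores by age band, suppresses any group with fewer than 5 members before comparison, computes each remaining group's mean score as a ratio of the highest-scoring group's mean, and flags ratios below the 4/5ths (0.8) threshold:

```python
from collections import defaultdict
from statistics import mean

MIN_GROUP_SIZE = 5   # groups smaller than this are suppressed (re-identification risk)
FOUR_FIFTHS = 0.8    # adverse impact threshold from the 4/5ths rule

# Constructed sample input: (age band, score). Not real AI Vitals data.
SAMPLE_RESULTS = [
    ("25-34", 82), ("25-34", 78), ("25-34", 90), ("25-34", 85), ("25-34", 80), ("25-34", 88),
    ("35-44", 75), ("35-44", 70), ("35-44", 80), ("35-44", 72), ("35-44", 68),
    ("45-54", 60), ("45-54", 64), ("45-54", 58), ("45-54", 66), ("45-54", 62),
    ("55+", 55), ("55+", 70), ("55+", 61),   # only 3 members: must be suppressed
]


def adverse_impact_report(results, min_size=MIN_GROUP_SIZE, threshold=FOUR_FIFTHS):
    """Return {group: {"n", "mean", "ratio", "flagged"}} for groups of at least min_size.

    ratio = group mean / highest mean among reportable groups; ratio < threshold is
    flagged. Suppressed groups are listed under "__suppressed__" by name only, with no
    counts or scores, so the export cannot be used to infer an individual's result.
    """
    by_group = defaultdict(list)
    for group, score in results:
        by_group[group].append(score)

    # Suppression happens before the comparison so a tiny group can neither be
    # exposed nor distort the reference (highest-scoring) group.
    reportable = {g: s for g, s in by_group.items() if len(s) >= min_size}
    suppressed = sorted(g for g in by_group if g not in reportable)
    if not reportable:
        return {"__suppressed__": suppressed}

    means = {g: mean(s) for g, s in reportable.items()}
    top = max(means.values())
    report = {}
    for g, m in sorted(means.items()):
        ratio = m / top
        report[g] = {"n": len(reportable[g]), "mean": round(m, 1),
                     "ratio": round(ratio, 3), "flagged": ratio < threshold}
    report["__suppressed__"] = suppressed
    return report


if __name__ == "__main__":
    for group, row in adverse_impact_report(SAMPLE_RESULTS).items():
        print(group, row)
```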

5. Psychometric Transparency

Property                                | Status
Assessment type                         | Self-report Likert scale (5-point)
Items per dimension                     | 5 items (30 total)
Score range                             | 0–100
Standard error of measurement (SEM)     | ±9 points (estimated; IRT calibration in progress)
Internal reliability (Cronbach α)       | Target ≥ 0.75; calibration study in progress
Validated for high-stakes employment    | No — diagnostic use only
IRT calibration study                   | In progress; results expected Q4 2026

We display a ±9 point confidence interval on every score and a disclaimer that this is a learning diagnostic, not a validated employment selection instrument. We will update this documentation when the IRT calibration study completes.

6. Data Governance & GDPR

Legal basis: Assessment data is processed under GDPR Article 6(1)(b) (performance of a contract). Demographic data for bias auditing is collected under Article 6(1)(a) (consent) and is fully opt-in.

Data minimisation: We use first names only in AI prompts. Team analytics use aggregated scores, not individual identifiers. Scores are presented as band labels in AI-generated recommendations where raw scores are unnecessary.

Retention: Assessment scores are retained for 3 years. Coaching conversations are purged after 90 days. Accounts flagged for deletion are fully anonymised after 30 days.

International transfers: Data is processed in the EU/EEA by default. Where data is transferred outside the EEA (Anthropic API, Stripe), we rely on Standard Contractual Clauses (SCCs) under Article 46.

7. Third-Party AI Providers

AI Vitals uses Anthropic Claude as its AI provider. Key facts:

  • We are an Anthropic API customer, subject to their Data Processing Addendum (DPA).
  • Anthropic does not use data submitted via the API to train its models.
  • Prompts contain anonymised data only: first names, band labels (e.g. "Proficient"), and aggregated team averages.
  • Extended thinking features are used for team analytics and forecasting — these features do not expose individual user data.

8. AI Incident Response

If an AI-generated output causes or may cause harm (discriminatory output, incorrect advice that was acted on, privacy breach):

  1. Report immediately to security@aivitals.io with subject line "AI Incident Report".
  2. Preserve evidence: screenshot the output and note the timestamp, feature, and user context.
  3. We will acknowledge within 4 hours (P1 SLA) and investigate within 24 hours. We will notify affected users and relevant authorities as required by GDPR Article 33.

9. Contact & Documentation Requests

Data protection questions: privacy@aivitals.io

Technical documentation / conformity declaration: enterprise@aivitals.io

Security incidents: security@aivitals.io