We are committed to operating in full compliance with regulations, fostering transparency, integrity, and an ethical business culture across all aspects of our organization.
UPDATE: 05/05/2025, 17:25 - Italy
This document outlines the compliance framework for the chatbot model, ensuring its development and deployment align with applicable legal, ethical, and regulatory standards.

Our goal is to promote responsible AI use by addressing data privacy, security, transparency, and fairness throughout the model's lifecycle. This framework serves as a foundation for maintaining trust, minimizing risk, and supporting accountable AI governance.
CERTIFICATE
Infrastructure security
Organizational security
Product security
Internal Security Procedures
Control | Description
---|---
Unique account authentication enforced | The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.
Production database access restricted | The company restricts privileged access to databases to authorized users with a business need.
Unique network system authentication enforced | The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Remote access encryption enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Network segmentation implemented | The company's network is segmented to prevent unauthorized access to customer data.
Control | Description
---|---
Enforced Unique Credential Authentication | Access to company systems and applications requires the use of individual credentials or approved Secure Shell (SSH) keys, ensuring user-level traceability.
Restricted Production Database Access | Access to production databases is limited to designated personnel with a validated business justification.
Individual Authentication for Network Systems | Authentication to the production network mandates the use of personal credentials or authorized SSH keys to ensure secure access.
Encrypted Remote Connections Required | Remote access to production environments is permitted only through company-approved, encrypted communication channels by authorized staff.
Network Segmentation in Place | The network is architected with segmentation controls to safeguard customer data and prevent unauthorized lateral movement.
Control | Description
---|---
Production Asset Inventory Maintained | A structured inventory of production system assets is actively maintained by the company to ensure visibility and control.
Encryption Applied to Portable Media | Removable and portable storage devices are encrypted in accordance with company security protocols when in use.
Anti-Malware Solutions Deployed | The company implements regularly updated anti-malware software on all applicable systems, particularly those exposed to potential threats, with logging enabled for activity tracking.
Employment Reference Checks Conducted | Pre-employment reference checks are performed for all new hires to validate background and qualifications.
Contractors Sign Confidentiality Agreements | All contractors are required to acknowledge and sign a confidentiality agreement upon the commencement of their engagement.
Employees Sign Confidentiality Agreements | Employees are required to sign a confidentiality agreement during the onboarding process to protect sensitive company information.
Regular Performance Reviews Required | Managers are expected to conduct formal performance evaluations for their direct reports at least once every two years.
Password Security Standards Enforced | System passwords must comply with the organization’s password policy to ensure strong authentication and protection.
Mobile Device Management in Place | A mobile device management (MDM) system is implemented to centrally control and secure mobile devices used in delivering company services.
Control | Description
---|---
Annual Control Self-Assessments Performed | The company conducts internal control self-assessments at least once a year to confirm the effectiveness of operational controls. Identified issues are addressed through corrective actions, with resolution timelines aligned to applicable service-level agreements (SLAs).
Routine Penetration Testing Executed | Penetration testing is conducted annually to identify security vulnerabilities. Findings are addressed through a structured remediation plan, with fixes applied in accordance with defined SLAs.
Vulnerability Management and System Monitoring Defined | Formal procedures are in place to govern vulnerability management and system monitoring activities, ensuring ongoing oversight of IT and engineering environments.
Control | Description
---|---
Cybersecurity Insurance Coverage Maintained | The company maintains active cybersecurity insurance to reduce the financial risk associated with security incidents and operational disruptions.
SOC 2 System Description Completed | A detailed system description is prepared for inclusion in Section III of the SOC 2 audit report, outlining the scope and components of the audited environment.
Whistleblower Program Established | A formal whistleblower policy is in place, supported by an anonymous reporting mechanism for raising concerns about misconduct or fraud.
Cybersecurity Oversight Briefings for Leadership | Senior management provides annual briefings to the executive leadership team on cybersecurity and privacy risks. Leadership offers guidance and direction based on these updates.
Documented Leadership Oversight Charter | The executive leadership team operates under a defined charter that sets forth its responsibilities related to internal control and corporate governance.
Executive Leadership Meetings Held Regularly | The executive leadership team convenes at least annually, with meeting discussions formally documented through minutes.
Defined Roles and Responsibilities | Responsibilities for information security program functions (including design, implementation, and monitoring) are clearly assigned through job descriptions and documented policies.
Communication of System Changes | Internal system changes are formally communicated to authorized users to ensure transparency and operational continuity.
Defined Risk Assessment Objectives | The organization establishes specific objectives to guide the identification and evaluation of risks that could impact the achievement of strategic goals.
Formal Risk Assessments Conducted | Comprehensive risk assessments are performed at least annually, covering external and internal threats, regulatory shifts, technology changes, and potential fraud impacts on business objectives.
Brand | Service | Location
---|---|---
(logo only) | Server, Database, Cloud | Ireland
(logo only) | Server, Database, Cloud | Ireland
(logo only) | Newsletter, Mail | Dublin
(logo only) | People, Mind, Heart, Passion | Italy
An AI system built for regulated environments. Designed for compliance. Delivered with legal-grade documentation.
Vitruvian is a sovereign AI system developed in Europe, engineered to meet the requirements of the GDPR and the EU AI Act — not just in spirit, but in structure.
It serves two roles:

- A compliant-by-design AI system, ready for deployment in sensitive or high-risk environments.

The distinction between provider and deployer is always made explicit to avoid regulatory ambiguity. We clearly define the distinction between provider (developer) and deployer (user), ensuring full legal clarity.
Our compliance package is not a set of generic templates. It is a fully developed set of resources designed to integrate directly into legal, technical, and operational workflows:

- Data Protection Impact Assessment (DPIA)
- Fundamental Rights Impact Assessment (FRIA), where required
- Internal register for high-risk AI decisions
- Provider vs. Deployer obligations mapping
- GDPR + AI Act integrated checklist
- Training materials for DPOs, compliance managers, and leadership
- Documented workflows for risk and bias mitigation

We provide DPIA and FRIA references to support implementation, but legal responsibility remains with the deployer.
Vitruvian is aligned with Regulation (EU) 2024/1689 and supports compliance across the full lifecycle of AI systems, especially those considered high-risk:

- Article 9: Risk Management System
- Article 10: Data Governance and Data Quality
- Articles 16–22: Transparency, Technical Documentation, Post-Market Monitoring

For high-risk use cases, such as in the public sector or regulated industries, Vitruvian provides tools and documentation to assist deployers in meeting their specific obligations.
The EU AI Act outlines clear obligations for those who develop AI systems (providers) and those who use them (deployers). Vitruvian supports both roles with the legal and technical infrastructure needed to stay compliant.

Provider obligations:

- Implement a risk management system
- Ensure data governance and traceability
- Maintain complete technical documentation
- Register the system in the EU AI database
- Conduct pre-market conformity assessments
- Provide user instructions and manage post-market monitoring
- Appoint an EU representative if based outside the Union

Deployer obligations:

- Operate the system as instructed
- Monitor performance and report incidents
- Conduct a FRIA if required (e.g., public bodies, financial services)
- Ensure the quality and lawfulness of input data
- Comply with applicable data protection laws
- Avoid substantial modifications unless assuming provider responsibility

Compliance is a shared obligation. Vitruvian is designed to help you manage yours with greater clarity and less operational burden.
- On-premises or private cloud deployment
- Full traceability of model training and tuning
- Compact architecture to reduce data exposure
- Developed in Italy, aligned with European digital sovereignty principles

Compliance is not just a legal checkbox — it's a design principle.
Vitruvian is backed by a multidisciplinary legal and policy team with expertise in:

- Data protection and cybersecurity regulation
- Applied AI ethics and algorithmic accountability
- Public procurement and sector-specific compliance
- EU digital policy and technology regulation

We don’t just interpret the rules — we help shape them.

Whether you're preparing for deployment, navigating procurement, or undergoing regulatory review, Vitruvian is built to help you move forward with confidence.
- DPIA (Data Protection Impact Assessment)
- FRIA (Fundamental Rights Impact Assessment), where applicable
- Register of high-risk automated decisions
- AI Act mapping: provider and deployer obligations
- Integrated GDPR + AI Act compliance checklist
- Training for DPOs, controllers, and C-levels
- Risk management and bias mitigation documentation

The FRIA and DPIA can be shared in summary form where permitted, but do not replace individual deployer responsibilities.

Vitruvian is designed to meet the requirements of the European Regulation 2024/1689 for artificial intelligence systems:

- Art. 9: Risk management system
- Art. 10: Transparent data governance
- Art. 16–22: Transparency, post-market monitoring, and technical documentation

When used in high-risk contexts (e.g., public sector, finance, healthcare), Vitruvian comes with support for deployer-specific compliance needs.
Our team is ready to support you — legally, technically, and operationally.