Legal · EU AI Act
IRP Compliance uses artificial intelligence in two features:
| EU AI Act Quick Scan | Analyses publicly accessible company websites and produces a structured EU AI Act exposure assessment. Powered by GLM-5.1 via Grunden.ai. |
| Support Chat | Answers questions about EU AI Act, NIS2, and DORA. Powered by GLM-5.1 via Grunden.ai. |
| FRIA Draft Assistant | Generates a structured Fundamental Rights Impact Assessment draft from your assessment data. Powered by GLM-5.1 via Grunden.ai. |
Intended purpose: The Quick Scan, Support Chat, and FRIA Draft Assistant are designed to help organisations understand their EU AI Act exposure and begin compliance preparation. They are not legal advice. They are not a comprehensive audit. They are a structured starting point.
Model and origin: These features are powered by GLM-5.1, a general-purpose model originally developed by Zhipu AI (China) and operated by Grunden.ai on EU infrastructure under Swedish law. We disclose this non-EU model origin to you here, as part of these instructions for use. Customer data is processed within the EU and does not leave EU infrastructure.
Transfer and processing safeguards: GLM-5.1 is an open-weight model: a published set of parameters that Grunden.ai self-hosts on its own hardware (NVIDIA H200, Stockholm). Running it involves no connection to its original developer. There is no call-home mechanism, no telemetry, and no ongoing relationship between Grunden.ai's inference and Zhipu AI's systems. Prompts, outputs, and customer data are processed entirely within the EU and are never transmitted to the developer or outside the EU/EEA. No personal data is transferred to or processed in a third country: the developer (Zhipu AI) has no access to prompts, outputs, or any personal data, and all processing occurs within the EU/EEA on Grunden.ai's infrastructure. Because self-hosting an open-weight model severs the runtime link to its developer, the model's non-EU origin is a matter of provenance only and does not engage GDPR Chapter V (international transfers).
Known limitations:
How to use the outputs responsibly: Treat Quick Scan results and FRIA drafts as informed starting points, not final conclusions. Engage qualified legal counsel before submitting any FRIA to a supervisory authority or using any output in a regulatory context.
IRP Compliance acts as a deployer of GLM-5.1 (provided by Grunden.ai) for the AI features described above. As required under the EU AI Act, we have designated a named oversight owner responsible for monitoring AI system outputs and ensuring appropriate human control.
| Oversight owner | Johan Lopes Helgesson, Architect · IRP Compliance / Intent Record AB |
| Contact | info@irp-compliance.xyz |
| Review process | AI outputs are reviewed regularly for accuracy, bias, and alignment with current regulatory interpretations. Users are always presented with results as AI-generated drafts requiring human confirmation before any record is written. |
| Human confirmation | The FRIA Draft Assistant and Remediation Tracker require explicit human confirmation before any section becomes a compliance record. No AI output is treated as a final decision without a named human confirming it. |
We are not required to complete a FRIA for our own limited-risk features. But producing FRIAs is exactly what our platform does, so here is a sample of what the FRIA Draft Assistant generates. If your AI deployment is high-risk under Annex III, you carry the Art. 27 obligation, and we can draft yours in minutes.
Identifies the individuals affected by the AI system (applicants, employees, service users) and the fundamental rights engaged: non-discrimination, data protection, human dignity, and the right to an effective remedy.
Documents each plausible adverse impact, its likelihood and severity, and the groups exposed, drawn from the deployment context and assessment responses.
Sets out the measures that reduce each risk: human review gates, bias testing, transparency notices, and the named oversight owner accountable, with every confirmation recorded in the IRP ledger.
Need a FRIA? Generate your own →Human oversight at IRP Compliance is not a policy statement. It is built into the product and recorded as evidence. IRP Compliance runs on IRP (Intent Record Protocol), our own open-source decision-record substrate, and we hold ourselves to the same standard we offer customers.
Every AI-assisted output that becomes a compliance record requires explicit confirmation by a named human. That confirmation is written to an append-only IRP ledger with full provenance: what the AI proposed, what the human decided, who confirmed it, and when. The result is a durable, timestamped, tamper-evident trail of human control over AI outputs.
| Oversight mechanism | IRP decision-record substrate (append-only ledger). Each human confirmation is captured as a structured record, not an undocumented click. |
| What is recorded | The AI output, the human decision taken on it, the named confirmer, the timestamp, and the rationale. |
| Accuracy and bias review | Every material AI output is reviewed and confirmed individually by the named oversight owner before it becomes a record. Each confirmation, amendment, or rejection is captured in the ledger, creating a per-decision audit trail rather than a periodic spot-check. No AI output is treated as final without a named human confirming it. |
| Why this is different | Most organisations can assert human oversight. We can produce the evidence, because generating that evidence is exactly what our underlying technology does. |
This is what a single human-control event looks like in the ledger:
Representative example of the structured record written on every human confirmation. This is the documented evidence of human control that Art. 14 asks for, generated as a byproduct of how the product works.
Inspect the audit trail: a publicly accessible sample ledger is available as raw, append-only JSONL: sample-oversight-ledger.jsonl (also on GitHub). Each line is one human-control event: what the AI proposed, the human decision taken on it, who confirmed it, when, and why. The records show humans amending, rejecting, and declining AI outputs, not rubber-stamping them.
See it in action: try the live FRIA workbench demo, where each AI-drafted section requires explicit human confirmation before it becomes a record. The same human-in-the-loop confirmation runs across every assessment and remediation flow.
IRP Compliance is a deployer of a general-purpose AI model, not a GPAI provider. We use GLM-5.1, provided by Grunden.ai (Grunden AI AB, Stockholm, Sweden).
| Model | GLM-5.1 (open-weight, 754B MoE, 40B active parameters, 200K context window) |
| Provider | Grunden AI AB · Stockholm, Sweden · grunden.ai |
| Infrastructure | NVIDIA H200, Stockholm data centre. EU jurisdiction. Data processing agreement in Swedish. |
| Model origin | GLM-5.1 is an open-weight model originally developed by Zhipu AI (China). Grunden.ai operates the model on EU infrastructure under Swedish law. IRP Compliance's customer data does not leave EU infrastructure. |
| Training data | Training data summary and copyright policy are obligations of the GPAI provider (Grunden.ai / Zhipu AI). IRP Compliance has requested this documentation from Grunden.ai and will publish a link here when it becomes available. |
| Prompts and outputs | Prompts submitted to the Quick Scan, Support Chat, and FRIA Assistant are not used for model training, per Grunden.ai's published terms. |
For questions about the model's technical documentation, training data, or copyright compliance, contact Grunden.ai directly at grunden.ai.
If you have questions about how IRP Compliance uses AI, want to report a concern about an AI output, or need this documentation for your own compliance records, contact us: