Compliance FAQ

Find answers to common questions about Sustainova's compliance products, legislative updates, and how we help organizations stay ahead of EU regulations.

Vicky is our advanced AI-powered compliance assistant designed to help ESG professionals navigate the complex landscape of EU and local sustainability legislation. She can analyze documents, answer specific regulatory questions, and keep you updated on legislative changes.
ComplyOne is our comprehensive compliance management platform. It helps organizations track their regulatory requirements, manage documentation, and ensure they meet all necessary standards for CSRD, ESRS, and other major frameworks.
Our database is continuously updated and verified. We monitor EU and national legislative bodies daily to ensure that the information Vicky and ComplyOne provide reflects the latest regulatory developments.
Absolutely. While we cover core EU regulations like CSRD and EU Taxonomy, we also specialize in local legislation across various member states, including specific requirements for the Czech Republic and other CEE regions.
Yes, our platforms are designed with interoperability in mind. We offer various integration options to ensure that your compliance workflow remains seamless across your existing tech stack.

What is their support definition (deeper system knowledge / analysis and solving technical problems)? Is this support limited to max hours per week/month? Is there any flat fee once the limited hours are exceeded?

The support covers issues directly related to ComplyOne's functionality, features, and configuration, including analysis and diagnostics of more complex technical problems. The development team is available as level 2 support and is involved in issues that require technical expertise.

No maximum number of hours per week is defined. Currently, we offer full (unlimited) support with a paid licence.

The service level targets are defined as follows:

  • Critical issues: Resolution or acceptable workaround within 3 business days.
  • Non‑critical issues: Resolution within 5 business days.

Product feedback is welcome. Development suggestions will be evaluated and potentially added to our development plan.

What are the advanced AI features? Have these AI advanced features undergone risk assessment and conformity checks?

ComplyOne includes two primary advanced AI capabilities:

  1. Vicky (Legal Assistant): A generative AI chatbot that answers complex legislative queries using RAG (Retrieval-Augmented Generation) to cite official sources.
  2. Automated Applicability Analysis: A deterministic engine that processes your company profile against thousands of legislative rules to instantly propose a tailored compliance checklist.

No formal EU Conformity Assessment is required or performed, as these features are classified as Limited Risk under the EU AI Act (Article 50).

  • Reasoning: They are research and operational tools for private entities, not high-risk systems used for the 'administration of justice' by judicial authorities.
  • Risk Mitigation: Instead of formal certification, we implement Transparency (clear labeling of AI outputs) and Human Oversight (mandatory user confirmation for all decisions) to effectively manage risk.

Where is the data hosted? How is training data validated for bias and accuracy? How do you handle sensitive company data uploaded (encryption, storage location, and retention policy)?

All data is hosted securely in the EU (Google Cloud Platform, Belgium / europe-west1), ensuring GDPR compliance.

We do not train or fine-tune our own AI models, which eliminates the risks of training bias. Instead, we use standard models purely for processing, strictly anchored to official legal texts via Retrieval-Augmented Generation (RAG). Accuracy is ensured because all answers are derived exclusively from the Official Journal of the EU, not from a generated training dataset.

We handle sensitive workspace data (such as Company Profiles and Evidence files) using enterprise-grade security standards:

  1. Infrastructure: All data is stored securely on Google Cloud Platform (GCP), utilizing GCP's physical and network security protocols.
  2. Encryption: Data is encrypted both at rest (using AES-256 encryption within the cloud storage) and in transit (via TLS/SSL standards).
  3. Retention Policy: We strictly adhere to a Data Minimization principle. Your data is stored only for the duration of your active service usage. Upon subscription termination or a specific deletion request, all workspace data is permanently removed from our systems.

This tool likely falls under high-risk AI systems (legal compliance advisory). Has the vendor implemented mandatory risk management, conformity assessment, and human oversight as per EU AI Act?

ComplyOne (including the Compliance Engine and Vicky) is classified as a Limited Risk AI System under the EU AI Act (Regulation (EU) 2024/1689).

  • Why it is NOT High-Risk: While the AI Act designates "Administration of Justice" as a high-risk area (Annex III, Point 8), this strictly applies to AI used by judicial authorities (judges, courts) to interpret facts or law. ComplyOne is a "Regulatory Tech" solution used by private organizations for internal operations. Therefore, it does not fall under the High-Risk obligations (such as Conformity Assessments).
  • Applicable Category (Limited Risk): The suite falls under Article 50 (Transparency Obligations).
    • Compliance Engine: We disclose that the logic rules are derived via AI processing.
    • Vicky: We clearly disclose that you are interacting with an AI chatbot, not a human lawyer.

Because the suite is not High-Risk, a formal EU Conformity Assessment and CE marking are not legally required. However, Sustainova has proactively implemented "High-Risk Standards" regarding safety and oversight to ensure liability protection and data integrity:

  • For the Compliance Engine:
    • Human Oversight (Article 14): We utilize a strict "Human-in-the-Loop" architecture. The engine only generates proposals (e.g., "Proposed Status: Applicable"). These never become active obligations without a logged, explicit confirmation from a human user.
    • Risk Mitigation: The engine uses deterministic logic, not generative guessing. Rules are pre-validated, eliminating the risk of "hallucinating" obligations during a check.
  • For Vicky (Chatbot):
    • Grounding (RAG): We mitigate the risk of generative errors by using Retrieval-Augmented Generation (RAG). Vicky is technically restricted to answering only based on the legislative documents in our database, preventing her from inventing laws.

If the AI misinterprets obligations, who is liable? Does the vendor provide contractual guarantees or indemnity clauses for incorrect advice?

ComplyOne is architected as a Decision Support System, not a substitute for legal counsel. Liability remains with the user, supported by the following liability boundaries:

  • The "Search Engine" Principle (Vicky): Vicky acts as an advanced search interface. She provides summaries and citations, but the user is responsible for verifying the source text before making operational decisions.
  • The "User Decision" Principle (Compliance Engine): Because the system requires a human to click "Confirm" on every obligation, the final legal status is recorded as a User Decision in the audit trail. The user accepts responsibility for the compliance stance taken.
  • Contractual Terms: The platform is provided on an "as-is" basis. We do not provide indemnity for regulatory fines resulting from interpretation errors, as the final applicability determination is an operational decision made by your internal stakeholders.

How does the tool provide reasoning behind summaries and obligation mapping beyond simple text output?

We do not provide "black box" answers. We provide reasoning through Traceability and Source Attribution:

  • Compliance Engine (Textual Logic Mapping):
    • Exposed Conditions: The system does not just output a status; it explicitly displays the Textual Applicability Conditions derived from the legislation (e.g., "Applies to a body that performs conformity assessment activities when it requests accreditation...").
    • Transparent Matching: By presenting this text alongside the status, the tool allows the user to validate exactly why a match occurred—verifying that their specific business activities (entered in the Company Profile) align with the legislative conditions shown.
  • Vicky (Evidence-Based Citations):
    • Clickable Sources: Vicky does not just summarize; she cites her work. Every claim includes a reference (e.g., [Source: CSRD Article 19a]).
    • Verification: Users can click these citations to open the original legislative PDF side-by-side with the chat, allowing immediate human verification of the AI's interpretation against the official legal text.

How is the database maintained and updated? Does it cover all relevant directives for our industry?

We ensure legislative data integrity and traceability through automated synchronization with official sources:

  1. Daily Automated Updates: Our ingestion engine connects directly to EUR-Lex and other official repositories on a daily basis. This ensures that new proposals, amendments, and final acts are captured immediately.
  2. Version Control: The system maintains strict versioning for all legislative texts. When a law is updated, a new version is created rather than modifying an existing document version.
