marketing.docsPage.heroBadge

marketing.docsPage.heroTitle

marketing.docsPage.heroDescription

marketing.docsPage.quickLinks.quickStart

marketing.docsPage.quickLinks.quickStartDesc

marketing.docsPage.quickLinks.riskClassification

marketing.docsPage.quickLinks.riskClassificationDesc

marketing.docsPage.quickLinks.generateReports

marketing.docsPage.quickLinks.generateReportsDesc

marketing.docsPage.quickLinks.security

marketing.docsPage.quickLinks.securityDesc

marketing.docsPage.quickLinks.faq

marketing.docsPage.quickLinks.faqDesc

marketing.docsPage.nav.gettingStarted

marketing.docsPage.nav.introduction

ActLoom is a self-service SaaS platform designed for SMEs to achieve EU AI Act compliance quickly and affordably. Instead of 6-month consulting engagements costing EUR 50k–200k, ActLoom enables organisations to classify their AI systems, assess compliance gaps, and generate audit-ready documentation in as little as 48 hours.

The platform covers the full compliance lifecycle — from initial risk classification through gap analysis, remediation planning, evidence collection, and continuous monitoring.

ActLoom

Dashboard

AI Systems

Compliance

Documents

Incidents

Team

Settings

Welcome back

Dashboard

+ Add System

Overall Score

72%

AI Systems

High-Risk

Open Gaps

Compliance Score Trend

W1W2W3W4W5W6W7W8

Recruitment AI

High-Risk

45%

Support Chatbot

Limited-Risk

82%

Fraud Detection

High-Risk

61%

Content Recommender

Minimal-Risk

100%

Fig 1. The ActLoom platform — dashboard view showing AI system inventory, compliance scores, and pending actions.

Who is ActLoom for?

CTOs & Engineering Leads

Understand which systems are in scope and what technical controls you need.

Compliance Officers

Build structured evidence packages and track remediation progress.

Legal Teams

Access pre-built documentation templates aligned to AI Act articles.

Founders & CEOs

Get board-ready compliance reporting and stay ahead of enforcement.

marketing.docsPage.nav.quickStartGuide

Follow these four steps to go from zero to your first compliance assessment in under 30 minutes.

End-to-end onboarding flow

1. Sign Up

Create your account via email or Google OAuth.

2. Set Up Company

Provide company profile, industry, size & EU exposure.

3. Add AI System

4. Get Results

Receive risk classification, compliance score & gap analysis.

14-day free trial

Start with a 14-day free trial — no credit card required. Complete a full AI system classification and basic assessment. Upgrade when you need more systems, reports, and team collaboration.

marketing.docsPage.nav.createYourAccount

ActLoom supports two authentication methods:

Email & Password — Create a traditional account with a secure password. Passwords must be at least 8 characters.
Google OAuth — Single-click sign-in with your Google Workspace or personal Google account. No separate password needed.

ActLoom

Create your account

Start your AI Act compliance journey

Full name

Thomas Durand

thomas@company.eu

Password

••••••••••

Create account

Already have an account? Log in

Fig 2. Account creation — choose between email/password or Google OAuth.

One account per email

Each email address can only be associated with one ActLoom account. If you previously signed up with Google, use the same method to log in.

marketing.docsPage.nav.companyOnboarding

After sign-up, you are guided through a quick company onboarding form. This information is used to tailor your compliance experience and determine applicable obligations.

Field	Description	Required
Company Name	Your legal or trading entity name	Yes
Industry	Primary business sector (SaaS, FinTech, HR Tech, E-commerce, etc.)	Yes
Company Size	Number of employees (1–50, 51–200, 201–500, 501–1000, 1000+)	Yes
Location	Country where the company is established	Yes
EU Customers	Whether you serve customers in the European Union	Yes
Company Logo	Upload your company logo for branded reports	No

Step 1 of 1

Set up your company

This helps us tailor your compliance experience.

Company name

TechCorp Solutions

Industry

SaaS / Software

Company size

51–200 employees

Location

France

Do you have EU customers?

Yes

Don't know

Upload company logo

Optional · PNG, SVG up to 2MB

Continue →

Fig 3. One-page company onboarding — dropdown selections minimise manual input.

Extraterritorial scope

Even if your company is based outside the EU, the AI Act applies if your AI systems are used in the EU or their outputs affect EU persons. Marking "EU Customers: Yes" ensures the correct obligation scope.

marketing.docsPage.nav.platformOverview

marketing.docsPage.nav.dashboard

The dashboard is your compliance command centre. It provides a real-time overview of all registered AI systems, their risk categories, compliance scores, and outstanding actions.

Partially Compliant

By Risk Level

High-Risk3

Limited-Risk3

Minimal-Risk2

Recent Alerts

Recruitment AI score dropped below 50%

2h ago

New assessment completed for Chatbot

5h ago

Deadline reminder: Aug 2026 (155 days)

1d ago

Fig 4. Main dashboard — see aggregate compliance score, system count by risk level, and the most recent alerts.

Key dashboard components

Compliance Score Ring

Aggregate percentage across all systems with colour coding (green ≥ 80%, amber ≥ 50%, red < 50%).

System Inventory Cards

Quick view of each AI system with risk badge, score, and last assessment date.

Action Items

Prioritised list of outstanding compliance gaps requiring attention.

Score History Chart

Track compliance trajectory over time with weekly and monthly views.

Compliance Score Trend

WeeklyMonthly

100%75%50%25%0%

W10

W11

W12

≥ 80% 50–79%< 50%

Fig 5. Score history chart — track compliance improvement over time.

marketing.docsPage.nav.navigation

The platform uses a sidebar navigation layout with the following main sections:

Dashboard — Compliance overview and action items
AI Systems — Register, classify, and manage AI systems
Compliance — Assessment workflows and scoring
Documents — Generated reports and document vault
Incidents — Track and manage AI-related incidents
Team — Member management and role assignment
Settings — Company profile, billing, and preferences

ActLoom

Dashboard

AI Systems

Compliance

Documents

Incidents

Team

Settings

Thomas D.

Owner

Main content area

Fig 7. Sidebar navigation — clear section hierarchy with active state indicators.

marketing.docsPage.nav.aiSystems

marketing.docsPage.nav.addAiSystem

Registering an AI system is a guided, 3-step wizard that collects the information needed for accurate risk classification. No legal expertise required — questions use plain business language.

AI System Registration Process

Step 1: Basics

Name, type (chatbot, recruitment, scoring, etc.), and description.

Step 2: Context

Dynamic questions about autonomy, transparency, data, and users.

Step 3: Classify

AI engine analyses answers and returns risk category in ~30s.

Step 1 — Basic Information

Give your system a recognisable name (e.g. "Customer Support Chatbot"), select its type from a predefined list, and optionally provide a description.

Add AI System

Step 1 of 3: Basic Information

System name

Customer Support Chatbot

What type of AI is this?

Chatbot / Virtual assistant

Recruitment / HR screening

Credit scoring

Fraud detection

Recommendation engine

Face recognition

Other

Brief description (optional)

AI-powered customer support for product queries…

Cancel

Fig 8. Step 1 — basic information collection with type selector dropdown.

Step 2 — Contextual Questions

Questions adapt dynamically based on the system type selected. For a recruitment screening tool, you will see questions about decision autonomy and bias testing. For a chatbot, questions focus on transparency and escalation paths.

Question Category	Example Question	Impact
Decision Autonomy	Does the system make decisions without human review?	Determines high-risk classification trigger
Transparency	Are users informed they are interacting with AI?	Triggers Article 50 transparency obligation
Data Sensitivity	Does the system process biometric or special category data?	Impacts data governance requirements
Human Oversight	Can users escalate to a human operator?	Affects risk mitigation assessment
Deployment Scope	Is the system used in safety-critical environments?	May trigger prohibited practices check

Step 2 of 3: Tell us more

Does it make decisions automatically?

This affects risk classification

Yes, it decides alone

No, a human always reviews

Partial (some decisions automatic)

Are users informed they're talking to AI?

Yes

← Back

Fig 9. Step 2 — dynamic contextual questions adapt based on system type.

Step 3 — AI Classification

ActLoom's AI engine (powered by OpenAI GPT-4 Mini) analyses your responses against the full text of the EU AI Act. Within approximately 30 seconds, you receive:

Risk category (Prohibited, High-Risk, Limited-Risk, or Minimal-Risk)
Confidence percentage (how certain the classification is)
Reasoning explanation in plain language
Specific AI Act article references

Classification Complete

Risk Category

🟡 LIMITED-RISK

Confidence

95%

Why LIMITED-RISK?

Your chatbot provides information but does not make consequential decisions. Under AI Act Article 50, transparency obligation applies: users must be informed they are interacting with AI.

Requirements (1)

Inform users about AI interactionArt. 50

← Back

Save & Continue

Fig 10. Classification result — risk category badge, confidence meter, and explanatory reasoning with legal references.

Re-classification available

Disagree with the classification? You can adjust your answers and re-run the classification at any time. The system keeps a history of all classifications.

Risk Classification

The EU AI Act uses a risk-based approach with four categories. ActLoom maps each of your AI systems to one of these categories:

Prohibited

AI practices that are entirely banned in the EU (e.g. social scoring, real-time biometric surveillance in public spaces without authorisation).

System must be discontinued or fundamentally redesigned.

High-Risk

Systems in sensitive domains (recruitment, credit scoring, critical infrastructure) with significant impact on individuals.

Must implement comprehensive compliance controls (7+ obligations).

Limited-Risk

Systems with specific transparency requirements (most chatbots, emotion recognition, deepfakes).

Must ensure users know they are interacting with AI (Article 50).

Minimal-Risk

AI systems with no specific obligation under the AI Act (spam filters, AI in video games, etc.).

No mandatory requirements, but voluntary codes of practice encouraged.

AI System Registered

Is this a prohibited practice?

Social scoring, manipulative AI, etc.

Yes →

🔴 PROHIBITED

High-risk domain? (Annex III)

Recruitment, credit, critical infrastructure…

Yes →

🟠 HIGH-RISK

Transparency trigger? (Art. 50)

Chatbot, deepfake, emotion recognition…

Yes →

🟡 LIMITED-RISK

🟢 MINIMAL-RISK

Fig 11. Risk classification decision tree — visual flowchart showing how the AI engine maps system characteristics to risk categories.

marketing.docsPage.nav.systemInventory

The AI Systems page provides a complete inventory of all registered systems. Each card displays the system name, type, risk category badge, compliance score, and last assessment date. Use filters to view systems by risk level or assessment status.

AI Systems (8)

Search…

+ Add System

All (8)High-Risk (3)Limited (3)Minimal (2)

System	Type	Risk Level	Score	Status	Last Assessed
Recruitment AI	HR Screening	High-Risk	45%	Completed	Feb 2026
Support Chatbot	Chatbot	Limited-Risk	82%	Completed	Feb 2026
Fraud Detection	Risk Scoring	High-Risk	61%	In Progress	Feb 2026
Content Engine	Recommendation	Minimal-Risk	100%	Completed	Feb 2026
CV Parser	HR Screening	High-Risk	0%	Not Started	—

Fig 12. System inventory — filterable list with at-a-glance compliance status.

Field	Description
Name	System display name (user-defined)
Type	AI system category (chatbot, recruitment, credit scoring, etc.)
Risk Category	Colour-coded badge (Prohibited / High-Risk / Limited-Risk / Minimal-Risk)
Compliance Score	Percentage score from latest assessment (0–100%)
Assessment Status	Not Started, In Progress, or Completed
Last Assessed	Date of most recent compliance assessment
Created	Date the system was registered on the platform

marketing.docsPage.nav.complianceAssessment

Assessment Workflow

Once a system is classified, ActLoom generates a tailored list of compliance requirements based on its risk category. The assessment workflow walks you through each requirement one by one.

Compliance Assessment Flow

Start Assessment

Select an AI system and begin the guided assessment wizard.

Evaluate Requirements

Answer Met / Partially Met / Not Met for each obligation.

Add Evidence

Attach notes, links, or files as supporting evidence.

Review & Submit

Review summary, score calculated automatically, submit assessment.

High-Risk Requirements (7 Core Obligations)

#	Obligation	AI Act Article	Description
1	Risk Management System	Art. 9	Establish and maintain a risk management system throughout the AI system lifecycle
2	Data Governance	Art. 10	Training, validation, and testing data must meet quality criteria
3	Technical Documentation	Art. 11	Comprehensive technical documentation before market placement
4	Record Keeping	Art. 12	Automatic logging of events during operation
5	Transparency	Art. 13	Provide clear information to deployers about system capabilities and limitations
6	Human Oversight	Art. 14	Design system to allow effective human oversight
7	Accuracy, Robustness, Cybersecurity	Art. 15	Achieve appropriate levels of accuracy, robustness, and security

Assess: Recruitment AI

3 of 7

Requirement #3: Technical Documentation

Art. 11 — Comprehensive technical documentation must be prepared before the AI system is placed on the market.

Does your system have technical documentation?

Met — Full documentation exists

Partially Met — Some documentation exists

Not Met — No documentation

Unknown — Need to investigate

Notes (optional)

We have partial docs in Confluence but need to formalize…

Auto-saved 5 seconds ago

← Previous

Fig 13. Assessment wizard — one requirement per screen with clear descriptions, helper text, and progress indicator.

Auto-save

Your assessment progress is automatically saved every 30 seconds. You can leave and return at any time without losing work.

marketing.docsPage.nav.complianceScoring

ActLoom calculates a compliance score from 0–100% based on your assessment responses. Each requirement is weighted according to its regulatory importance.

Status	Points	Meaning
Met ✅	100%	Requirement fully satisfied with supporting evidence
Partially Met 🟡	50%	Some measures in place but gaps remain
Not Met ❌	0%	Requirement not addressed — action needed
Unknown ❓	0%	Unable to assess — investigation required

Met (3)

43%

Partially Met (2)

29%

Not Met (2)

28%

Fig 14. Score breakdown — donut chart showing compliance distribution with colour-coded segments.

Score colour coding

80–100%—Compliant

50–79%—Partially Compliant

0–49%—Non-Compliant

marketing.docsPage.nav.gapAnalysis

After completing an assessment, ActLoom generates a detailed gap analysis that highlights exactly what is missing and what needs to be done. Each gap includes:

Requirement — Which obligation is not met
Current Status — Not Met or Partially Met with details
Priority — Mandatory vs. Recommended
Effort Estimate — Approximate hours to remediate
Recommended Actions — Specific steps to close the gap

Gap Analysis — Recruitment AI

Priority	Requirement	Article	Status	Effort	Action
🔴	Risk Management System	Art. 9	Not Met	40h	Fix →
🔴	Data Governance	Art. 10	Not Met	32h	Fix →
🟡	Technical Documentation	Art. 11	Partially Met	16h	Fix →
🟡	Human Oversight	Art. 14	Partially Met	8h	Fix →

Fig 15. Gap analysis table — prioritised view of compliance gaps with effort estimates and action buttons.

marketing.docsPage.nav.remediationPlans

ActLoom generates AI-powered remediation plans tailored to each compliance gap. Plans include step-by-step implementation guidance, template documents, and timeline suggestions.

Remediation Lifecycle

Identify Gap

Gap detected from assessment or monitoring.

Generate Plan

AI creates actionable remediation steps with templates.

Implement

Team follows checklist, marks steps complete.

Verify

Re-assess requirement, update score automatically.

Not Met

Remediation: Risk Management System

Art. 9 · Est. 40 hours

Progress

2/6

Define risk assessment methodology

Identify and document foreseeable risks

Implement risk mitigation measures

In progress — click for guidance

Establish residual risk acceptance criteria

Create risk monitoring procedures

Schedule periodic risk reviews

Fig 16. Remediation plan — step-by-step checklist with progress tracking and associated document templates.

AI-generated guidance

Remediation plans are generated by ActLoom's AI engine, which references the AI Act text, industry best practices, and your specific system context to provide actionable guidance.

marketing.docsPage.nav.documentsReports

marketing.docsPage.nav.reportGeneration

Generate professional, audit-ready PDF reports with one click. Reports are automatically populated with your company data, AI system details, assessment results, and compliance scores. Your company logo and branding are included.

Document Generation Flow

Select Type

Choose from assessment report, risk management, technical doc, or transparency notice.

Select System

Pick the AI system the report covers.

Generate

AI engine compiles data and generates PDF (30–60 seconds).

Download

Download PDF or access from your document vault anytime.

Generate Document

Document type

Assessment Report

AI System

Recruitment AI

Include company branding

Generate Report

Estimated generation time: 30–60 seconds

Fig 17. Report generation — select type, choose system, and generate in one click.

marketing.docsPage.nav.documentTypes

ActLoom generates four categories of compliance documents, each aligned to specific AI Act requirements:

📊

Assessment Report

20–30 pages · Art. 9, 10, 11, 13, 14, 15

Comprehensive compliance assessment including executive summary, system classification, scores, gap analysis, and recommended roadmap. 20–30 pages.

⚠️

Risk Management Documentation

10–15 pages · Art. 9

Pre-filled risk management templates with identified risks, mitigation measures, residual risk assessments, and review calendars.

⚙️

Technical Documentation

15–25 pages · Art. 11, Annex IV

Structured technical description covering system architecture, data sources, performance metrics, and testing procedures.

👁️

Transparency Notice

2–5 pages · Art. 50, Art. 13

User-facing notice informing individuals they are interacting with AI, including decision logic summary and human escalation contact.

ActLoom

Confidential

AI Act Compliance
Assessment Report

Recruitment AI · TechCorp Solutions

Generated Feb 28, 2026 · v1

Executive Summary

Risk Level

HIGH

Score

45%

Gaps

Key Findings

Met

3/7

Partial

2/7

Not Met

2/7

Pages

Page 1 of 24 · Generated by ActLoom

Fig 18. Sample assessment report — professional layout with company branding, executive summary, and detailed findings.

marketing.docsPage.nav.documentVault

All generated documents are securely stored in your encrypted document vault. Features include:

Version history — Track all versions (v1, v2, etc.) when reports are regenerated
Encrypted storage — All files stored with AES-256 encryption at rest on Vercel Blob
Instant download — One-click PDF download for any document version
Audit trail — Full log of who generated, viewed, or downloaded each document

Document Vault

Search documents…

📊

Assessment Report — Recruitment AI

PDF·v2·Feb 28, 2026·2.4 MB

Download

⚠️

Risk Management — Recruitment AI

PDF·v1·Feb 27, 2026·1.8 MB

Download

⚙️

Technical Documentation — Fraud Detection

PDF·v1·Feb 25, 2026·3.1 MB

Download

👁️

Transparency Notice — Support Chatbot

PDF·v3·Feb 24, 2026·0.5 MB

Download

📊

Assessment Report — Fraud Detection

PDF·v1·Feb 22, 2026·2.8 MB

Download

Fig 19. Document vault — searchable library of all generated compliance documents with version tracking.

marketing.docsPage.nav.aiActReference

Regulatory Overview

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. Adopted in 2024, it establishes harmonised rules for the development, placement on the market, and use of AI systems within the European Union.

Key principles

Risk-Based Approach

Obligations are proportional to the level of risk the AI system poses to health, safety, and fundamental rights.

Technology Neutral

The regulation applies to AI systems regardless of the underlying technology or method used.

Extraterritorial Scope

Applies to any provider or deployer whose system is used in or affects persons in the EU.

Prohibited

Banned practices

High-Risk

Full compliance controls

Limited-Risk

Transparency only

Minimal-Risk

No mandatory obligations

← Higher riskLower risk →

← More obligationsFewer obligations →

Fig 20. The EU AI Act regulatory framework — four risk tiers with proportional obligations.

marketing.docsPage.nav.riskCategoriesDetail

A detailed breakdown of each risk tier, associated AI Act articles, and real-world examples:

Risk Level	Articles	Examples	Obligations
🔴 Prohibited	Art. 5	Social scoring by governments, real-time biometric ID in public spaces (without exceptions), manipulative AI targeting vulnerabilities	Banned — must cease use
🟠 High-Risk	Art. 6, Annex I/III	Recruitment screening, credit scoring, critical infrastructure management, law enforcement tools, education admission	Full compliance: risk management, data governance, technical docs, logging, transparency, human oversight, accuracy/robustness
🟡 Limited-Risk	Art. 50	Chatbots, emotion recognition systems, deepfake generators, AI-generated content	Transparency obligation: inform users they interact with AI
🟢 Minimal-Risk	—	Spam filters, AI in video games, inventory management	No mandatory obligations (voluntary codes encouraged)

🔴 Prohibited

Art. 5

• Social scoring
• Real-time biometric surveillance
• Manipulation targeting vulnerabilities

Banned — cease use

🟠 High-Risk

Art. 6, Annex III

• Recruitment screening
• Credit scoring
• Critical infrastructure

7+ full compliance controls

🟡 Limited-Risk

Art. 50

• Chatbots
• Emotion recognition
• Deepfake generators

Transparency obligation

🟢 Minimal-Risk

—

• Spam filters
• AI in games
• Inventory management

Voluntary codes

Fig 21. AI Act risk pyramid — from prohibited practices at the top to minimal-risk systems at the base.

Obligations by Role

The AI Act assigns different obligations depending on your role in the AI value chain:

Role	Definition	Key Obligations
Provider	Develops or commissions an AI system and places it on the market	Risk management, technical documentation, conformity assessment, EU database registration, post-market monitoring
Deployer	Uses an AI system under its authority (not for personal use)	Fundamental Rights Impact Assessment, human oversight measures, input data quality, inform affected persons
Importer	Places a non-EU provider's AI system on the EU market	Verify conformity assessment, CE marking, keep documentation accessible
Distributor	Makes an AI system available on the EU market	Verify CE marking, storage conditions, alert authorities of non-compliance
GPAI Provider	Provides General-Purpose AI models	Technical documentation, training data transparency, copyright policy, safety evaluations (systemic risk models)

Multiple roles possible

An organisation can hold multiple roles simultaneously. For example, a company that builds its own recruitment AI and also uses a third-party chatbot is both a Provider and a Deployer.

Timeline & Deadlines

The AI Act enters into force through a phased timeline. Missing deadlines exposes organisations to significant penalties.

Phase 1February 2, 2025

Prohibited Practices & AI Literacy

Ban on prohibited AI practices takes effect. All operators must ensure sufficient AI literacy among staff.

Phase 2August 2, 2025

GPAI Obligations

General-Purpose AI model providers must comply with transparency and documentation requirements.

Phase 3August 2, 2026

High-Risk Systems (Major Deadline)

Full obligations for high-risk AI systems activate, including risk management, data governance, technical documentation, and conformity assessment.

Phase 4August 2, 2027

Remaining Obligations

All remaining provisions become applicable, including obligations for AI systems in Annex I.

Feb
2025

Phase 1

Prohibited Practices

✅ Active

Aug
2025

Phase 2

GPAI Obligations

✅ Active

Aug
2026

Phase 3

High-Risk Systems

⏳ 155 days

Aug
2027

Phase 4

Full Application

📅 Future

Fig 22. Complete enforcement timeline — phased rollout from 2025 to 2027 with key obligation milestones.

August 2026 — Critical deadline

The August 2, 2026 deadline is the most impactful for SMEs. High-risk AI system obligations activate, and non-compliance can result in fines of up to EUR 15M or 3% of global annual turnover.

Penalties

The AI Act establishes a tiered penalty structure based on the severity of the infringement:

Violation Type	Maximum Fine	% of Global Turnover	Examples
Prohibited practices	EUR 35,000,000	7%	Operating a banned AI system (social scoring, unauthorised biometric surveillance)
High-risk non-compliance	EUR 15,000,000	3%	Failing to implement required risk management, missing technical documentation
False information to authorities	EUR 7,500,000	1.5%	Providing incorrect information in conformity declarations or to notified bodies

SME impact example

A startup with EUR 10M annual revenue using a non-compliant recruitment AI faces potential fines of EUR 300,000 (3% of turnover). For comparison, typical SaaS net margins are 10–20%, meaning a single fine could wipe 1.5–3 years of profits.

Tier 1

€35M

or 7% global turnover

Prohibited practices

Tier 2

€15M

or 3% global turnover

High-risk non-compliance

Tier 3

€7.5M

or 1.5% global turnover

False information

Example: Company with €10M revenue → High-risk non-compliance = €300,000 fine (3% turnover)

Fig 23. Fine structure — three tiers of penalties with proportional impact on different company sizes.

marketing.docsPage.nav.teamCollaboration

Invite Members

Compliance is a team effort. Invite colleagues from Legal, Engineering, Product, and Compliance teams to collaborate on assessments and share access to reports.

Team Invitation Flow

Send Invite

Enter email address and select role.

Member receives email and accepts invite.

Collaborate

Team members access shared workspace.

Team Members (4)

+ Invite Member

Thomas Durand

thomas@techcorp.eu

OwnerActive

Marie Lambert

marie@techcorp.eu

AdminActive

Paul Chen

paul@techcorp.eu

MemberActive

Sophie Klein

sophie@techcorp.eu

MemberPending

Fig 24. Team management — invite members, assign roles, and view team activity.

Roles & Permissions

ActLoom uses a role-based access control (RBAC) model with three permission levels:

Role	AI Systems	Assessments	Reports	Team	Billing
Owner	Full access	Full access	Full access	Manage all	Full access
Admin	Full access	Full access	Full access	Manage members	View only
Member	View & edit	View & edit	View & download	View only	No access

Plan limits apply

The number of team members depends on your subscription plan. Starter supports 1 user, Business supports up to 5, and Pro supports unlimited team members.

marketing.docsPage.nav.integrationsApi

API Keys

Open Settings > Integrations/API > API Keys & Webhooks to create, rotate, and revoke API keys for a company. Key material is displayed only once when created or rotated.

Authentication mode

Settings API key management endpoints require an authenticated dashboard session cookie. They are owner/admin-protected endpoints for lifecycle management.

Machine API mode

Use API keys with Authorization: Bearer actloom_...on machine endpoints under /api/v1/*.

Operation	Method	Endpoint	Notes
List keys	GET	/api/settings/api-keys?companyId={companyId}	Returns existing keys and supported scopes
Create key	POST	/api/settings/api-keys	Returns plaintext key once in `plaintextKey`
Rotate key	POST	/api/settings/api-keys/{apiKeyId}/rotate	Returns new `plaintextKey` once
Revoke key	DELETE	/api/settings/api-keys/{apiKeyId}	Sets `revokedAt` timestamp

Supported scopes

read:assessmentswrite:assessmentsread:reportswrite:reportsread:incidentswrite:incidentsread:systemswrite:systemsread:billing

Create a key:

curl -X POST https://api.actloom.com/api/settings/api-keys \
  -H "Content-Type: application/json" \
  -b "your_session_cookie_here" \
  -d '{
    "companyId": "your_company_id",
    "name": "CI integration key",
    "scopes": ["read:reports", "write:reports"],
    "expiresInDays": 365
  }'

Settings API Endpoints

These endpoints back the Settings UI and allow you to automate key/webhook administration in internal tooling.

Area	Method	Endpoint	Purpose
API keys	GET	/api/settings/api-keys?companyId={companyId}	List keys + supported scopes + permissions
API keys	POST	/api/settings/api-keys	Create scoped API key
API keys	POST	/api/settings/api-keys/{id}/rotate	Rotate key material
API keys	DELETE	/api/settings/api-keys/{id}	Revoke key
Webhooks	GET	/api/settings/webhooks?companyId={companyId}	List endpoints + supported event types
Webhooks	POST	/api/settings/webhooks	Create endpoint + return signing secret once
Webhooks	PATCH	/api/settings/webhooks/{id}	Update URL, description, status, events
Webhooks	DELETE	/api/settings/webhooks/{id}	Delete endpoint
Webhooks	POST	/api/settings/webhooks/{id}/test	Send test delivery to endpoint URL

Use the ready-made Postman collection:

Download `actloom-settings-api-keys.postman_collection.json`

Machine API artifacts:

OpenAPI spec: `actloom-api-v1.yaml`Postman collection: `actloom-api-v1.postman_collection.json`

Webhooks

Register outbound endpoints and select event subscriptions in Settings. Use the built-in webhook test to validate your receiver, networking, and retry/error handling.

Supported event types

incident.createdincident.updatedreport.generatedassessment.updatedai_system.updatedbilling.subscription.updated

Create a webhook endpoint:

curl -X POST https://api.actloom.com/api/settings/webhooks \
  -H "Content-Type: application/json" \
  -b "your_session_cookie_here" \
  -d '{
    "companyId": "your_company_id",
    "url": "https://your-app.example.com/webhooks/actloom",
    "description": "Production endpoint",
    "events": ["incident.created", "report.generated"]
  }'

Signing secret handling

The response includes a `signingSecret` only once at creation. Store it securely in your secret manager.

Webhook Test Payload

The Test action in Settings (or POST /api/settings/webhooks/{id}/test) sends the payload below.

Delivery headers

Content-Type: application/json
x-actloom-event: webhook.test
x-actloom-delivery-id: evt_test_<timestamp>

The current test route does not include an HMAC signature header.

Request body

{
  "id": "evt_test_1700000000000",
  "type": "webhook.test",
  "createdAt": "2026-03-01T12:00:00.000Z",
  "data": {
    "endpointId": "wh_123",
    "companyId": "company_123"
  }
}

marketing.docsPage.nav.billingPlans

Pricing Plans

ActLoom offers flexible pricing to match your organisation's size and compliance needs:

Starter

EUR 49/month

For small teams beginning their compliance journey.

Up to 5 AI systems
10 reports/month
Core compliance scoring
Foundational governance workflows
Email support (24h)

Business

EUR 149/month

For growing companies with active compliance programs.

Up to 30 AI systems
100 reports/month
Priority support (4h)
Operational evidence tracking
Up to 5 team members
Continuous monitoring

Pro

EUR 399/month

For organisations with advanced governance needs.

Unlimited AI systems
Unlimited reports
Advanced governance workflows
Enterprise rollout readiness
Unlimited team members
API access
SSO support

All plans include a 14-day free trial. No credit card required to start.
Annual billing available with 10% discount. View full pricing details →

Subscription Management

Manage your subscription directly from the platform or through the Stripe Customer Portal:

Upgrade or downgrade — Switch plans instantly with prorated billing
Update payment method — Change credit card details securely via Stripe
View invoices — Download PDF invoices for all past payments
Cancel subscription — Cancel anytime, access continues until period end

Billing & Subscription

Current Plan

Business

EUR 149/month

Next renewal

March 28, 2026

Manage plan

View invoices

Usage This Period

AI Systems12/30

Reports34/100

Team Members4/5

Fig 25. Billing dashboard — current plan, usage, next renewal date, and quick actions.

Billing FAQ

What happens when my free trial ends?

If you don't upgrade within 14 days, your account reverts to a read-only state. All your data is preserved. You can upgrade at any time to restore full access.

Can I change plans at any time?

Yes. Upgrades take effect immediately with prorated billing. Downgrades take effect at the next billing cycle.

What payment methods are accepted?

All major credit cards (Visa, Mastercard, American Express) and SEPA direct debit for EU bank accounts. Processed securely by Stripe.

Are there any setup fees?

No. There are no setup fees, onboarding fees, or hidden charges. The subscription price is all-inclusive.

Can I get an invoice for my company?

Yes. All invoices are automatically generated by Stripe and available in your billing dashboard. You can add your VAT number and company details for proper tax invoicing.

marketing.docsPage.nav.securityData

Security Overview

Security is foundational to ActLoom. We implement defence-in-depth across all layers of the platform:

Edge Security

Vercel CDNDDoS ProtectionTLS 1.3

Application Security

CSP HeadersRate LimitingInput Validation (Zod)

Authentication & Authorization

Auth.js / NextAuthEncrypted SessionsRow Level Security

Data Protection

AES-256 at RestTLS in TransitAudit Logging

Your Data (Encrypted)

Fig 26. Security architecture — multi-layer protection from edge to database.

Authentication

Auth.js (NextAuth v5) with encrypted sessions, OAuth 2.0 (Google), and secure credential hashing.

Authorization (RLS)

PostgreSQL Row Level Security ensures users can only access their own company's data at the database level.

Encryption at Rest

All data encrypted on managed PostgreSQL (AES-256). Files stored with encryption on Vercel Blob.

Encryption in Transit

All traffic encrypted via HTTPS/TLS 1.3. No unencrypted connections accepted.

Input Validation

All API inputs validated with Zod schemas. SQL injection prevented via parameterised queries.

Rate Limiting

100 requests/minute per IP. Configurable per endpoint. DDoS protection via Vercel Edge Network.

Security Headers

CSP, X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy enforced on all responses.

Audit Logging

All sensitive operations logged with user ID, timestamp, IP address, and action details.

Data Processing

ActLoom processes data in accordance with GDPR and applies the principle of data minimisation. Here's how your data flows through the platform:

Data Flow

Input

User provides company & AI system information.

Process

Data processed by API, AI classification via Anthropic (no training).

Store

Stored encrypted in EU-region PostgreSQL database.

Output

PDF reports generated and stored in encrypted blob storage.

Data Category	Storage Location	Retention	Encryption
Account data	PostgreSQL (EU)	Duration of account + 30 days	AES-256 at rest, TLS in transit
Assessment data	PostgreSQL (EU)	Duration of subscription + 90 days	AES-256 at rest, TLS in transit
Generated documents	Vercel Blob (EU)	Duration of subscription + 90 days	AES-256 at rest, TLS in transit
Audit logs	PostgreSQL (EU)	12 months rolling	AES-256 at rest, TLS in transit
Analytics	PostHog (EU)	24 months	Encrypted, pseudonymised

AI data processing

When ActLoom sends data to the OpenAI GPT-4 Mini API for classification, we transmit only the minimum necessary context. OpenAI does not use API data for training (zero data retention policy). All API calls use encrypted connections.

marketing.docsPage.nav.frequentlyAskedQuestions

General

What is ActLoom?

ActLoom is a SaaS platform that helps SMEs achieve EU AI Act compliance through automated risk classification, compliance assessment, gap analysis, and audit-ready document generation.

Who is ActLoom for?

ActLoom is designed for SMEs (50–500 employees) in SaaS, FinTech, HR Tech, and other sectors that use AI. It's especially relevant for CTOs, compliance officers, legal teams, and founders.

How is ActLoom different from consultants?

Consultants charge EUR 50k–200k and take 3–6 months. ActLoom provides the same compliance outputs in 48 hours for a fraction of the cost, through a self-service platform.

Is ActLoom a legal advisor?

No. ActLoom provides technical compliance tooling and pre-structured documentation. It does not constitute legal advice. For complex legal interpretations, we recommend consulting qualified legal counsel.

Which languages is ActLoom available in?

Available in 6 languages: English, French, German, Spanish, Dutch, and Italian.

Does ActLoom work for companies outside the EU?

Yes. The AI Act has extraterritorial scope — it applies to any company whose AI systems are used in the EU or affect EU persons, regardless of where the company is based.

Technical

How does the AI classification work?

ActLoom uses the OpenAI GPT-4 Mini API to analyse your responses against the full EU AI Act text. The model maps system characteristics to risk categories based on Articles 5, 6, 50, and Annexes I/III. Classifications include a confidence score and legal article references.

Is my data sent to AI models for training?

No. OpenAI does not use API data for model training (zero data retention policy). Your data is transmitted only for the classification request and is not stored by OpenAI beyond the API session.

What happens if the AI classification is wrong?

You can re-classify at any time by adjusting your answers. ActLoom also displays confidence scores — lower confidence prompts a manual review recommendation. We always recommend validating high-risk classifications with legal counsel.

Can I export my data?

Yes. You can export all your AI system data, assessments, and reports in JSON and PDF formats from Settings > Data Export.

What is the uptime SLA?

ActLoom targets 99.9% uptime, backed by Vercel's infrastructure. We use global CDN distribution, automated failover, and real-time monitoring via Sentry.

Legal

Does using ActLoom guarantee AI Act compliance?

ActLoom provides tools, templates, and guidance to help you work towards compliance. However, final compliance determination depends on your specific implementation and may require validation by regulators or legal counsel.

Is ActLoom itself AI Act compliant?

Yes. ActLoom's own use of AI (the classification engine) is classified as minimal-risk and we comply with all applicable transparency and documentation requirements.

Where is my data stored?

All data is stored in EU-region data centres (PostgreSQL via Neon/Vercel Postgres, file storage via Vercel Blob). We do not transfer data outside the EEA without appropriate safeguards.

Can I delete my data?

Yes. In accordance with GDPR Article 17, you can request complete data deletion from Settings > Privacy > Delete Account. All data is permanently removed within 30 days.

Does ActLoom sign a Data Processing Agreement (DPA)?

Yes. ActLoom provides a standard GDPR-compliant DPA. Contact support@actloom.com to request your copy.

Ready to get started?

Join hundreds of companies using ActLoom to simplify AI Act compliance. Start your free assessment today — no credit card required.

Start Free Assessment View Pricing

Questions? Contact us at support@actloom.com

Field

Description

Required

Company Name

Your legal or trading entity name

Yes

Industry

Primary business sector (SaaS, FinTech, HR Tech, E-commerce, etc.)

Yes

Company Size

Number of employees (1–50, 51–200, 201–500, 501–1000, 1000+)

Yes

Location

Country where the company is established

Yes

EU Customers

Whether you serve customers in the European Union

Yes

Company Logo

Upload your company logo for branded reports

Question Category

Example Question

Impact

Decision Autonomy

Does the system make decisions without human review?

Determines high-risk classification trigger

Transparency

Are users informed they are interacting with AI?

Triggers Article 50 transparency obligation

Data Sensitivity

Does the system process biometric or special category data?

Impacts data governance requirements

Human Oversight

Can users escalate to a human operator?

Affects risk mitigation assessment

Deployment Scope

Is the system used in safety-critical environments?

May trigger prohibited practices check

System

Type

Risk Level

Score

Status

Last Assessed

Recruitment AI

HR Screening

High-Risk

45%

Completed

Feb 2026

Support Chatbot

Chatbot

Limited-Risk

82%

Completed

Feb 2026

Fraud Detection

Risk Scoring

High-Risk

61%

In Progress

Feb 2026

Content Engine

Recommendation

Minimal-Risk

100%

Completed

Feb 2026

CV Parser

HR Screening

High-Risk

Not Started

—

Field

Description

Name

System display name (user-defined)

Type

AI system category (chatbot, recruitment, credit scoring, etc.)

Risk Category

Colour-coded badge (Prohibited / High-Risk / Limited-Risk / Minimal-Risk)

Compliance Score

Percentage score from latest assessment (0–100%)

Assessment Status

Not Started, In Progress, or Completed

Last Assessed

Date of most recent compliance assessment

Created

Date the system was registered on the platform

Obligation

AI Act Article

Description

Risk Management System

Art. 9

Establish and maintain a risk management system throughout the AI system lifecycle

Data Governance

Art. 10

Training, validation, and testing data must meet quality criteria

Technical Documentation

Art. 11

Comprehensive technical documentation before market placement

Record Keeping

Art. 12

Automatic logging of events during operation

Transparency

Art. 13

Provide clear information to deployers about system capabilities and limitations

Human Oversight

Art. 14

Design system to allow effective human oversight

Accuracy, Robustness, Cybersecurity

Art. 15

Achieve appropriate levels of accuracy, robustness, and security

Status

Points

Meaning

Met ✅

100%

Requirement fully satisfied with supporting evidence

Partially Met 🟡

50%

Some measures in place but gaps remain

Not Met ❌

Requirement not addressed — action needed

Unknown ❓

Unable to assess — investigation required

Priority

Requirement

Article

Status

Effort

Action

🔴

Risk Management System

Art. 9

Not Met

40h

Fix →

🔴

Data Governance

Art. 10

Not Met

32h

Fix →

🟡

Technical Documentation

Art. 11

Partially Met

16h

Fix →

🟡

Human Oversight

Art. 14

Partially Met

Fix →

Risk Level

Articles

Examples

Obligations

🔴 Prohibited

Art. 5

Social scoring by governments, real-time biometric ID in public spaces (without exceptions), manipulative AI targeting vulnerabilities

Banned — must cease use

🟠 High-Risk

Art. 6, Annex I/III

Recruitment screening, credit scoring, critical infrastructure management, law enforcement tools, education admission

Full compliance: risk management, data governance, technical docs, logging, transparency, human oversight, accuracy/robustness

🟡 Limited-Risk

Art. 50

Chatbots, emotion recognition systems, deepfake generators, AI-generated content

Transparency obligation: inform users they interact with AI

🟢 Minimal-Risk

—

Spam filters, AI in video games, inventory management

No mandatory obligations (voluntary codes encouraged)

Role

Definition

Key Obligations

Provider

Develops or commissions an AI system and places it on the market

Risk management, technical documentation, conformity assessment, EU database registration, post-market monitoring

Deployer

Uses an AI system under its authority (not for personal use)

Fundamental Rights Impact Assessment, human oversight measures, input data quality, inform affected persons

Importer

Places a non-EU provider's AI system on the EU market

Verify conformity assessment, CE marking, keep documentation accessible

Distributor

Makes an AI system available on the EU market

Verify CE marking, storage conditions, alert authorities of non-compliance

GPAI Provider

Provides General-Purpose AI models

Technical documentation, training data transparency, copyright policy, safety evaluations (systemic risk models)

Violation Type

Maximum Fine

% of Global Turnover

Examples

Prohibited practices

EUR 35,000,000

Operating a banned AI system (social scoring, unauthorised biometric surveillance)

High-risk non-compliance

EUR 15,000,000

Failing to implement required risk management, missing technical documentation

False information to authorities

EUR 7,500,000

1.5%

Providing incorrect information in conformity declarations or to notified bodies

Role

AI Systems

Assessments

Reports

Team

Billing

Owner

Full access

Manage all

Full access

Admin

Full access

Manage members

View only

Member

View & edit

View & download

View only

No access

Operation

Method

Endpoint

Notes

List keys

GET

/api/settings/api-keys?companyId={companyId}

Returns existing keys and supported scopes

Create key

POST

/api/settings/api-keys

Returns plaintext key once in `plaintextKey`

Rotate key

POST

/api/settings/api-keys/{apiKeyId}/rotate

Returns new `plaintextKey` once

Revoke key

DELETE

/api/settings/api-keys/{apiKeyId}

Sets `revokedAt` timestamp

curl -X POST https://api.actloom.com/api/settings/api-keys \ -H "Content-Type: application/json" \ -b "your_session_cookie_here" \ -d '{ "companyId": "your_company_id", "name": "CI integration key", "scopes": ["read:reports", "write:reports"], "expiresInDays": 365 }'

Area

Method

Endpoint

Purpose

API keys

GET

/api/settings/api-keys?companyId={companyId}

List keys + supported scopes + permissions

API keys

POST

/api/settings/api-keys

Create scoped API key

API keys

POST

/api/settings/api-keys/{id}/rotate

Rotate key material

API keys

DELETE

/api/settings/api-keys/{id}

Revoke key

Webhooks

GET

/api/settings/webhooks?companyId={companyId}

List endpoints + supported event types

Webhooks

POST

/api/settings/webhooks

Create endpoint + return signing secret once

Webhooks

PATCH

/api/settings/webhooks/{id}

Update URL, description, status, events

Webhooks

DELETE

/api/settings/webhooks/{id}

Delete endpoint

Webhooks

POST

/api/settings/webhooks/{id}/test

Send test delivery to endpoint URL

curl -X POST https://api.actloom.com/api/settings/webhooks \ -H "Content-Type: application/json" \ -b "your_session_cookie_here" \ -d '{ "companyId": "your_company_id", "url": "https://your-app.example.com/webhooks/actloom", "description": "Production endpoint", "events": ["incident.created", "report.generated"] }'

Data Category

Storage Location

Retention

Encryption

Account data

PostgreSQL (EU)

Duration of account + 30 days

AES-256 at rest, TLS in transit

Assessment data

PostgreSQL (EU)

Duration of subscription + 90 days

AES-256 at rest, TLS in transit

Generated documents

Vercel Blob (EU)

Duration of subscription + 90 days

AES-256 at rest, TLS in transit

Audit logs

PostgreSQL (EU)

12 months rolling

AES-256 at rest, TLS in transit

Analytics

PostHog (EU)

24 months

Encrypted, pseudonymised

marketing.docsPage.nav.gettingStarted

marketing.docsPage.nav.introduction

Who is ActLoom for?

CTOs & Engineering Leads

Compliance Officers

Legal Teams

Founders & CEOs

marketing.docsPage.nav.quickStartGuide

End-to-end onboarding flow

marketing.docsPage.nav.createYourAccount

Create your account

marketing.docsPage.nav.companyOnboarding

Set up your company

marketing.docsPage.nav.platformOverview

marketing.docsPage.nav.dashboard

Key dashboard components

marketing.docsPage.nav.navigation

marketing.docsPage.nav.aiSystems

marketing.docsPage.nav.addAiSystem

AI System Registration Process

Step 1 — Basic Information

Add AI System

Step 2 — Contextual Questions

Step 3 — AI Classification

Classification Complete

Risk Classification

marketing.docsPage.nav.systemInventory

marketing.docsPage.nav.complianceAssessment

Assessment Workflow

Compliance Assessment Flow

High-Risk Requirements (7 Core Obligations)

marketing.docsPage.nav.complianceScoring

Score colour coding

marketing.docsPage.nav.gapAnalysis

marketing.docsPage.nav.remediationPlans

Remediation Lifecycle

Remediation: Risk Management System

marketing.docsPage.nav.documentsReports

marketing.docsPage.nav.reportGeneration

Document Generation Flow

Generate Document

marketing.docsPage.nav.documentTypes

Assessment Report

Risk Management Documentation

Technical Documentation

Transparency Notice

AI Act ComplianceAssessment Report

marketing.docsPage.nav.documentVault

marketing.docsPage.nav.aiActReference

Regulatory Overview

Key principles

Risk-Based Approach

Technology Neutral

Extraterritorial Scope

marketing.docsPage.nav.riskCategoriesDetail

Obligations by Role

Timeline & Deadlines

Penalties

marketing.docsPage.nav.teamCollaboration

Invite Members

Team Invitation Flow

Roles & Permissions

marketing.docsPage.nav.integrationsApi

API Keys

Settings API Endpoints

Webhooks

Webhook Test Payload

marketing.docsPage.nav.billingPlans

Pricing Plans

Starter

Business

Pro

Subscription Management

Billing FAQ

marketing.docsPage.nav.securityData

Security Overview

Data Processing

Data Flow

marketing.docsPage.nav.frequentlyAskedQuestions

General

AI Act Compliance
Assessment Report

AI Act Compliance
Assessment Report