1. Provider Identification Identification du fournisseur
| Provider | Easylab AI (TLI S.A.) |
|---|
| Registered address | 55, allée de la Poudrerie, L-1899 Roeser, Luxembourg |
|---|
| Contact | governance@easylab.ai |
|---|
| Role under EU AI Act | AI Deployer (Article 26) and ICT Service Provider (DORA -- Regulation (EU) 2022/2554) |
|---|
| Scope of services | AI-powered workflow automation, process automation, data pipeline orchestration, and API integrations with AI components |
|---|
2. Scope of Automation & Workflow Services Perimetre des services d'automatisation et workflows
Easylab AI provides AI-augmented automation and workflow services encompassing the following capabilities:
- Workflow automation: AI-powered workflow automation using n8n (self-hosted and cloud deployments), enabling complex multi-step business process orchestration.
- Data processing pipelines: Automated data processing pipelines with AI enrichment, including classification, extraction, summarization, and translation.
- Email automation: Email automation with AI-generated content, including personalized messaging and templated communications.
- Document processing: Document processing workflows covering PDF extraction, OCR, and AI-driven analysis.
- Social media automation: Social media content automation with AI-assisted content generation and scheduling.
- CRM and business process automation: CRM integration and business process automation with AI decision support capabilities.
- RAG pipelines: Retrieval Augmented Generation (RAG) pipelines for intelligent document search and knowledge retrieval.
- Conversational AI: Chatbot and conversational AI deployment for customer-facing and internal use cases.
Note: Workflows may chain multiple AI providers within a single execution. Each AI node within a workflow is individually documented and classified according to its risk level and data handling requirements.
3. AI Act Compliance -- Risk Classification Conformite AI Act -- Classification des risques
Each workflow deployed by Easylab AI is individually assessed for its AI Act risk level. A workflow containing AI nodes inherits the highest risk level among its component nodes.
3.1 General Classification Principles
- Most automation workflows classify as limited risk or minimal risk under the EU AI Act.
- Prohibited practices (Article 5): All workflows are screened to ensure no manipulative, deceptive, or exploitative AI practices are employed.
- High-risk screening: Each workflow is assessed to determine whether any node falls within the categories listed in Annex III of the AI Act.
3.2 Common Automation Use Cases and Classifications
| Use Case |
Typical Classification |
Key Obligations |
| Content generation (text/image) |
Limited risk |
Art. 50 transparency |
| Email automation with AI |
Limited risk |
Art. 50, content labeling |
| Document extraction & analysis |
Minimal risk |
Best practices |
| RAG / chatbot for information retrieval |
Limited risk |
Art. 50 disclosure |
| AI-assisted data enrichment |
Minimal risk |
Data governance |
| Automated report generation |
Limited risk |
Art. 50, human review |
| Social media content automation |
Limited risk |
Art. 50, content labeling |
| AI decision support for business processes |
Depends on domain |
Full assessment required |
| HR / recruitment automation |
Potentially high-risk |
Full Chapter III if Annex III applies |
| Financial risk assessment |
Potentially high-risk |
Full Chapter III + DORA |
High-risk workflows: Any workflow identified as potentially high-risk under Annex III undergoes a dedicated conformity assessment before deployment, including risk management, data governance, and human oversight requirements as set out in Chapter III of the AI Act.
4. Transparency Obligations (Article 50) Obligations de transparence
Easylab AI implements the following transparency measures across all automation and workflow services:
- Content labeling: All AI-generated content produced within workflows is labeled as such, either through metadata, visible markers, or disclosure statements.
- Workflow documentation: Each workflow specification explicitly identifies which nodes use AI and describes the nature of AI involvement.
- End-user notification: End users are informed of AI involvement in automated communications they receive.
- Email disclosure: Email templates generated or augmented by AI include an AI-assistance disclosure.
- Document metadata: Documents produced by AI-augmented workflows carry appropriate AI metadata.
- Chatbot disclosure: Chatbots and conversational AI systems disclose their AI nature at the start of each conversation.
5. Human Oversight (Article 14) Supervision humaine
Human oversight is a fundamental design principle of all Easylab AI automation workflows:
- Human checkpoints: Workflow design incorporates human review and approval checkpoints for all critical decisions and high-impact outputs.
- Approval gates: AI-generated content intended for publication or external distribution must pass through explicit approval gates before release.
- Dashboard monitoring: A centralized dashboard provides real-time monitoring of all running workflows and their AI-related activities.
- Manual override: Every automated workflow supports manual override, allowing authorized personnel to intervene at any point in the execution.
- Anomaly alerts: An alert system flags anomalous AI outputs for immediate human review.
- Periodic review cycles: AI-generated content and automated outputs are subject to periodic human review to ensure ongoing quality and accuracy.
- Kill switch: Any workflow can be paused or stopped immediately by authorized personnel, with no dependency on the AI component's cooperation.
6. Workflow Architecture and Security Architecture et securite des workflows
- Orchestration platform: n8n workflow automation platform, deployed either self-hosted on EU infrastructure or via n8n Cloud (EU region).
- Client isolation: Workflow execution environments are isolated per client, preventing cross-client data access.
- Credential management: All credentials and API keys are stored in encrypted vaults. No plaintext secrets exist in workflow definitions or logs.
- Key rotation: API keys are rotated in accordance with the applicable security policy.
- Network security: All communications use TLS 1.3 encryption. VPN tunnels are used where required by client security policies.
- Webhook security: Inbound webhooks are authenticated and validated to prevent unauthorized workflow triggers.
- Error handling: Comprehensive error handling and retry mechanisms with full logging ensure workflow reliability and auditability.
- Rate limiting: Rate limiting and abuse prevention mechanisms protect against misuse and excessive resource consumption.
7. Data Governance & GDPR Compliance Gouvernance des donnees et conformite RGPD
7.1 Data Flow Management
- Data flow mapping: Each workflow includes a data flow map specifying which data elements pass through which AI provider at each processing stage.
- Data minimization: Only the fields strictly required for the AI processing task are transmitted to external AI APIs.
- Personal data identification: Personal data elements within workflow data are identified and handled in accordance with GDPR requirements.
7.2 AI Provider Data Handling
Easylab AI configures all AI provider APIs to minimize data retention and prevent use of client data for model training. The zero-retention status of each provider used in workflows is detailed below:
| Provider |
Service |
Zero-Retention Configuration |
Contractually Confirmed |
| Anthropic (Claude) |
AI text generation |
Zero Data Retention (ZDR) addendum available. API Business terms include no-training clause. Must be explicitly requested and approved. |
ZDR addendum to be signed |
| OpenAI (GPT) |
AI text generation, embeddings |
store:false parameter set per API request. EU data residency available at project level. OpenAI Ireland Ltd entity for EEA clients. |
Yes -- API terms + DPA |
| Google Gemini |
Multimodal AI |
Paid API (Vertex AI) does not use data for training. Free API tier may retain data. EU region available via Vertex AI. |
Yes -- via Google Cloud DPA (paid API only) |
| EdenAI |
Speech-to-text gateway |
Data deleted within 24 hours of processing. French company (EU-native). Sub-provider retention policies vary by selected engine. |
Formal DPA to be signed |
| OpenRouter |
LLM routing gateway |
Zero Data Retention routing available (ZDR flag). EU routing endpoint available (eu.openrouter.ai) for Enterprise plans. |
Via Terms of Service |
| Perplexity |
AI search |
Enterprise tier: data never used for training. API usage protected by provider agreements with upstream AI models. |
Via DPA (Enterprise) |
| PDF.co |
PDF processing, OCR |
Files processed on dedicated servers (not third-party AI). Encrypted at rest (AES). Retention policy to be confirmed. |
DPA to be obtained |
| Jina AI |
Embeddings, reranking |
Berlin-based (EU). No-training policy to be confirmed. SOC 2 Type II certified. |
DPA to be obtained |
Note: Zero-retention configurations are verified at project inception and logged in the AI project register. This table is reviewed quarterly and updated when provider terms change. Last verified: March 2026.
7.3 Compliance Measures
- Data Processing Agreements (DPAs) cover all automated data processing activities.
- Right to erasure is honored across all workflow data stores and downstream systems.
- Data retention policies are defined per workflow and client requirements.
- Automated data cleanup mechanisms ensure timely deletion of data that has exceeded its retention period.
8. AI Providers Used in Workflows Fournisseurs d'IA utilises dans les workflows
| Provider |
Services |
Usage in Workflows |
Data Handling |
Certifications |
| Anthropic |
Claude API |
Text generation, analysis, summarization |
ZDR addendum available; no-training clause |
SOC 2 Type II, ISO 27001, ISO 42001 |
| OpenAI |
GPT, Embeddings, Whisper |
Text generation, embeddings, speech-to-text |
store:false per request; DPA in place |
SOC 2 Type II, ISO 27001, ISO 27701 |
| Google |
Gemini, Vertex AI |
Text generation, image generation, analysis |
DPA, EU option |
SOC 2 Type II, ISO 27001, C5 |
| EdenAI |
Multi-provider API |
OCR, speech-to-text, translation |
EU processing |
GDPR compliant |
| Jina AI |
Embeddings, Reranker |
Semantic search, RAG |
DPA in place |
GDPR compliant |
| Perplexity |
Search API |
Web research, fact-checking |
API terms |
SOC 2 |
| Firecrawl |
Web scraping |
Content extraction |
DPA in place |
GDPR compliant |
| PDF.co |
Document processing |
PDF extraction, OCR |
Processor |
GDPR compliant |
| Resend |
Email delivery |
Transactional emails |
DPA in place |
GDPR compliant |
| n8n |
Workflow engine |
Orchestration |
Self-hosted / Cloud |
SOC 2 Type II |
9. Record-Keeping and Logging (Article 12) Conservation des registres et journalisation
Easylab AI maintains comprehensive records of all workflow executions involving AI components:
- Execution logs: Complete workflow execution logs including start time, end time, nodes executed, and AI API calls made.
- AI input/output logging: Per-node logging of AI inputs and outputs, configurable according to client requirements and data sensitivity.
- Error logging: All errors and exceptions are logged with full context for diagnosis and audit purposes.
- Modification audit trail: All changes to workflow definitions are tracked with timestamps and author identification.
- Retention period (tiered policy):
- Minimal/limited risk deployments: 6 months minimum.
- High-risk deployments or regulated sectors (finance, health, employment, public services): 2 years minimum (EU AI Act Article 12).
- Accounting and tax records: 10 years (Luxembourg commercial law).
- Extended retention available per contractual agreement or regulatory requirement.
- Log security: All logs are stored encrypted on EU-hosted infrastructure.
10. Incident Reporting Signalement des incidents
10.1 Detection and Monitoring
- Workflow failure monitoring: Automated monitoring and alerting for workflow failures and degraded performance.
- AI output anomaly detection: Mechanisms to detect anomalous or unexpected AI outputs that may indicate model failure or data quality issues.
Important: The notification clock starts at the moment of detection (T0), not confirmation. A suspected serious incident triggers the notification timeline immediately.
10.2 Notification Timeline
| Notification | Timeline | Basis |
|---|
| Client notification (suspected serious incident) | Within 24 hours of detection (T0) | Contractual obligation |
| Authority notification (GDPR personal data breach) | Within 72 hours of detection (T0) | GDPR Article 33 |
| Authority notification (AI Act serious incident) | Within 72 hours of detection (T0) | AI Act Article 73 |
| DORA incident notification (financial sector clients) | Per DORA timelines (initial notification without undue delay, intermediate within 72 hours, final within 1 month) | DORA Regulation (EU) 2022/2554 |
10.3 Post-Incident Process
- Immediate containment and mitigation measures.
- Root cause analysis conducted within 10 business days.
- Post-incident report provided to the client, including root cause, impact assessment, remediation measures, and preventive actions.
- Lessons learned integrated into the risk management system.
Incident contact: governance@easylab.ai
Reports are acknowledged within 4 hours during business hours (CET/CEST, Monday--Friday, 09:00--18:00).
11. AI Literacy (Article 4) Competences en matiere d'IA
Easylab AI is committed to ensuring that all stakeholders have an adequate understanding of the AI systems used within automation workflows:
- Workflow documentation: Each deployed workflow includes documentation describing the AI capabilities and limitations of the AI components involved.
- Client training: Clients receive training on workflow monitoring, interpretation of AI outputs, and use of manual override capabilities.
- Model change notifications: Clients are informed whenever AI models used in their workflows are updated, changed, or replaced, along with a description of any impact on workflow behavior.
12. Deployer Obligations for Workflow Clients (Article 26) Obligations des deployers pour les clients workflows
Clients deploying Easylab AI workflows that incorporate AI components assume the role of AI deployer under the EU AI Act and must ensure the following:
- Design review: Review and approve workflow designs before deployment, with particular attention to AI nodes and their risk classification.
- Output monitoring: Monitor workflow outputs periodically to verify the quality, accuracy, and appropriateness of AI-generated results.
- Issue reporting: Report any AI output issues, anomalies, or concerns to Easylab AI promptly via governance@easylab.ai.
- Human review: Ensure that human review is applied to all high-stakes automated decisions before they take effect.
- End-user transparency: Inform their own end users about AI involvement in automated processes where required by Article 50 or applicable law.
13. Contact Contact
| Governance | governance@easylab.ai |
|---|
| Technical support | support@easylab.ai |
|---|
| General inquiries | jdoussot@easylab.ai |
|---|
| Postal address | TLI S.A., 55, allée de la Poudrerie, L-1899 Roeser, Luxembourg |
|---|