EU AI Act Compliance
Risk Assessment, Transparency Statement, and Compliance Declaration
Last updated: April 2026
Executive Summary
faktry is committed to compliance with the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689). This document provides a comprehensive risk assessment of our AI systems, our compliance measures, and transparency obligations under the EU AI Act.
Overall Risk Classification: Limited Risk
All AI systems operated by faktry fall under the "limited risk" category under Article 50, primarily requiring transparency obligations. None of our systems fall under the high-risk categories defined in Annex III. We are implementing compliance measures in advance of the August 2026 full-application date.
EU AI Act Application Timeline
The EU AI Act applies in phases. Provisions currently in force:
- • 2 Feb 2025: Prohibited practices (Article 5) — in force
- • 2 Aug 2025: GPAI model obligations (Articles 51–56) — in force for model providers
- • 2 Aug 2026: Transparency obligations (Article 50) and most deployer obligations — upcoming
- • 2 Aug 2027: Remaining high-risk system provisions (Annex III legacy systems)
faktry is implementing the measures described in this document ahead of the 2 August 2026 deadline.
1. About the EU AI Act
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It establishes a risk-based approach to AI regulation, categorizing AI systems into four risk levels:
- Unacceptable Risk: Banned AI practices (e.g., subliminal manipulation, social scoring, real-time biometric identification in public spaces)
- High Risk: AI systems with significant potential harm, requiring strict compliance (e.g., medical devices, recruitment tools, critical infrastructure)
- Limited Risk: AI systems requiring transparency obligations (e.g., deepfake-capable generators, chatbots, content generation)
- Minimal Risk: AI systems with no specific obligations (e.g., spam filters, games)
2. Roles and Responsibilities
Under the EU AI Act, different obligations apply depending on whether an entity is a provider (developer of an AI system) or a deployer (entity that uses an AI system in a professional context).
faktry's Role: Deployer of Third-Party AI Systems
faktry acts as a deployer of AI systems provided by third parties (OpenAI, Black Forest Labs, Google, ElevenLabs, fal.ai, etc.). faktry does not develop, train, or fine-tune any foundation models or general-purpose AI (GPAI) models.
faktry also acts as a provider of an integrated AI application platform — the software that combines, sequences, and presents access to third-party AI capabilities. The GPAI-specific obligations under Articles 51–56 apply to our upstream model providers, not to faktry as deployer.
3. AI Systems Inventory
faktry integrates the following AI systems in its platform. All AI calls are routed through our backend processing pipeline with input content moderation applied before any generation request is dispatched.
3.1 Image Generation & Editing
| Feature | Models Used | Provider | Risk Level |
|---|---|---|---|
| Text-to-Image | gpt-image-1, gpt-image-1.5, gpt-image-2 | OpenAI | Limited |
| Text-to-Image | Flux 2 Pro / Max / Flex (incl. EU-hosted variants) | Black Forest Labs | Limited |
| Image Editing / Inpainting | gpt-image-1/1.5/2, Flux 2 Pro/Max/Flex Edit (incl. EU variants) | OpenAI, Black Forest Labs | Minimal |
| Upscaling / Enhancement | Various models via fal.ai | fal.ai | Minimal |
3.2 Video Generation
| Feature | Models Used | Underlying Provider | Risk Level |
|---|---|---|---|
| Text-to-Video | Kling v2.1/v2.5/o3 (Kuaishou), Sora 2 (OpenAI), Veo 3.1 (Google), LTX 2.3 (Lightricks), Wan v2.7 (Alibaba) | via fal.ai | Limited |
| Image-to-Video | Kling v2.1/v2.5/o3, Veo 3.1, LTX 2.3, Sora 2, Wan v2.7 | via fal.ai | Limited |
| Video Editing / Extension | Kling o3, Veo 3.1, LTX 2.3, Wan v2.7 | via fal.ai | Limited |
| Video Upscaling | SeedVR | via fal.ai | Minimal |
3.3 Audio Processing
| Feature | Models Used | Provider | Risk Level |
|---|---|---|---|
| Speech-to-Text | Whisper-1 (OpenAI), ElevenLabs Scribe v2 | OpenAI direct; fal.ai | Minimal |
| Text-to-Speech | gpt-4o-mini-tts (OpenAI), ElevenLabs eleven-v3, Qwen-3 TTS, Gemini TTS | OpenAI direct; via fal.ai | Limited |
| Music Generation | Minimax Music v2, v2.6 | via fal.ai | Limited |
3.4 Text & Content Generation
| Feature | Models Used | Provider | Risk Level |
|---|---|---|---|
| Script Generation | gpt-5.4, gpt-5.4-mini, gpt-5.4-nano | OpenAI | Limited |
| Prompt Enhancement | gpt-5.4, gpt-5.4-mini | OpenAI | Minimal |
| PDF / Document Processing | gpt-5.4, gpt-5.4-mini, gpt-5.4-nano | OpenAI | Minimal |
4. Detailed Risk Assessment
4.1 Limited Risk Systems
The following AI systems are classified as "limited risk" under Article 50 of the EU AI Act (applying from 2 August 2026):
Image, Audio & Video Generation Systems (Article 50(4))
Deployers of AI systems that generate or manipulate image, audio, or video content constituting a "deep fake" must disclose that the content has been artificially generated or manipulated. faktry's image, video, and audio generation features fall under this provision.
Our Compliance: All AI-generated content is clearly labeled as AI-generated within our platform interface at the point of creation. Users are informed before and after generation that content is AI-produced. Our Terms of Service require users to include appropriate disclosures when publishing AI-generated content that resembles real persons, places, or events. We do not currently apply embedded cryptographic watermarks (C2PA) to exported files; adoption of such standards is under evaluation.
Text Generation Systems (Article 50(1))
AI systems intended to interact directly with natural persons as conversational interfaces must inform those persons that they are interacting with an AI system. faktry's script and prompt generation features are AI-assisted writing tools, not autonomous chatbots. Users knowingly invoke these features.
Our Compliance: All text generation and prompt enhancement features are explicitly labeled as AI-powered in the interface. Generated output is presented as AI-generated content, not as human-written text.
Emotion Recognition & Biometric Categorization
AI systems performing emotion recognition or biometric categorization must inform natural persons exposed to such systems.
Our Compliance: faktry does not deploy emotion recognition or biometric categorization systems. Our platform does not process biometric data for identification purposes.
4.2 High-Risk Assessment
We have evaluated our AI systems against the high-risk criteria in Annex III of the EU AI Act:
| High-Risk Category (Annex III) | Assessment |
|---|---|
| Biometric identification & categorization | ✓ Not applicable |
| Critical infrastructure management | ✓ Not applicable |
| Education & vocational training | ✓ Not applicable |
| Employment, worker management, access to self-employment | ✓ Not applicable |
| Access to essential services (credit, insurance, benefits) | ✓ Not applicable |
| Law enforcement | ✓ Not applicable |
| Migration, asylum, and border control | ✓ Not applicable |
| Administration of justice and democratic processes | ✓ Not applicable |
Assessment Result: No High-Risk Systems
Based on our analysis, faktry does not operate AI systems that fall under the high-risk categories defined in Annex III of the EU AI Act. faktry is a creative content generation platform; it does not make consequential decisions affecting individuals' rights, safety, or livelihoods. Users deploying our tools in contexts that may qualify as high-risk are responsible for conducting their own conformity assessment.
4.3 Prohibited Practices
Under Article 5 of the EU AI Act, certain AI practices are prohibited (in force since 2 February 2025). We confirm that faktry does not engage in any of the following prohibited practices:
- Subliminal or manipulative techniques operating below conscious awareness to distort behaviour
- Exploitation of vulnerabilities of specific groups (age, disability, social/economic situation) to distort behaviour
- Social scoring by public authorities or on their behalf
- Real-time remote biometric identification in publicly accessible spaces
- Biometric categorization based on sensitive attributes (race, political opinions, religion, sexual orientation)
- Emotion recognition in workplace and educational institution contexts
- Indiscriminate scraping of facial images or biometric data from the internet or CCTV footage
- AI-based predictive policing using individual profiling
5. Transparency Obligations
5.1 AI-Generated Content Disclosure
In preparation for compliance with Article 50 (applying from 2 August 2026), we implement the following transparency measures:
- Interface Labels: All AI-generated content is clearly labeled as AI-generated within our platform at the point of creation
- Model Attribution: The specific AI model used to generate content is displayed alongside results
- Public Gallery Attribution: Content in the Prompt Gallery displays the AI model and provider used for generation
- API Transparency: API documentation and responses identify the AI system used for each operation
5.2 Deep Fake Disclosure (Article 50(4))
When our AI systems generate or manipulate content that may constitute a "deep fake" — image, audio, or video content that appreciably resembles an existing person, object, place, or event — we require:
- Clear disclosure within the platform that content has been artificially generated or manipulated
- Users must accept our Terms of Service, which explicitly require downstream disclosure of AI-generated content that resembles real individuals
- Our content moderation system actively filters prompts requesting generation of content that could mislead audiences about real individuals
Note: We are evaluating adoption of C2PA (Coalition for Content Provenance and Authenticity) standards for embedding machine-readable provenance metadata in exported files. This will be implemented as a future compliance enhancement.
5.3 Copyright and Training Data Transparency
Training data transparency obligations under Article 53(1)(d) apply to GPAI model providers, not to faktry as a deployer. We rely exclusively on third-party AI providers (OpenAI, Black Forest Labs, Google, ElevenLabs, Alibaba, Lightricks, Kuaishou, Minimax) who are responsible for their own compliance with Article 53 training data disclosure requirements. We select providers that commit to EU AI Act compliance and transparency about their model development practices.
6. AI Governance Framework
6.1 Human Oversight
Our platform is designed with human control as the default:
- No AI outputs are automatically published, acted upon, or forwarded without user review and explicit action
- Users can reject, modify, or regenerate all AI outputs before use
- Content flagged by moderation is blocked before generation and logged for human review
- An admin interface enables human review, override, and audit of AI-related decisions
- Users can report inappropriate or harmful AI outputs via our support channels
6.2 Data Governance
We implement robust data governance practices:
- faktry does not develop or train any AI models; all AI capabilities are provided by established third-party providers
- User content submitted to the platform is processed solely to provide the requested service; it is not used for AI training by faktry
- We do not share user content with third parties beyond what is necessary to fulfill individual API calls to AI providers
- Data processing complies with our Privacy Policy and applicable data protection law (GDPR)
6.3 Technical Documentation
We maintain documentation for our integrated AI platform including:
- System purpose and intended use cases
- Inventory of AI models and providers in use (as listed in Section 3)
- Content moderation architecture and policies
- Risk mitigation measures and human oversight mechanisms
- Incident logging and response procedures
6.4 Quality Management
Our quality management for AI systems includes:
- Continuous monitoring of AI provider availability and output quality
- User feedback integration and issue tracking
- Version control for moderation policies and prompt filters
- Regular review of content moderation effectiveness
- Change management process for adding new AI models or providers
7. Risk Mitigation Measures
7.1 Input Content Moderation (Two-Layer System)
faktry operates a two-layer content moderation system applied to all user-submitted prompts before any generation request is dispatched to an AI provider:
Layer 1 — Local Pattern Matching (real-time, <1 ms)
A rule-based filter checks prompts against curated patterns for sexual content, violence, hate speech, and self-harm content across English, German, and Spanish. High-severity matches (hate speech, self-harm) result in immediate blocking with no further API call. Medium-severity matches are escalated to Layer 2.
Layer 2 — OpenAI Moderation API (borderline cases)
Prompts flagged as medium severity by Layer 1 are evaluated by the OpenAI omni-moderation-latest model. This provides classifier-based scoring across categories including sexual content, hate, harassment, self-harm, and violence. A prompt is blocked if either layer determines it violates policy.
Moderation Audit Logging
All blocked prompts are logged server-side for audit and review purposes. Logs include the endpoint, model, and moderation category triggered. An admin interface enables human review of moderation events and policy adjustments.
Output moderation: For AI-generated outputs, faktry relies on the content policies and output safety systems of upstream AI providers (OpenAI, Black Forest Labs, Google, ElevenLabs, fal.ai, etc.), each of which implements their own output-level safety controls. faktry does not additionally filter generated content files, but users may report outputs via our support channels for human review.
7.2 Prohibited Content Categories
The following content categories are blocked at input and/or output level:
- Child sexual abuse material (CSAM) — immediate block, zero tolerance
- Violent or graphic content glorifying harm
- Hate speech targeting protected characteristics
- Self-harm and suicide-related prompts
- Non-consensual intimate imagery
- Prompts designed to generate disinformation about real identifiable individuals
7.3 Security Measures
Our AI systems are protected against misuse:
- Input validation and sanitization on all API endpoints
- Prompt injection protection
- Rate limiting and quota enforcement per user and API key
- Secure API key management for all third-party AI providers
- Authentication required for all AI generation endpoints
8. User Obligations
Users of faktry are responsible for how they use and publish AI-generated content. Under the EU AI Act and applicable law:
- Transparency: When publishing or distributing AI-generated content, users must disclose its artificial origin where required by Article 50 of the EU AI Act (applying from 2 August 2026)
- Deep Fake Disclosure: Content generated to resemble real persons, places, or events must include clear disclosure that it is AI-generated or AI-manipulated
- High-Risk Use Cases: Users deploying faktry outputs in contexts that may qualify as high-risk under Annex III must conduct their own conformity assessment independently of faktry
- Legal Compliance: Users are responsible for ensuring their use of AI-generated content complies with all applicable laws, including copyright, defamation, data protection, and electoral regulation
- Content Responsibility: Users are responsible for the content they create and its downstream use
9. Third-Party AI Providers
All AI capabilities in faktry are delivered by third-party providers. We select providers that commit to safety, transparency, and regulatory compliance. The following table lists our primary providers and the AI systems accessed:
| Provider | AI Systems / Models Used | Access Method |
|---|---|---|
| OpenAI | gpt-image-1/1.5/2 (image gen), gpt-5.4 series (text), gpt-4o-mini-tts (TTS), Whisper-1 (STT) | Direct API |
| Black Forest Labs | Flux 2 Pro / Max / Flex (image gen + editing), incl. EU-hosted variants | Direct API |
| fal.ai (aggregator) | Kling Video (Kuaishou), Sora 2 (OpenAI), Veo 3.1 (Google/DeepMind), LTX 2.3 (Lightricks), Wan v2.7 (Alibaba), ElevenLabs TTS/STT, Qwen-3 TTS (Alibaba), Gemini TTS (Google), Minimax Music, SeedVR | via fal.ai API |
The GPAI-specific obligations under Articles 51–56 of the EU AI Act apply to each model provider listed above. faktry, as a deployer, relies on these providers maintaining their own GPAI compliance documentation and making it available per Article 53.
10. Incident Management
We maintain an incident management system for AI-related issues:
- Incident Logging: All AI-related incidents are logged and tracked, including moderation overrides and reported outputs
- Response Procedures: Defined processes for investigating, containing, and resolving AI incidents
- User Reporting: Users can report harmful or inappropriate AI outputs via our support channels
- Authority Notification: Serious incidents involving potential harm are escalated and reported to competent authorities as required under applicable law
- Post-Incident Review: Root cause analysis and policy updates following significant incidents
11. Contact & Compliance
For questions about our EU AI Act compliance, to report AI-related incidents, or to exercise rights related to AI systems:
AI Compliance, Incident Reporting & General Inquiries: [email protected]
12. Updates to This Statement
This statement will be reviewed and updated as:
- New AI systems or providers are integrated into the platform
- The EU AI Act application timeline reaches new milestones (next: 2 August 2026)
- New guidance or implementing acts on the EU AI Act are published by the European AI Office
- Our risk assessment identifies new considerations or obligations
This EU AI Act compliance statement was last updated on April 2026. faktry is committed to ongoing compliance with the EU AI Act and will update this document as regulations evolve and new guidance is issued by the European AI Office.
Related legal documents: Privacy Policy · Terms of Service