This Addendum (the “AI Act Addendum”) is entered into between QEVLAR AI, a French société par actions simplifiée with share capital of 18 298,30 €, having its registered office at 15 rue Auguste Gervais, 92130 Issy-les-Moulineaux, France, registered with the Trade and Companies Register of Nanterre under number 952 849 115 (“Provider”), and the customer identified in the Agreement (“Customer”). This AI Act Addendum is incorporated into and forms part of the Master Services Agreement between the Parties (the “Agreement”). Capitalised terms used but not defined have the meanings given in the Agreement or the AI Act.
The Parties acknowledge that the Services include the use of artificial-intelligence and machine-learning systems within the meaning of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on artificial intelligence (the “AI Act”). This AI Act Addendum sets out the Parties’ allocation of compliance responsibilities under the AI Act, including transparency, instructions for use, cooperation with deployers having high-risk obligations, and use of general-purpose AI.
In addition to the terms defined in the Agreement, the following terms have the meanings given below. Where the AI Act itself defines a term, that AI Act definition prevails.
“AI Act” means Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), as amended, supplemented, or replaced from time to time, together with any delegated acts, implementing acts, harmonised standards, and guidelines issued thereunder.
“AI System” means an AI system within the meaning of Article 3(1) of the AI Act, including the artificial-intelligence and machine-learning components of the Services.
“Deployer” means a natural or legal person using an AI system under its authority, within the meaning of Article 3(4) of the AI Act.
“GPAI Model” means a general-purpose AI model within the meaning of Article 3(63) of the AI Act, including any large language model, foundation model, or similar model that displays significant generality and is capable of competently performing a wide range of distinct tasks.
“High-Risk AI Use Case” means a use of an AI System that falls within the categories of high-risk AI systems listed in Annex III of the AI Act, or that is otherwise classified as high-risk under Article 6 of the AI Act.
“Provider AI” means the AI Systems developed by Provider and incorporated in the Services, including the proprietary machine-learning models, classifiers, scoring engines, and decision-support components used in the generation of Investigation Reports.
Provider classifies the Provider AI as an AI System that, when supplied by Provider and used in accordance with the Documentation, is not specifically designated as a High-Risk AI Use Case under Annex III of the AI Act. Specifically, the Provider AI is intended for cybersecurity threat investigation and advisory analysis and is not designed or marketed (i) as a safety component within the meaning of Article 3(14) of the AI Act, (ii) for biometric identification or categorisation of natural persons, (iii) for the management or operation of critical digital infrastructure as a safety component, (iv) for use in employment, education, access to essential services, law-enforcement, migration, or administration of justice, or (v) in any other Annex III category.
Notwithstanding Section 2.1, Customer is solely responsible for determining whether its particular deployment of the Provider AI in its own environment constitutes a High-Risk AI Use Case under Article 6 or Annex III of the AI Act, including in cases where Customer integrates the Services into a regulated product, into the operation of critical infrastructure as a safety component, or into a system that would itself be classified as high-risk. Customer shall notify Provider in writing where Customer determines its deployment is a High-Risk AI Use Case (a “High-Risk Designation”), in which case Section 6 of this AI Act Addendum applies.
In the event of any conflict between this AI Act Addendum and any other provision of the Agreement on subject matter covered by the AI Act, this AI Act Addendum prevails. Otherwise, the order of precedence in the Agreement applies.
Provider acknowledges that Investigation Reports, Scores, suggested remediation actions, and similar outputs of the Services are AI-generated content within the meaning of Article 50 of the AI Act. The fact that such outputs are AI-generated is disclosed (a) in the Agreement (including Section 8(b)), (b) in the Documentation, and (c) where reasonably practicable, in machine-readable form in the metadata of the output itself.
Customer is responsible for any onward-disclosure obligations Customer may have under Article 50 of the AI Act in respect of the Services, including where Customer is itself a Deployer that interacts with natural persons or generates content for distribution. Provider shall, on Customer’s reasonable request, provide reasonable information to enable Customer to comply with such obligations.
Provider does not market, design, or operate the Provider AI for the generation or manipulation of image, audio, or video content resembling existing persons or events (deep-fakes), and does not deploy subliminal, manipulative, or deceptive techniques within the meaning of Article 5 of the AI Act. Customer shall not configure or use the Services in a manner that would cause the Services to be used for any prohibited practice under Article 5 of the AI Act.
Provider makes available to Customer instructions for use of the Services (the “Documentation”), including (a) a description of the intended purpose, (b) the level of accuracy, robustness, and cybersecurity against which the Provider AI has been tested, (c) any known or foreseeable circumstance that may lead to risks to the health and safety of natural persons or fundamental rights, (d) the measures of human oversight referred to in Article 14 of the AI Act, and (e) the expected lifetime of the Provider AI and any necessary maintenance and care measures.
Provider maintains the technical documentation required for the Provider AI in accordance with Annex IV of the AI Act and any applicable harmonised standards, and shall make summaries of such technical documentation available to Customer on reasonable written request and under NDA, where Customer demonstrates a legitimate need (including in connection with a High-Risk Designation or a regulatory request).
Provider may use third-party GPAI Models within the Services on terms that contractually prohibit the third-party provider from training its models on Customer Data (consistent with Section 7(e) of the Agreement). Provider shall maintain records of the third-party GPAI Models used in the Services from time to time and shall make such records available to Customer on reasonable request.
Provider is a downstream deployer of any third-party GPAI Model used within the Services and is not itself a provider of a GPAI Model within the meaning of Article 51 of the AI Act, except where Provider develops a GPAI Model itself; Provider shall notify Customer in writing if it begins to develop and supply a GPAI Model that materially affects the Services.
Provider warrants that the Provider AI has been trained on data lawfully obtained and used by Provider, and that Provider has implemented reasonable policies to comply with applicable copyright law (including Article 4 of Directive (EU) 2019/790 on copyright in the Digital Single Market). Customer Data is processed in accordance with Section 7(e) of the Agreement; Customer Data is not used to train Provider’s GPAI Models or to train third-party GPAI Models.
This Section 6 applies only where a High-Risk Designation is in force in respect of Customer’s deployment of the Services.
Provider shall, on Customer’s reasonable request and at Customer’s cost (unless otherwise agreed in the Order Form), cooperate with Customer in conducting a risk-management assessment of the Provider AI’s suitability for Customer’s High-Risk AI Use Case, including by providing reasonable information about the training data, validation methodology, performance metrics (precision, recall, false-positive and false-negative rates as available), and known limitations of the Provider AI.
Provider shall make available human-oversight mechanisms within the Services, including (a) configurable thresholds for automated actions, (b) audit logs of Provider AI outputs and any actions taken by the Services, and (c) the ability for Customer’s personnel to review, override, or roll back AI-generated outputs and any automated actions. Customer is responsible for implementing and operating human-oversight measures appropriate to Customer’s High-Risk AI Use Case.
Provider shall log events generated by the Provider AI in accordance with Article 12 of the AI Act, sufficient to enable Customer to fulfil its post-market monitoring and incident-reporting obligations where applicable. Customer is responsible for retaining and analysing such logs.
Provider shall notify Customer of any serious incident or malfunction of the Provider AI of which Provider becomes aware that may affect Customer’s High-Risk AI Use Case, without undue delay and in any event within forty-eight (48) hours of Provider becoming aware. Customer is responsible for its own reporting obligations to competent authorities.
Provider may update the Provider AI from time to time (including by re-training and re-validating models) and shall notify Customer in writing of any update reasonably likely to have a material adverse effect on the performance characteristics of the Provider AI relevant to Customer’s High-Risk AI Use Case.
Provider shall, on reasonable request and to the extent legally permissible, cooperate with national competent authorities and the AI Office in connection with the supervision of the AI Act.
Where a competent authority is entitled under the AI Act to access information about the Provider AI, Provider shall make such information available, subject to (a) reasonable safeguards on Provider’s Confidential Information and trade secrets within the meaning of Articles L.151-1 et seq. of the French Commercial Code, (b) reasonable safeguards on other customers’ data, and (c) the audit framework set out in Section 4(e) of the DPA where access is requested through Customer.
Provider shall implement and maintain proportionate measures during model development, training, validation, and testing to identify, monitor, and mitigate risks of unfair bias or discriminatory outcomes generated by the Provider AI. Customer acknowledges that no machine-learning system is free of statistical bias and that Customer is responsible for evaluating the Provider AI’s suitability for Customer’s specific operational context.
Provider operates a quality-management system designed to support the development and provision of the Provider AI in compliance with applicable law. Documentation of the quality-management system is available to Customer under NDA on reasonable request where Customer demonstrates a legitimate need.
Provider shall not deploy the Provider AI in a manner that constitutes a prohibited practice under Article 5 of the AI Act, including untargeted scraping of facial images from the internet or CCTV for facial-recognition databases, emotion inference of natural persons in the workplace or in education, or social-scoring.
Each Party bears its own costs of complying with this AI Act Addendum. Where Customer requests bespoke cooperation that materially exceeds Provider’s standard documentation (including bespoke risk-management assessments, custom logging configurations, or extended audit support), Provider may invoice Customer for such cooperation at Provider’s then-current professional services rates.
Provider may update this AI Act Addendum from time to time to reflect changes in the AI Act, harmonised standards, or supervisory guidance, on reasonable prior written notice, provided that no update materially diminishes Customer’s rights or Provider’s obligations.
This AI Act Addendum is governed by, and construed in accordance with, the governing law specified in the Agreement.