EU AI Act Conformity Declaration
Effective: 2026-05-02 · Version 1.0 · Owned, developed, and copyright-protected by Aitech International ApS, Denmark.
QMS Nordic embeds AI features that assist regulated quality-management work — clinical evaluation reports (EU MDR Article 61), post-market clinical follow-up plans (Annex XIV Part B), predicate device search, software-bill-of-materials vulnerability scanning, customer-support drafting, hazard suggestions, root-cause suggestions, and document drafting. Several of these touch decisions about medical devices and could be classified as high-risk AI systems under the EU AI Act when used as the sole input to a regulated decision. This declaration sets out how Aitech International ApS designs and operates these features so that customers — manufacturers, providers, and deployers — can satisfy their own obligations under Articles 9–50 of the AI Act.
1. Human oversight (Article 14)
No AI output in QMS Nordic is auto-approved. Every CER section, PMCF section, predicate candidate, SBOM vulnerability finding, helpdesk reply draft, hazard suggestion, and root-cause suggestion lands as a labelled DRAFT requiring an explicit human Approve / Edit / Reject decision. Per-user role gates restrict who can approve. Activation gates refuse to advance the owning record (e.g., a CER cannot move to ACTIVE) until every AI-drafted section is approved.
2. Transparency + provenance (Article 13 + 50)
Every AI run records its model identifier, prompt hash, output hash, retrieved document chunk IDs (for RAG), web-search queries actually issued, and the citations the model used. This aiProvenance JSON is persisted on the owning record and exposed in the UI so reviewers see what the model saw. The hash-chained audit log captures the original AI run, every human edit, and the final approval signature.
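The provenance record, hash-chained audit log and activation gate described in sections 1 and 2, as an added illustration that is not QMS Nordic's own code; it assumes SHA-256 and the field names shown, and the sample values are constructed.

```python
import hashlib
import json

def _digest(obj) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def ai_provenance(model, prompt, output, chunk_ids, web_queries, citations):
    # Provenance record persisted on the owning record: hashes of prompt and output rather
    # than the texts themselves, plus exactly what the model retrieved and searched for.
    return {
        "model": model,
        "prompt_hash": hashlib.sha256(prompt.encode()).hexdigest(),
        "output_hash": hashlib.sha256(output.encode()).hexdigest(),
        "chunk_ids": list(chunk_ids),
        "web_queries": list(web_queries),
        "citations": list(citations),
    }

class AuditLog:
    """Append-only log in which every entry commits to the hash of the previous entry."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, event, payload):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "event": event, "payload": payload, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self):
        # Recompute every hash; an edited, dropped or reordered entry breaks the chain.
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def can_activate(sections):
    # Activation gate: a record (e.g. a CER) may only go ACTIVE once every AI-drafted
    # section carries an explicit human approval; human-written sections are not gated here.
    return all(s["status"] == "APPROVED" for s in sections if s.get("isAiDraft"))
```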
3. Data governance (Article 10)
Retrieval is restricted to well-known regulatory + scientific registries only — PubMed, Cochrane, ClinicalTrials.gov, WHO ICTRP, FDA MAUDE, openFDA, EUDAMED, EMA, MHRA, BfArM, ANSM, Health Canada, TGA, PMDA, Swissmedic for clinical work; NIST NVD, GitHub Security Advisories, CISA KEV, MITRE for cybersecurity. The Anthropic web-search tool is configured with an explicit allowed_domains list — random web pages cannot enter the AI's context window. Document RAG retrieves only over the tenant's own approved documents.
4. Risk management + monitoring (Article 9 + 17)
Every AI run is logged with token consumption, latency, error rates, and confidence (where the model emits it). Tenant admins see a per-tenant AI budget meter in Admin → AI Drafting. Aitech runs quarterly post-market monitoring of accuracy and edit-rate metrics across customer tenants in aggregate (no personal data) and updates prompt + retrieval configurations when drift is detected.
Risk classification per feature
| Feature | AI Act category | Mitigation |
|---|---|---|
| CER section auto-populate | High-risk (clinical decision support) | Human approval required per section · registry allowlist · provenance retained · activation gated |
| PMCF plan auto-populate | High-risk (post-market clinical evidence) | Same controls as CER |
| AI Suggest Hazards (Risk file) | Medium · supports ISO 14971 §5.4 | Suggestions never auto-write; reviewer accepts hazard chains explicitly |
| AI Suggest Root Cause (CAPA) | Medium | Captured as a DRAFT investigation note; never closes the CAPA |
| Predicate device finder | Limited · transparency only | Per-candidate Accept / Reject before any predicate counts for 510(k) or CER equivalence |
| SBOM AI vulnerability scan | Limited · transparency only | Findings sourced from authoritative registries; reviewer triages each CVE explicitly |
| Helpdesk Copilot | Limited · customer-facing chat | Default Copilot mode requires human send · Autopilot mode is opt-in per tenant with confidence threshold |
| Document AI drafting | Medium · QMS document generation | Drafts labelled isAiDraft · Part 11 §11.50 e-signature required to make effective · provenance persists across edits |
Customer obligations
If you deploy QMS Nordic's AI features in a way that makes the AI's output the sole input to a regulated decision (for example, marking a CER ACTIVE without a human review of the AI-drafted sections), you — the deployer — are the AI Act controller for that decision. QMS Nordic's design refuses to let this happen by default: every approve/edit/reject is gated and signed. We document this position so you can provide it to your notified body or competent authority on request.
Supporting documents
- Security overview · controls, encryption, RLS isolation, hash-chained audit log
- Privacy policy · what data we process, where it lives, and what the AI sees
- Sub-processors · including Anthropic (model inference) and OpenAI (embeddings only)
- Audit log specification · hash-chained immutable per-tenant log; export available via Admin → Bulk export
Contact
Questions about this declaration: ai-act@qmsnordic.com. For regulators: legal@qmsnordic.com.
© 2026 Aitech International ApS · Denmark. QMS Nordic™ is owned, developed, and copyright-protected by Aitech International ApS. This declaration will be updated when the AI Act phases in (final transparency obligations from August 2026, high-risk obligations from August 2027) or when our system materially changes.