What is KlarvoEngine?

KlarvoEngine is Klarvo's regulatory intelligence engine. It analyses your AI system through a 3-pass classification pipeline and produces an article-cited compliance memo with obligations, deadlines, and recommended controls — in under 60 seconds.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes obligations on providers and deployers of AI systems operating in the EU.

Any organisation that provides or deploys AI systems affecting people in the EU — regardless of where the organisation is based. This includes websites with AI chatbots, companies using AI analytics, and businesses integrating AI models into their products.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations since August 2025. Article 50 transparency and most remaining obligations apply from August 2, 2026.

What are the penalties?

Up to €35 million or 7% of global turnover for prohibited practices. Up to €15 million or 3% for transparency and other violations. For SMEs, the penalty is whichever amount is lower.

Due Diligence Checklists

Vendor due diligence is essential for deployers — you remain responsible for how you use AI, even when it's built by someone else. Klarvo provides structured checklists to systematically evaluate your AI vendors.

The Due Diligence Checklist

Each vendor has a checklist covering key areas:

Section 1: Vendor Identification (VEN-01)

[ ] Vendor legal name and registration

[ ] Country of incorporation and EU presence

[ ] Primary contact information

[ ] Contract or terms of service on file

Section 2: AI System Description (VEN-02)

[ ] Clear description of what the AI system does

[ ] What type of AI/ML approach is used

[ ] What data the system processes

[ ] What outputs it produces

[ ] Known limitations documented

Section 3: Security & Data Protection (VEN-03)

[ ] Security certification (SOC 2, ISO 27001, or equivalent)

[ ] Data processing agreement (DPA) in place

[ ] Data residency information (where data is stored/processed)

[ ] Encryption standards (at rest and in transit)

[ ] Access controls and authentication

Section 4: Transparency Support (VEN-04)

[ ] Vendor provides information about AI system operation

[ ] Output marking for synthetic content (if applicable)

[ ] Support for deployer's transparency obligations

[ ] Model card or similar documentation available

Section 5: Logging & Export (VEN-05)

[ ] System generates automatic logs

[ ] Logs can be exported by deployer

[ ] Log retention meets minimum requirements (≥ 6 months for high-risk)

[ ] Log format is usable and documented

Section 6: Incident Communication (VEN-06)

[ ] Vendor has incident notification process

[ ] Contact path for reporting issues is defined

[ ] SLA for incident response is documented

[ ] Vendor notifies deployers of material changes

Section 7: EU AI Act Readiness

[ ] Vendor is aware of EU AI Act obligations

[ ] Vendor has published EU AI Act compliance statement (if applicable)

[ ] Instructions for use are provided (critical for Article 26)

[ ] Vendor supports deployer obligations

Completing the Checklist

Navigate to the vendor profile

Open the Due Diligence tab

Work through each section, checking items as you verify them

Attach evidence for each checked item (vendor documents, email confirmations, etc.)

Note any gaps or concerns

Record the review date

Completion Scoring

Klarvo shows a completion percentage:

Score

Meaning

90-100%

Excellent due diligence — vendor well-documented

70-89%

Good — some gaps to address

50-69%

Moderate — significant gaps require attention

Below 50%

Inadequate — prioritize completing this checklist

Renewal Reviews

Due diligence should be reviewed:

At contract renewal: Before signing a new term

After vendor changes: Model upgrades, ownership changes, service changes

Annually: Even without changes, verify documentation is current

After incidents: If an incident involves this vendor's system

Best Practices

📋 Request documentation at procurement: The easiest time to get vendor docs is before you sign

🔄 Set renewal reminders: Don't let due diligence go stale

📄 Attach evidence to each item: A checked box without evidence has limited audit value

⚠️ Flag gaps clearly: If a vendor can't provide something, document the gap and your risk acceptance

🔗 Link to controls: Due diligence evidence supports VEN-01 through VEN-08 controls