What is KlarvoEngine?

KlarvoEngine is Klarvo's regulatory intelligence engine. It analyses your AI system through a 3-pass classification pipeline and produces an article-cited compliance memo with obligations, deadlines, and recommended controls — in under 60 seconds.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes obligations on providers and deployers of AI systems operating in the EU.

Any organisation that provides or deploys AI systems affecting people in the EU — regardless of where the organisation is based. This includes websites with AI chatbots, companies using AI analytics, and businesses integrating AI models into their products.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations since August 2025. Article 50 transparency and most remaining obligations apply from August 2, 2026.

What are the penalties?

Up to €35 million or 7% of global turnover for prohibited practices. Up to €15 million or 3% for transparency and other violations. For SMEs, the penalty is whichever amount is lower.

Evidence Vault Overview

The Evidence Vault is Klarvo's secure repository for all compliance documentation. It stores, organizes, and manages every artifact needed for EU AI Act compliance — from vendor DPAs to transparency notice screenshots.

What Goes in the Evidence Vault?

Evidence Type

Examples

Typical Source

Vendor documentation

DPAs, security whitepapers, model cards, SOC 2 reports

Vendor / procurement

Internal policies

AI acceptable use policy, oversight procedures, incident response plan

Compliance / legal

Training materials

Course content, completion certificates, quiz results

HR / training

Risk assessments

FRIA reports, DPIAs, internal risk reviews

Compliance

Monitoring reports

Performance metrics, bias test results, drift analysis

Engineering / data science

Incident documentation

Incident logs, postmortem reports, corrective actions

Operations / security

Transparency notices

Disclosure screenshots, notification copy, accessibility statements

Product / UX

Oversight documentation

SOPs, authority delegation, training records

Compliance / HR

Evidence Organization

Evidence can be attached to multiple entities:

AI System: System-specific documentation (the most common linkage)

Control: Proof that a specific control is implemented (e.g., evidence for DEP-02 "Human Oversight Assigned")

Vendor: Vendor due diligence records

Policy: Supporting materials for a policy document

Task: Completion evidence for a compliance task

Incident: Investigation and resolution records

Evidence Metadata

Every file in the vault carries metadata:

Name & Description: What this document proves

Evidence Type: Policy, screenshot, report, attestation, certificate, training record

Uploaded By / Date: Who added it and when

Status: Draft → Pending Approval → Approved (or Rejected → back to Draft)

Expiration Date: When this evidence needs to be refreshed

Confidentiality: Internal Only / Shareable with Auditor

Tags: Custom labels for filtering and organization

Linked Entities: Which systems, controls, or vendors this evidence supports

Evidence Completeness Score

Each AI system shows an Evidence Completeness percentage:

Calculated based on required evidence for applicable controls

Missing evidence is listed in the Gap Checklist

Improving this score directly improves your Audit Readiness Score

Security & Access

Role-based access: Who can view, upload, and approve evidence is controlled by role

Audit trail: Every action (upload, approve, delete, download) is logged

Version history: When you upload a new version of a document, previous versions are preserved

Encryption: Files are encrypted at rest and in transit

Best Practices

📁 Link evidence to controls: Don't just upload files — connect them to the specific control they support

📅 Set expiration dates: Vendor certifications, training records, and risk assessments all have limited validity

✅ Use approval workflows: For audit-critical documents, require formal approval before they count toward compliance

🏷️ Tag consistently: Develop a taxonomy (e.g., "vendor-security", "training-completion", "transparency-notice") and use it

🔄 Quarterly review: Schedule a quarterly evidence hygiene review to catch expired or outdated documents