What is KlarvoEngine?

KlarvoEngine is Klarvo's regulatory intelligence engine. It analyses your AI system through a 3-pass classification pipeline and produces an article-cited compliance memo with obligations, deadlines, and recommended controls — in under 60 seconds.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes obligations on providers and deployers of AI systems operating in the EU.

Any organisation that provides or deploys AI systems affecting people in the EU — regardless of where the organisation is based. This includes websites with AI chatbots, companies using AI analytics, and businesses integrating AI models into their products.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations since August 2025. Article 50 transparency and most remaining obligations apply from August 2, 2026.

What are the penalties?

Up to €35 million or 7% of global turnover for prohibited practices. Up to €15 million or 3% for transparency and other violations. For SMEs, the penalty is whichever amount is lower.

Uploading & Organizing Evidence

Getting evidence into Klarvo is straightforward. This guide covers the upload process, metadata best practices, and organizational strategies to keep your vault audit-ready.

How to Upload Evidence

Method 1: From the Evidence Vault

Navigate to Evidence in the sidebar

Click Upload Evidence

Drag and drop files or click to browse

Fill in metadata (see below)

Click Save

Method 2: From an AI System

Open the AI System detail page

Navigate to the Evidence tab

Click Add Evidence

Upload and the evidence is automatically linked to that system

Method 3: From a Control

Open Controls and find the relevant control

Click Add Evidence in the evidence section

Upload and the evidence is automatically linked to that control

Method 4: During the Wizard

Several wizard steps accept file uploads inline — vendor contracts, oversight SOPs, training materials. Files uploaded during the wizard are automatically linked to the system being created.

Supported File Types

Setting Metadata

When uploading, fill in these fields:

Field

Guidance

Name

Descriptive name: "Vendor X SOC 2 Report 2025" not "doc1.pdf"

Description

What this document proves: "Demonstrates vendor security controls meet SOC 2 Type II requirements"

Evidence Type

Select: Policy, Screenshot, Report, Attestation, Certificate, Training Record, Contract, Other

Expiration Date

When this evidence needs refresh — e.g., annual certifications expire in 12 months

Confidentiality

Internal Only (default) or Shareable with Auditor

Tags

Add relevant tags for filtering: "vendor-security", "soc2", "annual-renewal"

Linking Evidence to Entities

Evidence gains compliance value when linked:

Link to AI System: Shows up in that system's evidence tab and contributes to its completeness score

Link to Control: Proves the control is implemented — this is the most valuable linkage

Link to Vendor: Supports vendor due diligence

Link to Task: Proves a compliance task was completed

You can link a single piece of evidence to multiple entities. For example, a vendor's SOC 2 report might be linked to the vendor record, the AI system that uses it, and the VEN-03 control.

Organizational Strategies

By system: Create a mental model of "everything related to System X is linked to System X"

By control family: Tag evidence by control family (GOV, DEP, TRN, VEN, etc.) for easy filtering

By renewal cycle: Use expiration dates and tags like "annual-renewal" to batch renewal efforts

Naming Conventions

Adopt a consistent naming convention:

[Type]_[Entity]_[Description]_[Date]

Examples:

"Certificate_VendorX_SOC2_2025-12"

"Screenshot_Chatbot_DisclosureNotice_2026-01"

"Policy_Internal_AIAcceptableUse_v2"

"Training_AllStaff_AILiteracy_CompletionReport_Q1-2026"

Best Practices

📋 Upload immediately: Don't let evidence accumulate — upload when you receive or create it

🏷️ Metadata matters: Well-tagged, well-described evidence is 10x more useful during an audit

🔗 Link aggressively: Every piece of evidence should be linked to at least one system or control

📅 Set expirations: This prevents stale evidence from counting toward compliance

📸 Screenshots are evidence: A screenshot of your transparency notice in production is valid evidence