What is KlarvoEngine?

KlarvoEngine is Klarvo's regulatory intelligence engine. It analyses your AI system through a 3-pass classification pipeline and produces an article-cited compliance memo with obligations, deadlines, and recommended controls — in under 60 seconds.

What is the EU AI Act?

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI regulation. It classifies AI systems by risk level and imposes obligations on providers and deployers of AI systems operating in the EU.

Any organisation that provides or deploys AI systems affecting people in the EU — regardless of where the organisation is based. This includes websites with AI chatbots, companies using AI analytics, and businesses integrating AI models into their products.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations since August 2025. Article 50 transparency and most remaining obligations apply from August 2, 2026.

What are the penalties?

Up to €35 million or 7% of global turnover for prohibited practices. Up to €15 million or 3% for transparency and other violations. For SMEs, the penalty is whichever amount is lower.

Vendor Attestations — Klarvo Docs

Vendor Attestations

A vendor attestation is a formal statement from your AI vendor about their system's compliance posture. These are becoming increasingly important as the EU AI Act takes effect — they demonstrate that you've verified your vendor's claims.

What Attestations Cover

Attestation Type

What the Vendor Confirms

AI System Description

What the system does, how it works, known limitations

Risk Classification

The vendor's own assessment of their system's risk level

Transparency Support

How they support deployer transparency obligations

Logging Capability

What logs are generated, retained, and exportable

Incident Notification

Their process for notifying deployers of issues

Data Processing

Where and how data is processed; security measures

GPAI Compliance

For general-purpose AI: model card, training data transparency

No Prohibited Practices

Confirmation the system doesn't engage in Article 5 prohibited practices

Requesting Attestations

To request an attestation from a vendor:

Navigate to the vendor profile

Go to the Attestations tab

Click Request Attestation

Select the attestation type(s) needed

Klarvo generates a standardized request that you can send to the vendor

The request includes specific questions aligned to EU AI Act requirements

Recording Received Attestations

When you receive a vendor attestation:

Navigate to the vendor profile → Attestations tab

Click Add Attestation

Select the type

Upload the vendor's response document

Record:

- Date received

- Who provided it (vendor contact)

- Validity period (typically 12 months)

- Any caveats or limitations noted

Link to relevant AI systems and controls

Attestation vs. Certification

Attestation

Certification

Who provides

The vendor themselves

Independent third party (auditor)

Reliability

Self-reported; lower assurance

Independently verified; higher assurance

Cost

Free / low cost

Significant cost

Availability

Most vendors can provide

Not all vendors have certifications

Audit value

Good; shows due diligence

Excellent; independent verification

Both have value. Attestations are practical for SMEs who can't require every vendor to have third-party certification.

Renewal Tracking

Attestations have limited validity:

Set the expiration date when recording the attestation

Klarvo sends renewal reminders 30 days before expiry

A task is auto-created to request updated attestation

Expired attestations are flagged and no longer count toward due diligence completion

Best Practices

📋 Request at procurement: Include attestation requirements in your vendor onboarding process

📅 Set validity periods: Typically 12 months — align with contract renewal cycles

📄 Use standardized formats: Consistent attestation requests make vendor responses more comparable

🔗 Link to evidence: Attestations are evidence for VEN controls — link them accordingly

⚠️ Note limitations: If a vendor's attestation has caveats, record them clearly