# Compliance overview
The compliance surface is the set of API routes, audit primitives, and dashboard tools Meridian Blue exposes for EU AI Act and GDPR obligations. This section maps each obligation to the route or feature that satisfies it, so you can build evidence as you ship.
## Regulatory scope
Meridian Blue is built for organisations operating AI under the EU AI Act and GDPR, with hooks for sectoral regimes (DORA for financial services, MDR for medical devices, HDS for French health hosting). Where the platform's defaults differ across regimes, those decisions are documented per page.
## EU AI Act article map
| Article | Subject | Where it lives |
|---|---|---|
| Art. 4 | AI literacy | Shadow AI & literacy — quizzes + completion records via /api/v1/literacy. |
| Art. 5 | Prohibited practices | Risk classification — built-in detector + LLM-judge. |
| Art. 13 | Transparency to users | Explainability — explainability field on every response. |
| Art. 14 | Human oversight | Human oversight — review queue at /api/v1/review. |
| Art. 26 | Deployer obligations | Policy engine — signed deployer policy at /api/v1/policies. |
| Art. 27 | FRIA | FRIA & conformity — assessments via /api/v1/conformity. |
| Art. 28 | Sub-processors | GDPR alignment — public list at /api/v1/sub-processors. |
| Art. 50 | User disclosure | User disclosure — user_notice on response envelope. |
| Art. 53/55 | GPAI obligations | GPAI — provider compliance posture via /api/v1/gpai. |
| Art. 72 | Post-market monitoring | Post-market — drift detection + corrective-action workflow. |
| Art. 73 | Serious incident reporting | Incidents — /api/v1/incidents. |
| Art. 86 | Right to explanation | Explainability + appeals via /api/v1/appeals. |
## Where to start
- If you're integrating for the first time: Quickstart → Policy engine.
- If you're responding to a regulator: Audit vault → Lineage.
- If you're classifying a system: Risk classification → FRIA & conformity.