1. General
1.1. Scope. This Appendix sets out the Parties' obligations under Regulation (EU) 2024/1689 (the "EU AI Act") with respect to the Services provided under the Main Agreement. It supplements, and does not replace, the Data Processing Addendum in Appendix 2.
1.2. Role allocation. For the purposes of the EU AI Act, UNLESS acts as the "provider" of the AI systems embedded in the Services, and Customer acts as the "deployer" of those AI systems. Each Party shall perform the obligations applicable to its role. Where a use case qualifies as high-risk under the EU AI Act, the Parties shall cooperate in good faith to allocate responsibilities accordingly.
1.3. AI literacy. In accordance with Article 4 of the EU AI Act, each Party shall take measures to ensure, to its best extent, a sufficient level of AI literacy among its staff and any other persons dealing with the operation and use of the AI systems on its behalf, taking into account their technical knowledge, experience, education, and training, and the context in which the AI systems are to be used.
2. Risk classification
2.1. Use case assessment. UNLESS classifies the AI systems it provides according to the risk categories defined in Articles 5, 6 and 50 of the EU AI Act. On Customer's reasonable request, UNLESS shall share the applicable classification for the AI systems used by Customer.
2.2. Prohibited practices. UNLESS shall not provide, and Customer shall not deploy, AI systems for practices prohibited under Article 5 of the EU AI Act.
2.3. High-risk use cases. If Customer intends to deploy the Services in a use case that qualifies as high-risk under Annex III of the EU AI Act, Customer shall inform UNLESS in advance. UNLESS may condition such deployment on additional technical, organisational, or contractual measures.
3. Transparency
3.1. Disclosure to End Users. UNLESS provides functionality that allows End Users to be informed they are interacting with an AI system, in line with Article 50 of the EU AI Act. Customer is responsible for enabling and configuring this functionality in its deployments.
3.2. AI-generated content. Where the Services generate or manipulate content that could reasonably be mistaken for human-created content, UNLESS provides technical means to mark such content as AI-generated. Customer shall use these means where required by Applicable Law.
4. Human oversight
4.1. Oversight design. The Services are designed to allow Customer to exercise meaningful human oversight, including the ability to review, override, or disable AI-generated outputs.
4.2. Customer responsibility. Customer is responsible for assigning competent personnel to supervise the AI systems in its deployments and for acting on the oversight signals the Services provide.
5. Deployer obligations
5.1. General. Customer acknowledges that, as a deployer under the EU AI Act, it is responsible for the obligations set out in Article 26 of the EU AI Act to the extent they apply to its deployment of the Services. These include, where applicable:
- using the Services in accordance with their instructions for use;
- assigning human oversight to natural persons with the necessary competence, training, authority, and support;
- ensuring that input data is relevant and sufficiently representative for the intended purpose, to the extent the input data is under Customer's control;
- monitoring the operation of the Services based on the instructions for use and, where relevant, informing the Processor of any risk or serious incident identified;
- retaining logs automatically generated by the Services for the period required under Article 26(6) of the EU AI Act, where logs are under Customer's control;
- informing workers and their representatives before putting into service or using any high-risk AI system in the workplace; and
- carrying out a Fundamental Rights Impact Assessment under Article 27, where applicable.
5.2. Provider support. UNLESS shall make available, on reasonable request, the information and technical documentation reasonably necessary for Customer to meet its deployer obligations, including model cards or equivalent documentation for high-risk use cases.
6. Logging and auditability
6.1. Audit trails. UNLESS maintains automatic logging of AI interactions processed through the Services, sufficient to support traceability and post-incident analysis, in line with Article 12 of the EU AI Act.
6.2. Access. Customer may access logs relating to its own deployments through the UNLESS dashboard or, where not available there, upon reasonable request. Retention periods are aligned with the Data Processing Addendum.
7. General-purpose AI models
7.1. Underlying models. The Services rely on general-purpose AI models hosted within the environments of the cloud Sub-Processors listed in Appendix 2. UNLESS does not transmit Customer Data directly to separate LLM vendors. The model providers selected by UNLESS comply with the obligations applicable to providers of general-purpose AI models under the EU AI Act.
7.2. Model changes. UNLESS may change the underlying general-purpose AI models at its discretion, provided that the change does not materially reduce the compliance posture or service quality relied upon by Customer.
8. Incidents and cooperation
8.1. Serious incidents. UNLESS shall notify Customer without undue delay of any serious incident (as defined in Article 3(49) of the EU AI Act) affecting the Services used by Customer, and shall reasonably assist Customer in meeting its own reporting obligations.
8.2. Authority requests. The Parties shall cooperate in good faith with competent authorities in the context of inquiries, audits, or investigations relating to the EU AI Act, subject to the confidentiality provisions of the Main Agreement.
Technical documentation
On reasonable request, and subject to confidentiality obligations, UNLESS shall make available the technical documentation and instructions for use reasonably necessary for Customer to meet its deployer obligations under the EU AI Act.
