Art. 4 already enforceable — February 2025 EU AI Act · GDPR implications · CLOUD Act exposure

Know which AI systems you run. Know what you owe. Prove it.

Inventory your AI systems, classify their risk, and generate an audit-ready compliance package — without a lawyer, before the August 2026 enforcement deadline.

Start free — classify your first system See how it works

Free for your first AI system  ·  No credit card required  ·  EU-hosted data

app.inacta.eu/dashboard
AI System Register Obligation Map Evidence Export
3 systems registered
Systems registered
3
Obligations mapped
18
Evidence complete
11
Gaps remaining
7
AI Systems — Compliance Status
ChatGPT (OpenAI) Limited-risk Deployer
4/5 complete
Microsoft Copilot Limited-risk Deployer
3/5 complete
HubSpot AI Scoring High-risk Deployer
4/4 complete

Illustrative — your actual compliance dashboard

Your AI systems are already subject to EU law.

The question isn't whether the AI Act applies to you. It's whether you can prove you're complying.

Enforceable now
Art. 4 — AI Literacy
In force since 2 February 2025. Every organization deploying AI must ensure staff have appropriate competence. No grace period.
17 months
Aug 2026 — Main Enforcement
Art. 26 deployer obligations and Art. 50 transparency rules. Fines up to €15M or 3% of global turnover for non-compliance.
Already arriving
Supply-Chain Pressure
Enterprise customers are adding AI Act compliance requirements to vendor questionnaires today — before the legal deadline. Your next procurement review may ask.
How InActa works

From zero to compliance evidence
in three steps

No legal training required. InActa guides you through the EU AI Act's requirements one question at a time.

1
Inventory

Catalogue every AI system you use or build

Add your AI tools — ChatGPT, Copilot, Salesforce Einstein, or your own products — through a guided intake form. Pre-populated suggestions by department make it fast. Each system gets a role: we use this or we provide this.

Pre-filled suggestions for common tools
Deployer and/or provider role per system
Generates a timestamped AI system register
2
Classify & Map

Know exactly which obligations apply — and which don't

A deterministic decision tree classifies each system under the AI Act. For systems that touch personal data, InActa also generates a targeted GDPR implications checklist and flags CLOUD Act exposure if you're using US-headquartered providers.

AI Act obligations mapped per system + role
GDPR implications checklist auto-generated per system
CLOUD Act / data sovereignty flag per US provider
3
Prove It

Export audit-ready evidence in one click

Generate a versioned, timestamped compliance package — everything a market surveillance authority, enterprise customer, or board would ask for. Use templates for DPIAs, worker notifications, and transparency disclosures. Export as branded PDF.

Single-PDF compliance package export
Versioned and regenerable as you update
Ready for vendor questionnaires and audits
What's inside

Everything you need to comply.
Nothing you don't.

InActa covers the full deployer compliance workflow — and the provider obligations that matter for SMEs building AI products.

AI System Inventory

Know every AI system in your organisation

A structured register of every AI tool you use or provide — with metadata on purpose, data categories, affected persons, and deployment status. The foundation the AI Act requires you to have.

Deployer / provider role toggle per system
Pre-populated for ChatGPT, Copilot, Salesforce, HubSpot AI, and more
Timestamped register exportable as PDF or CSV
Risk Classification + Obligation Map

Know exactly what you owe — per system

A deterministic decision tree classifies each system (prohibited → high-risk → limited-risk → minimal-risk) and maps every resulting obligation. Classification rationale is documented at every node — defensible from day one.

Art. 5 prohibited practices check first
Full Annex III domain coverage
Red/amber/green gap dashboard across your whole register
DPIA · Worker Notification · Transparency

Generate the documents that prove compliance

Guided templates for every document the AI Act requires you to produce — pre-populated from your inventory, ready to customise and sign off. Covers the full deployer evidence trail.

AI-specific DPIA template (Art. 26(9) + GDPR Art. 35)
Worker notification generator — EU, DE (works council), FR (CSE)
Art. 50 transparency templates — chatbot, email, content labels
GDPR Implications · CLOUD Act · Regulatory Alerts

The data questions every AI system raises — answered per system

For every AI system that processes personal data, InActa generates a targeted GDPR checklist — lawful basis, DPA status, transfer mechanisms, Art. 22 rights. Not a full GDPR platform; exactly the questions triggered by that specific system. Plus: CLOUD Act exposure flagged automatically for US-headquartered providers, and regulatory alerts when new rules affect your registered systems.

GDPR implications checklist auto-generated per system — lawful basis, DPA, transfers, Art. 22
CLOUD Act exposure flag for US-headquartered providers — EU-only hosting options surfaced
Regulatory alerts when new rules affect your registered systems — from Starter tier
Pricing

Start free. Scale when you need to.

All paid plans include a 14-day full trial. Annual billing saves 20%.

Free
€0
1 AI system · Unlimited users
Risk classifier
Basic obligation checklist
Regulatory knowledge base
Get started free
Starter
€99/mo
Unlimited systems · Unlimited users
Full inventory + classification
GDPR implications layer
Evidence export (PDF)
Regulatory alerts
Agent-ready API
Start 14-day trial
Most popular
Professional
€349/mo
Unlimited systems · Unlimited users
Everything in Starter
AI-specific DPIA templates
Worker notification generator (DE, FR, EU)
FRIA template (Art. 27)
Priority support
Start 14-day trial
Enterprise
From €1,500/mo
Unlimited systems · Unlimited users
Custom evidence templates
Custom obligation workflows per sector
Dedicated onboarding
Quarterly check-ins
Contract SLA
Talk to us
Unlimited users at every tier — compliance is a team sport, not a per-seat fee.

Not ready to subscribe?

One-time · €249

Compliance Snapshot

Get a complete, exportable compliance pack for up to 10 systems — no subscription required.

Up to 10 AI systems
Full inventory + risk classification
Complete PDF evidence export
14-day workspace + API access
No ongoing alerts or version history
Get the Snapshot — €249
Why you can trust the output

Built to be defensible,
not just convenient.

Compliance evidence is only as good as its defensibility. InActa is designed for DPOs and CTOs who'll be asked hard questions — by regulators, auditors, and enterprise procurement teams.

Deterministic classification — no AI hallucinations
Risk classification uses a 100% rule-based decision tree. No LLM decides your legal status. The rationale for every classification step is documented and reviewable.
EU-hosted data — Hetzner, Germany
All data stored on German infrastructure. No US CLOUD Act exposure. Your compliance records stay under EU jurisdiction — a competitive advantage when facing enterprise procurement questions.
Advisory framing — not legal advice
InActa produces "likely classification with documented rationale" — never a definitive legal opinion. Borderline cases are flagged for legal review. Every output is a tool for your counsel, not a substitute.
Versioned and timestamped
Every compliance report is versioned and timestamped. Regenerate at any point in time. Show regulators exactly what your compliance status was on any given date.
Data residency
Your compliance data stays in the EU. Full stop.

InActa runs on self-hosted Supabase deployed to Hetzner Cloud in Nuremberg, Germany. No third-party US cloud. No ambiguity. When an enterprise customer asks where your data lives, the answer is a specific city.

Hetzner Cloud, Nuremberg DE
GDPR-compliant processing
No US CLOUD Act exposure
What about the Digital Omnibus?

The Digital Omnibus proposal (Nov 2025) may delay some Annex III obligations to December 2027. Outcome uncertain as of March 2026. InActa's strategy works under both timelines — Art. 4 and Art. 50 are enforceable now regardless, and supply-chain pressure isn't waiting for a court ruling.

FAQ

Common questions

Is this legal advice?
No. InActa produces structured compliance documentation and risk classification guidance, framed as "likely classification with documented rationale." It is a tool to help you understand and evidence your obligations under the EU AI Act — not a substitute for legal counsel. Borderline cases are always flagged for professional review. We recommend using InActa's output as the foundation for a conversation with your legal team, not as the final word.
What if my risk classification turns out to be wrong?
The classification wizard uses a deterministic decision tree — not an LLM — and documents the rationale at every step. Where ambiguity exists, it errs on the side of the higher risk category and flags the case for legal review. InActa never gives you a confident wrong answer; it gives you a reasoned position with documented inputs. That documented reasoning is itself a form of compliance evidence, demonstrating you took the question seriously.
Does the Digital Omnibus change what I need to do right now?
The Omnibus may delay Annex III high-risk obligations for some systems to December 2027 — but Art. 4 (AI literacy) is already enforceable since February 2025, and Art. 50 (transparency) is on track for August 2026 regardless. Supply-chain pressure from enterprise customers is operating on its own timeline too. The smart move is to build your compliance foundation now, with the knowledge that you'll be ready either way.
Does InActa cover high-risk AI provider obligations?
Not in the current version. InActa covers deployer obligations at all risk tiers, and provider obligations for limited/minimal-risk systems. If you're building and selling a system that InActa classifies as high-risk, it will flag this clearly and provide a roadmap of what's required (Art. 16–24, Annex IV, conformity assessment) — but those workflows are complex enough to require dedicated legal review, and we won't surface them without the appropriate caveats. High-risk provider support is on the V3 roadmap.
Where is my data hosted?
All data is hosted on Hetzner Cloud infrastructure in Nuremberg, Germany — EU jurisdiction only. We use self-hosted Supabase, not cloud-managed services with US-parent companies. There is no US CLOUD Act exposure. Data processing is GDPR-compliant. If you're a fintech or regulated-sector company that needs detailed data processing documentation, contact us and we'll send our DPA and technical architecture overview.
How long does it actually take to get compliant?
For most SMEs with 3–5 AI tools and limited-risk classifications, you can complete your first compliance report in under an hour. A company with 10–15 systems including some higher-risk use cases should budget a few hours across two or three sessions — some obligations (like completing a DPIA or running a worker notification process) take time regardless of tool. InActa's goal is to make that time as productive as possible: no time wasted figuring out what's required, only time spent actually doing it.
Get started

August 2026 is closer
than it looks.

Start with one AI system, free. Classify it, see what you owe, and generate your first evidence report — in about 20 minutes.

Classify your first system — free

No credit card. No lawyer. No months of work.