Trust Centre

We govern our AI the same way we govern yours.

This page documents Complaix's security controls, privacy practices, compliance posture, and AI governance transparency. We hold ourselves to the same standards we implement for clients.

EU AI Act: Aligned · UK GDPR: Compliant · EU GDPR: Compliant · ISO 42001: Aligned

Security controls

Complaix applies security controls appropriate for a platform handling sensitive organisational governance data.

Data Encryption

Encryption in transit: TLS 1.2 and TLS 1.3
Encryption at rest: AES-256
Database encryption: Encrypted at rest and in transit

Access Control

Authentication: OAuth 2.0 with session management
Session expiry: Automatic timeout on inactivity
Role-based access: Admin, user, and advisor roles
Principle of least privilege: Applied across all system access

Infrastructure

Hosting: Cloud-hosted, EU data residency
Availability: High availability architecture
Backups: Automated daily backups with retention
Monitoring: Continuous uptime and error monitoring

Development Practices

Code review: All changes reviewed before deployment
Dependency management: Regular dependency audits
Vulnerability disclosure: Responsible disclosure policy in place
Incident response: Documented incident response procedure

Vulnerability disclosure: If you discover a security vulnerability in Complaix products or infrastructure, please contact us at [email protected]. We will acknowledge your report within 48 hours and keep you informed of our response.

Privacy practices

A summary of how we collect, use, and protect your data. Full details are in our Privacy Policy.

Data Controller

Complaix™ Ltd, Registered in England and Wales, 20 Wenlock Road, London, England, N1 7GU. For all data protection enquiries, contact the Data Controller at [email protected]. This privacy summary was last reviewed in May 2026.

ICO Registered. Reference: ZC141905 · Registered 07 May 2026 · Expires 06 May 2027
View ICO Certificate

What data we collect

We collect the information you provide when completing the AI Accountability Assessment (organisational context, assessment responses), when contacting us (name, email, organisation), and when using the Complaix Platform (AI system registrations, decision logs, governance artefacts). We do not collect unnecessary personal data.

How we use your data

Assessment data is used to generate your AI Exposure Score and governance report. Contact data is used to respond to enquiries and manage engagements. Platform data is used to operate the governance infrastructure you have built. We do not sell your data to third parties. We do not use your governance data to train AI models.

Data retention

Assessment results are retained for 12 months unless you request deletion. Platform data is retained for the duration of your subscription plus 90 days following termination. Contact data is retained for as long as necessary to manage the relationship. You may request deletion at any time.

Data residency

Complaix infrastructure is hosted in the European Union; data for US customers may be hosted in a US region according to the residency noted in the sub-processor list below. Data is not transferred outside the EEA without appropriate safeguards. UK clients are covered by UK GDPR. EU clients are covered by EU GDPR. US clients are covered by applicable US state privacy laws.

Your rights

You have the right to access, correct, export, and delete your personal data. You may exercise these rights by contacting us at [email protected] or submitting a data erasure request through our Data Erasure Request page.

Cookies

We use strictly necessary cookies for session management and authentication. We use analytics cookies (with consent) to understand how the site is used. We do not use advertising or tracking cookies. You can manage your cookie preferences at any time.

Data Processing Agreement (DPA)

Standard DPA for enterprise clients and procurement teams. Covers Article 28 UK GDPR / EU GDPR obligations, sub-processor controls, security measures, and audit rights. For a countersigned copy, contact [email protected].

Download DPA (PDF)

Compliance posture

Complaix maintains alignment with the regulatory frameworks most relevant to our clients and our operations.

EU AI Act

Aligned

Complaix is designed to help organisations comply with the EU AI Act. We apply the same governance standards internally: all AI systems in use at Complaix™ are documented, classified by risk level, and governed under the Complaix System.

UK GDPR

Compliant

Complaix Ltd is a UK-registered entity. We process personal data in accordance with UK GDPR. Registered with the ICO (reference: ZC141905, registered 07 May 2026). Our privacy practices are documented and reviewed regularly.

EU GDPR

Compliant

We process EU personal data in accordance with EU GDPR. EU data is stored within the EEA. We maintain records of processing activities as required.

ISO 42001

Aligned

The Complaix™ System is aligned to ISO 42001 (AI Management Systems). We help clients achieve ISO 42001 alignment as part of our Governance Advisory engagements.

Our AI governance

We apply the Complaix System to our own operations. Every AI tool in use at Complaix is documented, classified, and governed. This is our AI Surface Registry.

AI tool: Claude (Anthropic)
Purpose: Internal drafting, content review, and research assistance
Risk level: Low
Human review: Yes. All AI-generated content reviewed before use.
Data shared: No client data shared with external AI providers

AI tool: GPT-4 (OpenAI)
Purpose: Internal drafting and analysis assistance
Risk level: Low
Human review: Yes. All AI-generated content reviewed before use.
Data shared: No client data shared with external AI providers

AI tool: Complaix Platform (internal)
Purpose: AI Exposure Score calculation, governance artefact generation
Risk level: Medium
Human review: Yes. Scores and reports reviewed by founder before delivery.
Data shared: Client assessment data processed within Complaix infrastructure only

Sub-processors

Complaix uses the following third-party sub-processors to deliver its services. This list includes both currently active sub-processors and those being activated as part of our operational build-out. All listed sub-processors have been evaluated against our compliance criteria and have Data Processing Agreements in place. Customers are notified 30 days in advance of any changes to this list.

Cloud Infrastructure: Amazon Web Services (AWS)
Data processed: Application hosting, database, file storage, backups
Processing region: EU/UK (eu-west-1 Ireland, eu-west-2 London), US (us-east-1 N. Virginia), selected per customer residency
Certifications: ISO 27001, SOC 2 Type II

Identity Provider: Auth0 (Okta CIC)
Data processed: User authentication credentials, session data, MFA tokens
Processing region: EU tenant for EU customers; UK tenant for UK customers
Certifications: ISO 27001, SOC 2 Type II

Transactional Email: Postmark
Data processed: Email addresses, message content for system emails
Processing region: EU servers for EU customers
Certifications: SOC 2 Type II

Customer Support: Plain
Data processed: Support ticket content, contact details
Processing region: EU/Global
Certifications: SOC 2 Type II

Product Analytics: PostHog
Data processed: Anonymised usage events, session data (no PII by default)
Processing region: EU-hosted instance
Certifications: SOC 2 Type II

Error Monitoring: Sentry
Data processed: Error logs, stack traces (PII scrubbed)
Processing region: EU-hosted instance
Certifications: ISO 27001, SOC 2 Type II

Payment Processing: Stripe
Data processed: Payment card data, billing details, invoice data
Processing region: UK/EU
Certifications: PCI DSS Level 1, ISO 27001

Payment Processing (Direct Debit): GoCardless
Data processed: Bank account details for UK Direct Debit and SEPA
Processing region: UK/EU
Certifications: ISO 27001, SOC 2 Type II

E-Signing: DocuSign
Data processed: Signatory names, email addresses, signed document content
Processing region: EU/Global
Certifications: ISO 27001, SOC 2 Type II

CRM: Attio
Data processed: Contact names, email addresses, deal and pipeline data
Processing region: EU/Global
Certifications: SOC 2 Type II

Calendar / Scheduling: Cal.com
Data processed: Meeting booking data, calendar availability
Processing region: EU/Global
Certifications: SOC 2 Type II

DNS / CDN: Cloudflare
Data processed: Network traffic metadata, IP addresses (anonymised)
Processing region: Global edge network
Certifications: ISO 27001, SOC 2 Type II

Email Automation: Customer.io
Data processed: Email addresses, first name, engagement events for lifecycle and transactional email flows
Processing region: EU-hosted instance (EU data centre)
Certifications: SOC 2 Type II

Change notification: Customers can subscribe to sub-processor change notifications at [email protected]. When a sub-processor is added, removed, or changes scope, subscribed customers receive 30 days advance notice with the right to object within 14 days. This list was last reviewed in April 2026.

Security and privacy contacts

Security disclosures
[email protected]

Report vulnerabilities or security concerns

Privacy & data enquiries
[email protected]

Data subject requests, privacy questions, GDPR enquiries

Legal & compliance
[email protected]

Regulatory questions, audit requests, DPA enquiries

Build the same trust infrastructure for your organisation.

Complaix helps regulated organisations build AI governance infrastructure that is auditable, accountable, and board-ready.

Free Resources

Governance Frameworks & Guides

Practical frameworks and reference documents for enterprise AI governance. Enter your email and we'll send the PDF directly to your inbox.

Operational AI Governance Framework (PDF · 10 pages)

The complete Complaix five-framework methodology. Includes the Governance Maturity Model, Audit Readiness Standard, and regulatory alignment tables for the EU AI Act, ISO 42001, and FCA guidance.

Tags: EU AI Act · ISO 42001 · FCA Guidance · v1.0 · May 2026

EU AI Act Compliance Checklist

A practical checklist for assessing your organisation's readiness against the EU AI Act's high-risk AI system requirements. Covers Articles 9-17, technical documentation, and human oversight obligations.

Tags: EU AI Act · High-Risk AI · Articles 9-17 · v1.0 · May 2026

AI Accountability Maturity Model (PDF · 2 pages)

A concise self-assessment tool showing the five maturity levels from Unmanaged to Optimised. Maps directly to Framework 05 and is designed to share with boards and senior leadership.

Tags: Framework 05 · Board-Ready · ISO 42001 · v1.0 · May 2026
The Governance Gap (Whitepaper · PDF · 12 pages)

Why enterprise AI is outpacing accountability and how to close the gap before August 2026. 12 pages covering structural failures, regulatory landscape, and the Complaix methodology.

Tags: AI Governance · EU AI Act · Enterprise

Governance Lifecycle One-Pager (PDF · 1 page)

The six-phase AI governance lifecycle from Discovery to Continuous Improvement. Designed as a board and procurement leave-behind showing the full Complaix methodology at a glance.

Tags: Governance · Lifecycle · Sales Asset