Trust
PowerQuant builds compliance-evidence packages for the EU AI Act and NIS2, aimed at HR-tech providers and deployers. This page documents how our work can be verified — by your DPO, your CISO, your procurement team, and, where necessary, by a market-surveillance authority.
We do not ask for trust. We give you the means to verify it.
Source-referenced to the regulation
Every legal claim in a PowerQuant deliverable is linked to its exact source in Regulation (EU) 2024/1689 — by article, annex, or recital.
- Risk-classification statements cite Art. 6 (including the Art. 6(3) derogation) and Annex III.
- Provider obligations cite Art. 16 and the relevant articles in Chapter III, Section 2 (Art. 8–15).
- Deployer obligations cite Art. 26.
- Prohibited practices cite Art. 5.
- General-purpose AI obligations cite Chapter V (Art. 51–55).
- Enforcement and penalties cite Chapter XII (Art. 99 et seq.).
No claim about the AI Act appears in our work without a precise citation. If a citation cannot be made, the claim is not made.
Verifiably signed
Every PowerQuant deliverable is cryptographically signed with an Ed25519 key.
- Each artefact ships with a detached signature and a SHA-256 content hash.
- Our public verification key is published at powerquant.eu and fingerprinted in each deliverable.
- Signatures are timestamped, so the moment of issuance can be established independently.
- Any third party — your auditor, your DPO, or a market-surveillance authority — can verify integrity and authorship without contacting us.
A signed PDF that cannot be verified is not evidence. Ours can be.
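What an independent check of one deliverable could look like, as an added example (not PowerQuant's tooling or file format): it pins the key by fingerprint, then checks the content hash and the detached Ed25519 signature. Assumptions: the signature covers the raw artefact bytes, the fingerprint is the hex SHA-256 of the raw 32-byte key, and the `Bundle` type, function names and sample data are hypothetical and constructed; timestamp validation is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle is a hypothetical container for what accompanies one deliverable.
type Bundle struct {
	Artefact  []byte // the deliverable's bytes
	SHA256Hex string // content hash shipped with the artefact (lowercase hex)
	Signature []byte // detached Ed25519 signature (assumed: over the raw artefact bytes)
	PublicKey []byte // 32-byte verification key as downloaded
}

// VerifyBundle checks the key against pinnedFP (a fingerprint obtained out of
// band, assumed hex SHA-256 of the raw key), then the hash, then the signature.
func VerifyBundle(b Bundle, pinnedFP string) error {
	if len(b.PublicKey) != ed25519.PublicKeySize {
		return errors.New("public key has wrong length")
	}
	if fp := sha256.Sum256(b.PublicKey); hex.EncodeToString(fp[:]) != pinnedFP {
		return errors.New("public key does not match pinned fingerprint")
	}
	if sum := sha256.Sum256(b.Artefact); hex.EncodeToString(sum[:]) != b.SHA256Hex {
		return errors.New("content hash mismatch")
	}
	if !ed25519.Verify(b.PublicKey, b.Artefact, b.Signature) {
		return errors.New("signature invalid")
	}
	return nil
}

// SampleBundle builds a constructed bundle signed with a throwaway demo key.
func SampleBundle() (Bundle, string) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed, demo only
	pub := priv.Public().(ed25519.PublicKey)
	doc := []byte("constructed sample deliverable\n")
	sum, fp := sha256.Sum256(doc), sha256.Sum256(pub)
	return Bundle{doc, hex.EncodeToString(sum[:]), ed25519.Sign(priv, doc), pub}, hex.EncodeToString(fp[:])
}

func main() {
	b, fp := SampleBundle()
	fmt.Println("untampered:", VerifyBundle(b, fp))
	b.Signature[0] ^= 1 // simulate a corrupted or forged signature
	fmt.Println("bad signature:", VerifyBundle(b, fp))
}
```

The fingerprint check comes first because a hash and signature that verify under an unpinned key prove nothing about authorship.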
Aligned to standards
PowerQuant's methodology is aligned with the relevant management-system standards for information security and AI:
- ISO/IEC 27001 — information security management.
- ISO/IEC 42001 — AI management systems.
We do not issue certifications in the customer's name, and we do not act as a conformity-assessment body or notified body under the AI Act. Where the AI Act requires a conformity assessment (Art. 43), that procedure remains the responsibility of the provider of the high-risk AI system.
Data protection
PowerQuant processes customer data under the GDPR.
- A Data Processing Agreement under Art. 28 GDPR is in place with every customer.
- Our current sub-processor list is available on request and is maintained under the change-notification terms of the DPA.
- Technical and organisational measures meet Art. 32 GDPR, including encryption in transit and at rest, access controls, logging, and key rotation.
- Transfers to third countries, where they occur, are covered by the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), together with supplementary measures where required.
We do not sell customer data, share it, or train models on it.
Anchored in EU supervision
The EU AI Act is enforced through the Member States, not by PowerQuant.
- National market-surveillance authorities designated under Art. 70 hold the enforcement powers, including those imported from Regulation (EU) 2019/1020.
- The European AI Office within the European Commission coordinates implementation and supervises general-purpose AI models (Art. 64).
- The European Artificial Intelligence Board (Art. 65) ensures consistent application across Member States.
PowerQuant provides evidence. Supervision, enforcement, and penalties (Art. 99) sit with the public authorities.
Regulatory status
The AI Act entered into force on 1 August 2024. The following dates of application are relevant to HR-tech:
- 2 February 2025 — the Art. 5 prohibitions on certain AI practices and the Art. 4 AI-literacy obligation for providers and deployers have applied since this date.
- 2 August 2025 — the obligations on providers of general-purpose AI models (Chapter V) have applied since this date.
- 2 August 2026 — under the regulation as adopted, the obligations on high-risk AI systems listed in Annex III become applicable. For HR-tech, this primarily means Annex III point 4 — AI systems used for the recruitment, selection, evaluation, and monitoring of employees, and for decisions affecting work-related contractual relationships.
A note on classification. Listing in Annex III does not automatically make a system high-risk. Article 6(3) provides a narrow derogation where the system performs a purely procedural task, improves the result of a previously completed human activity, or detects decision-making patterns without replacing or influencing human judgement — provided it does not pose a significant risk to health, safety, or fundamental rights. The derogation does not apply where the system performs profiling of natural persons, which always remains high-risk. We assess Art. 6(3) eligibility on a system-by-system basis and document the reasoning.
A note on Art. 27 (FRIA). The Fundamental Rights Impact Assessment under Art. 27 applies primarily to public bodies and private operators providing public services, together with the limited set of additional deployer scenarios listed in that article. It is not a universal obligation for every HR-tech customer; we identify when it applies on a case-by-case basis.
A note on the Digital Omnibus. On 7 May 2026, a political agreement on the Digital Omnibus package was reached between the co-legislators. As published, the agreement would postpone the Annex III high-risk obligations to 2 December 2027. As of today, the Digital Omnibus has not yet been formally adopted by the European Parliament and the Council, and it has not been published in the Official Journal. 2 August 2026 therefore remains the applicable date in law. PowerQuant tracks the legislative process and updates affected deliverables when, and only when, a change is formally adopted and published in the Official Journal.
Questions on any of the above are welcome at kontakt@powerquant.dk.