# EU AI Act Statement

> CodeAnt AI's position on compliance with Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act.

## CodeAnt AI — AI-Assisted Code Review and Security Platform

## 1. Purpose

This document sets out CodeAnt AI's position on compliance with Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act ("AI Act") — as it applies to the CodeAnt platform. It is intended to support enterprise customers, in particular those operating in or deploying CodeAnt within the European Union, in completing their own due-diligence and AI impact assessments.

## 2. Product overview

CodeAnt AI is a developer-assistance platform that integrates into source-code repositories (GitHub, GitLab, Bitbucket, Azure DevOps) to provide:

* **AI Code Review** — natural-language and pattern-based feedback on pull requests, covering code quality, likely bugs, and improvement suggestions.
* **Code Security** — static application security testing (SAST), secret scanning, infrastructure-as-code analysis, and software composition analysis.

All findings are surfaced as **advisory suggestions** on pull requests, code-review interfaces, or developer dashboards. CodeAnt does not autonomously modify, merge, or deploy code; a human developer reviews every suggestion and decides whether to accept, modify, or reject it.

## 3. AI components

CodeAnt combines:

* **Deterministic / rule-based engines** for static analysis, secret detection, dependency scanning, and policy enforcement. These are not AI systems within the meaning of Art. 3(1) AI Act.
* **AI components** used for natural-language code review, summarisation, and suggestion generation, including the use of third-party general-purpose AI (GPAI) foundation models accessed via \[confirm provider(s) — e.g., OpenAI, Anthropic, Azure OpenAI, self-hosted open-weights models] depending on deployment mode and customer configuration.

## 4. Risk classification under the AI Act

CodeAnt has assessed the platform against the AI Act's risk framework.

### 4.1 Not a prohibited practice (Art. 5)

CodeAnt does not perform any of the practices prohibited under Art. 5 (subliminal manipulation, social scoring, untargeted facial-image scraping, real-time remote biometric identification, emotion recognition in workplace/education, etc.).

### 4.2 Not a high-risk AI system (Art. 6 / Annex III)

CodeAnt has reviewed each of the Annex III categories and concluded the platform does not fall within any of them:

| Annex III category                                       | Applies to CodeAnt? | Reasoning                                                                                                                                                                                                    |
| -------------------------------------------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Biometrics                                               | No                  | No biometric processing.                                                                                                                                                                                     |
| Critical infrastructure                                  | No                  | Not used to manage or operate critical infrastructure (energy, water, transport, digital infrastructure as defined).                                                                                         |
| Education and vocational training                        | No                  | Not used to determine access, assess learners, or detect prohibited behaviour.                                                                                                                               |
| Employment, worker management, access to self-employment | No                  | Not used for recruitment, performance evaluation, promotion, termination, or task allocation. Any developer-productivity metrics surfaced are advisory and do not constitute automated employment decisions. |
| Access to essential services                             | No                  | No role in credit scoring, benefits eligibility, emergency-services triage, or similar.                                                                                                                      |
| Law enforcement                                          | No                  | Not deployed to law-enforcement authorities for any covered purpose.                                                                                                                                         |
| Migration, asylum, border control                        | No                  | Not applicable.                                                                                                                                                                                              |
| Administration of justice & democratic processes         | No                  | Not applicable.                                                                                                                                                                                              |

CodeAnt is therefore not subject to the high-risk obligations of Chapter III of the Act.

### 4.3 Limited-risk / transparency obligations (Art. 50)

Where CodeAnt's AI generates text-based output that interacts with developers (e.g., AI code-review comments), CodeAnt complies with the Art. 50 transparency obligation by clearly labelling AI-generated content as such within the developer interface.

### 4.4 General-purpose AI model considerations (Chapter V)

Where CodeAnt integrates third-party GPAI foundation models, the model provider carries the GPAI obligations under Chapter V (technical documentation, training-data summary, copyright policy, and — for models with systemic risk — additional obligations). CodeAnt acts as a downstream provider/deployer and selects model suppliers who are themselves compliant with, or actively working toward, these obligations.

## 5. Compliance measures in place

Although CodeAnt is not classified as a high-risk AI system, the following measures — many of which mirror the high-risk obligations of Arts. 9–15 — are implemented as a matter of responsible AI engineering and to support customers in regulated industries.

### 5.1 Risk management

* Documented AI risk assessment covering intended purpose, reasonably foreseeable misuse, residual risks, and mitigations.
* Reviewed and updated at least annually and on any material model or feature change.

### 5.2 Data governance

* CodeAnt does **not** train its proprietary models on customer source code, pull-request content, or repository metadata.
* For third-party GPAI inference, CodeAnt selects providers and configurations that contractually exclude customer content from being used to train the underlying foundation models.
* Data minimisation at inference: only the code context strictly required for the requested review is submitted to the model.
* Configurable redaction of secrets and identifiable personal data before inference.

### 5.3 Human oversight

* All AI output is advisory. Developers retain full discretion to accept, modify, or reject suggestions.
* CodeAnt does not auto-merge, auto-deploy, or otherwise act autonomously on production systems.
* The accepting reviewer is clearly identified in the audit trail as the responsible decision-maker for any change merged on the basis of an AI suggestion.

### 5.4 Logging and traceability

For every AI-generated suggestion, CodeAnt records:

* Timestamp and triggering event (e.g., pull request opened, manual rerun).
* Model identifier and version.
* File path and line reference of the affected code.
* The suggestion content.
* The reviewer's decision (accepted / dismissed / modified) and timestamp.

Logs are retained according to the customer's retention policy and are exportable for audit purposes.

### 5.5 Technical documentation

CodeAnt maintains internal technical documentation covering system architecture, model selection rationale, evaluation methodology, known limitations, and change history. Customer-facing summaries are available under NDA on request.

### 5.6 Transparency to end users (Art. 50)

* Developers are informed at first use that they are interacting with an AI system.
* AI-generated comments and suggestions are clearly labelled (e.g., "CodeAnt AI") in the review interface so that they are distinguishable from human reviewer input.
* Public-facing product documentation describes the capabilities and known limitations of the AI components.

### 5.7 Accuracy, robustness, cybersecurity

* Pre-release evaluation of new model versions against internal benchmark suites covering correctness, false-positive rate, and prompt-injection resistance.
* Standard application-security controls under SOC 2 Type II — report available under NDA.
* Vulnerability management, third-party penetration testing, and secure SDLC practices in place and documented separately.

### 5.8 Non-discrimination

CodeAnt operates on source code and code-adjacent text. The system does not make decisions about natural persons based on protected characteristics. Author and committer identifiers are not used as features influencing model output.

## 6. AI literacy (Art. 4)

CodeAnt provides product documentation, in-product guidance, and onboarding materials so that customer personnel using the platform can develop a sufficient level of AI literacy in the context of their use of the system. Customers remain responsible for ensuring that their own staff complete appropriate AI-literacy training as required under Art. 4.

## 7. AI Act implementation timeline

The AI Act entered into force on 1 August 2024 and applies in phases:

* **2 February 2025** — Prohibitions under Art. 5 and AI-literacy obligations under Art. 4 became applicable.
* **2 August 2025** — GPAI provider obligations and governance provisions became applicable.
* **2 August 2026** — General application of the Act, including most high-risk and transparency obligations.
* **2 August 2027** — Remaining obligations for high-risk systems embedded in regulated products.

CodeAnt continues to monitor implementing acts, delegated acts, harmonised standards, and guidance issued by the European AI Office, and will update this statement accordingly.

## 8. Roles under the AI Act

For the CodeAnt platform:

* **Provider:** CodeAnt AI, Inc.
* **Deployer:** The customer organisation using CodeAnt in the course of its professional activity within the EU.
* **GPAI model providers:** The third-party foundation-model providers referenced in §3, each carrying its own GPAI obligations under Chapter V.

## 9. Supporting documentation available

The following may be provided under NDA to support customer due diligence:

* AI risk assessment summary.
* Data flows description (per deployment mode).
* Model documentation summary / model card.
* SOC 2 Type II report.
* Data Processing Agreement (Art. 28 GDPR) and Standard Contractual Clauses, as applicable.
