AI Transparency & EU AI Act Compliance — CyberStackHub

Q: What AI systems does CyberStackHub use and how are they classified under the EU AI Act?

CyberStackHub uses large language models (LLMs) to generate security assessments, policy documents, compliance gap analyses, and incident response plans. Under the EU AI Act, our AI systems are classified as Limited Risk (Article 52) — they assist with information generation and decision support but do not make autonomous decisions affecting fundamental rights. All AI-generated outputs are clearly labeled, and human review is required before acting on any recommendation.

Q: How does CyberStackHub comply with the EU AI Act transparency requirements?

CyberStackHub complies with EU AI Act Article 52 transparency obligations by: (1) clearly labeling all AI-generated content at the point of output, (2) disclosing which AI systems are used in our tools, (3) providing this technical documentation page as required by Article 11, (4) maintaining logs of AI system interactions for accountability, and (5) offering human review pathways for all AI outputs. We conduct regular bias and accuracy audits of our AI systems.

Q: Can non-EU companies use CyberStackHub without EU AI Act concerns?

Yes. The EU AI Act applies to providers placing AI systems on the EU market and deployers using AI systems within the EU. If your business operates entirely outside the EU and does not target EU residents, EU AI Act requirements do not directly apply to your use of CyberStackHub. However, our transparency practices — clear AI labeling, model disclosure, and human review requirements — reflect best practices we apply globally regardless of jurisdiction.

CyberStackHub

1. AI System Risk Classification

Under the EU AI Act, all AI systems must be classified into one of four risk categories. The table below shows how each CyberStackHub AI feature is classified.

AI Feature / Tool	Risk Level	Basis	Obligations
Risk Assessment Tool Scores organizational security posture 0-100	Limited Risk	Informs but does not replace human judgment; no automated decision-making with legal effects	Article 52: AI-generated label, methodology disclosure
AI Document Generators Security policies, incident response plans, compliance gap reports, vendor risk assessments, cyber insurance readiness	Limited Risk	Generates template documents; all outputs require human review before use; no autonomous decisions	Article 52: AI-generated label, transparency statement
Compliance Readiness Checker SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS readiness scoring	Limited Risk	Advisory tool; scores are informational only; not a certified audit or compliance determination	Article 52: AI-generated label, limitation disclaimers
Questionnaire / Assessment Bot 20-question cybersecurity assessment with grading	Limited Risk	Informational scoring; no automated action taken based on responses; human decides next steps	Article 52: Pre-interaction AI disclosure, output labeling
Breach Exposure Simulation AI-generated educational breach simulation	Minimal Risk	Purely educational simulation; clearly labeled as AI-generated; not connected to live breach databases	Voluntary best practice: clear AI-generated label
Password Strength Analyzer Rule-based + AI analysis of password strength	Minimal Risk	Deterministic analysis plus optional AI explanation; no personal data retained	Voluntary best practice: no special obligations
Phishing Indicator Analyzer Analyzes email text and URLs for phishing signals	Minimal Risk	Educational advisory tool; user makes all decisions; no automated filtering or blocking	Voluntary best practice: AI-generated label on output

Classification note: None of CyberStackHub's AI systems fall into the "High Risk" categories defined in EU AI Act Annex III (e.g., critical infrastructure, employment, credit scoring, law enforcement). Our tools are informational and advisory only — humans retain all decision-making authority.

2. AI Models and Providers

CyberStackHub uses large language models (LLMs) from third-party providers to generate outputs. We do not train, fine-tune, or host our own models.

GPT-4 / GPT-4o

Provider: OpenAI, Inc. (San Francisco, CA)

Used for generating structured security documents, compliance reports, risk recommendations, and narrative explanations. OpenAI processes inputs under their Data Processing Agreement. Inputs are not used to train OpenAI models.

Claude (Sonnet / Haiku)

Provider: Anthropic, PBC (San Francisco, CA)

Used for complex analytical assessments, vendor risk analysis, and longer-form document generation. Anthropic processes inputs under their commercial API terms. Inputs are not used to train Anthropic models.

Model selection: The specific model version used may vary based on task complexity, availability, and cost. All models used are commercially licensed general-purpose LLMs with no special training on customer data.

EU data residency: API calls to OpenAI and Anthropic are routed through US-based infrastructure. For organizations with EU data residency requirements, note that assessment inputs (company name, answers to questionnaire questions) are transmitted to US-based AI providers. Personal data is minimized and inputs contain no special category data.

Machine-readable AI system card

https://cyberstackhub.ai/api/ai-transparency

JSON · Public

3. How Outputs Are Generated

3.1 Methodology overview

When you use a CyberStackHub tool, the following steps occur:

Input collection: You provide structured inputs (company name, industry, answers to specific security questions). These are sanitized and validated server-side before being passed to the AI model.
Prompt construction: Our engineering team has developed structured system prompts that instruct the AI model on the cybersecurity framework to apply, the output format required, and the disclaimers to include. These prompts encode expert cybersecurity knowledge from publicly available frameworks (NIST CSF, ISO 27001, SOC 2, HIPAA, PCI DSS, CMMC).
AI inference: The structured prompt plus your inputs are sent to the AI provider API. The model generates a response based on patterns learned during its pre-training.
Post-processing: Outputs are parsed, validated for format compliance, and returned to you. Numeric scores are calculated programmatically from your answers — not solely from AI inference — ensuring consistency.
Logging: The session ID, tool used, and output metadata are stored. Raw inputs and full AI outputs are stored in our database to support your access to historical reports.

3.2 Scoring methodology

Risk scores and compliance readiness percentages are calculated using a weighted scoring algorithm applied to your questionnaire answers. AI models supplement this with qualitative recommendations and narrative explanations — they do not determine the numeric score. This separation ensures scores are reproducible and auditable.

3.3 Calibration and quality

Our system prompts are reviewed by cybersecurity professionals and updated when major framework versions are released. We conduct periodic accuracy reviews against published industry benchmarks. We do not claim perfect accuracy — see Section 5 (Limitations).

4. Data Inputs and Governance

4.1 What data is used as AI input

AI model inputs consist exclusively of data you provide during tool use:

Company or organization name
Industry sector (if provided)
Answers to security questionnaire questions (Yes/No or multiple choice)
Descriptive inputs (e.g., vendor names, tech stack descriptions)
Email address (for report delivery only — not sent to AI providers)

We do not input into AI models:

Actual network configurations, firewall rules, or system credentials
Personal data of individuals beyond the submitting user
Special category data (health, financial, biometric data)
Data from sources other than your direct submission

4.2 No training on user data (EU AI Act Article 10)

CyberStackHub does not use your inputs to train, fine-tune, or improve AI models — ours or any third-party provider's. Your data is processed solely to generate the output you requested.

Both OpenAI and Anthropic have commercial API agreements that prevent API inputs from being used for model training by default. We have verified this with both providers.

4.3 Data retention

AI-generated outputs are stored in your account so you can access historical reports. Inputs are retained for the same period to allow output re-generation or audit. You can request deletion of all AI-generated content associated with your account by emailing privacy@cyberstackhub.ai. We will process deletion requests within 30 days.

5. Known Limitations and Biases

Transparency requires honesty about what our AI systems cannot do well. The following limitations are known and documented.

Training data cutoff

LLMs have knowledge cutoff dates. Newly disclosed CVEs, recently updated compliance standards, or emerging threat actors may not be reflected in outputs. We note the approximate knowledge reference date in full reports.

Self-reported input bias

Our tools rely entirely on inputs you provide. If inputs are incomplete, inaccurate, or optimistic, outputs will reflect those biases. We do not independently verify your security posture.

Geographic and sector gaps

Our prompts are primarily calibrated to US/EU cybersecurity frameworks and English-language standards. Organizations in other regions or operating under non-standard frameworks may receive less accurate guidance.

Non-determinism

LLM outputs are probabilistic. Running the same inputs twice may produce slightly different recommendations. Numeric scores are deterministic; AI-generated narratives are not.

No live system access

We do not perform active penetration testing, live network scans, or real-time vulnerability detection. All assessments are based solely on what you tell us, not what we observe.

Hallucination risk

LLMs can generate plausible-sounding but incorrect information, especially for very specific technical details, regulatory citations, or statistics. Always verify critical findings against primary sources.

6. Human Oversight Mechanisms

CyberStackHub's AI systems are designed with meaningful human oversight at every stage. No AI output triggers automated action — you decide what to do with every result.

🔍

You review all outputs before action Every AI-generated report, score, and recommendation is delivered to you for review. Nothing happens automatically. You decide whether to act, ignore, or seek a second opinion.
⚙

Deterministic scoring layer Numeric risk scores and compliance percentages are calculated algorithmically from your answers — not hallucinated by the AI. This layer is auditable and consistent.
📝

Mandatory disclaimers in every output Every AI-generated document and report includes a disclaimer stating it was AI-generated and is not a certified audit. This is enforced at the prompt level and the UI level.
👥

Human-reviewed system prompts All system prompts that guide AI model behavior are written and reviewed by cybersecurity professionals. Prompts are version-controlled and updated when framework standards change.
📣

Feedback mechanism Every output includes a way to report errors. Reports of significant inaccuracies are reviewed by our team within 5 business days and used to improve prompt quality.
🔒

No automated enforcement or gating CyberStackHub AI outputs are never used to automatically block, approve, deny, or score users for any purpose beyond the immediate report. No downstream systems consume our scores automatically.

7. Your Rights

Under the EU AI Act and GDPR, you have the following rights in relation to CyberStackHub AI systems:

Right to transparency: You have the right to know you are interacting with an AI system. We inform you before and after every AI interaction. This page provides full technical disclosure.
Right to explanation: You can request an explanation of how any specific output was generated. Email privacy@cyberstackhub.ai with your session ID.
Right to human review: If you believe an AI output is inaccurate or has materially harmed you, you can request human review of the methodology. We will respond within 10 business days.
Right to deletion: You can request deletion of all AI-generated outputs and the inputs used to generate them. Submit requests to privacy@cyberstackhub.ai. Requests are processed within 30 days.
Right to object: You may object to your data being processed by AI models. Note that this will prevent you from using AI-powered features, as AI inference is the core service.

8. Contact and Feedback

For questions about this AI transparency documentation, EU AI Act compliance, or to exercise your rights:

Email: privacy@cyberstackhub.ai
Subject line: "AI Transparency / EU AI Act"
Include your account email and session ID (shown on your reports) for faster processing

For general feedback on AI output accuracy: feedback@cyberstackhub.ai

Documentation currency: This page is reviewed and updated quarterly. If you notice outdated information or an inconsistency with our actual practices, please report it so we can correct it promptly. Last review: April 2026.