{"schema_version":"1.0","generated_at":"2026-05-06T16:37:25.561Z","operator":{"name":"Steeled Inc.","product":"CyberStackHub","website":"https://cyberstackhub.ai","contact":"privacy@cyberstackhub.ai","legal_basis_eu":"Art. 6(1)(b) GDPR — processing necessary for performance of contract"},"eu_ai_act_compliance":{"status":"compliant","enforcement_date":"2026-08-02","documentation_url":"https://cyberstackhub.ai/ai-transparency","last_review":"2026-04-12","next_review":"2026-07-01"},"ai_systems":[{"id":"risk-assessment","name":"Cybersecurity Risk Assessment Tool","description":"Scores organizational security posture across 5 domains (Access Control, Data Protection, Network Security, Incident Response, Compliance) producing a 0–100 score, letter grade, and prioritized remediation recommendations.","risk_classification":"limited_risk","eu_ai_act_article":"Article 52 — transparency obligations for certain AI systems","obligations":["Disclose AI-generated nature of output","Inform user before interaction","Provide methodology summary"],"ai_providers":["OpenAI","Anthropic"],"models_used":["gpt-4","gpt-4o","claude-sonnet","claude-haiku"],"input_data":["company_name","industry","employee_count","security_questionnaire_answers"],"output_type":"structured_report","human_oversight":"full — no automated actions taken; user reviews all outputs","training_on_user_data":false,"data_retention_days":365,"cross_border_transfer":true,"transfer_destinations":["US (OpenAI, Anthropic API)"],"safeguards":"Standard Contractual Clauses; commercial API agreements prohibiting training use"},{"id":"document-generators","name":"AI Security Document Generators","description":"Generates cybersecurity policy documents, incident response plans, vendor risk assessments, compliance gap analyses, pentest readiness reports, cyber insurance readiness reports, and security training plans based on user inputs.","risk_classification":"limited_risk","eu_ai_act_article":"Article 52 — transparency obligations 
for certain AI systems","obligations":["Disclose AI-generated nature of output","Include human-review disclaimer in all documents"],"ai_providers":["OpenAI","Anthropic"],"models_used":["gpt-4","gpt-4o","claude-sonnet"],"input_data":["company_name","industry","company_size","user_provided_context"],"output_type":"structured_document","human_oversight":"full — documents are templates requiring human review before use","training_on_user_data":false,"data_retention_days":365,"cross_border_transfer":true,"transfer_destinations":["US (OpenAI, Anthropic API)"],"safeguards":"Standard Contractual Clauses; commercial API agreements prohibiting training use"},{"id":"compliance-checker","name":"Compliance Readiness Checker","description":"Assesses readiness for SOC 2, ISO 27001, HIPAA, GDPR, and PCI DSS frameworks. Produces per-framework readiness scores, gap lists, and certification timelines.","risk_classification":"limited_risk","eu_ai_act_article":"Article 52 — transparency obligations for certain AI systems","obligations":["Disclose AI-generated nature of output","State explicitly that output is not a certified audit"],"ai_providers":["OpenAI","Anthropic"],"models_used":["gpt-4","gpt-4o","claude-sonnet"],"input_data":["company_name","target_frameworks","current_security_measures","industry"],"output_type":"structured_report","human_oversight":"full — advisory only; certified auditors make all compliance determinations","training_on_user_data":false,"data_retention_days":365,"cross_border_transfer":true,"transfer_destinations":["US (OpenAI, Anthropic API)"],"safeguards":"Standard Contractual Clauses; commercial API agreements prohibiting training use"},{"id":"breach-simulation","name":"Breach Exposure Simulation","description":"Educational AI simulation of potential breach exposure based on email/domain. 
Clearly labeled as simulation — not connected to live breach databases.","risk_classification":"minimal_risk","eu_ai_act_article":"Not subject to mandatory Article 52 obligations; voluntary transparency applied","obligations":["Best practice: label output as AI simulation"],"ai_providers":["OpenAI","Anthropic"],"models_used":["gpt-4o","claude-haiku"],"input_data":["email_address_or_domain"],"output_type":"educational_simulation","human_oversight":"full — purely educational; no automated actions","training_on_user_data":false,"data_retention_days":30,"cross_border_transfer":true,"transfer_destinations":["US (OpenAI, Anthropic API)"],"safeguards":"Standard Contractual Clauses; inputs minimized to email/domain only"},{"id":"password-analyzer","name":"Password Strength Analyzer","description":"Analyzes password strength using deterministic algorithms plus optional AI-generated explanation. Passwords are never stored or logged.","risk_classification":"minimal_risk","eu_ai_act_article":"Not subject to mandatory Article 52 obligations","obligations":[],"ai_providers":["OpenAI"],"models_used":["gpt-4o-mini"],"input_data":["password_string"],"output_type":"strength_analysis","human_oversight":"full","training_on_user_data":false,"data_retention_days":0,"data_retention_note":"Passwords are never stored. Zero retention.","cross_border_transfer":false,"transfer_destinations":[],"safeguards":"The password is processed locally for scoring; only the explanation request is sent to the AI provider, and that request does not contain the raw password"},{"id":"phishing-analyzer","name":"Phishing Indicator Analyzer","description":"Analyzes email text, URLs, and sender addresses for phishing signals. 
Advisory output only.","risk_classification":"minimal_risk","eu_ai_act_article":"Not subject to mandatory Article 52 obligations","obligations":["Best practice: label output as AI-generated"],"ai_providers":["OpenAI","Anthropic"],"models_used":["gpt-4o","claude-haiku"],"input_data":["email_text","url","sender_address"],"output_type":"risk_analysis","human_oversight":"full — advisory only; user decides all actions","training_on_user_data":false,"data_retention_days":30,"cross_border_transfer":true,"transfer_destinations":["US (OpenAI, Anthropic API)"],"safeguards":"Inputs truncated to 2000 characters; no full email threads transmitted"}],"data_governance":{"training_on_user_data":false,"training_on_user_data_confirmation":"Verified with OpenAI (commercial API terms) and Anthropic (commercial API terms). These terms do not permit the providers to train on API inputs.","data_minimization":"Only user-provided inputs are sent to AI providers. No browsing history, system telemetry, or third-party data is included.","retention_policy":"AI inputs and outputs retained for account duration or 12 months (whichever is shorter) unless user requests earlier deletion.","deletion_process":"Email privacy@cyberstackhub.ai with subject \"Data Deletion Request\". Processed within 30 days.","eu_transfers":"AI API calls processed in US. Covered by Standard Contractual Clauses with both OpenAI and Anthropic."},"human_oversight_summary":{"automated_decisions":false,"automated_decisions_note":"No AI output on CyberStackHub triggers automated actions. 
All outputs require human review.","feedback_mechanism":"feedback@cyberstackhub.ai","error_correction_sla":"5 business days for significant accuracy errors","human_review_available":true,"human_review_contact":"privacy@cyberstackhub.ai"},"known_limitations":["Training data cutoff — newly emerged threats or updated framework versions may not be reflected","Self-reported input bias — outputs reflect accuracy of user-provided inputs","Geographic calibration — primarily US/EU frameworks; other regions may receive less accurate guidance","Non-determinism — narrative outputs may vary slightly between identical runs","No live system access — assessments are based solely on self-reported information","Hallucination risk — LLMs can generate plausible but incorrect technical details; verify critical findings"]}