AI & Data Transparency
Exactly how ReportingGPT uses AI – and what it never does with your data.
No fine-tuning with your reports
Your uploaded sustainability reports are never used to train or fine-tune any AI model – not ours, not AWS's, not any third party's. Each review session is stateless.
AWS Bedrock – stateless inference
We use AWS Bedrock for model inference. AWS documents that Bedrock does not store or log prompts and completions, and does not use them to train AWS foundation models or share them with third parties.
Source: AWS Bedrock Data Protection Policy
Invocation Logging – governance-controlled
AWS Bedrock's optional invocation logging is disabled by default. If enabled for governance purposes, logs are written to CloudWatch/S3 in our own AWS account – never to AWS or third parties. This is a deliberate governance feature, not a data risk.
Source: AWS Bedrock Model Invocation Logging
How the AI improves – validated Audit Knowledge Base
Quality improves at the application layer, not the model layer. Only approved, anonymised auditor comments are stored as structured references and re-used in future reviews via retrieval (RAG principle). No model weights are changed.
Prompt & system design – not disclosed
We do not disclose internal prompt templates, system prompts, guardrail rules, or retrieval parameters. This both protects IP and reduces attack surface (OWASP LLM Top 10: Prompt Injection, System Prompt Leakage).
Intentionally not public – this is a security measure.
Regulatory compliance
EU AI Act, WPK guidance, and professional standards
AI in audit practice is regulated at multiple levels. Here is how ReportingGPT maps to each framework.
Limited risk – not a high-risk AI system
ReportingGPT is classified as a "limited risk" AI system under Art. 6 EU AI Act. It does not fall under any Annex III category (no biometric identification, no critical infrastructure, no employment decisions). Applicable transparency obligations under Art. 50 – including disclosure that content is AI-generated – will be implemented by August 2026.
WPK confirms: AI tools are permitted in audit practice
The Wirtschaftsprüferkammer FAQ on AI (July 2025) establishes three conditions for permissible AI use: (1) confidentiality must be ensured, (2) AI results must not be the sole basis for professional judgement, and (3) the tool must be integrated into the quality management system per IDW QMS 1. ReportingGPT is designed to meet all three requirements.
Your team needs AI competence training
Art. 4 EU AI Act requires that staff operating AI systems have sufficient AI competence – proportionate to the context of use. This applies to auditors using ReportingGPT. We provide onboarding materials and documentation to support your compliance with this obligation.
The world's first auditing standard for AI systems
IDW PS 861 (March 2023) provides a criteria-based framework for evaluating AI systems in professional contexts. ReportingGPT's architecture – stateless inference, no model training, validated knowledge base – is designed to be auditable under this standard.
AI assists. The auditor decides.
ReportingGPT is a review assistant, not a replacement for professional judgement. Every AI-generated comment can be accepted, modified, or dismissed by the auditor. The final review opinion is always yours. This is not just our design philosophy – it is a regulatory requirement per the WPK FAQ on AI and IDW QMS 1.
Questions about our AI architecture?
We are happy to provide additional technical details for procurement, compliance, or DPA purposes.