For B2B SaaS with AI features used in Europe

Answer procurement's AI governance questionnaire without slowing the deal.

A living record of your AI systems, article-mapped obligations, and the evidence behind them. Exportable as a System Readiness Packet the customer's legal team can review without first asking for the system basics.

  • From €124/mo billed yearly
  • 14-day free trial
  • No credit card

The trigger

It isn't Brussels. It's procurement.

The first AI Act enforcement moment most SaaS teams actually feel isn't a letter from a regulator. It's a 30-to-60 question AI governance addendum that lands during security review for a deal you were about to close.

“Which articles of the EU AI Act apply to your system?” “What's your risk classification?” “Who is the named control owner for Article 14 human oversight?” “Can you provide evidence the system was reviewed in the last 90 days?” Legal forwards it to compliance. Compliance forwards it to engineering. Engineering sends back a Notion link. The deal stalls.

Attevera is the record those questions assume you already have.

What the packet contains

One system, one packet, six parts.

AI system register

Every AI system in your product — model, vendor, data subjects, EU exposure, owner, deployment scope.

Role, vendor, owner

Obligation map

Each system's obligations mapped to the exact articles that apply, with plain-language rationale.

Article-mapped rationale

Control ownership

Named humans — legal, product, engineering — own each obligation. No diffused accountability.

Named operational ownership

Evidence with review dates

Linked controls, source URLs, acknowledged reviewers, 90-day staleness flags.

Review dates and freshness

Append-only audit trail

Every classification, assignment, evidence upload, and sign-off preserved with actor and timestamp.

Append-only activity history

Signed System Readiness Packet

One exportable PDF per system — the artifact you hand to procurement, counsel, or a regulator.

Review-ready handoff

Against the DIY version

What you'd otherwise stitch together.

AI system list in a Notion page that nobody updates after quarter-end

Register that's the source, not a derivative

Obligation mapping in a Google Doc a consultant wrote six months ago

Article mapping updated when systems change — not when the doc gets opened

Evidence in three Drives, two Slack threads, and one person's inbox

Evidence with links, review dates, and staleness flags in one place

A PDF generated once for a deal, already stale by the next deal

A packet that marks stale automatically when a system changes

Answering the same 40 governance questions from scratch every customer

Export, send, move on

Honest scope

What this does and doesn't cover.

In scope

  • Deployer obligations for high-risk AI systems you use under your authority, including Article 26 workflows.
  • Provider-side workflows for high-risk AI systems you develop or place on the market under your name, plus Article 6 carve-out handling for Annex III systems.
  • Article 50 transparency duties where they apply — direct AI interaction disclosures, synthetic-content marking or disclosure, and emotion-recognition or biometric-categorisation notices.
  • Article 73 serious-incident workflow for high-risk systems, including severity-based timelines, evidence capture, and provider or deployer handoff.
  • Article 4 AI literacy records for providers and deployers.

Out of scope

  • GPAI provider obligations (Art. 51–56) — if you train frontier models, Attevera is not your tool.
  • Annex I sector conformity — medical devices, aviation, rail, toy safety, and other embedded-product regimes.
  • SOC 2 / ISO 27001 evidence collection. Run Attevera alongside Vanta or Drata, not in place of them.
  • Legal advice. Your counsel signs off. Attevera helps you produce the record they're reviewing.

Pricing

Starter at €124/mo billed yearly. Growth for most product teams.

Starter covers up to 5 AI systems and 3 team members — enough for a single product with one or two AI features. Growth at €332/mo billed yearly opens it up to 25 systems and 10 members, which is where most AI-heavy SaaS teams settle. No procurement dance, no demo gate — sign up, start with one system, and build the first packet the same day.

Questions teams ask

Before you commit a procurement answer.

Am I a provider or a deployer?

It depends on the system. Under the Act, a provider is the party that develops an AI system, or has it developed, and places it on the market or puts it into service under its own name or trademark. A deployer is the party using an AI system under its authority. Many SaaS teams end up as deployers for some systems and providers for others. Treat role classification as system-specific, and have counsel confirm edge cases.

Do I need a conformity assessment?

Only if the system is high-risk under Annex III or because it is a safety component or product in an Annex I-regulated regime. Many chatbots, copilots, summarizers, and support features sit outside those categories, but the feature label alone is not enough — intended purpose and deployment context decide the classification. Even where a system is not high-risk, Article 50 transparency duties can still apply.

Is this SOC 2 for AI?

No. Attevera is an AI Act specialist — Articles 5, 6(3), 9–15, 50, and 73 are encoded natively. It sits alongside a SOC 2 or ISO 27001 program, not instead of one. If your buyer wants SOC 2, use Vanta or Drata. If your buyer wants an AI governance answer, Attevera is the record behind it.

Will your packet satisfy my customer's legal team?

The packet gives legal what they usually ask for: system description, risk classification with citations, mapped obligations, named control owners, evidence with review dates, and a signed monthly review. Whether that closes the question for any specific counsel is their call. We help you produce the record; we do not replace your customer's legal review.

What about Colorado AI Act, NIST AI RMF, ISO 42001?

The register, ownership, evidence ledger, and monthly review cadence are reusable operating inputs for those frameworks. Attevera's explicit source-tracing is for the EU AI Act. For Colorado, NIST AI RMF, and ISO 42001, use the same record as source material, not as a substitute for framework-specific review or certification work.

Next step

Start with one system. Export a packet. See what your legal team says.