External Review PRODUCTION / FULL LIVE

Checklist for independent audit of claims and documents (legal / technical / compliance) before moving from TESTNET to FULL LIVE. This is a readiness checklist — it does not replace an external auditor's report.

1. LEGAL area

☐/☑ | Checklist item | Acceptance criterion | Evidence
☐ | No claims suggesting certification or notification | No wording suggests a certificate, accreditation or notified-body status; services are described as advisory/readiness. | /en/trust-center
☐ | Audit-only / readiness positioning | Public materials consistently position the offering as audit/readiness, not as implementation or a compliance guarantee. | /docs/ai-act-readiness.html
☐ | GRL legal umbrella | Responsible entity and legal umbrella (GRL) clearly identified; the UnionAI ↔ legal entity relationship is documented. | /en/governance
☐ | GDPR / data protection | Privacy policy published; processing bases and data subject rights described; DPO contact indicated. | /en/privacy
☐ | No AI Act overclaims | No statement declares "full AI Act compliance"; claims are limited to mapping/readiness scope. | /docs/ai-act-readiness.html

2. TECHNICAL area

☐/☑ | Checklist item | Acceptance criterion | Evidence
☐ | Authentication boundary | Private resources require a token; anonymous access to PRIVATE-scope data returns 401/403 with no payload or metadata leak. | /api/auth/*
☐ | Rate limiting | Request limit active on sensitive endpoints; fallback mechanism (Redis → in-memory) in place and verified under load. | smoke / CI
☐ | Hash-chain evidence | Evidence chain verifiable end-to-end; no validation bypass; local artefact integrity confirmed. | /api/evidence/verify
☐ | HA / backup | Multi-machine (HA) deployment and a backup policy; state persists across restarts. | /en/status
☐ | Smoke CI | CI pipeline (Unit + Smoke) green on the last deploy; regression tests cover auth and evidence. | CI (Unit + Smoke)
☐ | No secrets in repo/UI | Keys and tokens live exclusively in environment secrets; no sensitive values in code, the repository or the UI layer. | repo audit + secret scan
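
The rate-limiting item above asks for a limiter that keeps working when Redis is unreachable. The Python below is an added example, not code from the UnionAI project: a fixed-window limiter that counts in a redis-py style backend (incr/expire) while it is reachable and, on any backend error, falls back to a per-process in-memory counter. The FakeRedis/FlakyRedis stubs, the Clock helper, the client address and the traffic driven by simulate() are constructed for the demo; the key format, the fixed-window scheme and "any exception means unreachable" are assumptions, not the project's design.

```python
import time


class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per `window` seconds per client.

    Counts live in a shared redis-py style backend (incr/expire) so every HA
    instance sees the same numbers. If a backend call raises, the limiter marks
    itself degraded and continues with a per-process in-memory counter, so the
    endpoint stays limited instead of becoming unlimited.
    """

    def __init__(self, backend, limit, window, clock=time.time):
        self.backend = backend
        self.limit = limit
        self.window = window
        self.clock = clock
        self.degraded = False          # export this to monitoring in a real deployment
        self._local_window = None
        self._local_counts = {}

    def _window_id(self):
        return int(self.clock() // self.window)

    def allow(self, client):
        """Return True if the request is within the limit for the current window."""
        wid = self._window_id()
        if not self.degraded:
            key = f"rl:{client}:{wid}"   # assumption: one key per client per window
            try:
                count = self.backend.incr(key)
                if count == 1:
                    self.backend.expire(key, self.window)
                return count <= self.limit
            except Exception:
                self.degraded = True      # assumption: any backend error = unreachable
        # Fallback: in-memory counter, reset when the window rolls over.
        if wid != self._local_window:
            self._local_window, self._local_counts = wid, {}
        n = self._local_counts.get(client, 0) + 1
        self._local_counts[client] = n
        return n <= self.limit


class FakeRedis:
    """Constructed stand-in for the two redis-py calls used above."""

    def __init__(self, clock):
        self.clock = clock
        self.store = {}                # key -> [count, expires_at or None]

    def incr(self, key):
        rec = self.store.get(key)
        if rec is None or (rec[1] is not None and rec[1] <= self.clock()):
            rec = self.store[key] = [0, None]
        rec[0] += 1
        return rec[0]

    def expire(self, key, seconds):
        self.store[key][1] = self.clock() + seconds


class FlakyRedis(FakeRedis):
    """Same, but raises ConnectionError after `fail_after` successful incr() calls
    (fail_after=None never fails)."""

    def __init__(self, clock, fail_after=None):
        super().__init__(clock)
        self.calls_left = fail_after

    def incr(self, key):
        if self.calls_left is not None:
            if self.calls_left <= 0:
                raise ConnectionError("redis unreachable")
            self.calls_left -= 1
        return super().incr(key)


class Clock:
    """Manual clock so the demo is deterministic."""

    def __init__(self, t=1000.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(limit=3, window=10, fail_after=None):
    """Send limit+3 requests from one client in a window, then limit+1 after rollover.

    Returns (decisions, degraded). With fail_after=None the backend stays healthy;
    with fail_after=2 it dies on the third request and the fallback takes over.
    """
    clock = Clock()
    rl = RateLimiter(FlakyRedis(clock, fail_after), limit, window, clock)
    decisions = [rl.allow("10.0.0.7") for _ in range(limit + 3)]   # constructed client
    clock.advance(window)
    decisions += [rl.allow("10.0.0.7") for _ in range(limit + 1)]
    return decisions, rl.degraded


if __name__ == "__main__":
    print("healthy:", simulate())
    print("redis dies mid-window:", simulate(fail_after=2))
```

The simulation makes the fallback gap visible: when the backend dies two requests into the window, the in-memory counter starts from zero, so the client gets limit + 2 requests before the first denial instead of limit. Two consequences matter for the HA item below: each instance keeps its own fallback counter, so N instances allow roughly N × limit during a Redis outage, and the degraded flag should reach monitoring so the outage is seen rather than silently tolerated. For the most sensitive endpoints, failing closed (deny while degraded) is the stricter choice.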

3. COMPLIANCE area

☐/☑ | Checklist item | Acceptance criterion | Evidence
☐ | AI Act readiness matrix | Readiness matrix maps requirements to implementation status; gaps labelled and assigned. | /docs/ai-act-readiness.html
☐ | Risk register | Risks catalogued with assessment, owner and mitigation status; kept current. | /en/risk-register
☐ | Incident policy | Incident reporting, classification and communication process documented and publicly available. | /en/incidents
☐ | Human oversight | Human oversight mechanisms over agent actions described; intervention and escalation points defined. | /en/human-oversight
☐ | Evidence manifest | Evidence manifest complete; artefacts listed with sha256 hashes; no unexplained null entries. | /evidence/manifest.json

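The hash-chain evidence item (technical area) and the evidence manifest item above both come down to one check an auditor can rerun locally: every entry's hash must cover its predecessor's hash and its own content, and every artefact in the manifest must carry a real sha256. The Python below is an added example, not the project's /api/evidence/verify implementation: the entry layout (seq, prev_hash, payload, hash), the all-zero genesis prev_hash, canonical-JSON hashing and the manifest shape {path: sha256} are assumptions, and the chain, artefacts and manifest built in demo() are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # assumption: prev_hash of the first entry is 64 zero hex digits


def canonical(obj):
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(seq, prev_hash, payload):
    """sha256 over the previous hash and this entry's own content."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical({"seq": seq, "payload": payload}))
    return h.hexdigest()


def append(chain, payload):
    """Append a correctly linked entry to `chain` (a list of dicts) and return it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev_hash": prev, "payload": payload,
                  "hash": entry_hash(seq, prev, payload)})
    return chain


def verify_chain(chain):
    """Return (ok, problems). Every entry is checked and every problem reported."""
    problems = []
    expected_prev = GENESIS
    for i, e in enumerate(chain):
        missing = [f for f in ("seq", "prev_hash", "payload", "hash") if e.get(f) is None]
        if missing:
            problems.append(f"entry {i}: null/missing field(s) {missing}")
            expected_prev = None      # nothing after a malformed entry can be trusted
            continue
        if e["seq"] != i:
            problems.append(f"entry {i}: seq {e['seq']} out of order")
        if e["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: prev_hash does not match entry {i - 1}")
        if e["hash"] != entry_hash(e["seq"], e["prev_hash"], e["payload"]):
            problems.append(f"entry {i}: hash does not match content")
        expected_prev = e["hash"]
    return not problems, problems


def verify_manifest(manifest, artefacts):
    """manifest: {path: sha256 hex or None}; artefacts: {path: bytes}.

    A null digest is reported, not ignored; unlisted artefacts are reported too.
    """
    problems = []
    for path, digest in manifest.items():
        if digest is None:
            problems.append(f"{path}: null digest")
        elif path not in artefacts:
            problems.append(f"{path}: artefact missing")
        elif hashlib.sha256(artefacts[path]).hexdigest() != digest:
            problems.append(f"{path}: sha256 mismatch")
    problems += [f"{p}: not in manifest" for p in artefacts if p not in manifest]
    return not problems, problems


def demo():
    """Constructed chain and manifest: tamper, rehash, and a null manifest entry."""
    chain = []
    for payload in ({"event": "deploy", "ref": "abc123"},
                    {"event": "smoke", "result": "pass"},
                    {"event": "review", "result": "GO CONTROLLED"}):
        append(chain, payload)
    chain_ok, _ = verify_chain(chain)

    tampered = json.loads(json.dumps(chain))           # deep copy
    tampered[1]["payload"]["result"] = "fail"         # edit history, hash untouched
    tampered_ok, tamper_problems = verify_chain(tampered)

    rehashed = json.loads(json.dumps(tampered))
    e = rehashed[1]
    e["hash"] = entry_hash(e["seq"], e["prev_hash"], e["payload"])  # cover the edit
    rehashed_ok, rehash_problems = verify_chain(rehashed)

    artefacts = {"report.md": b"# External review\n"}   # constructed artefact
    manifest = {"report.md": hashlib.sha256(artefacts["report.md"]).hexdigest(),
                "pentest.pdf": None}                   # unexplained null entry
    manifest_ok, manifest_problems = verify_manifest(manifest, artefacts)
    return {"chain_ok": chain_ok, "tampered_ok": tampered_ok,
            "tamper_problems": tamper_problems, "rehashed_ok": rehashed_ok,
            "rehash_problems": rehash_problems, "manifest_ok": manifest_ok,
            "manifest_problems": manifest_problems}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details carry the "no validation bypass" requirement: a null or missing field is reported as a failure rather than skipped, and the verifier reports every problem instead of stopping at the first. The rehashed case shows the limit of the technique: whoever can rewrite the whole file can rehash every entry after the edit, so the head hash has to be pinned somewhere the file cannot change (published, or signed as part of the gate) for the end-to-end check to mean anything.
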
Procedure

How to commission a review

The external review must be performed by independent third parties — self-assessment does not satisfy this gate's criterion. Recommended composition:

  • Independent legal auditor: verifies claims, audit-only positioning, the GRL umbrella and GDPR compliance.
  • Pentest / security audit: an independent firm (the operator's choice here: RSpace, rspace.com.pl) confirms the auth boundary, rate limiting and the absence of secrets.
  • Compliance review: independent verification of the AI Act readiness matrix, risk register and policies (incidents, human oversight).

Output: an external report with date, scope, findings and status of each checklist item. Items ☐ move to ☑ only on the basis of auditor confirmation.

Result

Review outcome

First non-invasive review: 2026-05-24. Report and remediation status: docs/reports/EXTERNAL_REVIEW_2026-05-24.md.

  • Non-invasive technical review (code/OpenAPI/endpoints): ✅ 2026-05-24 — GO CONTROLLED / NOT FULL GO. Report: EXTERNAL_REVIEW_2026-05-24.md
  • Legal/communications review: ✅ 2026-05-24 — GO CONTROLLED; claims softened (LEGAL_CLAIMS_MATRIX).
  • EU AI Act readiness review: ✅ 2026-05-24 — GO CONTROLLED conditionally. Report: AI_ACT_READINESS_REVIEW_2026-05-24.md
  • Self-pentest (active, bounded, self-assessment — NOT independent): ✅ 2026-05-24 — 0 BLOCKER/CRITICAL/MAJOR, 2× MINOR fixed. Report: SELF_PENTEST_2026-05-24.md
  • Independent active pentest (RSpace, rspace.com.pl): ✅ 2026-05-25 — completed and accepted; all CRITICAL + MAJOR addressed, verified live.

Readiness review scope: provider/deployer/operator roles matrix, high-risk classification per use case, human oversight, risk register, incident policy, and the claim ≤ proof rule. Status: GO CONTROLLED; this is a readiness review, NOT a certification, notification or conformity assessment. Condition for P2-07 (FULL GO): all BLOCKER/CRITICAL findings closed (addressed), an active pentest completed, and the gate signatures collected.

Remediation closed: CRITICAL-01 (CSP), CRITICAL-02 (CORS allowlist), BLOCKER-01 (incident/governance auth, agent unverified, ack pending), BLOCKER-02 (status language), MAJOR-02/03. Still open: endpoint class refactor + quarantine, evidence v2, CI security tooling. Details in the report.

Aggregate status: independent pentest (RSpace) COMPLETED and ACCEPTED 2026-05-25; all CRITICAL + MAJOR addressed, verified live and accepted by the auditor. FULL GO (P2-07) REACHED: 3 signatures on /production-gate + NETWORK_STATUS=PRODUCTION switched 2026-05-26. The network operates in production mode (FULL LIVE).