// EXTERNAL REVIEW โ€” independent audit checklist

External Review PRODUCTION / FULL LIVE

Checklist for independent audit of claims and documents (legal / technical / compliance) before moving from TESTNET to FULL LIVE. This is a readiness checklist โ€” it does not replace an external auditor's report.

๐Ÿ‡ต๐Ÿ‡ฑ Polski (PL)  ยท  ๐Ÿ‡ฌ๐Ÿ‡ง English (EN)
STATUS: REVIEW NOT COMPLETED

An independent external review has not yet been carried out. The gate is awaiting an external auditor / partner (legal, technical and compliance). The checklist below defines the readiness scope for such an audit. All items marked โ˜ remain to be confirmed by a third party; the operator's self-assessment does not satisfy the "external review" criterion.

1. LEGAL area

โ˜/โ˜‘Checklist itemAcceptance criterionEvidence
โ˜ Claims without certification/notification suggestion No wording suggesting a certificate, accreditation or notified-body status; services described as advisory/readiness. /en/trust-center
โ˜ Audit-only / readiness positioning Public materials consistently position the offering as audit/readiness, not as implementation or compliance guarantee. /docs/ai-act-readiness.html
โ˜ GRL legal umbrella Responsible entity and legal umbrella (GRL) clearly identified; UnionAI โ†” legal entity relationship documented. /en/governance
โ˜ GDPR / data protection Privacy policy published, processing bases and data subject rights described; DPO contact indicated. /en/privacy
โ˜ No AI Act overclaims No statement declares "full AI Act compliance"; claims limited to mapping/readiness scope. /docs/ai-act-readiness.html

2. TECHNICAL area

โ˜/โ˜‘Checklist itemAcceptance criterionEvidence
โ˜ Authentication boundary Private resources require a token; anonymous access to PRIVATE-scope data returns 401/403 (no payload or metadata leak). /api/auth/*
โ˜ Rate limiting Request limit active on sensitive endpoints; mechanism with fallback (Redis โ†’ in-memory), verified under load. smoke / CI
โ˜ Hash-chain evidence Evidence chain verifiable end-to-end; no validation bypass; local artefact integrity confirmed. /api/evidence/verify
โ˜ HA / backup Multi-machine deployment (HA) and backup policy; state persistence survives restart. /en/status
โ˜ Smoke CI CI pipeline (Unit + Smoke) green on last deploy; regression tests for auth and evidence. CI (Unit + Smoke)
โ˜ No secrets in repo/UI Keys and tokens exclusively in environment secrets; no sensitive values in code, repository or UI layer. repo audit + secret scan

3. COMPLIANCE area

โ˜/โ˜‘Checklist itemAcceptance criterionEvidence
โ˜ AI Act readiness matrix Readiness matrix maps requirements to implementation status; gaps labelled and assigned. /docs/ai-act-readiness.html
โ˜ Risk register Risks catalogued with assessment, owner and mitigation status; current. /en/risk-register
โ˜ Incident policy Incident reporting, classification and communication process documented and publicly available. /en/incidents
โ˜ Human oversight Human oversight mechanisms over agent actions described; intervention and escalation points defined. /en/human-oversight
โ˜ Evidence manifest Evidence manifest complete; artefacts with sha256 hashes; no unexplained null entries. /evidence/manifest.json
Procedure

How to commission a review

The external review must be performed by independent third parties โ€” self-assessment does not satisfy this gate's criterion. Recommended composition:

  • Independent legal auditor โ€” verifying claims, audit-only positioning, GRL umbrella and GDPR compliance.
  • Pentest / security audit โ€” independent firm (e.g. operator's choice: RSpace (rspace.com.pl)) confirming auth boundary, rate limiting and absence of secrets.
  • Compliance review โ€” independent verification of the AI Act readiness matrix, risk register and policies (incidents, human oversight).

Output: an external report with date, scope, findings and status of each checklist item. Items โ˜ move to โ˜‘ only on the basis of auditor confirmation.

Result

Review outcome

First non-invasive review: 2026-05-24. Report and remediation status: docs/reports/EXTERNAL_REVIEW_2026-05-24.md.

  • Non-invasive technical review: โœ… 2026-05-24 โ€” GO CONTROLLED / NOT FULL GO. Report: EXTERNAL_REVIEW_2026-05-24.md
  • Legal/communications review: โœ… 2026-05-24 โ€” GO CONTROLLED; claims softened (LEGAL_CLAIMS_MATRIX).
  • EU AI Act readiness review: โœ… 2026-05-24 โ€” GO CONTROLLED conditionally. Report: AI_ACT_READINESS_REVIEW_2026-05-24.md
  • Self-pentest (active, bounded, self-assessment โ€” NOT independent): โœ… 2026-05-24 โ€” 0 BLOCKER/CRITICAL/MAJOR. Report: SELF_PENTEST_2026-05-24.md
  • Independent active pentest (RSpace, rspace.com.pl): โœ… 2026-05-25 โ€” completed and accepted; all CRITICAL + MAJOR addressed, verified live.

Remediation: CRITICAL-01 (CSP), CRITICAL-02 (CORS allowlist), BLOCKER-01/02 โ€” closed. Details in report.

Aggregate status: independent pentest (RSpace) COMPLETED and ACCEPTED 2026-05-25; all CRITICAL + MAJOR addressed, verified live and accepted by the auditor. FULL GO (P2-07) REACHED: 3 signatures on /production-gate + NETWORK_STATUS=PRODUCTION switched 2026-05-26.