Methodology — how KomplAI checks and why its results hold up

KomplAI is not a chatbot but an audit tool. This page explains, step by step, how an analysis is produced, what it is checked against, and what you can do to verify every single result yourself. It is written to be citable — to your management, your data-protection officer or a supervisory authority. Our standard: traceable findings anchored in the statutory text, not a confident answer without evidence.

How KomplAI checks Documents & code → Statutory grounding → AI analysis → Citation check vs EUR-Lex → Optional verification pass → Report with audit basis How KomplAI checks Verified steps Documents & code Statutory grounding Official EUR-Lex articles & annexes in model context AI analysis Findings per document page / code line Citation check vs EUR-Lex Every citation resolved against the local statutory corpus Optional verification pass Second, critical run: confirmed / uncertain / rejected Report with audit basis Hashes, model id, profile hash, legal version, cost Optional expert review by a data-protection expert (10+ yrs)

1. Statutory grounding — checks run against the law, not the model's memory

A language model only "knows" legal texts approximately, from training. That is not enough for a compliance check. KomplAI therefore places the official statutory texts directly into the model's working context: the relevant articles and annexes of the EU AI Act (Regulation (EU) 2024/1689 incl. all annexes), DORA and the GDPR — verbatim from EUR-Lex. The model works with the law in front of it, not from memory. For every finding the corresponding legal text is carried along, and you can display it right in the result. So a result rests on what the regulation actually says — not on a paraphrase from training.

2. Machine citation verification — every citation is resolved against the statutory corpus

Even with grounding, a model can mis-assign a reference or invent a source. So after the analysis KomplAI checks every single citation in the result mechanically against the local statutory corpus: does this article, this paragraph, this annex actually exist — and in the legal version used? References that resolve are marked as verified; a fabricated "Annex XXVII" or a source outside the corpus is flagged visibly (not found / outside the corpus) instead of being shipped silently. The result openly shows you the count of verified citations. A reference that does not exist cannot slip into your report unnoticed.

3. The verification pass — a second, critical look at every finding

Optionally, any analysis can be run with a verification pass. Here a second, adversarially framed model run checks each finding specifically against two things: the cited document passage (does the uploaded evidence really say this?) and the legal text (does the provision actually support the finding?). Each finding then receives a rating — confirmed, uncertain or rejected. The second run is meant to refute, not to agree; what it cannot refute stands on firmer ground. Rejected and uncertain findings stay visible in the result, so you can see what was filtered out and why. The verification pass is optional and costs one extra credit.

4. Full provenance — every report is reproducible

A defensible result has to be traceable: what was it checked with, against which legal version, with which model? Every KomplAI report therefore carries a basis of assessment with full provenance — among other things:

• SHA-256 checksums of every analysed document (so you can prove which file version was checked);
• the identifier of the model used and the tool version;
• the hash of the check profile used (which questions were asked, under which rules);
• the legal version of the statutory corpus (which version of the EUR-Lex texts the check relied on);
• timestamp and the token / cost effort of the run.

With this information a report can be placed in context, evidenced to third parties and — given the same input — re-run traceably. You are not auditing a black box, but a documented run.

5. Gaps, not hallucinations — conservative when in doubt

The most dangerous failure mode of an AI tool in compliance is not the gap it finds, but the certainty it invents: a finding that asserts a legal basis, a clause or a piece of evidence that does not exist. KomplAI is deliberately built to fail the other way. If something is missing from the uploaded material, it is reported as a gap — not plausibly filled in. In generated documents (such as transparency notices), missing details appear as clearly marked placeholders, never as invented content. This caution means KomplAI will sooner flag an open question than quietly answer it for you. For an audit tool that is the right direction to fail: a flagged gap costs you review time — a missed or invented detail costs you the reliability of the report.

6. Limits — and the boundary to legal advice

We are open about what KomplAI does not do. A check is only ever as good as the material you upload: what you don't provide can't be assessed — a missing piece of evidence shows up as a gap, not as a clearance. Citation verification ensures that a reference exists and that the quoted wording is correct; it does not replace the legal interpretation of whether a provision applies to your specific case. The verification pass, too, lowers the risk of error but does not remove it. And the law is rarely unambiguous: much depends on context, intent and supervisory practice that an automated tool cannot conclusively weigh.

Therefore, unambiguously: All KomplAI results are professional support results and do not constitute legal advice. They are built to prepare and structure the work of qualified people — your data-protection officer, your compliance function, your legal counsel — not to replace it. Responsibility for any decision built on a report stays with you and your advisers.

7. Optional expert review — a human as the final check

Because an automated result prepares human expert review but does not replace it, Tippel offers an optional expert review as a paid add-on: on request, the findings of a report are reviewed by a data-protection expert with over 10 years of experience before you rely on them. This is for customers who want a human check of the results before use — the human in the loop as the final backstop behind grounding, citation verification and the verification pass. The expert review is an optional, separately commissioned managed service by Tippel and is not part of the standard analysis. Even with a review, the boundary from section 6 still holds: it is a professional review by a data-protection expert, not legal advice and not a guarantee of any particular outcome.

Important upfront: All KomplAI results are professional support results and do not constitute legal advice. They support the decision of qualified people — they do not make it.