Paxeer. All documents
COMPLIANCE

EU AI Act Compliance

Operator
PaxLabs Inc., a Delaware corporation ("PaxLabs," "we," "us," or the "Operator")
Applies to
the Matrix agentic infrastructure, AI Agents, the natural-language-to-on-chain intent layer, and related AI-powered features of the Services, to the extent they are offered to, used by, or produce effects on persons in the European Union.
Version
1.0
Effective Date
June 10, 2026

1Overview and Purpose

1.1 Regulation (EU) 2024/1689 (the "EU AI Act" or the "Act") establishes a comprehensive, risk-based regulatory framework for artificial intelligence systems in the European Union. This page describes how PaxLabs approaches the Act in connection with the Matrix infrastructure, the AI Agents it powers, and the AI-driven features of the Services.

1.2 This page supplements the Terms of Service, the AI Agent Responsible Use Policy (the "Agent Policy"), the Acceptable Use Policy, and the Privacy Policy. It is intended to provide transparency regarding PaxLabs' compliance posture and to inform Developers and Operators of their own obligations under the Act. It does not constitute legal advice regarding any Developer's or Operator's obligations.

1.3 Phased application timeline. The Act entered into force on 1 August 2024 and applies on a phased basis:

  • (i)2 February 2025 — Prohibitions on certain AI practices (Article 5) apply.
  • (ii)2 August 2025 — Obligations for general-purpose AI ("GPAI") models (Chapter V) and governance provisions apply.
  • (iii)2 August 2026 — Obligations for most high-risk AI systems (Annex III categories) apply, including conformity assessment, registration, and ongoing compliance requirements.
  • (iv)2 August 2027 — Obligations for high-risk AI systems that are safety components of products covered by existing EU harmonized legislation (Annex I) apply.

1.4 PaxLabs monitors the phased application timeline and emerging guidance from the European AI Office, national competent authorities, and standards bodies, and updates its compliance approach as obligations come into effect and interpretive guidance develops.

2Roles Under the Act

2.1 The Act's Role Framework.

The Act assigns obligations to different actors in the AI value chain, including:

  • (i)Provider — a natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
  • (ii)Deployer — a natural or legal person that uses an AI system under its authority, except where the AI system is used in the course of a personal, non-professional activity.
  • (iii)Distributor — a natural or legal person in the supply chain, other than the provider or importer, that makes an AI system available on the EU market.
  • (iv)Importer — a natural or legal person located or established in the EU that places on the market an AI system bearing the name or trademark of a provider established outside the EU.

2.2 PaxLabs' Role Classification.

PaxLabs' role under the Act varies by component of the Services:

  • (i)Matrix runtime and intent layer. PaxLabs develops and operates the Matrix runtime, including the constrained execution environment, the natural-language-to-on-chain intent layer, and the Agent orchestration infrastructure. To the extent these components constitute AI systems within the meaning of the Act, PaxLabs may act as a provider (where PaxLabs develops the system and makes it available under its name) and/or a deployer (where PaxLabs uses the system in the course of operating the Services). [Counsel to confirm classification for each component based on the Act's definition of "AI system" (Article 3(1)) and emerging guidance.]
  • (ii)Developer-built Agents and applications. Developers who build, train, fine-tune, and operate their own Agents, models, and AI-powered applications through Matrix are themselves providers and/or deployers of those systems. PaxLabs provides infrastructure; PaxLabs does not assume the Developer's provider or deployer obligations for systems the Developer creates and operates.
  • (iii)Third-party GPAI models. Where PaxLabs integrates or routes inference requests to third-party GPAI models, the provider obligations applicable to the GPAI model (including technical documentation, copyright-related policies, and systemic-risk obligations where applicable) remain with the GPAI model provider. PaxLabs' role with respect to integrated third-party models is that of a deployer or downstream provider, depending on the degree of modification and the manner of integration. [Counsel to confirm classification for each material third-party model integration.]
  • (iv)Infrastructure provision. Where PaxLabs solely provides computing infrastructure (hosting, API routing, execution environment) without developing or substantially modifying the AI system itself, PaxLabs may not be acting as a provider or deployer of that system. However, PaxLabs acknowledges that providing specialized AI infrastructure may carry obligations under specific provisions of the Act, including transparency and record-keeping requirements.

2.3 Role Determination Is Dynamic.

Role classification under the Act may change as the Services evolve, as PaxLabs modifies its level of involvement with particular AI components, and as regulatory guidance develops. PaxLabs reassesses its role classification periodically and upon material changes to the offering.

3Risk Classification

3.1 The Act's Risk Tiers.

The Act classifies AI systems into four risk categories, with escalating obligations:

  • (i)Prohibited practices (Article 5) — AI systems and uses that are banned outright.
  • (ii)High-risk AI systems (Title III, Annex III) — AI systems subject to comprehensive pre-market and post-market obligations.
  • (iii)Limited-risk AI systems — AI systems subject to specific transparency obligations (Article 50).
  • (iv)Minimal-risk AI systems — AI systems not subject to mandatory obligations beyond voluntary codes of practice.

3.2 Prohibited Practices.

PaxLabs does not permit the use of the Services for practices prohibited under Article 5 of the Act. The following are prohibited on the Services regardless of the Operator's jurisdiction:

  • (i)Manipulative and deceptive techniques — AI systems that deploy subliminal, manipulative, or deceptive techniques to materially distort behavior and cause significant harm.
  • (ii)Exploitation of vulnerabilities — AI systems that exploit vulnerabilities of specific groups (age, disability, social or economic situation) to materially distort behavior and cause significant harm.
  • (iii)Social scoring — AI systems that evaluate or classify individuals based on social behavior or personal characteristics, leading to detrimental or disproportionate treatment unrelated to the context in which the data was collected.
  • (iv)Prohibited biometric practices — including real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions not applicable to the Services), untargeted scraping of facial images for facial-recognition databases, emotion recognition in workplaces and educational institutions (with limited exceptions), and biometric categorization to infer sensitive attributes (race, political opinions, trade union membership, religious beliefs, sex life, or sexual orientation).
  • (v)Predictive policing based solely on profiling — AI systems that make risk assessments of natural persons to predict criminal offenses based solely on profiling or personality traits.

These prohibitions are enforced through the Acceptable Use Policy and the AI Agent Responsible Use Policy. Violations may result in immediate termination and referral to authorities.

3.3 High-Risk AI Systems.

  • (i)Where an Agent, application, or AI-powered feature deployed through Matrix falls within a high-risk category under Annex III of the Act — including, by way of example, AI systems used for: biometric identification and categorization; management and operation of critical infrastructure; education and vocational training (determining access or assessing students); employment (recruitment, selection, evaluation, monitoring); access to essential private and public services (creditworthiness assessment, risk assessment for insurance, emergency services dispatch); law enforcement; migration, asylum, and border control; and administration of justice and democratic processes — the applicable provider and/or deployer obligations apply.
  • (ii)Provider obligations for high-risk systems include, without limitation: establishing and maintaining a risk-management system; data governance and management for training, validation, and testing data; technical documentation; record-keeping and logging; transparency and provision of information to deployers; human-oversight measures; accuracy, robustness, and cybersecurity requirements; conformity assessment prior to placing on the market or putting into service; EU declaration of conformity; CE marking; and registration in the EU database.
  • (iii)Deployer obligations for high-risk systems include, without limitation: using the system in accordance with the provider's instructions; assigning human oversight to competent individuals; ensuring input data is relevant and representative; monitoring operation and reporting to the provider; conducting a data-protection impact assessment where required; and, for deployers that are public bodies or certain private entities, conducting a fundamental-rights impact assessment.
  • (iv)PaxLabs' position. Where PaxLabs acts as the provider or deployer of a high-risk AI system, PaxLabs will fulfill the applicable obligations. Where a Developer or Operator deploys a high-risk system through Matrix, that Developer or Operator is responsible for its own provider and/or deployer obligations. PaxLabs does not perform conformity assessments, register AI systems, or fulfill provider obligations on behalf of Developers or Operators.

3.4 Limited-Risk — Transparency Obligations.

  • (i)AI systems that interact directly with natural persons must be designed and deployed so that the natural person is informed that they are interacting with an AI system, unless this is obvious from the circumstances (Article 50(1)).
  • (ii)Providers of AI systems that generate synthetic audio, image, video, or text content must ensure that the outputs are marked in a machine-readable format and are detectable as artificially generated or manipulated (Article 50(2)).
  • (iii)Deployers of AI systems that generate or manipulate content constituting a deep fake must disclose that the content has been artificially generated or manipulated (Article 50(4)).
  • (iv)These transparency obligations are reflected in the Agent Policy (Section 7) and are the responsibility of the relevant provider and/or deployer.

3.5 Minimal-Risk Systems.

AI systems that do not fall into the prohibited, high-risk, or limited-risk categories are subject to no mandatory obligations under the Act, though PaxLabs encourages Operators to adopt voluntary codes of practice and responsible-use principles consistent with the Agent Policy.

4General-Purpose AI (GPAI) Models

4.1 GPAI Framework.

The Act imposes specific obligations on providers of GPAI models (Chapter V), recognizing that these models can be integrated into a wide variety of downstream AI systems.

4.2 Third-Party GPAI Models.

Matrix routes inference requests to third-party GPAI model providers. Obligations applicable to GPAI model providers include:

  • (i)Drawing up and maintaining technical documentation of the model, including training and testing processes and evaluation results;
  • (ii)Drawing up and maintaining information and documentation for downstream providers who integrate the GPAI model into their AI systems;
  • (iii)Establishing a policy to comply with EU copyright law, including the text-and-data-mining opt-out under the Digital Single Market Directive (Directive (EU) 2019/790); and
  • (iv)Publishing a sufficiently detailed summary of the training data.

These obligations rest with the respective GPAI model provider, not with PaxLabs as an integrator or deployer.

4.3 GPAI Models with Systemic Risk.

Where a GPAI model is classified as presenting systemic risk (based on cumulative compute used for training exceeding the threshold set by the Act, or by Commission designation), additional obligations apply to the model provider, including: model evaluation in accordance with standardized protocols; assessment and mitigation of systemic risks; adversarial testing (red-teaming); incident tracking and reporting to the AI Office; and ensuring adequate cybersecurity.

PaxLabs monitors the systemic-risk classifications of the GPAI models it integrates. Where a model used by Matrix is classified as presenting systemic risk, PaxLabs will assess the implications for its own compliance posture and may adjust model-routing decisions accordingly.

4.4 PaxLabs as GPAI Model Provider.

To the extent PaxLabs develops and makes available a GPAI model under its own name (rather than solely integrating third-party models), PaxLabs will fulfill the applicable GPAI model provider obligations. [Counsel to confirm whether any PaxLabs-developed component constitutes a GPAI model within the meaning of the Act.]

5How Matrix Supports Compliance

5.1 Matrix's architecture includes features that support EU AI Act compliance by Operators, Developers, and PaxLabs itself. These features are engineering capabilities, not compliance guarantees — fulfillment of legal obligations remains the responsibility of the relevant provider or deployer.

5.2 Constrained Runtime.

The Matrix runtime operates within a constrained execution environment with a closed verb vocabulary and typed intent representation. This architecture limits the actions an Agent can take to a predefined set of authorized operations, supporting the boundedness, predictability, and oversight of Agent behavior.

5.3 Deterministic Replay and Logging.

Matrix is designed so that a canonical intent produces a byte-identical, replayable execution record. This provides:

  • (i)Traceability — the ability to reconstruct the sequence of actions taken by an Agent, supporting the logging and record-keeping obligations applicable to high-risk systems;
  • (ii)Auditability — the ability to verify that an Agent acted within its authorized scope and in accordance with its configuration; and
  • (iii)Reproducibility — the ability to reproduce an Agent's behavior for investigation, debugging, or regulatory inspection.

5.4 Human-Oversight Controls.

Matrix provides controls that enable Operators to monitor, constrain, suspend, and halt their Agents, consistent with the Agent Policy (Section 3). These controls support the human-oversight requirements applicable to high-risk AI systems under Article 14 of the Act.

5.5 Transparency Infrastructure.

Matrix supports Operators in fulfilling transparency obligations by providing mechanisms for: (a) disclosing automated operation to Users who interact with Agents; and (b) labeling AI-generated content where required. Implementation of these mechanisms for a specific Agent is the Operator's responsibility.

5.6 Limitations.

Matrix's compliance-supporting features do not: (a) perform conformity assessments; (b) automatically classify AI systems into risk categories; (c) generate technical documentation required of providers; (d) conduct fundamental-rights impact assessments; or (e) substitute for the Operator's or Developer's independent legal analysis of their obligations. These obligations require human judgment and legal expertise.

6Developer and Operator Responsibilities

6.1 Independent Obligation.

Developers and Operators who build, deploy, or operate AI systems through Matrix are independently responsible for determining their own role and obligations under the Act. PaxLabs provides infrastructure and compliance-supporting tooling; PaxLabs does not assume or discharge a Developer's or Operator's legal obligations under the Act.

6.2 Key Obligations for Developers and Operators.

Depending on their role classification, Developers and Operators may be responsible for:

  • (i)Risk classification — determining whether their AI system is prohibited, high-risk, limited-risk, or minimal-risk under the Act;
  • (ii)Conformity assessment — completing the required conformity-assessment procedure for high-risk systems before placing them on the market or putting them into service;
  • (iii)Registration — registering high-risk AI systems and certain AI systems used by public authorities in the EU database established under Article 71;
  • (iv)Technical documentation — preparing and maintaining technical documentation that demonstrates compliance with the Act's requirements;
  • (v)Transparency — informing natural persons when they are interacting with an AI system, labeling AI-generated content, and disclosing deep fakes;
  • (vi)Human oversight — implementing measures that allow effective oversight by natural persons during the period of use of the AI system;
  • (vii)Data governance — ensuring that training, validation, and testing data meet the quality and governance standards required by the Act;
  • (viii)Post-market monitoring — monitoring the performance of the AI system after deployment and reporting serious incidents to competent authorities;
  • (ix)Fundamental-rights impact assessment — where required, conducting an assessment of the impact on fundamental rights before deploying a high-risk system; and
  • (x)Record-keeping — maintaining logs automatically generated by the AI system, to the extent under their control, for a period appropriate to the intended purpose and applicable legal obligations.

6.3 PaxLabs' Support Role.

PaxLabs supports Developers and Operators by:

  • (i)Providing the compliance-supporting infrastructure features described in Section 5;
  • (ii)Making available documentation regarding the Matrix runtime, execution environment, and logging capabilities;
  • (iii)Cooperating with reasonable requests for information necessary for a Developer or Operator to fulfill its own compliance obligations; and
  • (iv)Updating this page and related documentation as guidance and standards develop.

PaxLabs does not provide legal advice to Developers or Operators regarding their EU AI Act obligations.

7Governance and Internal Processes

7.1 Internal AI Governance.

PaxLabs maintains internal processes to:

  • (i)Assess the applicability of the Act to the Services and to specific components of the offering, and reassess as the offering evolves;
  • (ii)Monitor regulatory developments, including guidance from the European AI Office, delegated acts, implementing acts, harmonized standards, and codes of practice;
  • (iii)Classify and document PaxLabs' role (provider, deployer, or other) for each relevant AI component;
  • (iv)Implement and maintain compliance measures proportionate to PaxLabs' obligations;
  • (v)Train relevant personnel on EU AI Act requirements and internal procedures; and
  • (vi)Coordinate with OpenNet Security LLC on security, robustness, and adversarial-testing measures relevant to AI system integrity.

7.2 Standards and Codes of Practice.

PaxLabs monitors the development of harmonized European standards (through CEN/CENELEC and other standards bodies) and codes of practice issued under the Act. Where applicable standards are adopted, PaxLabs will assess alignment and implement changes as necessary to maintain compliance.

7.3 Incident Reporting.

Where PaxLabs becomes aware of a serious incident involving an AI system it has placed on the market or put into service, PaxLabs will report the incident to the relevant national competent authority in accordance with Article 73 of the Act. Developers and Operators who experience serious incidents involving their own AI systems deployed through Matrix are independently responsible for their own reporting obligations.

8EU Authorized Representative

8.1 Where PaxLabs is a provider of an AI system placed on the EU market and does not have an establishment in the EU, PaxLabs is required to appoint an EU authorized representative under Article 22 of the Act.

8.2 EU Authorized Representative: [Name, address, and contact information to be inserted — counsel to confirm whether appointment is required and to designate the representative.]

8.3 The EU authorized representative is mandated to: (a) verify that the EU declaration of conformity and technical documentation have been drawn up; (b) keep a copy of the declaration of conformity and technical documentation available to competent authorities; (c) cooperate with competent authorities upon reasoned request; (d) inform the provider of any request from a competent authority; and (e) terminate the mandate if the provider acts contrary to its obligations under the Act.

9Enforcement and Penalties

9.1 The Act establishes a tiered penalty framework for non-compliance:

  • (i)Violations of prohibited AI practices (Article 5) — administrative fines of up to EUR 35,000,000 or 7% of worldwide annual turnover, whichever is higher.
  • (ii)Violations of high-risk AI system obligations and other substantive requirements — administrative fines of up to EUR 15,000,000 or 3% of worldwide annual turnover, whichever is higher.
  • (iii)Supply of incorrect, incomplete, or misleading information to authorities — administrative fines of up to EUR 7,500,000 or 1% of worldwide annual turnover, whichever is higher.

9.2 Developers and Operators are independently liable for their own violations. PaxLabs' compliance with this page and the Agent Policy does not shield a Developer or Operator from penalties arising from their own non-compliance.

9.3 PaxLabs may take enforcement action under the AUP and Agent Policy — including suspension or termination — against Developers or Operators whose AI systems violate the Act's prohibitions or pose a risk to Users, regardless of whether a regulatory authority has taken action.

10Relationship to Other Policies

This page operates alongside and should be read together with:

  • (i)The AI Agent Responsible Use Policy — which establishes the operational requirements for Agent deployment, including the risk-classification framework (Section 4 of the Agent Policy) that aligns with the Act's risk-based approach;
  • (ii)The Acceptable Use Policy — which prohibits conduct that would violate the Act's prohibitions;
  • (iii)The Privacy Policy — which addresses data-protection obligations, including those that overlap with the Act's data-governance requirements for high-risk systems;
  • (iv)The M2M Agreement — which governs agent-to-agent interactions and extends compliance obligations to automated, multi-agent contexts; and
  • (v)The Compliance Statement — which summarizes PaxLabs' overall compliance posture across all applicable regulatory frameworks.

11Changes

11.1 This page will be updated as the Services evolve, as new obligations come into effect under the Act's phased timeline, and as regulatory guidance, delegated acts, implementing acts, harmonized standards, and codes of practice are issued.

11.2 When we make material updates, we will update the "Version" and "Effective Date" and provide notice through the Services or developer documentation.

12Contact

EU AI Act / Compliance inquiries: [Email address to be inserted]

EU Authorized Representative: [Contact to be inserted per Section 8.2]

General compliance contact: [Email address to be inserted]

For security and incident-related matters: [security contact to be inserted]

Version 1.0 — Effective Date: June 10, 2026

↑ Top