
Enterprise Sales Enablement Kit

Project: Pickles GmbH — AI Governance Framework
Stage: Stage 5 — Commercial Packaging
Status: Draft
Version: v1
Date: 2026-02-26
Assumptions: Built on outline assumptions — not verified against real Pickles GmbH data


1. How to Use This Document

This document provides pre-drafted responses to common enterprise procurement, security, and regulatory questionnaires. Each answer references underlying governance framework documents and relevant regulatory provisions.

Sales teams should:

  1. Adapt language only where necessary for client context.
  2. Avoid altering regulatory citations.
  3. Escalate unusual or high-risk requests to Legal or the AI Risk and Information Officer. [ASSUMPTION]
  4. Flag any question implying judicial authority use for legal review. [LEGAL REVIEW REQUIRED]

2. Security Questionnaire Responses

Q: How is data encrypted in transit and at rest?

A: All client communications are encrypted in transit using modern TLS protocols (minimum TLS 1.3) [ASSUMPTION]. Data at rest within hosting infrastructure is encrypted using industry-standard encryption mechanisms. These measures align with GDPR Article 32(1)(a), which requires appropriate technical and organisational measures to ensure confidentiality and integrity.
Source: L2-5.1 Data Flow Map


Q: Do you use third-party sub-processors?

A: Yes, where required for hosting or AI model inference [ASSUMPTION]. All sub-processors are assessed under GDPR Article 28(2) and must enter into written agreements consistent with Article 28(3). Where international transfers occur, appropriate safeguards under Articles 44 and 46 are required.
Source: L2-5.3 Vendor Model Risk Assessment


Q: How do you manage AI model provider risk?

A: Third-party model providers must execute GDPR Article 28-compliant DPAs and confidentiality agreements consistent with §43e BRAO. EU AI Act Article 25(4) requires written agreements across the AI value chain for high-risk systems.
Source: L2-5.3


Q: Do you log system activity?

A: Yes. High-risk systems implement automatic event logging in accordance with EU AI Act Article 12. Logging supports traceability, monitoring (Article 72), and incident response.
Source: L3-6.1


Q: What is your incident response timeline?

A: Personal data breaches are assessed under GDPR Article 33, requiring supervisory authority notification within 72 hours where applicable. Serious incidents under EU AI Act Article 73 must be reported without undue delay.
Source: L3-6.2


Q: How do you prevent unauthorised automated decisions?

A: Systems are designed to require human lawyer review before any AI-generated output may form final legal advice. This addresses GDPR Article 22(1) and EU AI Act Article 14 human oversight requirements.
Source: L1-3.4


Q: Is there a formal change management process?

A: Yes. All changes are classified under a structured protocol. Substantial modifications (EU AI Act Article 3(23)) trigger reassessment and, where required, new conformity assessment under Article 43(4).
Source: L3-6.3


Q: How do you monitor model performance?

A: Performance metrics such as hallucination rate, error patterns, and user-reported concerns are monitored continuously. For high-risk systems, post-market monitoring is mandatory under Article 72.
Source: L3-6.1


3. EU AI Act Compliance Responses

Q: How do you determine AI system risk classification?

A: Risk classification follows EU AI Act Article 6 and Annex III, interpreted through a structured internal framework. Legal AI use cases referencing Recital 61 are reviewed for potential high-risk status.
Source: L1-3.2


Q: Do your systems require CE marking?

A: CE marking for AI systems is governed by Article 48 of the EU AI Act (separate from the conformity assessment obligations in Articles 16–23, which apply to high-risk AI systems). Vertrag.AI is currently classified as limited risk, so neither conformity assessment nor CE marking currently applies. These obligations would apply if the system is reclassified as high-risk. Current classification assumptions must be legally verified. [LEGAL REVIEW REQUIRED]
Source: L2-4.1


Q: How do you meet transparency obligations?

A: Transparency obligations are implemented in line with Article 13 (deployer instructions) and Article 50 (AI interaction disclosure and synthetic content labelling, effective 2 August 2026).
Source: L2-4.3


Q: Is there a formal risk management system?

A: Yes. High-risk systems implement a lifecycle risk management system consistent with Article 9, including identification, mitigation, and continuous monitoring.
Source: L3-6.1


Q: How are substantial modifications managed?

A: Substantial modifications are identified under Article 3(23). Where compliance with Articles 9–15 may be affected, Article 43(4) requires reassessment prior to deployment.
Source: L3-6.3



Q: What logging obligations apply to your systems?

A: High-risk AI systems implement automatic logging under EU AI Act Article 12. Logs record operational events including timestamps, model version, and error conditions, supporting post-market monitoring under Article 72 and incident traceability.
Source: L3-6.1 AI Monitoring Framework


Q: Are your systems subject to the EU AI Act prohibited practices list?

A: EU AI Act Article 5 prohibits specific AI practices including subliminal manipulation, exploitation of vulnerabilities, social scoring by public authorities, and real-time remote biometric identification in public spaces. No Pickles GmbH system is designed for any prohibited purpose. All new systems are assessed against Article 5 at intake (L1-3.3).
Source: L1-3.2 Risk Classification Framework


Q: What obligations apply across the AI supply chain?

A: EU AI Act Article 25 sets out responsibilities where multiple parties contribute to an AI system. [ASSUMPTION] Pickles GmbH agreements with third-party model providers include written provisions addressing Article 25(4) requirements for high-risk systems, including allocation of compliance obligations and documentation access rights.
Source: L2-5.3 Vendor Model Risk Assessment


4. Data Handling Responses

Q: What is your role under GDPR?

A: [ASSUMPTION] Pickles GmbH acts as processor for client-submitted legal documents (Article 4(8)) and controller for its own account data (Article 4(7)). Final allocation requires contract verification. [LEGAL REVIEW REQUIRED]
Source: L2-5.1


Q: Do you conduct DPIAs?

A: Yes. DPIA screening is performed under Article 35. High-risk systems require full DPIA assessment.
Source: L2-5.2


Q: How do you handle international transfers?

A: Transfers outside the EEA require safeguards under Articles 44 and 46 GDPR, including Standard Contractual Clauses where applicable.
Source: L2-5.3


Q: What are your retention policies?

A: Retention is governed by purpose limitation and storage limitation principles under GDPR Article 5(1)(b)–(e). Specific periods are documented in the Data Flow Map. [ASSUMPTION]
Source: L2-5.1



Q: How do you notify clients of a personal data breach?

A: As data processor, Pickles GmbH notifies the controller without undue delay upon becoming aware of a personal data breach, consistent with GDPR Article 33(2). [ASSUMPTION] Notification includes sufficient detail for the controller to meet its Article 33 and Article 34 obligations. Timelines and procedures are set out in the Incident Response Playbook.
Source: L3-6.2 Incident Response Playbook


Q: How do you handle data subject rights requests?

A: Pickles GmbH assists the controller in responding to data subject rights under GDPR Articles 15–22, consistent with the processor obligation at Article 28(3)(e). [ASSUMPTION] Rights addressed include access, rectification, erasure, restriction, and portability. Procedures and response timelines are set out in the DPA.
Source: L2-5.1 Data Flow Map


Q: Do you use client data to train AI models?

A: [ASSUMPTION] Pickles GmbH does not use client-submitted documents or query data for model training, fine-tuning, or model development. This prohibition is a required contractual control documented in the DPA and vendor model agreements. Each model provider must contractually confirm this restriction. [LEGAL REVIEW REQUIRED]
Source: L2-5.2 DPIA Assessment; L2-5.3 Vendor Model Risk Assessment


Q: Have you designated a Data Protection Officer?

A: [ASSUMPTION] Pickles GmbH has designated a Data Protection Officer under BDSG Section 38, given the nature and scale of its personal data processing activities. DPO contact details are included in client DPAs. The DPO designation threshold must be confirmed against actual staffing and processing scope. [LEGAL REVIEW REQUIRED]
Source: L2-5.2 DPIA Assessment


Q: What safeguards apply to international data transfers?

A: Where sub-processors or AI model providers are located outside the EEA, data transfers are governed by GDPR Articles 44 and 46. [ASSUMPTION] Standard Contractual Clauses (2021 Commission Decision) are used where applicable, supplemented by transfer impact assessments for each sub-processor. [LEGAL REVIEW REQUIRED]
Source: L2-5.3 Vendor Model Risk Assessment


5. Professional Liability Responses

Q: Does your system replace lawyer judgement?

A: No. Under BRAO §43a(1) and EU AI Act Article 14, AI systems are assistive tools. Final responsibility remains with the qualified lawyer.
Source: L1-3.4


Q: How do you protect attorney-client confidentiality?

A: Vendor selection includes §43e BRAO-compliant confidentiality obligations and strict purpose limitation clauses.
Source: L2-5.3


Q: Who is responsible for AI output?

A: AI outputs are advisory tools; responsibility for client-facing advice rests with the instructing lawyer. System documentation clarifies intended purpose per Article 13(3)(b)(i).
Source: L2-4.2



Q: Do you carry professional indemnity insurance?

A: [ASSUMPTION] Pickles GmbH maintains professional indemnity insurance appropriate for a legal technology provider. Specific coverage details and policy limits are available on request under NDA. Procurement teams should conduct their own assessment of whether coverage is adequate for their specific deployment context. [LEGAL REVIEW REQUIRED]
Source: Commercial arrangements [ASSUMPTION]


Q: What are the limits of Pickles GmbH's contractual liability?

A: [ASSUMPTION] Contractual liability is subject to limitations set out in the master services agreement. Because Pickles GmbH systems are assistive tools, clients bear professional responsibility for advice provided to their own clients. Contractual limitation clauses should be reviewed by legal counsel before contract execution. [LEGAL REVIEW REQUIRED]
Source: Commercial terms [ASSUMPTION]


Q: What happens if a client suffers loss due to an AI error?

A: Responsibility for legal advice given to end clients rests with the qualified lawyer. Where an AI system error contributes to a client loss, the allocation of liability between Pickles GmbH's contractual liability and the lawyer's professional liability must be assessed case by case against applicable contract terms and professional rules. [LEGAL REVIEW REQUIRED] [ASSUMPTION]
Source: L1-3.4 Human Oversight Policy; Commercial terms [ASSUMPTION]


Q: How are accuracy complaints handled?

A: [ASSUMPTION] Clients may raise accuracy concerns or formal complaints through the Pickles GmbH incident reporting channel. All complaints are logged, investigated under the Incident Response Playbook (L3-6.2), and responded to within defined SLA timelines. Unresolved complaints may be escalated to the AI Risk and Information Officer (AIRO).
Source: L3-6.2 Incident Response Playbook


6. Appendix: Document Cross-References

Topic                      Framework Document
AI System Registration     L1-3.1
Risk Classification        L1-3.2
Intake Workflow            L1-3.3
Human Oversight            L1-3.4
EU AI Act Mapping          L2-4.1
Technical Documentation    L2-4.2
Transparency Framework     L2-4.3
Data Flow & Roles          L2-5.1
DPIA                       L2-5.2
Vendor Risk                L2-5.3
Monitoring                 L3-6.1
Incident Response          L3-6.2
Change Management          L3-6.3

End of Document 2